
1 Practical and Efficient Information Flow Tracking Using Speculative Hardware
Haibo Chen, Xi Wu, Liwei Yuan, Binyu Zang (Fudan Univ.), Pen-chung Yew (Univ. of Minnesota), Frederic T. Chong (UCSB)
May 12, 2015

2 Motivation
 Vulnerability statistics in CVE, 2005 and 2006
 Unsafe uses of untrusted data

3 DIFT: dynamic information flow tracking
 Mark unsafe data as tainted
 Track the propagation of tainted data across program execution
 Alert if tainted data is used unsafely

4 Buffer Overflow in qwik-smtpd

    char arg[1024];
    char clientHELO[32];
    char localIP[64];
    …
    fscanf(network, "%s", arg);
    …
    strcpy(clientHELO, arg);
    …
    if (!strcmp(clientIP, localIP)) {
        /* Relay the mail */
    }

When a long enough arg is supplied, the copy into clientHELO overruns into localIP (figure: layout of clientHELO and localIP in the data section).

5 How DIFT defeats the attack?
 fscanf(network, "%s", arg) reads tainted data into arg
 strcpy carries the taint from arg into clientHELO and, on overflow, into localIP (data section)
 Security policy: tainted data cannot alter the control flow of the program
 if (!strcmp(clientIP, localIP)) would compare tainted data: cannot compare, security alert

6 Previous Systems
 Software (2005-2007): TaintCheck, Chen et al., LIFT, Xu et al., TaintTrace, Dytan
   ◦ Currently deployable
   ◦ × Best case: LIFT, average 4.6X slowdown for SPECINT-2000
 Hardware (2004-2008): Suh et al., RIFLE, Minos, Raksha, FlexiTaint
   ◦ Fast
   ◦ × Many processor/memory changes
   ◦ × Not ready for production-run deployment

7 Is it possible to have a readily deployable DIFT system with good performance?

8 Contribution: SHIFT
 Key observation: DIFT can be efficiently emulated using DEP (deferred exception propagation) in control speculation
 Implemented on the Itanium processor, using GCC to do the instrumentation
 Good performance:
   ◦ No modification to hardware: average 2.81X and 2.27X slowdown for byte- and word-level taint tracking
   ◦ With minimal hardware modification: average 2.32X and 1.8X for byte- and word-level

9 Outline
 SHIFT: From Speculative Execution to DIFT
 SHIFT Design and Implementation
 Evaluation
 Conclusion

10 Control Speculation
 Execute optimistically

11 Deferred Exception Propagation
 What happens if an exception occurs in the speculative execution?
   ◦ Cannot throw the exception immediately
   ◦ Should propagate it across program execution
(Figure: speculative load, check if an exception occurred, recovery code; registers r13, r14, r15 each carrying a Token bit)

12 Similarity between DEP and DIFT
 DEP: ld and recovery, chk
 DIFT: ld and alert, chk
 Similar!
(Figure: registers r13, r14, r15 with a Token bit under DEP and a Tag bit under DIFT)

13 From DEP to DIFT
 DEP: accelerate the propagation of taint tags
 Minor enhancement:
   ◦ Instructions setting/clearing the exception token
   ◦ DEP-aware compare instructions

14 Outline
 SHIFT: From Speculative Execution to DIFT
 SHIFT Design and Implementation
 Evaluation
 Conclusion

15 General Working Flow of SHIFT
 Taint source: network I/O, disk files, keyboard input, specific functions, specific locations
 Taint policy: tainted data vs. untainted data; op (add, ...) using tainted data
 Taint propagation: memory and registers, with a tag bitmap; load: set tag bit; store: update bitmap
 Violation capture: policy engine checks call [tainted data], jmp [tainted data], ...; raises alert or fault

16 Violation Capture
 OS traps
   ◦ DEP token violation triggers traps
   ◦ Expensive when there are many traps
 Instrumentation
   ◦ Add instructions for checking DEP tokens before critical usages
   ◦ Could cause code expansion
 SHIFT supports both

17 Coexisting Control Speculation with DIFT
 Revert to non-speculative code upon speculation failure
   ◦ No matter whether the token is caused by tainted data or by a deferred exception
 Performance implication
   ◦ False positives for control speculation due to DIFT
   ◦ Effective when little tainted data is involved
   ◦ In Apache, 98% safe data transitions (LIFT, MICRO'06)

18 Implementation (1/2)
 Implemented on Itanium based on GCC
 Itanium has good support for control speculation
   ◦ Each general register has a NaT (Natval) bit
   ◦ NaT (Natval) is propagated during program execution
 Missing features
   ◦ Instructions setting/clearing NaT bits
   ◦ NaT-aware compare instructions

19 Implementation (2/2)
 Compiler instrumentation
   ◦ C code: instrumentation on the low-level IR (RTL)
     - Language-independent
     - Extract program semantics to filter false alarms: boundary-checked data may be used safely
   ◦ Assembly code: use wrapper functions to propagate taint information (memset, strcpy, memcpy, etc.)

20 Tag Memory Operation
 Load computation example
 Instrumentation
 Simulating NaT generation
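The tag-bitmap load/store of slide 15 and the NaT-style token propagation of slides 11-13, re-enacted on the qwik-smtpd scenario of slides 4 and 5, as an added example (constructed here, not the paper's or SHIFT's code); the memory layout, the VA-to-tag-bit mapping and the single-token register model are assumptions:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Toy model of SHIFT's taint machinery (constructed, not the paper's code):
 * a byte-level tag bitmap shadows a small memory, each register carries one
 * token bit standing in for Itanium's NaT bit, and chk() is the DEP check
 * that SHIFT places before a security-critical use. */
#define MEM_SIZE 64
static uint8_t mem[MEM_SIZE];
static uint8_t tagmap[MEM_SIZE / 8];   /* one tag bit per byte of mem */
static int alerts;                     /* policy violations raised so far */
struct reg { uint32_t val; bool token; };   /* token = taint tag (NaT bit) */

/* Assumed VA-to-tag mapping: byte index selects the bitmap byte and bit. */
static bool tag_get(size_t va) { return (tagmap[va >> 3] >> (va & 7)) & 1; }
static void tag_set(size_t va, bool t) {
    uint8_t m = (uint8_t)(1u << (va & 7));
    tagmap[va >> 3] = t ? (tagmap[va >> 3] | m) : (tagmap[va >> 3] & (uint8_t)~m);
}
/* ld: the load also fetches the tag bit ("Load; set tag bit"). */
static struct reg ld_byte(size_t va) { struct reg r = { mem[va], tag_get(va) }; return r; }
/* st: the store writes the tag back ("Store; update bitmap"). */
static void st_byte(size_t va, struct reg r) { mem[va] = (uint8_t)r.val; tag_set(va, r.token); }
/* add: the token propagates as a NaT would, set if either input is tainted. */
static struct reg add(struct reg a, struct reg b) { struct reg r = { a.val + b.val, a.token || b.token }; return r; }
/* chk: policy "tainted data cannot alter control flow"; true = violation. */
static bool chk(struct reg r) { if (r.token) alerts++; return r.token; }

/* Taint source: every byte read from the network is tagged on arrival. */
static void recv_from_network(size_t dst, const char *s) {
    for (size_t i = 0; ; i++) { struct reg r = { (uint8_t)s[i], true }; st_byte(dst + i, r); if (!s[i]) break; }
}
/* Wrapper-function propagation (SHIFT's strcpy wrapper): tags move with bytes. */
static void strcpy_wrapped(size_t dst, size_t src) {
    size_t i = 0;
    do { st_byte(dst + i, ld_byte(src + i)); } while (mem[src + i++] != 0);
}
/* qwik-smtpd re-enacted: arg at [0,32), clientHELO at [32,40), localIP at [40,48).
 * A HELO of helo_len 'A's is copied into clientHELO; returns the alerts raised
 * at the compare on localIP (0 when the copy fits, 1 when it overruns localIP). */
int demo(size_t helo_len) {
    char helo[32] = { 0 };
    memset(helo, 'A', helo_len < 31 ? helo_len : 31);
    memset(mem, 0, sizeof mem); memset(tagmap, 0, sizeof tagmap); alerts = 0;
    strcpy((char *)mem + 40, "1.2.3.4");   /* trusted localIP: its tags stay clear */
    recv_from_network(0, helo);            /* fscanf(network, "%s", arg) */
    strcpy_wrapped(32, 0);                 /* strcpy(clientHELO, arg) */
    struct reg lhs = ld_byte(40);          /* operand of strcmp(clientIP, localIP) */
    if (!chk(lhs) && lhs.val == '1') { /* relay the mail: reached only untainted */ }
    return alerts;
}
```

With a HELO that fits, the compare sees clear tags and the relay branch is reachable; with one that overruns, the tag travels with the bytes into localIP and chk() fires before the branch is taken.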

21 Outline
 SHIFT: From Speculative Execution to DIFT
 SHIFT Design and Implementation
 Evaluation
   ◦ Security evaluation
   ◦ Performance evaluation
 Conclusion

22 Experimental Setup
 Machine setup:
   ◦ HP Integrity rx1620
   ◦ Two 1.6GHz Itanium processors
   ◦ 4GB of memory
   ◦ Redhat Linux Enterprise 4
   ◦ GCC-4.1.1 with the -O3 optimization flag
 Security evaluation
   ◦ Several real-world vulnerabilities from CVE (http://cve.mitre.org)
 Performance evaluation
   ◦ Apache web server using apache benchmark (ab)
   ◦ Eight applications from SPECINT-2000, with disk input as the untrusted source

23 Questions for Evaluation
 Can SHIFT defeat real-world security attacks?
 Does SHIFT provide reasonable performance?
 What contributes to the performance overhead?

24 Security Policies in SHIFT
 Default policies
   ◦ Tainted data cannot be used as a load/store address
   ◦ No modification of critical CPU state (e.g. branch registers)
 Application semantic policies (Xu et al. Security'06, Raksha ISCA'07)
   ◦ Directory traversal: tainted data cannot be used as an absolute file path
   ◦ Cross-site scripting: no tainted script tag
   ◦ SQL injection attack: tainted data cannot contain SQL meta chars

25 SHIFT Security Results

CVE#      | Program (Version)    | Language | Attack Type
2006-6097 | GNU Tar (1.4)        | C        | Directory Traversal
2005-1228 | GNU Gzip (1.2.4)     | C        | Directory Traversal
2006-0983 | Qwikiwiki (1.4.1)    | PHP      | Directory Traversal
2006-2001 | Scry (1.1)           | PHP      | Cross Site Scripting
2007-4334 | php-stats (0.1.9.2)  | PHP      | Cross Site Scripting
2005-3347 | phpsysinfo (2.3)     | PHP      | Cross Site Scripting
2006-6912 | phpmyfaq (1.6.8)     | PHP      | SQL Command Injection
N/A       | Bftpd (0.96 prior)   | C        | Format string attack

The directory traversal, cross-site scripting and SQL injection rows are high-level semantic attacks; the format string row is a low-level memory corruption attack.

26 Performance Overhead with Apache
(Figure: overheads from 0.5% to 4.1%; about 1% overhead on average)

27 Relative Perf. of SPEC
(Figure: slowdowns from 1.3X to 4.7X; average 2.81X at byte-level and 2.27X at word-level)

28 Relative Perf. of SPEC-INT (Arch Support)
(Figure: slowdowns from 1.29X to 3.02X; average 2.32X and 1.8X at byte- and word-level)
 0.49X and 0.47X improvement over no-arch support for byte- and word-level
 With instructions clearing/setting the DEP token and DEP-aware compare instructions in Itanium

29 DIFT Costs w/ (w/o) Control Speculation

Instruction category | Example instruction | Proportion (SPECINT-2K) | # DIFT insts w/o control speculation | # DIFT insts w/ control speculation
Arithmetic           | add r7, r8, r9      | 45.7%                   | 5-6                                  | 0
Control-flow         | beq r7, r8, r9      | 17.6%                   | 2-4                                  | 0
Memory               | ld r7, 8(r8)        | 36.3%                   | 7-8                                  | 6-7

30 SPEC-INT 2000 (Breakdown of Remaining Overhead)
 Load computation dominates the performance overhead

31 Related work
 Software-based DIFT
   ◦ TaintCheck (NDSS'05), LIFT (MICRO'06), Xu et al. (Security'06), Dytan (ISSTA'07)
 Hardware-based DIFT
   ◦ Minos (MICRO'04), Suh et al. (ASPLOS'04), Raksha (ISCA'07), FlexiTaint (HPCA'08)

32 Conclusion
 Practical and efficient DIFT system
   ◦ Novel use of DEP to accelerate DIFT
 To-date best performance data for SPECINT-2000
   ◦ 2.81X and 2.27X slowdown for byte- and word-level
 Non-invasive architectural support
   ◦ Reduces the performance slowdown to 2.32X and 1.8X
 Future work
   ◦ Compiler optimization could reduce overhead

33 Questions?  Thanks

35 Code Size Expansion
(Figure: per-benchmark expansion from 1.45X byte-level / 1.36X word-level up to 3.88X byte-level / 3.23X word-level; average 2.71X for byte-level and 2.43X for word-level)

36 Relative Perf. of SPEC (Coexisting DIFT and Control Speculation)
 Average 0.05X and 0.06X increase in slowdown for byte- and word-level
(Figure: slowdowns from 1.3X to 4.6X; average 2.86X at byte-level and 2.34X at word-level)

37 Tag Management in Itanium (1/2)
(Figure: virtual address space in Linux alongside the tag address space)

38 Tag Management in Itanium (2/2)
(Figure: mapping from VA to TA)

39 Related work
 LIFT (MICRO'06)
   ◦ Uses binary translation, supports unmodified binaries
   ◦ Only detects low-level memory-corruption attacks
   ◦ Aggressive compiler optimization to reduce tracking code
   ◦ Average 4.6X performance slowdown for SPECINT-2000

40 Backup slides
 Compiler optimization
   ◦ Sophisticated optimization is promising: one of our main future works
   ◦ Use profiling to decide if control speculation is needed
 Handling self-modifying code
   ◦ Not often in application code
 Multi-threaded applications

41 Discussion and Further Work
 Compiler optimization
   ◦ Sophisticated optimization is promising
 Multi-threaded applications
