Presentation is loading. Please wait.

Presentation is loading. Please wait.

RAKSHA A Flexible Information Flow Architecture for Software Security Michael Dalton Hari Kannan Christos Kozyrakis Computer Systems Laboratory Stanford.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "RAKSHA A Flexible Information Flow Architecture for Software Security Michael Dalton Hari Kannan Christos Kozyrakis Computer Systems Laboratory Stanford."— Presentation transcript:

1 RAKSHA A Flexible Information Flow Architecture for Software Security Michael Dalton Hari Kannan Christos Kozyrakis Computer Systems Laboratory Stanford University

2 @ 2006, Michael Dalton 2 Motivation  Software security is in a crisis Far-reaching financial & social implications  Worms now mixing different kinds of attacks No longer just simple buffer overflows  High-level semantic vulnerabilities now most common threats SQL Injection, Cross Site Scripting, Directory Traversal, etc Easy to exploit; often architecture & OS independent  Need a new approach that is Robust, End-to-end, Practical, Flexible, Fast

3 @ 2006, Michael Dalton 3 Dynamic Information Flow Tracking  DIFT tags (taints) data from untrusted sources Each byte or word of memory, register has a taint bit  Taint is propagated across instructions If any source operand is tainted, destination becomes tainted  Trap to OS if tainted data used unsafely Tainted pointer dereference Tainted jump address Tainted code  Can prevent memory corruption on unmodified binaries

4 @ 2006, Michael Dalton 4 Limitations of Current DIFT Systems  Software-based DIFT is slow and impractical >3x overhead, source-code access, does not work with threads …  Hardware-based DIFT uses one, fixed security policy Can only solve one problem (e.g., memory corruption)  unsafe  High-level attacks cannot be addressed Cannot adapt to code that violates policy assumptions  impactical  E.g. glib uses alternate bounds checking instructions Vulnerable to attacks that exploit inflexibility of policies  Hardware security exceptions generate OS traps Cannot protect OS  not end-to-end Cannot combined HW and SW to cover difficult cases  inflexible  On a trap, just terminate the program…

5 @ 2006, Michael Dalton 5 RAKSHA Overview  Raksha follows the general DIFT model All state is extended by a 4-bit tag (registers & memory) Operations propagate tags from sources to destinations Operations check tags to identify security traps  New features Software-controlled check & propagate policies  flexibility  Specify policy using check, propagate registers  Fine-grain software control to avoid common pitfalls  Flexibility allows us to catch wide range of bugs Up to 4 concurrently active policies  robustness  One policy per tag bit  Provide comprehensive protection against many bugs Low-overhead, user-level, security traps  end-to-end, flexibility  Can extend with software; can check operating system

6 @ 2006, Michael Dalton 6 Policy Specification  One check & propagate register per active security policy  Policies specified at granularity of primitive operation Int/FP Arithmetic, Move, Logical, Comparison, Execute  Instructions are decoded into ≥1 primitive operations Apply rules specified by check/prop regs to each operation Addresses basic pitfalls of previous designs  Additional support for custom rules

7 @ 2006, Michael Dalton 7 Low Overhead Security Traps  A tag checks invoke pre-registered handler Handler in same address space as code under inspection Handler invocation triggers a special “trusted mode”  A security policy used to protect handler code & data Code & data are tainted Policy does not allow access outside of trusted mode  Benefits Can check security of (most of the) OS  Reduce the amount of code you really trust Coupling HW and SW security analysis is practical  Low performance overhead

8 @ 2006, Michael Dalton 8 Raksha-based LEON3

9 @ 2006, Michael Dalton 9 Raksha Implementation Summary  Full-system prototype based on LEON 3 Open source processor from Gaisler Research SPARC V8 compliant  Synthesized on Virtex 2 FPGA board ParameterSpecification Pipeline depth7 stages Instruction Cache8KB Data Cache32KB Clock frequency20 Mhz Block RAM utilization22% 4 input LUT utilization42% Total increase in gates due to tags7.17%

10 @ 2006, Michael Dalton 10 Raksha Software Infrastructure  Goal: run real-world software stack Running a full-featured Linux 2.6 on Raksha hardware  Custom distribution booting over NFS Full GNU toolchain + glibc  Over 120 packages total  Support enterprise software SSH Postgresql wu-ftpd Apache …

11 @ 2006, Michael Dalton 11 Security Results  Detected and prevented wide range of security attacks Includes high-level semantic attacks All analyses run on unmodified application binaries ProgramAttackDetected Vulnerability gzipDirectory TraversalOpen tainted dir OpenSSHCommand Injectionexecve tainted file ProFPDSQL Injectiontainted SQL query htdigCross-Site Scripting Tainted output with tag tracerouteDouble freeTainted data ptr polymorphBuffer OverflowTainted code ptr Wu-FTPDFormat StringTainted format string in vfprintf

12 @ 2006, Michael Dalton 12 Performance Results  Overhead is analysis-dependent Proportional to exceptions frequency and handler duration Many analyses are very cheap  Most high-level analyses invoked infrequently Buffer overflow protection can be most expensive  If software is used to correctly filter false-positives/negatives  Buffer overflow overhead ProgramExceptionOS trap gcc1.01x1.04x crafty1.01x1.02x gzip1.31x3.60x bzip22.99x18.80x vortex1.34x3.41x

13 @ 2006, Michael Dalton 13 Conclusions  Security trends require flexible solutions High-level vulnerabilities now most common bug  Previous information flow work inflexible Fixed policies that only address one problem (buffer overflow)  Raksha: a flexible DIFT architecture for security Software controlled policies, multiple policies, software extensible  Full-system Raksha prototype using FPGA board Modified Leon3 + Linux 2.6 Protected unmodified binaries from real-world vulnerabilities Simultaneously protect against high-level web attacks, semantic vulnerabilities, and low-level buffer overflows

14 @ 2006, Michael Dalton 14 Future Work  Demonstrate OS protection  Whole system information flow Across processes & files Experiment with more flexible notion of trust and taintedness  Information flow OS Collaboration with HiStar group at Stanford  Beyond Security Debugging  Unlimited watchpoints, breakpoints, info flow in gdb DRAM error modeling Migrate dynamic analyses to unmodified binaries Fault Isolation Tag-aware VMs, interpreters

Download ppt "RAKSHA A Flexible Information Flow Architecture for Software Security Michael Dalton Hari Kannan Christos Kozyrakis Computer Systems Laboratory Stanford."

Similar presentations

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
PART 4: (2/2) Central Processing Unit (CPU) Basics CHAPTER 13: REDUCED INSTRUCTION SET COMPUTERS (RISC) 1.

PART 4: (2/2) Central Processing Unit (CPU) Basics CHAPTER 13: REDUCED INSTRUCTION SET COMPUTERS (RISC) 1.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
RAKSHA A Flexible Information Flow Architecture for Software Security Michael Dalton Hari Kannan Christos Kozyrakis Computer Systems Laboratory Stanford.

RAKSHA A Flexible Information Flow Architecture for Software Security Michael Dalton Hari Kannan Christos Kozyrakis Computer Systems Laboratory Stanford.
1 UCR Reference Monitors/Information Flow Tracking Slide credits: Raksha presentation based on that original authors?

1 UCR Reference Monitors/Information Flow Tracking Slide credits: Raksha presentation based on that original authors?
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Dynamic Program Security Aaron Roth Ali Sinop Gunhee Kim Hyeontaek Lim.

Dynamic Program Security Aaron Roth Ali Sinop Gunhee Kim Hyeontaek Lim.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Chapter 4 Processor Technology and Architecture. Chapter goals Describe CPU instruction and execution cycles Explain how primitive CPU instructions are.

Chapter 4 Processor Technology and Architecture. Chapter goals Describe CPU instruction and execution cycles Explain how primitive CPU instructions are.
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.

1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.

CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.

1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.

What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.

Similar presentations

Ads by Google