Post on 21-Dec-2015
Efficient Taint Analysis Using Multicore Machines
Milind Chabbi
Dr. Gregory Andrews and Dr. Saumya Debray
Computer Science Department
University of Arizona
How Often Do You See This?
Problem Statement
• Vulnerabilities and their exploits are ever increasing in software
– CERT vulnerability statistics show a 47x increase in the last decade
• Exploits can have devastating effects
• Given the complexity of software, it is impossible to prevent programming defects
• State-of-the-art software approaches (e.g. TaintCheck) are effective in detecting exploits, but have excruciating overhead (20-40 times slowdown)
Need to build a secure and efficient computing environment
Road-map
• Classification of Vulnerabilities
• Taint Analysis and Related Work
• Our Approach for Taint Analysis
• Design and Implementation
• Experimental Results
• Conclusion
• Q & A
Types of Vulnerabilities
• Boundary error > 50%
• Input validation error > 40%
• Access control error
• Authentication error
• Configuration error
• Exception handling error
• Randomization error
• Resource error
• State error
Boundary Error
Failure to properly check the length of data against the size of a data storage object or resource
• Stack-based:
– Return address overwrite
– Old base pointer overwrite
– Function pointer overwrite
• Heap-based:
– Function pointer overwrite
– GOT (Global Offset Table) overwrite
– malloc()/free() buffer overwrite
Return Address Overwrite

```c
#include <unistd.h>

void foo(int x) {
    int array[2];        /* 8-byte buffer on the stack */
    read(1, array, 16);  /* 16 bytes into 8: overruns into the saved BP and the return address */
    return;
}

int main(void) {
    foo(100);
    return 0;
}
```

The stack diagram on these slides walks through this program step by step. Process layout, from high to low addresses: KERNEL, stack, HEAP, BSS (uninitialized data), DATA, TEXT. On entry to main the stack holds <_libc_start_main + offset> (main's return address) and <Base Pointer of _libc_start_main>, with BP and SP at that frame.

Calling foo(100) pushes the argument 100, then the return address <main + offset>, then the saved base pointer <BP>; SP then moves down to make room for array[1] and array[0]. foo()'s frame, from high to low, is therefore: 100, <main + offset>, <BP>, array[1], array[0].

read(1, array, 16) writes 16 bytes starting at array[0]. The first 8 bytes fill array[0] and array[1]; the remaining 8 overwrite <BP> and <main + offset>, which taint tracking marks as TAINTED because they were written from an external source.

When foo() returns, the epilogue restores BP from the TAINTED saved base pointer and ret pops the TAINTED return address, so control transfers to an address chosen by the input instead of back into main.
Heap-Based Function Pointer Overwrite

```c
#include <stdlib.h>
#include <unistd.h>

struct heap {
    void (*fptr)(void);
};

void bar(void) {
}

int main(void) {
    int *iPtr = malloc(10);                        /* 10-byte chunk */
    struct heap *h = malloc(sizeof(struct heap));  /* the slides assume this chunk follows iPtr's */
    h->fptr = bar;
    read(1, iPtr, 14);   /* 14 bytes into a 10-byte chunk: spills into h->fptr */
    h->fptr();           /* indirect call through the overwritten pointer */
    return 0;
}
```

Heap layout on these slides: the chunk iPtr points to is immediately followed by the struct heap chunk holding fptr. Before the read, fptr = bar. The read() of 14 bytes overruns the first chunk, so afterwards fptr = TAINTED, and the call h->fptr() transfers control to externally supplied data.
Input Validation Error
Failure to verify that user data has legitimate content
• Arguments to Sensitive System Calls like … system(), execve()
• Format String Vulnerability
Format String Vulnerability

Intended use: the user's input is passed as a data argument, so it is printed verbatim whatever it contains.

```c
#include <stdio.h>

void foo(void) {
    char buffer[256];
    scanf("%s", buffer);   /* slide inputs: "Hello World", then "Hello %d World" */
    printf("%s", buffer);  /* buffer is data; "%d" inside it is printed, not interpreted */
}
```

Vulnerable use: the user's input becomes the format string itself.

```c
#include <stdio.h>

void foo(void) {
    char buffer[256];
    scanf("%s", buffer);   /* "Hello World" still prints as expected ... */
    printf(buffer);        /* ... but "Hello %d World" makes printf consume a missing argument */
}
```
Common Factor
***A common characteristic of all successful attacks is the ability to change the flow of control by corrupting memory, which lets the attacker execute arbitrary code ***
Taint Analysis
• Counters memory corruption attacks
• Mark external data as suspicious (tainted)
• Track data flow as program executes
• Examine data at possible exploit points
(e.g. control transfers)
• Goal is to have few false positives and few false negatives
Static Taint Analysis
1. Source code level analysis
2. Binary level analysis
Good:
– No run-time overhead
Bad:
– Impossible to analyze dynamic features (loops, pointers, aliases, etc.)
– Can have many false positives and false negatives
Dynamic Taint Analysis
1. Coarse-grained approach: filtering known vulnerabilities in the input
– IBM GCC: local variable reordering
– StackGuard: canary values on the stack frame
* Can guard against only a limited set of vulnerability types *
2. Fine-grained approach: tracking every operation
– Fewer/no false positives
– Fewer/no false negatives
* Potentially high overhead *
Fine-Grained Taint Analysis
• Interpreter-based
– TaintCheck: runs compiled code in emulated mode (x86 → RISC → INSTRUMENT → x86 → EXECUTE)
– High overhead due to interpretive execution: ~40x
• Architecture-based
– Each instruction updates a “security tag”
– Needs OS modification and custom hardware support
• Instrumentation-based
Instrumentation-based Taint Analysis
• Program is instrumented to dynamically trace the propagation of taint data
• Requires custom binary rewriting
• Promising because it combines static and dynamic analysis
• High scope for optimization
• Instrumentation overhead
• Runtime tracing overhead
Hardware Trend
• Multicore is commonplace now
• Sun is already shipping the 8-core Niagara chip
• Conventional wisdom is now to double the number of cores on a chip with each silicon generation
• We are clearly moving down the path to 10s, 100s or even 1000s of cores
But… Software
• Amdahl’s law of diminishing returns: only 80x speedup with 100 processing units, even with just a 0.25% sequential component!
• Software has sequential components
• Software is interactive
• Multicores/manycores are only as valuable as the multithreaded software running on them
• So…. some cores are idle
Dynamic Taint Analysis Using Multicores
• Use idle cores for taint tracking
• Execute taint tracking instructions in parallel with the actual computation
Simple Illustration
Original computation:

```c
while (cond) {
    // computation
}
```

Conventional taint analysis inlines the tracking into the same loop:

```c
while (cond) {
    // computation
    // taint computation
}
```

Our approach splits the two loops apart and runs them as separate threads. Thread 1 runs the original computation:

```c
while (cond) {
    // computation
}
```

Thread 2 runs the taint computation concurrently:

```c
while (cond) {
    // taint computation
}
```
30,000 ft Overview
• Augment the memory M with a shadow memory M' such that M'(w) = TAG(w), where
  TAG(w) = 0 if w is trusted data, and TAG(w) = 1 if w is untrusted data
• Clone the entire program and run the two copies as two threads
– One thread is the original execution
– The other thread shadows the original thread’s execution and does the taint analysis
Advantages of Our Approach
• Software based: no custom hardware required
• No source code required
• No OS modifications required
• Language independent
• Dynamic tracking, so has low false positives and low false negatives
• Huge scope for optimizations
Roles and Responsibilities of Shadow

| Target program | Tracking (shadow) |
|---|---|
| Receive(&a) | Tag(a) = 1 // unsafe data |
| b = a | Tag(b) = Tag(a) |
| … | … |
| Jmp c | If (Tag(c) == 1), raise alert! Halt |

Default: imitate the control flow of the original program
Architecture
1. Statically linked x86 relocatable
2. Disassembler → control flow graph (CFG)
3. Memory Augmenter → CFG + shadow memory
4. Program Cloner → original program P, cloned program Q
5. Thread Synchronizer → thread-synchronized P = P’, thread-synchronized Q = Q’
6. Program Analyzer and Instrumenter → instrumented P’ = P’’; taint marker, taint tracker and exploit detector = Q’’
7. Optimizer → optimally synchronized P’’ and Q’’
8. Program Assembler → self-protecting x86 executable
Creating Shadow Memory
The process address space (KERNEL, STACK, HEAP, BSS (uninitialized data), DATA, TEXT) is mirrored by a second region with the same layout, the shadow memory, which holds the tags for the corresponding original locations.
Shadow Creation by Complete Program Cloning
Every function of the original program (Function A, Function B, …) gets a cloned counterpart in the shadow (Function A’, Function B’, …).
Shadow’s Control Flow Imitation
Each basic block A, B of the original has a shadow counterpart A’, B’. A global flag TARGET keeps the two threads in lockstep at block boundaries:

```
global TARGET

Original             Shadow
Basic Block A        Basic Block A’
Set(TARGET)          While(!TARGET);
While(TARGET);       Reset(TARGET)
Basic Block B        Basic Block B’
```
Conditional Branches

```
global TARGET

Original                                   Shadow
Basic Block A                              Basic Block A’
if cond == TRUE: TARGET = C’               while(!TARGET);
else:            TARGET = B’               Local_Target = TARGET
while(TARGET);                             Reset(TARGET)
if cond == TRUE JMP Basic Block C          if Local_Target == C’ JMP Basic Block C’
Basic Block B                              Basic Block B’
Basic Block C                              Basic Block C’
```

The original evaluates the branch condition and posts the label of the successor’s shadow block in TARGET, then spins until the shadow has consumed it; the shadow spins until TARGET is set, copies it into a local, resets the global, and jumps to the block the local names.
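As an added example, not the authors' code, the following two-thread C program implements the TARGET protocol above with C11 atomics and pthreads: the original thread branches on a constructed input array and posts each successor's shadow label, while the shadow thread never sees the inputs yet visits the same block sequence. The block labels, the inputs and the loop shape are assumptions made for the example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Block labels (constructed encoding); NONE is the value Reset(TARGET) leaves. */
enum { NONE = 0, BLK_A, BLK_B, BLK_C, BLK_EXIT };

static _Atomic int TARGET;                 /* the slides' global TARGET */

/* Constructed inputs the original branches on; the shadow never reads them. */
static const int inputs[] = { 3, 8, 5, 6, 1 };
#define NIN ((int)(sizeof inputs / sizeof inputs[0]))

static int orig_trace[32], shadow_trace[32];
static int orig_len, shadow_len;

/* Original side of a branch:  TARGET = X';  while(TARGET); */
static void post_target(int label)
{
    atomic_store_explicit(&TARGET, label, memory_order_release);
    while (atomic_load_explicit(&TARGET, memory_order_acquire) != NONE)
        ;                                  /* spin until the shadow took it */
}

/* Shadow side of a branch:  while(!TARGET);  Local_Target = TARGET;  Reset(TARGET); */
static int take_target(void)
{
    int local;
    while ((local = atomic_load_explicit(&TARGET, memory_order_acquire)) == NONE)
        ;                                  /* spin until the original posted one */
    atomic_store_explicit(&TARGET, NONE, memory_order_release);
    return local;
}

/* Original thread. Its CFG: loop head L (i < NIN ? A : EXIT); Basic Block A;
 * if cond JMP C else B; back to L. Every conditional branch posts the label of
 * the successor's shadow block before the original itself takes the edge. */
static void *original(void *arg)
{
    (void)arg;
    for (int i = 0; ; i++) {
        if (i >= NIN) { post_target(BLK_EXIT); break; }  /* L: leave the loop */
        post_target(BLK_A);                               /* L: enter the body */
        orig_trace[orig_len++] = BLK_A;                   /* Basic Block A     */
        bool cond = inputs[i] % 2 == 1;
        int next = cond ? BLK_C : BLK_B;                  /* if cond JMP C     */
        post_target(next);
        orig_trace[orig_len++] = next;                    /* Basic Block B / C */
    }
    return NULL;
}

/* Shadow thread: imitates the control flow without evaluating any condition;
 * it has only tags, never the values cond depends on. */
static void *shadow(void *arg)
{
    (void)arg;
    for (;;) {
        int local = take_target();                        /* L'                */
        if (local == BLK_EXIT) break;
        shadow_trace[shadow_len++] = BLK_A;               /* Basic Block A'    */
        local = take_target();                            /* Local_Target      */
        shadow_trace[shadow_len++] = local;               /* JMP B' or C'      */
    }
    return NULL;
}

/* Runs both threads; returns 1 if the shadow visited exactly the blocks the
 * original did, in the same order, and 0 otherwise. */
int run_lockstep(void)
{
    pthread_t to, ts;
    orig_len = shadow_len = 0;
    atomic_store(&TARGET, NONE);
    if (pthread_create(&ts, NULL, shadow, NULL) != 0) return 0;
    if (pthread_create(&to, NULL, original, NULL) != 0) {
        post_target(BLK_EXIT);                            /* let the shadow exit */
        pthread_join(ts, NULL);
        return 0;
    }
    pthread_join(to, NULL);
    pthread_join(ts, NULL);
    if (orig_len != shadow_len || orig_len != 2 * NIN) return 0;
    for (int i = 0; i < orig_len; i++)
        if (orig_trace[i] != shadow_trace[i]) return 0;
    return 1;
}

/* Block the shadow visited at position i, or -1 when out of range. */
int shadow_block_at(int i) { return (i >= 0 && i < shadow_len) ? shadow_trace[i] : -1; }
```

With the inputs above the shared trace is A, C, A, B, A, C, A, B, A, C; removing either spin loop lets the two threads drift apart, which is exactly what the slides' lockstep prevents.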
More Complex Control Structures
• Indirect jumps
• Indirect calls
• Jump tables
With one-to-one mapping between functions, blocks, instructions, and relocations, all of these can be handled.
Marking Taint Source
• System calls like read() and recvfrom() are sources of taint
• After the system call, we definitely know which memory region got tainted
• The shadow DOES NOT make any system call
• Other sources of taint include command line arguments and environment variables
Taint Propagation
1. Copy propagation: tainted data is copied from one location to another.
2. Arithmetic propagation: tainted data is an input operand of an arithmetic/logical transformation.
3. Address propagation: tainted data is used to calculate a memory address.
Run-time View of Modified Program
The original thread runs foo() and then bar() with its own BP and SP on the original stack; the shadow thread runs foo()’ and then bar()’ with its own BP and SP in the shadow memory, which mirrors the original address space (KERNEL, TEXT, DATA, BSS (uninitialized data), HEAP, stack). Where the original copies data between two locations, the shadow propagates the tag between the two mirrored locations.
Populating Shadow Instructions

| Original computation | Shadow computation |
|---|---|
| Mov %eax, %ebx | Mov %eax, %ebx |
| Mov %eax, 0x8(%ebp) | Mov %eax, 0x8(%ebp) |
| Add %eax, 0x8(%ebp) | Or %eax, 0x8(%ebp) |
| Push %eax | Push %eax |
| Inc %eax | None |
| Int 0x80 | None |

Populating Shadow Instructions … Indirect Memory

| Original computation | Shadow computation |
|---|---|
| Mov %eax, 0x8(%ebx) | Mov %eax, 0x8(%ebx) |
| Add %eax, 0x8(%edx) | Or %eax, 0x8(%edx) |
Information Sharing with Shared Buffer

| Original computation | Shadow computation |
|---|---|
| Enque(%ebx) | Push %ebx |
| Mov %eax, 0x8(%ebx) | Deque(%ebx) |
| | Sub $OFFSET, %ebx |
| | Mov %eax, 0x8(%ebx) |
| | Pop %ebx |
| Enque(%edx) | Push %edx |
| Add %eax, 0x8(%edx) | Deque(%edx) |
| | Sub $OFFSET, %edx |
| | Or %eax, 0x8(%edx) |
| | Pop %edx |

The shadow thread has no access to the original’s register values, so the original enqueues the base register of each indirect memory operand into a shared buffer; the shadow dequeues it, subtracts $OFFSET to reach the mirrored shadow location, and propagates the tag there. The following two slides show the same sequence with Shl %eax, 0x8(%edx) in place of Add; either way the shadow instruction is Or %eax, 0x8(%edx).
Guarding Against Exploits

On reaching a sensitive program point, the original program waits for the shadow to finish its security checks before it continues.

Examples:
– Return address
– Indirect jump
– Format string function
– Sensitive system calls
Catching Return Address Overwrite

    foo(int x){
      int array[2];
      read(1, array, 16);   /* 16 bytes into an 8-byte array: overflows foo's frame */
      return;
    }
    main(){
      foo(100);
    }

Stack of the original thread while foo() runs, highest address first (KERNEL above):

    <_libc_start_main + offset>          return address of main
    <Base Pointer of _libc_start_main>   saved BP of main
    100                                  argument x
    <main + offset>                      return address of foo
    <BP>                                 saved BP of main   <- BP
    array[1]
    array[0]                                                <- SP

The shadow stack has the same layout (<main()'s caller>, 100, <main()' + offset>, <BP>, array[1], array[0]) with its own BP and SP, and holds the tags instead of the values.

After read() returns, 16 bytes of input have been written starting at array[0], so the shadow marks four slots as TAINTED: array[0], array[1], the saved <BP>, and the return address <main + offset>.

The return instruction is a sensitive program point: the original thread waits for the shadow to check the taintedness of the return address before the return is allowed to proceed.
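The mechanism of the last few slides (shadow instructions, the shared buffer of addresses, and the wait at a sensitive program point), as an added example written for this page; it is not the paper's code. It models the original and shadow computations as two POSIX threads over a toy word-addressed instruction set (an assumption of the example), with a ring buffer carrying only the dynamic addresses, a read() that acts as the taint source, and the return-address check of the foo() walk-through above. The frame layout (array at 10 and 11, saved BP at 12, return address at 13), the constructed attacker input, and the names run_foo and foo_tag are all inventions of the example.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_WORDS 32   /* one 32-bit word per address; shadow[] is the tag memory */
#define QUEUE_LEN 16

/* Toy instruction set standing in for the x86 stream (assumption of this example). */
enum op { MOVI, STORE, LOAD, ADD, READ, RET };
struct insn { enum op op; int r, s, imm; };

struct run {
    const struct insn *prog; size_t n;
    const uint32_t *input; size_t input_words;          /* constructed attacker input */
    uint32_t mem[MEM_WORDS]; uint8_t shadow[MEM_WORDS]; /* values vs. tags (1 = tainted) */
    uint32_t reg[4]; uint8_t tag[4];
    int queue[QUEUE_LEN]; size_t head, tail;            /* shared buffer: addresses only */
    int verdict, verdict_ready;                         /* shadow's answer at the sensitive point */
    pthread_mutex_t mu; pthread_cond_t cv;
};

static void enque(struct run *R, int v) {
    pthread_mutex_lock(&R->mu);
    while (R->tail - R->head == QUEUE_LEN) pthread_cond_wait(&R->cv, &R->mu);
    R->queue[R->tail++ % QUEUE_LEN] = v;
    pthread_cond_broadcast(&R->cv); pthread_mutex_unlock(&R->mu);
}
static int deque(struct run *R) {
    pthread_mutex_lock(&R->mu);
    while (R->tail == R->head) pthread_cond_wait(&R->cv, &R->mu);
    int v = R->queue[R->head++ % QUEUE_LEN];
    pthread_cond_broadcast(&R->cv); pthread_mutex_unlock(&R->mu);
    return v;
}

/* Original computation: real values; every dynamic address crosses the buffer. */
static void *original(void *arg) {
    struct run *R = arg;
    for (size_t i = 0; i < R->n; i++) {
        const struct insn *I = &R->prog[i]; int a;
        switch (I->op) {
        case MOVI:  R->reg[I->r] = (uint32_t)I->imm; break;
        case STORE: a = (int)R->reg[I->r] + I->imm; enque(R, a); R->mem[a] = R->reg[I->s]; break;
        case LOAD:  a = (int)R->reg[I->s] + I->imm; enque(R, a); R->reg[I->r] = R->mem[a]; break;
        case ADD:   R->reg[I->r] += R->reg[I->s]; break;
        case READ:  a = (int)R->reg[I->r]; enque(R, a); enque(R, (int)R->input_words);
                    for (size_t k = 0; k < R->input_words; k++) R->mem[a + k] = R->input[k];
                    break;
        case RET:   /* sensitive point: block until the shadow has checked the slot */
                    pthread_mutex_lock(&R->mu);
                    while (!R->verdict_ready) pthread_cond_wait(&R->cv, &R->mu);
                    pthread_mutex_unlock(&R->mu); break;
        }
    }
    return NULL;
}

/* Shadow computation: Mov copies a tag, Add becomes Or, read() is the taint source. */
static void *shadow(void *arg) {
    struct run *R = arg;
    for (size_t i = 0; i < R->n; i++) {
        const struct insn *I = &R->prog[i]; int a, n;
        switch (I->op) {
        case MOVI:  R->tag[I->r] = 0; break;                      /* constant: untainted */
        case STORE: R->shadow[deque(R)] = R->tag[I->s]; break;    /* Deque, Sub $OFFSET, Mov */
        case LOAD:  R->tag[I->r] = R->shadow[deque(R)]; break;
        case ADD:   R->tag[I->r] |= R->tag[I->s]; break;          /* Or */
        case READ:  a = deque(R); n = deque(R); memset(&R->shadow[a], 1, (size_t)n); break;
        case RET:   pthread_mutex_lock(&R->mu);
                    R->verdict = R->shadow[I->imm]; R->verdict_ready = 1;
                    pthread_cond_broadcast(&R->cv); pthread_mutex_unlock(&R->mu); break;
        }
    }
    return NULL;
}

/* foo()'s frame: array[0], array[1] at 10, 11; saved BP at 12; return address at 13.
 * input_words is how many words read() delivers: 2 fits the array, 4 overflows the frame.
 * Returns 1 if the shadow found the return-address slot tainted. */
int run_foo(size_t input_words, uint8_t *tags_out) {
    static const uint32_t input[4] = { 0x41414141, 0x41414141, 0x41414141, 0xdeadbeef };
    static const struct insn prog[] = {
        { MOVI, 0, 0, 10 }, /* r0 = &array[0]                               */
        { MOVI, 1, 0, 0 },  /* r1 = 0, an untainted constant                */
        { STORE, 0, 1, 0 }, /* array[0] = r1: Enque(r0); Mov                */
        { READ, 0, 0, 0 },  /* read(fd, array, n): taints slots 10 .. 10+n-1 */
        { LOAD, 2, 0, 1 },  /* r2 = array[1]: tag comes from shadow memory  */
        { ADD, 2, 1, 0 },   /* r2 += r1: tag(r2) |= tag(r1)                 */
        { STORE, 0, 2, 5 }, /* mem[15] = r2: taint flows on                 */
        { RET, 0, 0, 13 },  /* return: check the tag of slot 13             */
    };
    struct run R; memset(&R, 0, sizeof R);
    R.prog = prog; R.n = sizeof prog / sizeof prog[0];
    R.input = input; R.input_words = input_words > 4 ? 4 : input_words;
    pthread_mutex_init(&R.mu, NULL); pthread_cond_init(&R.cv, NULL);
    pthread_t t_orig, t_shadow;
    pthread_create(&t_orig, NULL, original, &R);
    pthread_create(&t_shadow, NULL, shadow, &R);
    pthread_join(t_orig, NULL); pthread_join(t_shadow, NULL);
    pthread_mutex_destroy(&R.mu); pthread_cond_destroy(&R.cv);
    if (tags_out) memcpy(tags_out, R.shadow, MEM_WORDS);
    return R.verdict;
}

/* Tag of one shadow slot after a run with the given read size. */
int foo_tag(size_t input_words, int addr) {
    uint8_t t[MEM_WORDS]; run_foo(input_words, t); return t[addr];
}

int main(void) {
    printf("read of 2 words: hijack=%d\n", run_foo(2, NULL));
    printf("read of 4 words: hijack=%d\n", run_foo(4, NULL));
    return 0;
}
```

Only addresses and the read length cross the buffer; the shadow never sees data values, which is why its instruction stream can be fixed at instrumentation time. The wait at RET is the only point where the two threads rendezvous, so a tainted return address is caught before the original uses it, while everything before that point runs concurrently.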
Catching Function Pointer Overwrite

    struct heap {
      void (*fptr)();
    };
    void Bar(){
    }
    main(){
      int *iPtr = malloc(10);
      struct heap *h = malloc(sizeof(struct heap));
      h->fptr = Bar;
      read(1, iPtr, 14);   /* 14 bytes into a 10-byte chunk: overflows into h */
      h->fptr();
    }

[Figure: heap layout, original and shadow. The chunk for iPtr is adjacent to the chunk holding fPtr = Bar; the shadow heap holds the corresponding tags iPtr' and fPtr'. After read() returns, the shadow marks both the iPtr chunk and fPtr as TAINTED.]

The indirect call h->fptr() is a sensitive program point: the original thread waits for the shadow to check the taintedness of the function pointer before the call is allowed to proceed.
Catching Format String Vulnerability

    printf(FILE *fp, char *fmt, ...){
      if (fmt contains a "%n" that is tainted) then
        Flag Warning
    }

Vulnerable use:

    Foo(){
      char buffer[256];
      scanf("%s", buffer);
      printf(buffer);
    }

With the input "Hello %nWorld", every byte of the buffer (H e l l o space % n W o r l d) is TAINTED in shadow memory; only the 0x08 word shown before the buffer is UNTAINTED. The %n directive therefore comes from user input and is flagged.
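The check sketched in the printf() wrapper above, written out as an added example for this page (not the paper's code). It assumes a byte-per-byte tag map for the format string, walks the string directive by directive, and flags a %n only when the '%' that introduces it is tainted, so a "%n" the programmer wrote into a constant format is left alone and "%%" is treated as a literal percent sign. The function names tainted_percent_n and check_printf_call, and the call-site model of "everything from byte k onward is user data", are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* tags[i] == 1 means fmt[i] came from untrusted input.
 * Returns 1 if some %n conversion is user-controlled, else 0. */
int tainted_percent_n(const char *fmt, const uint8_t *tags)
{
    for (size_t i = 0; fmt[i] != '\0'; i++) {
        if (fmt[i] != '%')
            continue;
        size_t start = i++;                    /* index of the '%' */
        if (fmt[i] == '%')
            continue;                          /* "%%": literal percent sign */
        while (fmt[i] != '\0' && strchr("-+ #0", fmt[i])) i++;             /* flags */
        while ((fmt[i] >= '0' && fmt[i] <= '9') || fmt[i] == '*') i++;     /* width */
        if (fmt[i] == '.') {                                               /* precision */
            i++;
            while ((fmt[i] >= '0' && fmt[i] <= '9') || fmt[i] == '*') i++;
        }
        while (fmt[i] != '\0' && strchr("hlLqjzt", fmt[i])) i++;           /* length */
        if (fmt[i] == '\0')
            break;                             /* truncated directive, nothing to write */
        if (fmt[i] == 'n' && tags[start])
            return 1;                          /* user-controlled %n: flag it */
    }
    return 0;
}

/* Model of the call site: bytes from `untrusted_from` onward came from the user.
 * scanf("%s", buf); printf(buf)                 -> untrusted_from = 0
 * snprintf(buf, n, "Name: %s", user); printf(buf) -> untrusted_from = 6
 * A constant format string                       -> untrusted_from >= strlen(fmt)
 * Returns 1 if the printf() must be stopped, 0 if it may proceed,
 * -1 if the format is longer than this example's tag map. */
int check_printf_call(const char *fmt, size_t untrusted_from)
{
    uint8_t tags[512];                         /* constructed tag map */
    size_t len = strlen(fmt);
    if (len >= sizeof tags)
        return -1;
    for (size_t i = 0; i < len; i++)
        tags[i] = i >= untrusted_from;
    return tainted_percent_n(fmt, tags);
}
```

The per-directive decision is what keeps the false positives of slide 77 from turning into missed detections: "%d items%n" in program text is allowed, while the same "%n" arriving through a user-controlled buffer, even behind width, precision or length modifiers such as "%*d %hhn", is stopped.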
Architecture

    Statically linked x86 relocatable
      -> Disassembler
      -> Control Flow Graph
      -> Memory Augmenter
      -> CFG + Shadow Memory
      -> Program Cloner
      -> Original program = P, Cloned program = Q
      -> Thread Synchronizer
      -> Thread-synchronized P = P', Thread-synchronized Q = Q'
      -> Program Analyzer and Instrumenter
      -> Instrumented P' = P''; taint marker, taint tracker, and exploit detector = Q''
      -> Optimizer
      -> Optimally synchronized P'', Optimally synchronized Q''
      -> Program Assembler
      -> Self-protecting x86 executable
Optimization: Return Address Checks

The return address of a function F does not have to be checked for overwrite if:
– F itself has no local variables, and
– no member of the set descendants(F) has local variables.

* Can be extended to functions without arrays.
Optimization: Skipping Function Tracing

A function A, when called from function B, can run without tracing if:
– A itself has no store operations,
– no member of the set descendants(A) has store operations, and
– B does not use the return value of A for any store operation.

*** Classic examples: strcmp(), strncmp(), memcmp() ***
* Can be extended to functions that may store only to non-array locals.
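The two predicates above computed over a call graph, as an added example for this page rather than the paper's implementation. It assumes the instrumenter already knows, per function, whether it has local variables and whether it performs stores (the two facts the optimizations need), and represents direct calls as an adjacency matrix; descendants(F) is the set of functions reachable from F, found by a depth-first search that tolerates recursion. The function set (main, handle, parse, eq, strcmp, memcmp, log_ok), their flags, and the call edges are constructed for the example, and whether the caller stores the callee's result is passed in as a flag because it is a property of the call site.

```c
#include <stdio.h>
#include <string.h>

#define NFUNC 7
enum { F_MAIN, F_HANDLE, F_PARSE, F_EQ, F_STRCMP, F_MEMCMP, F_LOG };

struct fn { const char *name; int has_locals, has_stores; };
static const struct fn FUNCS[NFUNC] = {           /* constructed facts per function */
    [F_MAIN]   = { "main",   1, 1 },
    [F_HANDLE] = { "handle", 1, 1 },              /* recursive, see CALLS */
    [F_PARSE]  = { "parse",  1, 1 },
    [F_EQ]     = { "eq",     0, 0 },              /* thin wrapper around strcmp() */
    [F_STRCMP] = { "strcmp", 0, 0 },
    [F_MEMCMP] = { "memcmp", 0, 0 },
    [F_LOG]    = { "log_ok", 0, 1 },              /* no locals, but stores to a global */
};
/* CALLS[a][b] == 1 means a calls b directly. */
static const int CALLS[NFUNC][NFUNC] = {
    [F_MAIN]   = { [F_HANDLE] = 1, [F_EQ] = 1 },
    [F_HANDLE] = { [F_HANDLE] = 1, [F_PARSE] = 1, [F_LOG] = 1 },
    [F_PARSE]  = { [F_MEMCMP] = 1 },
    [F_EQ]     = { [F_STRCMP] = 1 },
};

/* Mark every function reachable from f; `seen` doubles as the visited set,
 * so a recursive call graph terminates. */
static void descendants(int f, int seen[NFUNC]) {
    for (int g = 0; g < NFUNC; g++)
        if (CALLS[f][g] && !seen[g]) { seen[g] = 1; descendants(g, seen); }
}

/* The return-address check at f's return can be dropped iff neither f nor
 * any member of descendants(f) has local variables. */
int needs_return_check(int f) {
    if (FUNCS[f].has_locals) return 1;
    int seen[NFUNC] = {0};
    descendants(f, seen);
    for (int g = 0; g < NFUNC; g++)
        if (seen[g] && FUNCS[g].has_locals) return 1;
    return 0;
}

/* a can run untraced at a call site iff neither a nor any member of
 * descendants(a) stores, and the caller does not feed a's result into a store. */
int can_skip_tracing(int a, int caller_stores_result) {
    if (caller_stores_result || FUNCS[a].has_stores) return 0;
    int seen[NFUNC] = {0};
    descendants(a, seen);
    for (int g = 0; g < NFUNC; g++)
        if (seen[g] && FUNCS[g].has_stores) return 0;
    return 1;
}

int main(void) {
    for (int f = 0; f < NFUNC; f++)
        printf("%-7s return-check=%d untraced-if-result-not-stored=%d\n",
               FUNCS[f].name, needs_return_check(f), can_skip_tracing(f, 0));
    return 0;
}
```

On this graph only eq, strcmp and memcmp qualify for both optimizations; log_ok has no locals, so its return needs no check, but it stores and so must stay traced; handle and parse, which own stack frames and write memory, keep both the check and the tracing.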
Optimization: Loop Synchronization

• 80-20 rule: many programs spend most of their time inside loops.

    LOOP 1:
    for (int i = 0; i < n; i += k) {
      array[i] = CONSTANT;
    }

    LOOP 2:
    for (int i = 0; read(fd, &ch, 1); i += k) {
      buffer[i] = ch;
    }

Loop 1 stores only a constant on every iteration; Loop 2 stores a byte read from fd on every iteration.
What Guarantees Can We Make?

Analysis of false negatives:
* Can detect all control hijack attacks.
* Can detect tainted arguments to sensitive system calls.
* Cannot detect non-control-data attacks that corrupt a variety of application data.
* Cannot stop Denial of Service attacks.

Analysis of false positives:
* Intentionally passing user format specifiers to format string handlers.
* Intentionally passing user strings to sensitive system calls.
* Intentionally executing user-injected code.
Security Evaluation

| Application | Version | Vulnerability | Detected | False Positive |
|---|---|---|---|---|
| ATPHttpd | 0.4b | Stack-based buffer overflow | YES | NO |
| Passlogd | 0.1c | Stack-based buffer overflow | YES | NO |
| BSD Talkd | BSD 2.7 | Format String | YES | NO |
| BSD Chpass | BSD 2.7 | Format String | YES | NO |
| LibTiff library | 3.5.4 | Heap-based buffer overflow | YES | NO |
| Cfingerd | 1.4.3 | Format String | YES | NO |
Performance Evaluation

[Figure: Performance Comparison of ATPhttpd. Time in seconds (0 to 0.12) for the original execution and for the instrumented program, at page sizes 1KB, 10KB, 20KB and 30KB.]

| HTML page size | 1KB | 10KB | 20KB | 30KB |
|---|---|---|---|---|
| Slowdown (number of times) | 4.03 | 1.78 | 1.78 | 1.48 |
Effect of Optimizations

[Figure: performance comparison for ATPHttpd serving a 30K page. Time in seconds (0 to 0.45) for the original computation and for the taint analyzer under successive optimizations; the slowdown factors read off the bars, in the order shown, are listed below.]

| Configuration (ATPHttpd, 30K page) | Slowdown |
|---|---|
| Taint analyzer with no optimization | 6.3x |
| Taint analyzer with some functions not traced | 5.2x |
| Taint analyzer with relaxed return address checks | 4.7x |
| Taint analyzer with optimized high-frequency loop | 2.7x |
| Taint analyzer with all optimizations | 1.5x |
Performance of Various Applications

| Application | 30KB page in ATPHTTPD | Cfinger daemon | Libtiff on 2MB file | Passlogd with 1.25KB download | Gzip with 13.6MB file |
|---|---|---|---|---|---|
| Slowdown (number of times) | 1.48 | 5.16 | 9.24 | 1.75 | 1.05 |

[Figure: two bar charts titled "Performance of Applications", time in seconds for the original program and the instrumented program: one for Cfinger daemon, 30KB page in ATPHTTPD and Libtiff on 2MB file (0 to 0.25 s); one for Gzip with 13.6MB file and Passlogd with 1.25KB download (0 to 5 s).]

For comparison: TaintCheck 36x, LIFT 2.97x.
Conclusions

• The taint tracking task has enough parallelism with the original computation that it can be delegated to a concurrent thread.
• Our approach has reduced the overhead from 20-40 times to less than 5 times on average.
• Vulnerability detection using multicore machines has a promising future.
• With many cores being the future of hardware, we can always afford to dedicate some cores to taint analysis.
• This approach goes a long way toward shaping the future of secure and efficient computing.
THANKS
Questions ?
Format String Vulnerability …

[Figure, shown in five steps: the format "Hello %d World %d ok %d blah! %n" and, above it, the caller's stack frame holding the two actual arguments 200 and 100.]

1. "Hello %d World %d ok %d blah! %n": printf starts walking the arguments in the caller's stack frame.
2. "Hello 200 World %d ok %d blah! %n": the first %d consumes 200.
3. "Hello 200 World 100 ok %d blah! %n": the second %d consumes 100; no arguments remain.
4. The third %d reads past the supplied arguments, further into the caller's stack frame, where the slide shows the word holding Password.
5. The final %n writes the number of characters printed so far to the address found in the next stack slot.
CPU SPEC2000 INT - Gzip

[Figure: Performance Comparison for Gzip. Time in seconds (0 to 2.5) for the original Gzip program and the instrumented Gzip program, at file sizes 400KB, 1.2MB, 2.4MB and 13.6MB.]

| Input file size | 400KB | 1.2MB | 2.4MB | 13.6MB | 65.4MB |
|---|---|---|---|---|---|
| Slowdown (number of times) | 2.65 | 1.64 | 1.40 | 1.05 | 1.037 |
Thread Creation

By the time the shadow thread is spawned, the program should already have initialized some of its data structures (_start, _init), so that initialization has to happen without a shadow.

Classic chicken-and-egg problem:

    _start()    _start()'
    _init()     _init()'
    Main()      Main()'
Have One More Copy

    _start()          _start()'         _start()''
    _init()           _init()'          _init()''
    Main()            Main()'           Main()''

    Unsynchronized    Synchronized      Taint
    Original          Original          Computation
    Computation       Computation

The unsynchronized copy runs _start() and _init() without a shadow, then spawns Main()'' (the taint computation) and calls Main()' (the synchronized original computation).