Post on 13-Jan-2016
Computer Science
Detecting Memory Access Errorsvia
Illegal Write Monitoring
Ongoing Researchby
Emre Can Sezer
Emre Can SezerComputer Science
Emre Can SezerComputer Science
Outline
• Quick wrap-up of last semester’s presentation
• Basic design
• Problems and Solutions– Pointers– Structure types
• Discussion– Performance considerations– Applications
Emre Can SezerComputer Science
Wrap-up of last semester’s talk
• C is not type safe, and continue to have vulnerabilities• Worm outbreaks
– NIDS’s can only detect random scanning worms
– NIDS’s accept a certain number of casualties
• Data attacks evade most HIDS’s• We need a good host-based framework to detect a
broad range of memory corruption attacks
Emre Can SezerComputer Science
Main Observation with an Illustrative Example
• Line 11 can overflow buffer.• Line 11 should only be writing to buffer.
1 void func () {2 int isAdmin;3 char buffer[255];4 isAdmin = 0;5 if ( check_pssw(buffer) ) {6 isAdmin = 1;7 } else {8 isAdmin = 0;9 }10 …11 scanf (“%s”, buffer);12 …13 if (isAdmin) {…} else {…}14 …15 return;16 }
Ove
rflo
w
Ret. address
Buffer[255]
isAdmin
Activation Record of
func() on stack
Emre Can SezerComputer Science
Basic Design
• Observation: A memory location is only modified by a small number of instructions.
• Idea: – Select a list of memory locations to monitor
– For every location determine the list of instructions that can modify it, called the memory location’s write set (WS).
– At runtime perform checks to ensure monitored memory locations are only modified by instructions in their WS.
• Implementation has two parts:– Static analysis
– Dynamic monitoring
Emre Can SezerComputer Science
Static Analysis
• Use source code analysis• For every variable, determine the variable’s WS.
– Assignment instructions where the variable is on the LHS.
– Library function calls in which the variable is used as an argument that the function can modify (i.e. memcpy())
• Current implementation uses Code Surfer• A script automatically extracts all the information
required
Emre Can SezerComputer Science
Dynamic Monitoring
• Terminology– Monitoring agent is called “agent” for short– The list of memory locations that are being monitored is M.
• Illegal write checking– Capturing of memory writes and set membership checks
• State maintenance– Capturing function calls and returns– Capturing malloc family of function calls– “Points to” tracking for pointers*
• We have written a skin for Valgrind, an open source x86 emulator, for dynamic monitoring
Emre Can SezerComputer Science
System Overview
Emre Can SezerComputer Science
Problems and Solutions
Static Analysis Dynamic Monitoring
Variable names Memory addresses
Line numbers Program counter (PC)
If code is compiled with debug flags, a PC can be translated into a file name and line number.
?
• Static Analysis and Dynamic Monitoring don’t talk the same language
Emre Can SezerComputer Science
Finding variables on memory
• Global variables – Reside in the data segment
– Have fixed addresses
• Local variables – Their addresses depend on the function call stack
– They are defined as offsets from the beginning of the function’s activation record
– Function calls must be monitored at runtime
Emre Can SezerComputer Science
Problem: Good old pointers
• Line 4 is writing to a heap location• How do we monitor and associate with line 4?• Solution:
– For a pointer p, keep two separate WS’s• One for the pointer variable itself WS(p)• Another for the memory region it points to WS(ref(p))
– At runtime determine ref(p) and add WS(ref(p)) to ref(p)’s WS.
1 void main () {2 int * array;3 array = (int *) malloc (10*sizeof(int));4 array[5] = 42;5 }
Emre Can SezerComputer Science
Problem: Good old pointers
• Side benefits– Inter-procedural static analysis is not required.
– Pointer aliasing and arithmetic can be handled.
Emre Can SezerComputer Science
Problem: Good old pointers
• If a function has pointer type formal arguments, we check where they point to at function call time
• In this example, line 2 is added to a’s WS.
•1 int square (int * num) {•2 *num = (*num) * (*num);•3 }
•4 void main () {•5 int a;•6 scanf (“%d”, &a);•7 square (&a);•8 printf (“%d\n”, a);•9 }
Emre Can SezerComputer Science
Problem: Chained Dereferences
• Our current approach cannot handle this situation• Relation between line 4 and var z is lost• Solution:
– Use source code rewriting
– Replace all complex dereferences with simple dereferences by introducing temporary variables
1 int z;2 int * y = &z;3 int ** x = &y;
4 **x = 5;
1 int z;2 int * y = &z;3 int ** x = &y;
4a int * temp1 = *x;4b *temp1 = 5;
Emre Can SezerComputer Science
Problem: Structures
• Not handled in our current implementation• Solution:
– Treat every field of a structure as a separate variable with its own WS
– Instructions operating on a structure variable is added to each field’s WS seperately
struct { int num; char str[4]; } entry;
1 int main () {2 struct entry var;3 strcpy(var.str, "Hello");4 return 0;5 }
struct { int num; char str[4]; } entry;
1 int main() {2 struct entry base;3 struct entry * var = &base;
4 strcpy(var->str, "Hello");
5 }
Emre Can SezerComputer Science
Discussion: Capabilities
• Detects memory corruption errors at the time of write
• Can provide information about:– Instruction causing the error– Variable that was illegitimately written to– Current user stack– The error type (buffer overflow, double free etc.)
Emre Can SezerComputer Science
Discussion: Performance
• No real performance results yet
• Expecting to see 20x slow down
• We keep data structures for each variable, so memory requirement may be high
• Implications?– How much CPU/RAM does a web server use?– How bad is bad? 1% increase 1000% increase?– How does application runtime overhead influence
service?
Emre Can SezerComputer Science
Discussion: Applications
• Attack identification– Use light-weight IPS– Replay attack on instrumented version to identify
attack
• Debugging tool– Testing and debugging usually don’t have lower
performance demands
Computer Science
Memory Level Monitoring for
Detecting Illegal Writes
Ongoing Researchby
Emre Can Sezer