Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by...

Computer Science

Detecting Memory Access Errorsvia

Illegal Write Monitoring

Ongoing Researchby

Emre Can Sezer

Emre Can SezerComputer Science


Outline

• Quick wrap-up of last semester’s presentation

• Basic design

• Problems and Solutions– Pointers– Structure types

• Discussion– Performance considerations– Applications


Wrap-up of last semester’s talk

• C is not type safe, and continue to have vulnerabilities• Worm outbreaks

– NIDS’s can only detect random scanning worms

– NIDS’s accept a certain number of casualties

• Data attacks evade most HIDS’s• We need a good host-based framework to detect a

broad range of memory corruption attacks


Main Observation with an Illustrative Example

• Line 11 can overflow buffer.• Line 11 should only be writing to buffer.

1 void func () {2 int isAdmin;3 char buffer[255];4 isAdmin = 0;5 if ( check_pssw(buffer) ) {6 isAdmin = 1;7 } else {8 isAdmin = 0;9 }10 …11 scanf (“%s”, buffer);12 …13 if (isAdmin) {…} else {…}14 …15 return;16 }

Ove

rflo

w

Ret. address

Buffer[255]

isAdmin

Activation Record of

func() on stack


Basic Design

• Observation: A memory location is only modified by a small number of instructions.

• Idea: – Select a list of memory locations to monitor

– For every location determine the list of instructions that can modify it, called the memory location’s write set (WS).

– At runtime perform checks to ensure monitored memory locations are only modified by instructions in their WS.

• Implementation has two parts:– Static analysis

– Dynamic monitoring


Static Analysis

• Use source code analysis• For every variable, determine the variable’s WS.

– Assignment instructions where the variable is on the LHS.

– Library function calls in which the variable is used as an argument that the function can modify (i.e. memcpy())

• Current implementation uses Code Surfer• A script automatically extracts all the information

required


Dynamic Monitoring

• Terminology– Monitoring agent is called “agent” for short– The list of memory locations that are being monitored is M.

• Illegal write checking– Capturing of memory writes and set membership checks

• State maintenance– Capturing function calls and returns– Capturing malloc family of function calls– “Points to” tracking for pointers*

• We have written a skin for Valgrind, an open source x86 emulator, for dynamic monitoring


System Overview


Problems and Solutions

Static Analysis Dynamic Monitoring

Variable names Memory addresses

Line numbers Program counter (PC)

If code is compiled with debug flags, a PC can be translated into a file name and line number.

?

• Static Analysis and Dynamic Monitoring don’t talk the same language


Finding variables on memory

• Global variables – Reside in the data segment

– Have fixed addresses

• Local variables – Their addresses depend on the function call stack

– They are defined as offsets from the beginning of the function’s activation record

– Function calls must be monitored at runtime


Problem: Good old pointers

• Line 4 is writing to a heap location• How do we monitor and associate with line 4?• Solution:

– For a pointer p, keep two separate WS’s• One for the pointer variable itself WS(p)• Another for the memory region it points to WS(ref(p))

– At runtime determine ref(p) and add WS(ref(p)) to ref(p)’s WS.

1 void main () {2 int * array;3 array = (int *) malloc (10*sizeof(int));4 array[5] = 42;5 }



• Side benefits– Inter-procedural static analysis is not required.

– Pointer aliasing and arithmetic can be handled.



• If a function has pointer type formal arguments, we check where they point to at function call time

• In this example, line 2 is added to a’s WS.

•1 int square (int * num) {•2 *num = (*num) * (*num);•3 }

•4 void main () {•5 int a;•6 scanf (“%d”, &a);•7 square (&a);•8 printf (“%d\n”, a);•9 }


Problem: Chained Dereferences

• Our current approach cannot handle this situation• Relation between line 4 and var z is lost• Solution:

– Use source code rewriting

– Replace all complex dereferences with simple dereferences by introducing temporary variables

1 int z;2 int * y = &z;3 int ** x = &y;

4 **x = 5;

1 int z;2 int * y = &z;3 int ** x = &y;

4a int * temp1 = *x;4b *temp1 = 5;


Problem: Structures

• Not handled in our current implementation• Solution:

– Treat every field of a structure as a separate variable with its own WS

– Instructions operating on a structure variable is added to each field’s WS seperately

struct { int num; char str[4]; } entry;

1 int main () {2 struct entry var;3 strcpy(var.str, "Hello");4 return 0;5 }

struct { int num; char str[4]; } entry;

1 int main() {2 struct entry base;3 struct entry * var = &base;

4 strcpy(var->str, "Hello");

5 }


Discussion: Capabilities

• Detects memory corruption errors at the time of write

• Can provide information about:– Instruction causing the error– Variable that was illegitimately written to– Current user stack– The error type (buffer overflow, double free etc.)


Discussion: Performance

• No real performance results yet

• Expecting to see 20x slow down

• We keep data structures for each variable, so memory requirement may be high

• Implications?– How much CPU/RAM does a web server use?– How bad is bad? 1% increase 1000% increase?– How does application runtime overhead influence

service?


Discussion: Applications

• Attack identification– Use light-weight IPS– Replay attack on instrumented version to identify

attack

• Debugging tool– Testing and debugging usually don’t have lower

performance demands

Computer Science

Memory Level Monitoring for

Detecting Illegal Writes

Ongoing Researchby

Emre Can Sezer

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by...

Documents

Transcript of Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by...