Dec 5, 2007 University of Virginia 1
Efficient Dynamic Tainting using Multiple Cores
Yan Huang
University of Virginia
Dec. 5 2007
Slide 2
…
Memory Allocator
Integer Overflow
SQL Injection
Cross-site Scripting
Format String
Stack Smashing
Common trait: Incorrect use of untrusted resources
Slide 3
Dynamic Tainting (DT)
• Keep track of the source for each byte used in the program
• Shadow Memory
• Taint Seed
• Taint Propagation
• Taint Assert
Slide 4
Illustration – Buffer Overflow
Is the content in this location derived from an untrusted source?
Yes!
Then I won’t jump there. I suspect I’ve been attacked.
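To make the seed/propagate/assert cycle of slides 3 and 4 concrete, here is an added Go example; it is not part of the original talk or of Yan Huang's system. It assumes a constructed toy machine: a 64-byte memory with a one-bit-per-byte shadow memory, a 16-byte stack buffer followed by the saved return address, and a copy from an untrusted source that has no length check. Every name in it (Machine, ReadUntrusted, Ret, TaintViolation, the layout constants) is this example's own.

```go
package main

import "fmt"

// Constructed toy machine layout (this example's own choice):
//   [0..15]  16-byte stack buffer that the vulnerable copy fills
//   [16..19] saved return address, little-endian
const (
	MemSize = 64
	BufBase = 0
	BufSize = 16
	RetSlot = BufBase + BufSize
	SafeRet = 0x00401000 // constructed trusted return target
)

type Machine struct {
	Mem    [MemSize]byte
	Shadow [MemSize]bool // shadow memory: one taint bit per byte
}

// NewMachine models the state just after a call: the return address was
// written by trusted code, so its shadow bits are clear.
func NewMachine() *Machine {
	m := &Machine{}
	m.StoreWord(RetSlot, SafeRet, false)
	return m
}

func (m *Machine) StoreWord(addr int, v uint32, taint bool) {
	for i := 0; i < 4; i++ {
		m.Mem[addr+i] = byte(v >> (8 * i))
		m.Shadow[addr+i] = taint
	}
}

// LoadWord reassembles a word and its taint. Propagation rule: the word is
// tainted if any byte feeding it is tainted.
func (m *Machine) LoadWord(addr int) (uint32, bool) {
	var v uint32
	tainted := false
	for i := 0; i < 4; i++ {
		v |= uint32(m.Mem[addr+i]) << (8 * i)
		tainted = tainted || m.Shadow[addr+i]
	}
	return v, tainted
}

// ReadUntrusted is the taint seed: every byte from the input source is marked.
// The copy has no length check (the bug the illustration relies on); it stops
// only at the end of the toy machine's memory.
func (m *Machine) ReadUntrusted(dst int, input []byte) {
	for i, b := range input {
		if dst+i >= MemSize {
			break
		}
		m.Mem[dst+i] = b
		m.Shadow[dst+i] = true
	}
}

// TaintViolation is what the taint assert raises at an indirect control transfer.
type TaintViolation struct{ Target uint32 }

func (e TaintViolation) Error() string {
	return fmt.Sprintf("refusing to return to %#x: address derived from untrusted input", e.Target)
}

// Ret is the instrumented return: the taint assert runs before the jump.
func (m *Machine) Ret() (uint32, error) {
	target, tainted := m.LoadWord(RetSlot)
	if tainted {
		return 0, TaintViolation{Target: target}
	}
	return target, nil
}

// RunVulnerable copies the input into the 16-byte buffer and then returns.
func RunVulnerable(input []byte) (uint32, error) {
	m := NewMachine()
	m.ReadUntrusted(BufBase, input)
	return m.Ret()
}

func main() {
	over := make([]byte, BufSize) // constructed oversized input
	for i := range over {
		over[i] = 'A'
	}
	over = append(over, 0x78, 0x56, 0x34, 0x12) // spills into the return slot
	for _, in := range [][]byte{[]byte("hello"), over} {
		if target, err := RunVulnerable(in); err != nil {
			fmt.Println("taint assert:", err)
		} else {
			fmt.Printf("returned to %#x\n", target)
		}
	}
}
```

The short input leaves the return slot's shadow bits clear and the return goes through; the oversized input overwrites the slot with tainted bytes, and the assert at `Ret` reports the violation instead of transferring control. Note that the check never looks at the value itself, only at its provenance, which is why the same mechanism covers the other vulnerability classes on slide 2.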
Slide 5
So what’s the problem?
• Dynamic Tainting is also applied to:
– Malware detection
– Ensuring privacy policies
– Software testing
Slide 6
Way too slow!
Better kept out of online usage.
• Traditional dynamic tainting systems incur about 20x ~ 50+x overhead compared to direct execution.
Why is that the case?
Slide 7
add %eax, 4(%ebp)
Imagine how we need to instrument this single instruction
Slide 8

| Tasks | Costs |
| --- | --- |
| Spill a few registers (may include FLAG registers) for taint computation | 2~4 |
| Map %eax to its shadow memory location | 1 |
| Map memory (%ebp) to its shadow memory location | 2 |
| Map FLAG registers to its shadow memory (optional) | 1~2 |
| Load the taint status of the two operands | 2 |
| Compute and store the new taint status in the shadow memory | 1~3 |
| Restore the spilled registers (may include status registers) | 2~4 |
| add %eax, 4(%ebp) | 1 |
| Total | 12~19 |
Slide 9
Our Treatment – Multiple Cores
• Some essential facts
– the tainting computation and the original computation are highly parallelizable.
– taint shepherding itself can also be simpler if it is kept separate from the original computation.
Slide 10
The Basic Model
Main Proc: environment variables, various global tables, runtime stack, heap area, .data section, .bss section, .text section
Shadow Proc: environment variables, various global tables, runtime stack, heap area, .data section, .bss section, .text section
Slide 11
The Basic Model

| Original | Main Proc | Shadow Proc |
| --- | --- | --- |
| add %eax, 4(%ebp) | add %eax, 4(%ebp) | or %eax, 4(%ebp) |
| add %eax, %ebx | add %eax, %ebx | or %eax, %ebx |
| push %eax | push %eax | push %eax |
| add %eax, 4(%ebx) | push %eax; mov %ebx, %eax; call Enqueue; pop %eax; add %eax, 4(%ebx) | push %eax; call Dequeue; mov %eax, %ebx; pop %eax; or %eax, 4(%ebx) |

In the last row the value of %ebx travels from the main process to the shadow process through Queue_m2s; Queue_s2m (optional) carries data in the other direction.
Slide 12
The Basic Model – Quick Recap
(Diagram: main process and shadow process with identical memory layouts, linked by Queue_m2s and the optional Queue_s2m.)
• We have 2 separate processes/threads (main and shadow)
• Main only takes care of original computation
• Shadow only deals with tainting
• They keep similar memory layout
• They communicate via one (or two) dedicated queues
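The split of slides 10 to 12 can be run as an added Go example; it is not the talk's own code and models the main and shadow processes as two goroutines joined by a channel standing in for Queue_m2s. It assumes a constructed mini-ISA with the three instruction shapes from slide 11 plus the register moves needed to write a trace, a word-addressed memory, and a frame pointer that both sides know because they keep the same layout. The names (RunSplit, MainState, ShadowState, DemoTrace) are this example's own.

```go
package main

import (
	"fmt"
	"sync"
)

// Constructed mini-ISA. Memory is word-addressed in this toy, so a displacement
// counts words rather than bytes.
type OpKind int

const (
	AddRegMemEBP OpKind = iota // add %eax, off(%ebp): frame-relative, both procs know %ebp
	AddRegReg                  // add %eax, %ebx
	AddRegMemEBX               // add %eax, off(%ebx): data-dependent address, goes via Queue_m2s
	MovImmEAX                  // mov $imm, %eax: trusted constant, clears taint
	MovImmEBX                  // mov $imm, %ebx
	LoadInputEAX               // mov <untrusted value>, %eax: taint seed
)

type Insn struct {
	Kind OpKind
	Off  int    // displacement for the memory forms
	Imm  uint32 // immediate, or the untrusted input value
}

const MemSize = 256

// MainState is the original computation; it never touches taint.
type MainState struct {
	Eax, Ebx, Ebp uint32
	Mem           [MemSize]uint32
}

// ShadowState holds one taint bit per register and per memory word. It mirrors
// only %ebp, because both processes keep the same stack layout.
type ShadowState struct {
	Eax, Ebx bool
	Ebp      uint32
	Mem      [MemSize]bool
}

// RunSplit executes the same static trace in a main goroutine and a shadow
// goroutine. queueDepth sizes Queue_m2s; 0 turns every enqueue into a
// rendezvous, i.e. the spinning wait that large queue buffers are meant to avoid.
func RunSplit(trace []Insn, ebp uint32, queueDepth int) (*MainState, *ShadowState) {
	m2s := make(chan uint32, queueDepth) // Queue_m2s
	ms := &MainState{Ebp: ebp}
	ss := &ShadowState{Ebp: ebp}
	var wg sync.WaitGroup
	wg.Add(2)

	go func() { // main proc: original computation only
		defer wg.Done()
		defer close(m2s)
		for _, in := range trace {
			switch in.Kind {
			case AddRegMemEBP:
				ms.Mem[int(ms.Ebp)+in.Off] += ms.Eax
			case AddRegReg:
				ms.Ebx += ms.Eax
			case AddRegMemEBX:
				m2s <- ms.Ebx // Enqueue: the shadow cannot derive this address itself
				ms.Mem[int(ms.Ebx)+in.Off] += ms.Eax
			case MovImmEAX, LoadInputEAX:
				ms.Eax = in.Imm
			case MovImmEBX:
				ms.Ebx = in.Imm
			}
		}
	}()

	go func() { // shadow proc: taint propagation only, so add becomes or
		defer wg.Done()
		for _, in := range trace {
			switch in.Kind {
			case AddRegMemEBP:
				a := int(ss.Ebp) + in.Off
				ss.Mem[a] = ss.Mem[a] || ss.Eax
			case AddRegReg:
				ss.Ebx = ss.Ebx || ss.Eax
			case AddRegMemEBX:
				a := int(<-m2s) + in.Off // Dequeue the address the main proc computed
				ss.Mem[a] = ss.Mem[a] || ss.Eax
			case MovImmEAX:
				ss.Eax = false
			case MovImmEBX:
				ss.Ebx = false
			case LoadInputEAX:
				ss.Eax = true // taint seed
			}
		}
	}()

	wg.Wait()
	return ms, ss
}

// DemoTrace is a constructed sequence: untrusted input reaches %eax, a stack
// slot, then %ebx (now a tainted pointer) and the word it points at; a trusted
// constant then reaches another stack slot.
func DemoTrace() []Insn {
	return []Insn{
		{Kind: LoadInputEAX, Imm: 7}, // eax = 7, tainted
		{Kind: AddRegMemEBP, Off: 1}, // mem[ebp+1] += eax
		{Kind: MovImmEBX, Imm: 16},   // ebx = 16
		{Kind: AddRegReg},            // ebx += eax -> 23, tainted
		{Kind: AddRegMemEBX, Off: 1}, // mem[ebx+1] += eax; address 24 sent via the queue
		{Kind: MovImmEAX, Imm: 100},  // eax = 100, untainted
		{Kind: AddRegMemEBP, Off: 2}, // mem[ebp+2] += eax, stays untainted
	}
}

func main() {
	ms, ss := RunSplit(DemoTrace(), 128, 64)
	for _, a := range []int{129, 24, 130} {
		fmt.Printf("mem[%d] = %d tainted=%v\n", a, ms.Mem[a], ss.Mem[a])
	}
}
```

Only the `add %eax, off(%ebx)` form touches the queue: the frame-relative and register-only forms need no synchronization, which is the point of the shadow keeping the same memory layout. Running the trace with `queueDepth` 0 gives the same final state but forces the main process to block at each enqueue until the shadow has caught up.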
Slide 13
Implementation
Slide 14
Program Compiling and Execution Diagram
static: source code → compiler front end → assembly code → compiler back end → binary code
dynamic: binary code → loader → process in execution
Slide 15
Source to Source Static Rewriter (SSSR)
Flow: original source code → SSSR → main proc src code and shadow proc src code → processes in execution
Advantages
– High level program object information available;
– Less dependent on ISA;
– No penalty for run-time code generation;
– Easier to debug;
Disadvantages
– Requiring the application’s source code;
– Hard to deal with low level (hardware related) control;
– Performance dependent on the underlying compiler
Slide 16
Source to Binary Compiler (SBC)
Flow: original source code → SBC → main proc bin code and shadow proc bin code → loader → processes in execution
Advantages
– High level program information available;
– Full control over the binary generation;
– Easy to do low level optimizations;
– Able to follow into statically linked libraries.
Disadvantages
– Requiring the application’s source code;
– ISA dependent implementation;
– Unable to follow through dynamically linked libraries;
– Special care needed to protect the shadow memory;
Slide 17
Binary to Binary Static Rewriter (BBSR)
Flow: original binary code → BBSR → main proc bin code and shadow proc bin code → loader → processes in execution
Advantages
– The rewriting doesn’t incur run-time overhead;
– Doesn’t require the application’s source code;
– Easy to do low level optimizations;
– Able to follow into statically linked libraries;
Disadvantages
– Lacking high level program information for optimization;
– Binary static analysis is hard and even infeasible;
– ISA dependent implementation;
– Unable to follow through dynamically linked libraries;
– Special care needed to protect the shadow memory;
Slide 18
Binary to Binary Dynamic Rewriter (BBDR)
Flow: original binary code → loader → process address space holding the main proc bin code, the shadow proc bin code and the BBDR
Advantages
– Doesn’t require the source code;
– Easy shadow memory protection;
– Able to follow through dynamically linked libraries;
– Dynamic information available for optimization;
– System-wide if BBDR is running underneath the OS;
Disadvantages
– Run-time overhead introduced by the dynamic transformer;
– Lacking high level program information to do optimization;
Slide 19
Quick recap

| | Optimization Opportunity | Static library tracing | Dynamic library tracing | ISA Independent | Shadow memory protection |
| --- | --- | --- | --- | --- | --- |
| source-to-source | √ | × | × | √ | hard |
| source-to-binary | √ | √ | × | × | hard |
| static binary rewriter | × | √ | × | × | hard |
| runtime binary transformer | × | √ | √ | × | intuitive |
Slide 20
Implementation
• Source to binary compiler
– Phoenix
– gcc
• Dynamic binary rewriter
– Strata
– Pin
• An assembly to assembly translator could be reused in both approaches
Slide 21
Optimizations
• Reducing the number of synchronization points
– ignore ‘never-tainted’ memory locations
– ignore checking ‘never-tainted’ return addresses
• Reducing the chance of spinning wait
– large queue buffers
– do taint checking only in the shadow process
– allow the main process to go over less critical points
• Efficient data communication
– put the queue in L2 cache
Slide 22
Evaluation
• Functional evaluation
– Does it really work correctly?
• Performance evaluation
– Is it efficient enough for online deployment?
– Benchmarks
– Real programs
Slide 23
Questions