Computer Science
Detecting Memory Access Errors via Illegal Write Monitoring
Ongoing Research by Emre Can Sezer
Outline
• Quick wrap-up of last semester’s presentation
• Basic design
• Problems and Solutions
  – Pointers
  – Structure types
• Discussion
  – Performance considerations
  – Applications
Wrap-up of last semester’s talk
• C is not type safe, and C programs continue to have vulnerabilities
• Worm outbreaks
  – NIDSs can only detect random scanning worms
  – NIDSs accept a certain number of casualties
• Data attacks evade most HIDSs
• We need a good host-based framework to detect a broad range of memory corruption attacks
Main Observation with an Illustrative Example
• Line 11 can overflow buffer.
• Line 11 should only be writing to buffer.

    1  void func () {
    2      int isAdmin;
    3      char buffer[255];
    4      isAdmin = 0;
    5      if ( check_pssw(buffer) ) {
    6          isAdmin = 1;
    7      } else {
    8          isAdmin = 0;
    9      }
    10     …
    11     scanf ("%s", buffer);
    12     …
    13     if (isAdmin) {…} else {…}
    14     …
    15     return;
    16 }

[Figure: activation record of func() on the stack, with Ret. address, Buffer[255] and isAdmin; labelled "Overflow"]
Basic Design
• Observation: A memory location is only modified by a small number of instructions.
• Idea:
  – Select a list of memory locations to monitor
  – For every location, determine the list of instructions that can modify it, called the memory location’s write set (WS).
  – At runtime, perform checks to ensure monitored memory locations are only modified by instructions in their WS.
• Implementation has two parts:
  – Static analysis
  – Dynamic monitoring
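
The write-set check applied to the func() example above, as an added illustration in C rather than code from the slides or the Valgrind skin. The struct frame layout, the function names, and the write sets WS(buffer) = {11} and WS(isAdmin) = {4, 6, 8} (read off the listing's assignments) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry of M: a monitored location and its write set (WS) of source lines. */
struct monitored {
    const char *name; uintptr_t start; size_t len;
    int ws[4]; int ws_len;
};
/* Constructed stand-in for func()'s locals; real frame layout is compiler-dependent. */
struct frame { char buffer[255]; int isAdmin; };

/* Return the first monitored location overlapped by the write [addr, addr+len)
 * whose WS does not contain `line`, or NULL if the write is legal. */
static const struct monitored *check_write(const struct monitored *m, size_t n,
                                           uintptr_t addr, size_t len, int line)
{
    for (size_t i = 0; i < n; i++) {
        if (addr >= m[i].start + m[i].len || addr + len <= m[i].start)
            continue;                       /* write does not touch m[i] */
        int allowed = 0;
        for (int j = 0; j < m[i].ws_len; j++)
            allowed |= (m[i].ws[j] == line);
        if (!allowed)
            return &m[i];
    }
    return NULL;
}

/* Verdict for a write of `len` bytes at frame offset `off` issued by source
 * line `line`: name of the illegally written variable, or NULL if legal. */
const char *agent_verdict(int line, size_t off, size_t len)
{
    static struct frame f;
    uintptr_t base = (uintptr_t)&f;
    const struct monitored M[] = {
        { "buffer",  base + offsetof(struct frame, buffer),  sizeof f.buffer,  {11},      1 },
        { "isAdmin", base + offsetof(struct frame, isAdmin), sizeof f.isAdmin, {4, 6, 8}, 3 },
    };
    const struct monitored *hit = check_write(M, 2, base + off, len, line);
    return hit ? hit->name : NULL;
}

int main(void)
{
    const char *v = agent_verdict(11, 0, 301);  /* 300 chars + NUL from buffer[0] */
    printf("line 11, 301 bytes: %s\n", v ? v : "legal");
    return 0;
}
```

On a typical ABI where int is 4-byte aligned, a 256-byte write from line 11 runs one byte past buffer but lands in padding and is reported as legal: the check flags writes to monitored locations, not out-of-bounds accesses as such.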
Static Analysis
• Use source code analysis
• For every variable, determine the variable’s WS.
  – Assignment instructions where the variable is on the LHS.
  – Library function calls in which the variable is used as an argument that the function can modify (e.g. memcpy())
• Current implementation uses CodeSurfer
• A script automatically extracts all the information required
Dynamic Monitoring
• Terminology
  – Monitoring agent is called “agent” for short
  – The list of memory locations that are being monitored is M.
• Illegal write checking
  – Capturing of memory writes and set membership checks
• State maintenance
  – Capturing function calls and returns
  – Capturing malloc family of function calls
  – “Points to” tracking for pointers*
• We have written a skin for Valgrind, an open source x86 emulator, for dynamic monitoring
System Overview
Problems and Solutions
| Static Analysis | Dynamic Monitoring |
| --- | --- |
| Variable names | Memory addresses |
| Line numbers | Program counter (PC) |

If code is compiled with debug flags, a PC can be translated into a file name and line number.
?
• Static Analysis and Dynamic Monitoring don’t talk the same language
Finding variables in memory
• Global variables
  – Reside in the data segment
  – Have fixed addresses
• Local variables
  – Their addresses depend on the function call stack
  – They are defined as offsets from the beginning of the function’s activation record
  – Function calls must be monitored at runtime
Problem: Good old pointers
• Line 4 is writing to a heap location
• How do we monitor it and associate it with line 4?
• Solution:
  – For a pointer p, keep two separate WS’s
    • One for the pointer variable itself, WS(p)
    • Another for the memory region it points to, WS(ref(p))
  – At runtime determine ref(p) and add WS(ref(p)) to ref(p)’s WS.

    1  void main () {
    2      int * array;
    3      array = (int *) malloc (10*sizeof(int));
    4      array[5] = 42;
    5  }
Problem: Good old pointers
• Side benefits
  – Inter-procedural static analysis is not required.
  – Pointer aliasing and arithmetic can be handled.
Problem: Good old pointers
• If a function has pointer type formal arguments, we check where they point to at function call time
• In this example, line 2 is added to a’s WS.

    1  int square (int * num) {
    2      *num = (*num) * (*num);
    3  }
    4  void main () {
    5      int a;
    6      scanf ("%d", &a);
    7      square (&a);
    8      printf ("%d\n", a);
    9  }
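
The call-time points-to update described above, sketched for the square() example; this is an added example, not code from the slides or the Valgrind skin. The struct region layout, the function names and the use of source line numbers as instruction identifiers are assumptions, as is WS(a) = {6} for the scanf() call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_WS 8
/* A monitored region and the source lines currently allowed to write it. */
struct region { uintptr_t start; size_t len; int ws[MAX_WS]; int n; };

static int may_write(const struct region *r, int line)
{
    for (int i = 0; i < r->n; i++)
        if (r->ws[i] == line) return 1;
    return 0;
}

/* Points-to update: a pointer now holds `target`, so merge WS(ref(p)) into the
 * WS of the region it refers to. Returns that region, or NULL if unmonitored. */
static struct region *bind_ref(struct region *m, size_t count, uintptr_t target,
                               const int *ws_ref, int ws_ref_n)
{
    for (size_t i = 0; i < count; i++) {
        if (target < m[i].start || target >= m[i].start + m[i].len)
            continue;
        for (int j = 0; j < ws_ref_n; j++)
            if (!may_write(&m[i], ws_ref[j]) && m[i].n < MAX_WS)
                m[i].ws[m[i].n++] = ws_ref[j];
        return &m[i];
    }
    return NULL;
}

/* square() example: may line 2 write `a` before (call_seen = 0) or after
 * (call_seen = 1) the agent has processed the call on line 7? */
int line2_may_write_a(int call_seen)
{
    int a = 0;
    struct region M[] = { { (uintptr_t)&a, sizeof a, {6}, 1 } }; /* WS(a) = {6} */
    const int ws_ref_num[] = { 2 };                       /* WS(ref(num)) = {2} */
    if (call_seen)
        bind_ref(M, 1, (uintptr_t)&a, ws_ref_num, 1);     /* line 7: num = &a */
    return may_write(&M[0], 2);
}

int main(void)
{
    printf("before call: %d, after call: %d\n", line2_may_write_a(0), line2_may_write_a(1));
    return 0;
}
```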
Problem: Chained Dereferences
• Our current approach cannot handle this situation
• Relation between line 4 and var z is lost
• Solution:
  – Use source code rewriting
  – Replace all complex dereferences with simple dereferences by introducing temporary variables

Original:

    1  int z;
    2  int * y = &z;
    3  int ** x = &y;
    4  **x = 5;

Rewritten:

    1  int z;
    2  int * y = &z;
    3  int ** x = &y;
    4a int * temp1 = *x;
    4b *temp1 = 5;
Problem: Structures
• Not handled in our current implementation
• Solution:
  – Treat every field of a structure as a separate variable with its own WS
  – Instructions operating on a structure variable are added to each field’s WS separately

    #include <string.h>

    struct entry { int num; char str[4]; };

    /* Field written directly through the structure variable */
    int main () {
        struct entry var;
        strcpy(var.str, "Hello");   /* "Hello" needs 6 bytes; str holds 4 */
        return 0;
    }

    #include <string.h>

    struct entry { int num; char str[4]; };

    /* Same field written through a pointer to the structure */
    int main() {
        struct entry base;
        struct entry * var = &base;
        strcpy(var->str, "Hello");
    }
Discussion: Capabilities
• Detects memory corruption errors at the time of write
• Can provide information about:
  – Instruction causing the error
  – Variable that was illegitimately written to
  – Current user stack
  – The error type (buffer overflow, double free, etc.)
Discussion: Performance
• No real performance results yet
• Expecting to see 20x slowdown
• We keep data structures for each variable, so memory requirement may be high
• Implications?
  – How much CPU/RAM does a web server use?
  – How bad is bad? 1% increase? 1000% increase?
  – How does application runtime overhead influence service?
Discussion: Applications
• Attack identification
  – Use light-weight IPS
  – Replay attack on instrumented version to identify attack
• Debugging tool
  – Testing and debugging usually don’t have lower performance demands
Computer Science
Memory Level Monitoring for Detecting Illegal Writes
Ongoing Research by Emre Can Sezer