effective memory protection using dynamic tainting (ase 2007)
TRANSCRIPT
![Page 1: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/1.jpg)
College of ComputingGeorgia Institute of Technology
Supported in part by:NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech,
DHS and US Air Force Contract No. FA8750-05-2-0214
Effective Memory ProtectionUsing Dynamic Tainting
Ioannis DoudalisMilos Prvulovic
(hardware)
James ClauseAlessandro Orso
(software)
and
![Page 2: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/2.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
![Page 3: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/3.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
![Page 4: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/4.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
![Page 5: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/5.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
![Page 6: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/6.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
![Page 7: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/7.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
![Page 8: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/8.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
![Page 9: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/9.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n: 3
![Page 10: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/10.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n: 3
![Page 11: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/11.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n: 3
![Page 12: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/12.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n: 3
![Page 13: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/13.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
9
3
0
![Page 14: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/14.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
9
8
2
3
2
![Page 15: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/15.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
i <= n ➜ i < n
buf:
np:
i:
n:
9
8
2
3
2
![Page 16: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/16.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
9
8
2
3
2
![Page 17: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/17.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
9
8
2
3
2
![Page 18: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/18.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
9
8
2
3
3
7
![Page 19: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/19.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
9
8
2
3
3
7
![Page 20: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/20.jpg)
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
Illegal memory accesses (IMA)Memory
buf:
np:
i:
n:
9
8
2
3
3
7
Illegal memory accesses
• Caused by common programming mistakes
• Cause non-deterministic failures
• Cause security vulnerabilities
![Page 21: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/21.jpg)
Previous workStatic techniques
•Language basede.g., Jim et al. 02, Necula et al. 05
•Analysis basede.g., Dor et al. 03, Hallem et al. 02, Heine and Lam 03, Xie et al. 03
Dynamic techniques
•Analysis basede.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xu et al. 04, Hastings and Joyce 92, Seward and Nethercote 05
•Hardware basede.g., Qin et al. 05, Venkataramani et al. 07, Crandall and Chong 04, Dalton et al. 07, Vachharajani et al. 04
![Page 22: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/22.jpg)
Previous workStatic techniques
•Language basede.g., Jim et al. 02, Necula et al. 05
•Analysis basede.g., Dor et al. 03, Hallem et al. 02, Heine and Lam 03, Xie et al. 03
Dynamic techniques
•Analysis basede.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xu et al. 04, Hastings and Joyce 92, Seward and Nethercote 05
•Hardware basede.g., Qin et al. 05, Venkataramani et al. 07, Crandall and Chong 04, Dalton et al. 07, Vachharajani et al. 04
}Require source code
![Page 23: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/23.jpg)
Previous workStatic techniques
•Language basede.g., Jim et al. 02, Necula et al. 05
•Analysis basede.g., Dor et al. 03, Hallem et al. 02, Heine and Lam 03, Xie et al. 03
Dynamic techniques
•Analysis basede.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xu et al. 04, Hastings and Joyce 92, Seward and Nethercote 05
•Hardware basede.g., Qin et al. 05, Venkataramani et al. 07, Crandall and Chong 04, Dalton et al. 07, Vachharajani et al. 04
}}
Require source code
Unacceptable overhead
![Page 24: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/24.jpg)
Previous workStatic techniques
•Language basede.g., Jim et al. 02, Necula et al. 05
•Analysis basede.g., Dor et al. 03, Hallem et al. 02, Heine and Lam 03, Xie et al. 03
Dynamic techniques
•Analysis basede.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xu et al. 04, Hastings and Joyce 92, Seward and Nethercote 05
•Hardware basede.g., Qin et al. 05, Venkataramani et al. 07, Crandall and Chong 04, Dalton et al. 07, Vachharajani et al. 04
}}
Require source code
Unacceptable overhead
} Extensive modification
![Page 25: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/25.jpg)
Previous workStatic techniques
•Language basede.g., Jim et al. 02, Necula et al. 05
•Analysis basede.g., Dor et al. 03, Hallem et al. 02, Heine and Lam 03, Xie et al. 03
Dynamic techniques
•Analysis basede.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xu et al. 04, Hastings and Joyce 92, Seward and Nethercote 05
•Hardware basede.g., Qin et al. 05, Venkataramani et al. 07, Crandall and Chong 04, Dalton et al. 07, Vachharajani et al. 04
}}
Require source code
Unacceptable overhead
We define our approach to overcome these limitations
• Operate at the binary level
• Use hardware to reduce overhead
• Minimal, practical modifications
} Extensive modification
![Page 26: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/26.jpg)
Approach overview
![Page 27: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/27.jpg)
1 Assign
taint marks
Approach overview
![Page 28: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/28.jpg)
1 Assign
taint marks
Approach overview
P1
A
![Page 29: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/29.jpg)
P1
1
A
1
1 Assign
taint marks
Approach overview
![Page 30: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/30.jpg)
1 Assign
taint marks
Approach overview
P1
P2
1
2
AB
12
![Page 31: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/31.jpg)
1 Assign
taint marks
Approach overview
P3
P1
P2
3
1
2
AC B
123
![Page 32: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/32.jpg)
1 Assign
taint marks
Approach overview
P3
P1
P2
3
1
2P5
AC B
123
P4
![Page 33: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/33.jpg)
1 Assign
taint marks
Approach overview
2 Propagate
taint marks
P3
P1
P2
3
1
2P5
AC B
123
P4
![Page 34: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/34.jpg)
1 Assign
taint marks
Approach overview
2 Propagate
taint marks
P3
P1
P2
3
1
2P5
AC B
123
P4
![Page 35: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/35.jpg)
1 Assign
taint marks
Approach overview
2 Propagate
taint marks
P3
P1
P2
3
1
2P5
3
AC B
123
P4
1
![Page 36: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/36.jpg)
1 Assign
taint marks
Approach overview
3 Check
taint marks
2 Propagate
taint marks
P3
P1
P2
3
1
2P5
3
AC B
123
P4
1
![Page 37: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/37.jpg)
1 Assign
taint marks
Approach overview
3 Check
taint marks
2 Propagate
taint marks
P3
P1
P2
3
1
2P5
3
AC B
123
P4
1
![Page 38: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/38.jpg)
1 Assign
taint marks
Approach overview
3 Check
taint marks
2 Propagate
taint marks
P3
P1
P2
3
1
2P5
3
AC B
123
P4
1
![Page 39: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/39.jpg)
1 Assign
taint marks
Approach overview
3 Check
taint marks
2 Propagate
taint marks
P3
P1
P2
3
1
2P5
3
AC B
123
P4
1
✔
![Page 40: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/40.jpg)
1 Assign
taint marks
Approach overview
3 Check
taint marks
2 Propagate
taint marks
P3
P1
P2
3
1
2
AC B
123
P4
P5
3
1
![Page 41: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/41.jpg)
1 Assign
taint marks
Approach overview
3 Check
taint marks
2 Propagate
taint marks
P3
P1
P2
3
1
2
AC B
123
P4
P5
3
1
![Page 42: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/42.jpg)
1 Assign
taint marks
Approach overview
3 Check
taint marks
2 Propagate
taint marks
P3
P1
P2
3
1
2
AC B
123
P4
✘
P5
3
1
![Page 43: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/43.jpg)
Outline• Our approach
1. Assigning taint marks
2. Propagating taint marks
3. Checking taint marks
• Empirical evaluation
• Conclusions
![Page 44: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/44.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
43
21
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:
4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
43
21
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:
4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
![Page 45: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/45.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
![Page 46: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/46.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
![Page 47: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/47.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
{
[&np, &np + sizeof(int *))
![Page 48: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/48.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
![Page 49: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/49.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
32
1
![Page 50: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/50.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
43
21
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:
4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
43
21
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:
4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
![Page 51: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/51.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
buf:
np:
i:
n:4
32
1
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
32
1
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
![Page 52: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/52.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
buf:
np:
i:
n:4
32
1
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
32
1
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
address-of operator (&)
![Page 53: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/53.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
buf:
np:
i:
n:4
32
1
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
32
1
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
![Page 54: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/54.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
buf:
np:
i:
n:4
32
1
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
32
1
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
32
1
![Page 55: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/55.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
buf:
np:
i:
n:4
32
1
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
32
1
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
![Page 56: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/56.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
43
21
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:
4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
43
21
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:
4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
![Page 57: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/57.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
![Page 58: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/58.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
buf:
np:
i:
n:4
2
32
1
3
![Page 59: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/59.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
buf:
np:
i:
n:4
2
32
1
3
[ret, ret + arg0)
{
![Page 60: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/60.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
buf:
np:
i:
n:4
2
32
1
3
![Page 61: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/61.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
buf:
np:
i:
n:4
2
32
15
55
3
![Page 62: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/62.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
43
21
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:
4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
43
21
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:
4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
![Page 63: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/63.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
![Page 64: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/64.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
return value of malloc
![Page 65: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/65.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
![Page 66: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/66.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
buf:
np:
i:
n:4
2
32
15
55
3
![Page 67: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/67.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
![Page 68: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/68.jpg)
Memory Pointers
1 Assigning taint marksSt
atic
Dyn
amic
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
43
21
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:
4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Static memory allocations
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
43
21
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to statically allocated memory
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
1Identify the ranges of allocated memory
2Assign a unique taint mark to each range
buf:
np:
i:
n:
4
2
32
1
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Dynamic memory allocations
1Identify pointer creation sites
2Assign the pointer the same taint mark as the memory it points to
buf:
np:
i:
n:
4
2
32
15
55
3
void main() {
int *np, n, i, *buf;
np = &n;
printf(“Enter size: “);
scanf(“%d”, np);
buf = malloc(n * sizeof(int));
for(i = 0; i <= n; i++)
*(buf + i) = rand()%10;
...
}
Pointers to dynamically allocated memory
![Page 69: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/69.jpg)
AND
Addition, Subtraction
Overview
Propagating taint marks2
Multiplication, Division,OR, XOR
Overview
P1
1
P2
![Page 70: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/70.jpg)
AND
Addition, Subtraction
Overview
Propagating taint marks2
Multiplication, Division,OR, XOR
Overview +, −, ×, ÷,
and, or, xor,
...
P1
1
P2
![Page 71: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/71.jpg)
AND
Addition, Subtraction
Overview
Propagating taint marks2
Multiplication, Division,OR, XOR
Overview +, −, ×, ÷,
and, or, xor,
...
P1
1
P2
Should the result be tainted?If so, how?
![Page 72: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/72.jpg)
AND
Addition, Subtraction
Overview
Propagating taint marks2
Multiplication, Division,OR, XOR
Overview
• Propagation must take into account both operation semantics and programmer intent
+, −, ×, ÷,
and, or, xor,
...
P1
1
P2
Should the result be tainted?If so, how?
![Page 73: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/73.jpg)
AND
Addition, Subtraction
Overview
Propagating taint marks2
Multiplication, Division,OR, XOR
Overview
• Propagation must take into account both operation semantics and programmer intent
• Our policy is based on knowledge of C/C++/assembly and patterns observed in real software
+, −, ×, ÷,
and, or, xor,
...
P1
1
P2
Should the result be tainted?If so, how?
![Page 74: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/74.jpg)
AND
Addition, Subtraction
Overview
Propagating taint marks2
Multiplication, Division,OR, XOR
Addition, Subtraction
A +/− B = CA B C
Most common use of addition and subtraction is to add or subtract a
pointer and an offset
1 1
1 /1no
taint...
![Page 75: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/75.jpg)
AND
Addition, Subtraction
Overview
Propagating taint marks2
Multiplication, Division,OR, XOR
AND The result of anding a pointer and a mask should be treated differently
depending on the value of the mask
c = a & 0xffffff00 - base addressc = a & 0x000000ff - offset
A & B = CA B C
1 or1no
taint...
![Page 76: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/76.jpg)
AND
Addition, Subtraction
Overview
Propagating taint marks2
Multiplication, Division,OR, XOR
Multiplication, Division,OR, XOR
We found zero cases where the result of any of these operations
was a pointer
![Page 77: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/77.jpg)
Checking taint marksWhen memory is accessed through a pointer:
compare the memory taint mark and the pointer taint mark
3
Pointer Memory IMA?
no
yes
yes
yes
yes
1
2 2
2
3
3
![Page 78: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/78.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
![Page 79: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/79.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
![Page 80: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/80.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
![Page 81: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/81.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
i:
n:
43
21
![Page 82: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/82.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
i:
n:
43
21
![Page 83: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/83.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
i:
n:
42
32
1
![Page 84: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/84.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
i:
n:
42
32
1
![Page 85: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/85.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
i:
n:
42
32
1
![Page 86: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/86.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
i:
n:
42
32
1
✔
![Page 87: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/87.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
i:
n:
42
32
1
![Page 88: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/88.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
i:
n:
42
32
1
3
![Page 89: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/89.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
i:
n:
42
32
1
3
![Page 90: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/90.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
5
i:
n:
42
32
15
55
3
![Page 91: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/91.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
5
i:
n:
42
32
15
55
3
![Page 92: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/92.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
5
i:
n:
42
32
15
55
3
0
![Page 93: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/93.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
+ =5 5
buf:
np:
5
i:
n:
42
32
15
55
3
0
![Page 94: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/94.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
+ =5 5
buf:
np:
5
i:
n:
42
32
15
55
3
0✔
![Page 95: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/95.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
5
i:
n:
42
32
15
55
3
0
![Page 96: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/96.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
5
i:
n:
42
32
15
55
9
3
0
![Page 97: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/97.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
5
i:
n:
42
32
15
55
9
8
2
3
2
![Page 98: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/98.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
5
i:
n:
42
32
15
55
9
8
2
3
2
![Page 99: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/99.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
5
i:
n:
42
32
15
55
9
8
2
3
3
+ =5 5
![Page 100: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/100.jpg)
Preventing IMAs
void main() {1. int *np, n, i, *buf;
2. np = &n;
3. printf(“Enter size: “);4. scanf(“%d”, np);
5. buf = malloc(n * sizeof(int));
6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10; ...}
buf:
np:
5
i:
n:
42
32
15
55
9
8
2
3
3
+ =5 5
✘
![Page 101: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/101.jpg)
Limiting the number of taint marks
An unlimited number of taint marks makes a hardware implementation infeasible
• increases the overhead (time and space)
• complicates the design
![Page 102: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/102.jpg)
Limiting the number of taint marks
An unlimited number of taint marks makes a hardware implementation infeasible
• increases the overhead (time and space)
• complicates the design
➡ Assign taint marks from a limited, reusable pool
![Page 103: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/103.jpg)
Effects on the approach
With an random assignment of n taint marks the detection probability is:
IMAs are detected probabilistically
p = 1� 1n
![Page 104: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/104.jpg)
Effects on the approach
With an random assignment of n taint marks the detection probability is:
IMAs are detected probabilistically
2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6%
p = 1� 1n
![Page 105: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/105.jpg)
Effects on the approach
With an random assignment of n taint marks the detection probability is:
1. The technique can be tuned by increasing or decreasing the number of taint marks
IMAs are detected probabilistically
2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6%
p = 1� 1n
![Page 106: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/106.jpg)
Effects on the approach
With an random assignment of n taint marks the detection probability is:
1. The technique can be tuned by increasing or decreasing the number of taint marks
2. In practice the approach is successful with only a small number (2) of taint marks
IMAs are detected probabilistically
2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6%
p = 1� 1n
![Page 107: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/107.jpg)
Empirical evaluation
RQ1: Is the efficiency of our approach sufficient for it to be applied to deployed software?
RQ2: What is the effectiveness of our technique when using limited number of taint marks?
![Page 108: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/108.jpg)
RQ1: experimental method
• Hardware implementation
• Cycle accurate simuator (SESC)
• Treat taint marks as first class citizens
• Subjects
• SPEC CPU2000 benchmark (12 applications)
• Calculate the overhead imposed by our approach for each subject application
![Page 109: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/109.jpg)
RQ1: experimental method
• Hardware implementation
• Cycle accurate simuator (SESC)
• Treat taint marks as first class citizens
• Subjects
• SPEC CPU2000 benchmark (12 applications)
• Calculate the overhead imposed by our approach for each subject application
Current implementation assigns taint marks only to dynamically allocated memory, but propagation and
checking are fully implemented
![Page 110: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/110.jpg)
RQ1: results
0
5
10
15
20
25
30
bzip2
craft
yeo
nga
p gcc
gzip mcf
parse
r
perlb
mktw
olf
vorte
xvp
r
avera
ge
% o
verh
ead
(tim
e)
2 marks8 marks16 marks256 marks
![Page 111: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/111.jpg)
RQ1: results
0
5
10
15
20
25
30
bzip2
craft
yeo
nga
p gcc
gzip mcf
parse
r
perlb
mktw
olf
vorte
xvp
r
avera
ge
% o
verh
ead
(tim
e)
2 marks8 marks16 marks256 marks
• Even with 256 marks, the average overhead is in the single digits
![Page 112: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/112.jpg)
RQ1: results
0
5
10
15
20
25
30
bzip2
craft
yeo
nga
p gcc
gzip mcf
parse
r
perlb
mktw
olf
vorte
xvp
r
avera
ge
% o
verh
ead
(tim
e)
2 marks8 marks16 marks256 marks
• All attacks were detected with two taint marks
• Even with 256 marks, the average overhead is in the single digits
![Page 113: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/113.jpg)
RQ1: results
0
5
10
15
20
25
30
bzip2
craft
yeo
nga
p gcc
gzip mcf
parse
r
perlb
mktw
olf
vorte
xvp
r
avera
ge
% o
verh
ead
(tim
e)
2 marks8 marks16 marks256 marks
• All attacks were detected with two taint marks
• Software-only implementations impose two orders of magnitude more overhead
• Even with 256 marks, the average overhead is in the single digits
![Page 114: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/114.jpg)
RQ2: experimental method
• Software implementation
• Binary instrumenter (Pin)
• Use instrumentation to assign, propagate, and check taint marks
• Subjects
• SPEC CPU2000 benchmark (12 applications)
• 5 applications with 7 known IMAs
• Run both each applications protected by our software implementation and check that only the known illegal memory accesses are detected (5 times)
![Page 115: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/115.jpg)
RQ2: resultsApplication IMA location Type Detected
bc-1.06 more_arrays: 177 buffer overflow ✔ (5/5)
bc-1.06 lookup: 577 buffer overflow ✔ (5/5)
gnupg-1.4.4 parse_comment: 2095 integer overflow ✔ (5/5)
mutt-1.4.2.li utf8_to_utf7: 199 buffer overflow ✔ (5/5)
php-5.2.0 php_char_to_str_ex: 3152 integer overflow ✔ (5/5)
pine-4.44 rfc882_cat: 260 buffer overflow ✔ (5/5)
squid-2.3 ftpBuildTitleUrl: 1024 buffer overflow ✔ (5/5)
Applications with known IMAs
![Page 116: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/116.jpg)
RQ2: resultsApplication IMA location Type Detected
bc-1.06 more_arrays: 177 buffer overflow ✔ (5/5)
bc-1.06 lookup: 577 buffer overflow ✔ (5/5)
gnupg-1.4.4 parse_comment: 2095 integer overflow ✔ (5/5)
mutt-1.4.2.li utf8_to_utf7: 199 buffer overflow ✔ (5/5)
php-5.2.0 php_char_to_str_ex: 3152 integer overflow ✔ (5/5)
pine-4.44 rfc882_cat: 260 buffer overflow ✔ (5/5)
squid-2.3 ftpBuildTitleUrl: 1024 buffer overflow ✔ (5/5)
Applications with known IMAs
All attacks were detected with two taint marks
![Page 117: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/117.jpg)
RQ2: resultsApplication IMA location Type Detected
bc-1.06 more_arrays: 177 buffer overflow ✔ (5/5)
bc-1.06 lookup: 577 buffer overflow ✔ (5/5)
gnupg-1.4.4 parse_comment: 2095 integer overflow ✔ (5/5)
mutt-1.4.2.li utf8_to_utf7: 199 buffer overflow ✔ (5/5)
php-5.2.0 php_char_to_str_ex: 3152 integer overflow ✔ (5/5)
pine-4.44 rfc882_cat: 260 buffer overflow ✔ (5/5)
squid-2.3 ftpBuildTitleUrl: 1024 buffer overflow ✔ (5/5)
Application IMA location Type Detected
vortex SendMsg: 279null-pointerdereference
✔ (5/5)
Applications with known IMAs
SPEC Benchmarks (“IMA free”)
All attacks were detected with two taint marks
![Page 118: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/118.jpg)
Future work
• Complete implementation that handles static memory
• Additional experiments with a wider range of IMAs
• Further optimization of the hardware implementation
![Page 119: Effective Memory Protection Using Dynamic Tainting (ASE 2007)](https://reader034.vdocument.in/reader034/viewer/2022052507/558432bad8b42ac0658b5288/html5/thumbnails/119.jpg)
Conclusions• Definition of an approach for preventing illegal
memory accesses in deployed software
• uses dynamic taint analysis to protect memory
• uses probabilistic detection to achieve acceptable overhead
• Empirical evaluation showing that the approach
• is effective at detecting IMA in real applications
• can be implemented efficiently in hardware