efficient taint analysis using multicore machines milind chabbi dr. gregory andrews and dr. saumya...

Efficient Taint Analysis Using Multicore Machines

Milind Chabbi

Dr. Gregory Andrews and Dr. Saumya Debray

Computer Science Department

University of Arizona

How Often Do You See This?

Problem Statement

• Vulnerabilities and their exploits are ever increasing in the software– CERT Vulnerabilities Statistics show 47x increase in last decade

• Exploits can have devastating effects• Given the complexity of software, it is impossible

to prevent programming defects• State-of-the-art software approaches (e.g

TaintCheck) are effective in detecting exploits, but have excruciating overhead (20-40 times slowdown)

Need to build a secure and efficient computing environment

Road-map

• Classification of Vulnerabilities

• Taint Analysis and Related Work

• Our Approach for Taint Analysis

• Design and Implementation

• Experimental Results

• Conclusion

• Q & A

Types of Vulnerabilities

• Boundary error > 50 %• Input validation error > 40%• Access control error• Authentication error• Configuration error• Exception handling error• Randomization error• Resource error• State error

Boundary ErrorFailure to properly check the length of data

against the size of a data storage object or resource

• Stack-based :• Return address overwrite• Old Base Pointer overwrite• Function Pointer overwrite

• Heap-based :• Function Pointer overwrite • GOT ( Global Offset Table) overwrite• Malloc()/Free() buffer overwrite

Return Address Overwrite

KERNEL

<_libc_start_main + offset>

TEXT

DATA

BSS ( uninilialized data)

foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}HEAP

<Base Pointer of _libc_start_main >BP, SP


KERNEL


TEXT

DATA


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}HEAP

<Base Pointer of _libc_start_main >BP

100SP


KERNEL


TEXT

DATA


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}HEAP


100

SP<main + offset>


KERNEL


TEXT

DATA


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}HEAP


100

SP

<main + offset>

<BP>


KERNEL


TEXT

DATA


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}HEAP

<Base Pointer of _libc_start_main >

100

SP, BP

<main + offset>

<BP>


KERNEL


TEXT

DATA


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}HEAP


BP

100

SP

<main + offset>

<BP>

array[1]

array[0]


KERNEL


TEXT

DATA


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}HEAP


100

SP

<main + offset> TAINTED

array[0]

BP<BP> TAINTED

array[1]


KERNEL


TEXT

DATA


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}HEAP


BP, SP

100


<BP> TAINTED

array[1]

array[0]


KERNEL


TEXT

DATA


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}HEAP


SP

100


<BP> TAINTED

array[1]

array[0]

BP

Heap-Based Function Pointer Overwrite

KERNEL

STACK

TEXT

DATA


Struct heap{

void (*fptr)();

}

Main(){

int * iPtr = malloc(10);

Struct heap * h = malloc(sizeof(Struct heap));

h->fptr = Bar;

read(1, iPtr , 14);

h->fptr();

}

Bar(){

}HEAP

iPtr points here

fptr = Bar

Heap-Based Function Pointer Overwrite

KERNEL

STACK

TEXT

DATA


Struct heap{

void (*fptr)();

}

Main(){



h->fptr = Bar;

read(1, iPtr , 14);

h->fptr();

}

Bar(){

}HEAP

iPtr points here

fptr = TAINTED

Input Validation Error

Failure to verify that user data has legitimate content

• Arguments to Sensitive System Calls like … system(), execve()

• Format String Vulnerability

Format String Vulnerability

Intended use:Foo(){

char buffer[256];

scanf(“%s”,buffer); “Hello World”printf(“%s”,buffer);

}

Vulnerable Use:Foo(){

char buffer[256];

scanf(“%s”,buffer); “Hello World”printf(buffer);

}

Format String Vulnerability

Intended use:Foo(){

char buffer[256];

scanf(“%s”,buffer); “Hello %d World”printf(“%s”,buffer);

}

Vulnerable Use: Foo(){

char buffer[256];

scanf(“%s”,buffer); “Hello %d World”printf(buffer);

}

Common Factor

***A common characteristic of all successful attacks is the ability to change the flow of control by corrupting memory, which lets the attacker execute arbitrary code ***

Taint Analysis

• Counters memory corruption attacks

• Mark external data as suspicious (tainted)

• Track data flow as program executes

• Examine data at possible exploit points

(e.g. control transfers)

• Goals is to keep few false positives or negatives

Static Taint Analysis

1. Source code level analysis

2. Binary level analysis

Good:– No run-time over head

Bad:– Impossible to analyze dynamic features

• Loops, pointers, aliases, etc

– Can have lot of false positives and false negatives

Dynamic Taint Analysis1. Coarse-Grained Approach

Filtering known vulnerabilities in the input

IMB GCC: Local variable reordering

StackGuard : Canary values on stack frame

* Can guard only limited type of vulnerabilities *

2. Fine-grained approachTracking every operation

Fewer/ No false positives

Fewer/ No false negatives

* Potentially High Overhead *

Fine-Grained Taint Analysis• Interpreter-based

TaintCheck : Runs compiled code in emulated mode x86 RISC INSTRUMENT x86 EXECUTE– High overhead due to interpretive execution. ~ 40x

• Architecture-based Each instruction updates a “security tag”

– Needs OS modification, custom hardware support

• Instrumentation-based

Instrumentation-based Taint Analysis

• Program is instrumented to dynamically trace the propagation of taint data

• Requires custom binary rewriting

• Promising because of both static and dynamic analysis

• High scope for optimization

• Instrumentation overhead

• Runtime Tracing overhead

Hardware Trend

• Multicore is common place now

• Sun is already shipping 8-core Niagara chip

• Conventional wisdom is now to double the number of cores on a chip with each silicon generation

• We are clearly moving down the path to 10s,100s or even 1000s of cores

But… Software

• Amdahl’s law of diminishing returns

80x speedup with 100 Processing units

0.25% sequential component!• Software has sequential components• Software is interactive• Multicores/Manycores are only as valuable as the

multithreading software running on them• So…. some cores are idle

Dynamic Taint Analysis Using Multicores

• Use idle cores for taint tracking • Execute taint tracking instructions in parallel

with the actual computation

Simple Illustration

Original computation

while(cond){//computation

}

Taint Analysis:while(cond){

//computation//taint computation.

}

Simple Illustration

Original computation:while(cond){

//computation}

Taint computation:while(cond){ //taint computation.}


while(cond){//computation

}

Simple Illustration


while(cond){//

computation}

Original computation:while(cond){

//computation}

Taint computation:while(cond){ //taint computation.}

30,000FT Overview

• Augment the memory to have a shadow memory such that:

where,

TAG(w) =

• Clone the entire program, run them as two threads• One thread is the original execution• Other thread shadow’s original thread’s execution and does

taint analysis

Mw ')( MwTAG 0 if w is trusted data

1 if w is untrusted data

M 'M

Advantages of Our Approach

• Software based: no custom hardware required

• No source code required• No OS modifications required • Language independent• Dynamic tracking, so has low false

positives and low false negatives• Huge scope for optimizations

Roles and Responsibilities of Shadow

Target Program Tracking

Receive(&a)

b=a

…

Jmp c

Tag(a) = 1 // unsafe data

Tag(b) = Tag(a)

…

If( Tag (c) == 1),

raise alert! Halt

Default : Imitate the control flow of original program

Statically linked x86 relocatable

Disassembler

Control Flow Graph.

Program Cloner

Original program= P

Clonedprogram= Q

Thread Synchronizer

Thread synchronized P = P’

Thread synchronized Q = Q’

Program Analyzer and Instrumenter

Self-protecting x86 executable.

Instrumented P’ = P’’

Taint marker, taint tracker, and exploit detector. = Q’’

Optimizer

Optimally synchronized P’’

Optimally synchronized Q’’

Program Assembler

ArchitectureMemory

Augmenter

CFG + Shadow Momory

KERNEL

STACK

TEXT

DATA


HEAP

Creating Shadow Memory

KERNEL

STACK

TEXT

DATA


HEAP

Creating Shadow MemoryKERNEL

STACK

TEXTDATABSS ( uninilialized data)

HEAP

Shadow Memory


Disassembler

Control Flow Graph.

Program Cloner

Original program= P

Clonedprogram= Q

Thread Synchronizer







Optimizer



Program Assembler

ArchitectureMemory

Augmenter

CFG + Shadow Momory

Shadow Creation by Complete Program Cloning

Function A’

Function B’

Function A

Function B


Disassembler

Control Flow Graph.

Program Cloner

Original program= P

Clonedprogram= Q

Thread Synchronizer







Optimizer



Program Assembler

ArchitectureMemory

Augmenter

CFG + Shadow Momory

Shadow’s Control Flow Imitation

Basic Block A

Basic Block B


Basic Block A’

Basic Block B’

Basic Block A

Basic Block B


global TARGET

Basic Block A’

Basic Block B’

Basic Block A

Basic Block B

Set (TARGET)

While(TARGET);

While(!TARGET);

Reset(TARGET)

While(!TARGET);

Reset(TARGET)

Conditional Branches

global TARGET

Basic Block A’

Basic Block C’

Basic Block AIf cond == TRUE JMP BasicBlock C

Basic Block C

Basic Block B

TARGET = C’

Basic Block B’

while(TARGET);

while(!TARGET);

Local_Target = TARGETReset(TARGET)

if Local_Target == C’ JMP BasicBlock C’

Conditional Branches

global TARGET

Basic Block A’

Basic Block C’

Basic Block AIf cond == TRUE JMP BasicBlock C

Basic Block C

Basic Block B

TARGET = C’

Basic Block B’

while(TARGET);

while(!TARGET);

Local_Target = TARGETReset(TARGET)

if Local_Target == C’ JMP BasicBlock C’

TARGET = B’

while(TARGET);

More Complex Control Structures

• Indirect jumps

• Indirect calls

• Jump tables

With one-to-one mapping between functions, blocks, instructions, and relocations, all of these can be handled.


Disassembler

Control Flow Graph.

Program Cloner

Original program= P

Clonedprogram= Q

Thread Synchronizer







Optimizer



Program Assembler

ArchitectureMemory

Augmenter

CFG + Shadow Momory

Marking Taint Source

• System calls like – Read(), – Recvfrom()

as sources of taint

• After the system call, we definitely know which memory region got tainted

• The shadow DOES NOT make any system call• Other sources of taint include command line

arguments and environment variables

Taint Propagation

1. Copy Propagation : Tainted data is copied from one location to other.

2. Arithmetic Propagation: Tainted data is input operand of a mathematical/logical transformation.

3. Address Propagation: Tainted data can be used to calculate a memory address.

KERNEL

foo()

TEXT

DATA


HEAP

Shadow Memory

foo()’

BP

SP

BP

SP

Run-time View of Modified Program

KERNEL

foo()

TEXT

DATA


HEAP

Shadow Memory

foo()’

BP

SP

BP

SP


bar()

bar()’

Copy Data

Propagate Tag

KERNEL

foo()

TEXT

DATA


HEAP

Shadow Memory

foo()’

BP

SP

BP

SP


bar()

bar()’

Populating Shadow Instructions

Original Computation

Mov %eax, %ebxMov %eax, 0x8(%ebp)Add %eax, 0x8(%ebp)Push %eaxInc %eaxInt 0x80

Shadow Computation

Mov %eax, %ebxMov %eax, 0x8(%ebp)Or %eax, 0x8(%ebp)Push %eaxNoneNone

Populating Shadow Instructions … Indirect memory


Mov %eax, 0x8(%ebx)

Add %eax, 0x8(%edx)

Shadow Computation

Mov %eax, 0x8(%ebx)

Or %eax, 0x8(%edx)


Enque(%ebx)

Mov %eax, 0x8(%ebx)

Enque(%edx)

Add %eax, 0x8(%edx)

Shadow ComputationPush %ebx

Deque(%ebx)

Sub $OFFSET, %ebx

Mov %eax, 0x8(%ebx)

Pop %ebx

Push %edx

Deque(%edx)

Sub $OFFSET, %edx

Or %eax, 0x8(%edx)

Pop %edx

Information Sharing with Shared Buffer


Enque(%ebx)

Mov %eax, 0x8(%ebx)

Enque(%edx)

Shl %eax, 0x8(%edx)

Shadow ComputationPush %ebx

Deque(%ebx)

Sub $OFFSET, %ebx

Mov %eax, 0x8(%ebx)

Pop %ebx

Push %edx

Deque(%edx)

Sub $OFFSET, %edx

Or %eax, 0x8(%edx)

Pop %edx

Information Sharing with Shared Buffer

Guarding Against Exploits

On reaching sensitive program points, Original program waits for the Shadow to do security checks

Example:– Return address

– Indirect jump

– Format string function

– Sensitive system calls

Catching Return Address Overwrite KERNEL


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}


BP

SP

array[1]

array[0]

<main()’s caller >

100

<main()’ + offset>

<BP>

array[1]

array[0]

BP

SP

100

<main + offset>

<BP>

Catching Return Address OverwriteKERNEL


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}


BP

100

SP

<main + offset>

<BP>

array[1]

array[0]


100

TAINTED

TAINTED

TAINTED

TAINTED

BP

SP

Catching Return Address OverwriteKERNEL


foo(int x){

int array[2];

read(1,array,16)

return;

}

main(){

foo(100);

}


BP, SP

100

<main + offset>

<BP>

array[1]

array[0]


100

TAINTED

TAINTED

TAINTED

TAINTED

BP, SP Wait for Shadow to check the tainted ness.

Catching Function Pointer OverwriteKERNEL

STACK

Struct heap{

void (*fptr)();

}

Main(){



h->fptr = Bar;

read(1, iPtr , 14);

h->fptr();

}

Bar(){

}

fPtr = Bar

iPtr

STACK

fPtr’

iPtr’


STACK

Struct heap{

void (*fptr)();

}

Main(){



h->fptr = Bar;

read(1, iPtr , 14);

h->fptr();

}

Bar(){

}

fPtr = Bar

iPtr

STACK

TAINTED

TAINTED


STACK

Struct heap{

void (*fptr)();

}

Main(){



h->fptr = Bar;

read(1, iPtr , 14);

h->fptr();

}

Bar(){

}

fPtr = Bar

iPtr

STACK

TAINTED

TAINTED

Wait for Shadow to check the tainted ness.

Catching Format String Vulnerability

printf(File * fp, char * fmt, …){

if(fmt contains a “%n” that is tainted) then

Flag Warning

}

Vulnerable Use:

Foo(){

char * buffer[256];

scanf(“%s”,buffer);

printf(buffer);

}

0x08 H e l l o % n W o r l dUNTAINTED

TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED

“Hello %nWorld”


Disassembler

Control Flow Graph.

Program Cloner

Original program= P

Clonedprogram= Q

Thread Synchronizer







Optimizer



Program Assembler

ArchitectureMemory

Augmenter

CFG + Shadow Momory

OptimizationReturn Address Checks

Don’t have to check return address overwrite of a function F if:

– The function F by itself has no local variables, and

– No member of the set descendents(F) has local variables.

*Can be extended to functions without arrays.

OptimizationSkipping Function Tracing

A function A when called from function B can be run without tracing if:

– Function A by itself has no store operations.– No member of the set descendents(A) has store

operations.– Function B does not use the return value from function

A for any store operation.*** Classic example strcmp(), strncmp(), memcmp() ****Can be extended to functions that may store to non-arrays

locals.

OptimizationLoop Synchronization

• 80 – 20 rule : Many programs spend most of their time inside loopsLOOP 1:

for( int i = 0; i < n ; i += k ){ array[i] = CONSTANT;

}LOOP 2:

for(int i = 0;read(fd,&ch,1); i+=k){

buffer [i] = ch;}

What Guarantees Can We Make?

Analysis of false negatives:* Can detect all control hijack attacks.* Can detect tainted arguments to sensitive system calls. * Cannot detect Non-control-data attacks that corrupt a variety of

application data .* Cannot stop Denial of Service attacks.

Analysis of false positives:* Intentionally passing user format specifiers to format string handlers. * Intentionally passing user strings to sensitive system calls. * Intentionally executing user injected code.

Security Evaluation

Application Version Vulnerability DetectedFalse

Positive

ATPHttpd 0.4b Stack-based

buffer overflow YES NO

Passlogd 0.1cStack-based


BSD Talkd BSD 2.7 Format String YES NO

BSD Chpass BSD 2.7 Format String YES NO

LibTiff library 3.5.4 Heap-based


Cfingerd 1.4.3 Format String YES NO

Performance Evaluation

Peformance Comparison of ATPhttpd

0

0.02

0.04

0.06

0.08

0.1

0.12

1KB 10KB 20KB 30KB

Page Size in KB

Tim

e i

n S

ec

Time in original execution

Time in instrumented program

HTML PAGE SIZE 1KB 10KB 20KB 30KB

Slowdown ( number of times) 4.03 1.78 1.78 1.48

Effect of OptimizationsPerformace comparison for 30K page

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.45

Originalcomputation

Taint analyserwith no

optimization

Taint analyserwith some

functions nottraced

Taint analysewith relaxed

retrun addresschecks

Taint analyzerwith optimizedhigh frequency

loop

Taint analyzerwith all

optimizations

Tim

e i

n s

ec

ATPHttpd for 30K page

6.3x

5.2x4.7x

2.7x1.5x

Performance of Various Applications

Application30KB page inATPHTTPD

Cfingerdaemon

Libtiff on 2MBfile

Passlogd with1.25KB

download

Gzip with13.6MB file

Slowdown ( number of times) 1.48 5.16 9.24 1.75 1.05

Performance of Applications

0

0.05

0.1

0.15

0.2

0.25

Cfinger daemon 30KB page inATPHTTPD

Libtif f on 2MB file

Application

Tim

e in

Sec

Original programInstrumeneted program

Performance of Applications

0

0.5

1

1.5

2

2.5

3

3.5

4

4.5

5

Gzip w ith 13.6MB file Passlogd w ith 1.25KB dow nload

Application

Tim

e in

Sec

Original programInstrumeneted program

TaintCheck 36x

LIFT 2.97x

Conclusions• Taint tracking task has enough parallelism with the

original computation that it can be delegated to a concurrent thread

• Our approach has shown the overhead reduction from 20-40 times to less than 5 times on an average

• Vulnerability detection using multicore machines has a promising future

• With many cores being the future of hardware, we can always afford to dedicate some cores for taint analysis

• This approach goes a long way to shaping the future of secure and efficient computing

THANKS

Questions ?

Format String Vulnerability …

Format

200

100

“Hello %d World %d ok %d blah! %n”

Caller’s stack frame


Format

200

100

“Hello 200 World %d ok %d blah! %n”



Format

200

100

“Hello 200 World 100 ok %d blah! %n”



Format

200

100

“Hello 200 World 100 ok %d blah! %n”


Password

CPU SPEC2000 INT - Gzip

Performance Comparison for Gzip

0

0.5

1

1.5

2

2.5

400KB 1.2MB 2.4MB 13.6MB

File size

Tim

e i

n S

ec

Time in original Gzip program

Time in instrumented Gzip program

Input file size 400KB 1.2MB 2.4MB 13.6MB 65.4MB

Slowdown ( number of times) 2.65 1.64 1.40 1.05 1.037

Thread Creation

When spawning the shadow thread, the program should have initialized some of its data structures.

( _start, _init)

Initialization has to happen without shadow.

Classic Chicken and Egg Problem

Main() Main()’

_start()

_init()

_start()’

_init()’

Have One More Copy

_start()

_init()

Spawn Main()’’Call Main()’

Main()

Main()’ Main()’’

_start()’

_init()’

_start()’’

_init()’’

Unsynchronized


Synchronized


Taint

Computation

efficient taint analysis using multicore machines milind chabbi dr. gregory andrews and dr. saumya...

Documents

return address

sp slide

length of data

heap bp

heap sp

bar slide

int array2 read1

sp array1 array0 slide