Memory protection using dynamic tainting

Presentation on Topic “Effective memory protection using Dynamic tainting”

Transcript of Memory protection using dynamic tainting

Page 1: Memory protection using dynamic tainting

Presentation on Topic “Effective memory protection using Dynamic tainting”

Page 2: Memory protection using dynamic tainting

Contents

1. IMA
2. Dynamic tainting
3. Assigning taint marks
4. Propagating the taint marks
5. Checking
6. Preventing the illegal memory access
7. Implementation
8. Limiting the number of taint marks
9. Effects on the approach
10. Conclusion
11. References

Page 3: Memory protection using dynamic tainting

IMA?

Illegal Memory Access (IMA): an important class of memory-related faults.

A currently free area ‘m’ of the required size is allocated.

The starting address of m can be assigned to a pointer ‘p’.

Access to m is legal only if it is referenced by p or a pointer derived from p, and the access occurs during the interval when p is valid.

All other accesses are Illegal Memory Accesses, or IMAs.

Page 4: Memory protection using dynamic tainting

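Illegal Memory Access (IMA)

    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        int *np, n, i, *buf;
        np = &n;
        printf("enter the size:");
        scanf("%d", np);
        buf = malloc(n * sizeof(int));
        for (i = 0; i <= n; i++)          /* i == n writes one element past buf: the IMA */
            *(buf + i) = rand() % 10;
        /* .... */
    }

[Figure: memory diagram for the IMA example, showing buf, i, np and n (n: 3)]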

Page 5: Memory protection using dynamic tainting

Dynamic Tainting

Dynamic tainting: a technique for marking and tracking certain data at run time.

Marking two kinds of data: memory in data space and pointers.

When m is allocated, it is tainted with ‘t’.

When p is created with m as referent, p is also tainted with ‘t’.

When memory is accessed, the taint mark is checked.

Page 6: Memory protection using dynamic tainting

Dynamic tainting is done in 3 parts:

1) Tainting
   Static memory allocation.
   Pointer to statically allocated memory.
   Dynamic memory allocation.
   Pointer to dynamically allocated memory.

2) Propagating taint marks
   Propagation of memory taints.
   Propagation of pointer taints.

3) Checking

Page 7: Memory protection using dynamic tainting

Assigning taint marks

Initializing taint marks. 4 cases:

1) Static memory allocation.
2) Pointer to statically allocated memory.
3) Dynamic memory allocation.
4) Pointer to dynamically allocated memory.

Page 8: Memory protection using dynamic tainting

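Static memory allocation

1 Identify the ranges of allocated memory.
2 Assign a unique taint mark to each range.

    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        int *np, n, i, *buf;
        np = &n;
        printf("enter the size");
        scanf("%d", np);
        buf = malloc(n * sizeof(int));
        for (i = 0; i <= n; i++)          /* i == n is out of bounds */
            *(buf + i) = rand() % 26;
        /* ... */
    }

[Figure: memory diagram of buf, i, n and np with the taint marks assigned to the statically allocated ranges]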

Page 9: Memory protection using dynamic tainting

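Pointers to statically allocated memory

Identify pointer creation sites.
Assign the pointer the same taint mark as the memory it points to.

    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        int *np, n, i, *buf;
        np = &n;                          /* pointer creation site */
        printf("Enter the size");
        scanf("%d", np);
        buf = malloc(n * sizeof(int));
        for (i = 0; i <= n; i++) {        /* i == n is out of bounds */
            *(buf + i) = rand() % 26;
        }
    }

[Figure: memory diagram of buf, i, n and np with taint marks on the memory ranges and on the pointer to statically allocated memory]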

Page 10: Memory protection using dynamic tainting

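Dynamic memory allocation

Identify the ranges of allocated memory.
Assign a unique taint mark to each range.

    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        int *np, n, i, *buf;
        np = &n;
        printf("Enter the size");
        scanf("%d", np);
        buf = malloc(n * sizeof(int));    /* dynamically allocated range */
        for (i = 0; i <= n; i++) {        /* i == n is out of bounds */
            *(buf + i) = rand() % 26;
        }
    }

[Figure: memory diagram of buf, i, n and np with taint marks, including the mark on the dynamically allocated range]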

Page 11: Memory protection using dynamic tainting

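Pointer to dynamically allocated memory

Identify pointer creation sites.
Assign the pointer the same taint mark as the memory it points to.

    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        int *np, n, i, *buf;
        np = &n;
        printf("Enter the size:");
        scanf("%d", np);
        buf = malloc(n * sizeof(int));    /* pointer creation site */
        for (i = 0; i <= n; i++)          /* i == n is out of bounds */
            *(buf + i) = rand() % 26;
        /* ... */
    }

[Figure: memory diagram of buf, i, n and np with taint marks on the dynamically allocated range and on the pointer to it]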

Page 12: Memory protection using dynamic tainting

Propagation of taints

Detects how taint marks flow along data as the program executes.

2 concepts:
Propagation of memory taints.
Propagation of pointer taints.

Page 13: Memory protection using dynamic tainting

Propagation of memory taints

Not actually propagated.

Taints are associated with a memory area when it is allocated and removed when deallocated.

Pointers remain tainted.

If such a pointer is used to access memory, an IMA is still detected.

Page 14: Memory protection using dynamic tainting

Dynamically allocated memory: it is deallocated, and its taint mark removed, by calling a memory deallocation function, e.g. free().

Statically allocated memory: it is deallocated, and its taint mark removed, when the function returns (local variable) or when the program exits (global variable).

Page 15: Memory protection using dynamic tainting

Propagation of pointer taints

Taint marks associated with a pointer are propagated to derived pointers.

The rules model all possible operations on pointers and associate, for each operation, an action that assigns the correct taint mark to the result of the operation.

Page 16: Memory protection using dynamic tainting

Propagation rules

Add or Subtract: c = a +/- b. If a is tainted with ta and b is tainted with tb, then c will be tainted with ta + tb or ta - tb.

Multiply, Divide, Modulo, Bitwise OR, XOR: the results of these operations are never tainted.

Page 17: Memory protection using dynamic tainting

Bitwise AND: c = a & b. If a and b are both tainted or both untainted, then c is not tainted; else c is tainted.

Bitwise NOT: c = ~a. Alternative to subtraction: tc = -ta.

Page 18: Memory protection using dynamic tainting

Checking

For each memory access, the taint mark of the pointer and of the memory is checked. If they are not the same, an IMA is detected.

[Figure: table of pointer taint mark, memory taint mark and whether an IMA is detected]

Page 19: Memory protection using dynamic tainting

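Preventing IMAs

    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        int *np, n, i, *buf;
        np = &n;
        printf("enter the size:");
        scanf("%d", np);
        buf = malloc(n * sizeof(int));
        for (i = 0; i <= n; i++)          /* at i == n the taint marks differ: IMA */
            *(buf + i) = rand() % 26;
        /* ... */
    }

[Figure: memory diagram of buf, i, n (3) and np with their taint marks, and the taint mark of the derived pointer buf + i]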
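The three steps from the slides above (assign, propagate, check), run on the same off-by-one loop, as an added example that is not code from the presentation or the cited paper. It is a software model with a simulated word-addressed memory and a shadow array of taint marks; the names `tptr`, `t_malloc`, `t_free`, `t_add` and `t_store` are hypothetical.

```c
#include <stdio.h>

#define WORDS 64
static int mem[WORDS];       /* simulated data memory, word-addressed      */
static int shadow[WORDS];    /* taint mark of each word, 0 = untainted     */
static int next_free = 0, next_mark = 1;

typedef struct { int addr; int taint; } tptr;  /* pointer plus its taint mark */

/* Assign: taint the allocated range with a fresh mark; the pointer gets the same mark. */
static tptr t_malloc(int nwords) {
    tptr p = { next_free, next_mark++ };
    for (int i = 0; i < nwords; i++) shadow[next_free + i] = p.taint;
    next_free += nwords;
    return p;
}

/* Deallocation removes the memory taint; the pointer stays tainted. */
static void t_free(tptr p, int nwords) {
    for (int i = 0; i < nwords; i++) shadow[p.addr + i] = 0;
}

/* Propagate (add rule): c = a + b carries ta + tb; a plain integer offset has tb = 0. */
static tptr t_add(tptr a, int b) { tptr c = { a.addr + b, a.taint + 0 }; return c; }

/* Check: store only when pointer and memory marks match; returns 0 when an IMA is blocked. */
static int t_store(tptr p, int v) {
    if (p.addr < 0 || p.addr >= WORDS || shadow[p.addr] != p.taint) return 0;
    mem[p.addr] = v;
    return 1;
}

/* The slides' loop: for (i = 0; i <= n; i++) *(buf + i) = ...; returns IMAs blocked. */
static int run_loop(int n) {
    tptr buf = t_malloc(n);
    t_malloc(1);                         /* neighbouring block, different mark */
    int imas = 0;
    for (int i = 0; i <= n; i++) imas += !t_store(t_add(buf, i), i % 10);
    return imas;
}

/* Use after free: the pointer still carries its mark, the memory no longer does. */
static int use_after_free(void) {
    tptr p = t_malloc(2);
    t_free(p, 2);
    return !t_store(p, 7);               /* 1 = IMA detected */
}

int main(void) {
    printf("off-by-one IMAs blocked: %d\n", run_loop(3));
    printf("use-after-free detected: %d\n", use_after_free());
    return 0;
}
```

Every allocation here gets a fresh mark, so detection is certain; with the limited set of marks discussed later in the slides, two neighbouring blocks can share a mark and the same overflow would pass the check.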

Page 20: Memory protection using dynamic tainting

Software Implementation

An additional pass is added in compiler (LLVM) to taint all stack and global defined arrays.

Taint propagation may be implemented using any dynamic tainting framework.

Page 21: Memory protection using dynamic tainting

Hardware Implementation

Taint processing and storage. 2 options: data widening and decoupling.

Data widening: extending data with a few bits to represent taint information.

Decoupling: taint information is stored as a packed array in a reserved part of the application’s virtual address space.

This address space is managed by the OS similarly to normal data pages.

Page 22: Memory protection using dynamic tainting

Taint propagation and access checking

Hard wiring is used for taint propagation and checking.

Hard wiring requires modification of the hard wiring to make changes in future.

Easier to add hardwired support for taint propagation.

As a result of all these considerations, a hardwiring approach is opted for taint propagation and access checking.

Page 23: Memory protection using dynamic tainting

In short,

Taint propagation and initializing is done using decoupling.

Taint propagation and checking is done using the hardwiring technique.

Page 24: Memory protection using dynamic tainting

Limiting the number of taint marks

An unlimited number of taint marks makes hardware implementation infeasible.

Increases the overhead (time and space).

Complicates the design.

Page 25: Memory protection using dynamic tainting

Effects on the approach

IMAs are detected probabilistically.

With random assignment of n taint marks, the detection probability is: p = 1 - 1/n

2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6%.

The technique can be tuned by increasing and decreasing the number of taint marks.

Page 26: Memory protection using dynamic tainting

Conclusion

Definition of an approach for preventing illegal memory accesses in deployed software:

uses dynamic taint analysis to protect memory.

uses probabilistic detection to achieve acceptable overhead.

Page 27: Memory protection using dynamic tainting

References

Ioannis Doudalis, James Clause, Guru Venkataramani, Milos Prvulovic, and Alessandro Orso, “Effective and Efficient Memory Protection using Dynamic Tainting”, IEEE Transactions on Computers, vol. 61, no. 1, January 2012.

G. Venkataramani, Doudalis, Y. Solihin, “FlexiTaint: A programmable accelerator for dynamic taint propagation”.

Doudalis, James Clause, A. Orso, “Effective memory protection using dynamic tainting”, Proc. 22nd IEEE 2007.

Page 28: Memory protection using dynamic tainting

Thank you

Questions?