Memory protection using dynamic tainting
Presentation on the topic "Effective memory protection using dynamic tainting"

Contents
1. IMA
2. Dynamic tainting
3. Assigning taint marks
4. Propagating the taint marks
5. Checking
6. Preventing illegal memory accesses
7. Implementation
8. Limiting the number of taint marks
9. Effects on the approach
10. Conclusion
11. References
IMA

Illegal Memory Access (IMA): an important class of memory-related faults.

When memory is allocated, a currently free area m of the required size is reserved, and its starting address can be assigned to a pointer p. An access to m is legal only if it is made through p, or through a pointer derived from p, and only during the interval in which p is valid. Every other access is an Illegal Memory Access (IMA).

The example program used throughout the slides (the loop bound i <= n is the deliberate bug: it writes one element past the end of buf):
    #include <stdio.h>
    #include <stdlib.h>

    int main(void) {
        int *np, n, i, *buf;
        np = &n;
        printf("enter the size:");
        scanf("%d", np);
        buf = malloc(n * sizeof(int));
        for (i = 0; i <= n; i++)        /* i == n stores past the end of buf: an IMA */
            *(buf + i) = rand() % 10;
        ...
    }
[Figure: memory layout for a run with n = 3. buf holds three ints; the loop continues to i = 3, so the fourth stored value lands outside buf, an IMA.]
Dynamic tainting

Dynamic tainting is a technique for marking and tracking certain data at run time. Here two kinds of data are marked: memory in the data space, and pointers.

When m is allocated, it is tainted with a mark t. When p is created with m as its referent, p is also tainted with t. When memory is accessed, the taint mark of the pointer is checked against the taint mark of the memory.

The approach has three parts:
1) Tainting: static memory allocation, pointers to statically allocated memory, dynamic memory allocation, and pointers to dynamically allocated memory.
2) Propagating taint marks: propagation of memory taints and propagation of pointer taints.
3) Checking.
Assigning taint marks

Initializing the taint marks covers four cases:
1) Static memory allocation.
2) Pointers to statically allocated memory.
3) Dynamic memory allocation.
4) Pointers to dynamically allocated memory.
Static memory allocation
1. Identify the ranges of allocated memory.
2. Assign a unique taint mark to each range.
[Figure: the example program; its four locals buf, i, n and np are each given a unique mark (1 to 4).]
Pointers to statically allocated memory
1. Identify pointer creation sites.
2. Assign the pointer the same taint mark as the memory it points to.
[Figure: the example program; at np = &n the pointer np receives the mark of n (2).]
Dynamic memory allocation
1. Identify the ranges of allocated memory.
2. Assign a unique taint mark to each range.
[Figure: the example program; the heap range returned by malloc is given a fresh mark (5).]
Pointers to dynamically allocated memory
1. Identify pointer creation sites.
2. Assign the pointer the same taint mark as the memory it points to.
[Figure: the example program; buf, created at the malloc call, receives the same mark (5) as the heap range it points to.]
Propagation of taints

Propagation describes how taint marks flow along with data as the program executes. There are two kinds: propagation of memory taints and propagation of pointer taints.
Propagation of memory taints

Memory taints are not actually propagated. A taint is associated with a memory area when the area is allocated and removed when it is deallocated. Pointers into the area keep their mark, so if such a (now dangling) pointer is used for an access, an IMA is still detected.

Dynamically allocated memory: the taint mark is removed when the memory is deallocated through a deallocation function, e.g. free().
Statically allocated memory: the taint mark is removed when the memory is deallocated, i.e. when the function returns (local variables) or when the program exits (global variables).
Propagation of pointer taints

The taint mark associated with a pointer is propagated to every pointer derived from it. The propagation rules model all possible operations on pointers and associate, with each operation, an action that assigns the correct taint mark to the result of the operation.
Propagation rules
Add or subtract: c = a + b or c = a - b. If a is tainted with ta and b with tb, c is tainted with ta + tb or ta - tb respectively. An untainted operand counts as mark 0, so adding an integer offset to a pointer leaves the pointer's mark unchanged, and subtracting two pointers with the same mark yields an untainted integer.
Multiply, divide, modulo, bitwise OR, XOR: the result of these operations is never tainted.
Bitwise AND: c = a & b. If a and b are both tainted or both untainted, c is untainted; otherwise c is tainted.
Bitwise NOT: c = ~a. Treated as an alternative to subtraction: tc = -ta.
Checking

For each memory access, the taint mark of the pointer is compared with the taint mark of the memory it references. If they are not the same, an IMA is detected.
[Table: pointer mark versus memory mark. The access is legal only when the two marks are equal (e.g. 5 and 5); any mismatch (e.g. pointer 5, memory 2) is reported as an IMA.]
Preventing IMAs
[Figure: the example program run with n = 3. n carries mark 2 (and so does np, which points to it); the heap range from malloc and the pointer buf both carry mark 5. The derived pointer buf + i keeps mark 5, since buf is marked 5 and i is untainted. The stores at i = 0, 1, 2 hit memory marked 5 and are legal; the store at i = 3 lands past the end of buf, where in this run the memory carries a different mark, and is flagged as an IMA.]
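The three steps above (assign marks at allocation, propagate them through pointer arithmetic, compare marks on every access) as an added example in C. This is a software model written for this page, not the slides' or the paper's code: memory is a small byte arena with one mark per byte kept in a separate shadow array, a "tainted value" is a number plus its mark so pointers and integers share one representation, and mark 0 means untainted. The arena size, the helper names and the choice of which mark survives a bitwise AND are assumptions. replay_overflow() replays the slides' off-by-one loop; the call with both ranges sharing a mark is the missed detection that the later slide on limiting taint marks quantifies.

```c
/* Added example: software model of the tainting scheme described above.
 * Not the slides' or the paper's code; arena size and names are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64
#define UNTAINTED  0

static unsigned char arena[ARENA_SIZE];   /* modelled data memory          */
static unsigned char shadow[ARENA_SIZE];  /* taint mark of each arena byte */

typedef struct { long v; unsigned char t; } tval;   /* value + taint mark */

/* Assigning taint marks: mark a range when it is allocated and return a
 * pointer to it carrying the same mark. */
static tval taint_alloc(size_t off, size_t len, unsigned char mark) {
    memset(shadow + off, mark, len);
    return (tval){ (long)off, mark };
}

/* Memory taints are not propagated: they are removed on deallocation.
 * Pointers into the range keep their mark. */
static void taint_free(size_t off, size_t len) {
    memset(shadow + off, UNTAINTED, len);
}

/* Propagation rules for pointer taints, as given on the slides. */
static tval t_add(tval a, tval b) { return (tval){ a.v + b.v, (unsigned char)(a.t + b.t) }; }
static tval t_sub(tval a, tval b) { return (tval){ a.v - b.v, (unsigned char)(a.t - b.t) }; }
static tval t_mul(tval a, tval b) { return (tval){ a.v * b.v, UNTAINTED }; }  /* never tainted */
static tval t_not(tval a)         { return (tval){ ~a.v, (unsigned char)(-a.t) }; } /* tc = -ta */
/* AND: untainted if both or neither operand is tainted, otherwise tainted.
 * The slides do not say which mark survives; this model (an assumption)
 * keeps the tainted operand's mark. */
static tval t_and(tval a, tval b) {
    unsigned char t = ((a.t != 0) == (b.t != 0)) ? UNTAINTED : (a.t ? a.t : b.t);
    return (tval){ a.v & b.v, t };
}

/* Checking: a store is legal only if the pointer's mark equals the mark of
 * the byte it references. Returns 1 when an IMA is detected, 0 otherwise. */
static int checked_store(tval p, unsigned char byte) {
    if (p.v < 0 || p.v >= ARENA_SIZE) return 1;   /* outside modelled memory */
    if (shadow[p.v] != p.t) return 1;             /* marks differ: IMA       */
    arena[p.v] = byte;
    return 0;
}

/* Replay the slides' loop: buf holds n ints and the loop runs i = 0..n (off
 * by one). buf_mark is the mark of buf's range, next_mark the mark of the
 * allocation that follows it in memory. Returns the number of iterations
 * flagged as IMAs: 1 when the marks differ, 0 when they happen to collide. */
static int replay_overflow(int n, unsigned char buf_mark, unsigned char next_mark) {
    size_t bytes = (size_t)n * sizeof(int);
    memset(shadow, UNTAINTED, sizeof shadow);
    tval buf = taint_alloc(0, bytes, buf_mark);
    taint_alloc(bytes, sizeof(int), next_mark);   /* neighbouring range */
    int flagged = 0;
    for (int i = 0; i <= n; i++) {
        /* i * sizeof(int) is an untainted integer; buf + offset keeps buf's mark */
        tval off = t_mul((tval){ i, UNTAINTED }, (tval){ (long)sizeof(int), UNTAINTED });
        tval p = t_add(buf, off);
        int bad = 0;
        for (long k = 0; k < (long)sizeof(int); k++)
            bad |= checked_store(t_add(p, (tval){ k, UNTAINTED }), (unsigned char)i);
        flagged += bad;
    }
    return flagged;
}

/* Use after free: the range loses its mark on free() while the pointer keeps
 * it, so the second store is caught. mark must be non-zero. Returns 1 when the
 * live store passed and the dangling store was flagged. */
static int replay_use_after_free(unsigned char mark) {
    memset(shadow, UNTAINTED, sizeof shadow);
    tval p = taint_alloc(16, 8, mark);
    int live = checked_store(p, 0xAA);
    taint_free(16, 8);
    int dangling = checked_store(p, 0xBB);
    return live == 0 && dangling == 1;
}

int main(void) {
    tval p = { 12, 5 }, q = { 8, 5 };
    printf("overflow, distinct marks: %d IMA(s) flagged\n", replay_overflow(3, 5, 2));
    printf("overflow, same mark:      %d IMA(s) flagged\n", replay_overflow(3, 5, 5));
    printf("use after free caught:    %d\n", replay_use_after_free(5));
    printf("p - q mark: %u, p & mask mark: %u, q + ~p mark: %u\n",
           t_sub(p, q).t, t_and(p, (tval){ 0xf, 0 }).t, t_add(q, t_not(p)).t);
    return 0;
}
```

Per-byte marks and a 4-byte element make the check land on every byte of the out-of-bounds store, which is why the stride is computed with t_mul rather than by indexing bytes directly: it exercises the "never tainted" rule exactly where a real compiler would emit the multiply.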
Software implementation

An additional compiler pass (in LLVM) taints all stack-allocated and globally defined arrays. Taint propagation can then be implemented with any dynamic tainting framework.
Hardware implementation

Taint processing and storage. There are two options: data widening and decoupling.
Data widening: each data item is extended with a few bits that hold its taint information.
Decoupling: taint information is stored as a packed array in a reserved part of the application's virtual address space; the OS manages this address space in the same way as normal data pages.
Taint propagation and access checking. Hard-wired logic is used for both. Hard-wiring has a cost: changing the rules later requires modifying the hardware. On the other hand, hard-wired support for taint propagation is easy to add. Weighing these considerations, the hard-wired approach is chosen for taint propagation and access checking.

In short: taint storage and initialization use decoupling; taint propagation and checking are hard-wired.
Limiting the number of taint marks

An unlimited number of taint marks makes a hardware implementation infeasible: it increases the overhead (time and space) and complicates the design.

With a bounded number of marks, IMAs are detected probabilistically. With random assignment of n taint marks, the detection probability is p = 1 - 1/n: 2 marks give 50%, 4 marks 75%, 16 marks 93.75%, and 256 marks 99.6%.

The technique can be tuned by increasing or decreasing the number of taint marks.
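The decoupling storage option from the hardware section and the mark-count trade-off from the slide just above, as one added example in C. This is illustration code written for this page, not the slides' or the paper's design: marks are MARK_BITS wide and packed into a separate shadow array, so the shadow costs MARK_BITS/8 bytes per data byte, and narrowing the mark saves space at the price of fewer distinct marks and a lower detection probability. MARK_BITS = 4, DATA_BYTES and the helper names are assumptions chosen for illustration.

```c
/* Added example: packed ("decoupled") shadow storage for taint marks.
 * Not the slides' or the paper's code; widths and names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MARK_BITS      4                        /* 16 distinct marks         */
#define MARKS_PER_BYTE (8 / MARK_BITS)
#define MARK_MASK      ((1u << MARK_BITS) - 1u)
#define DATA_BYTES     4096                     /* size of the modelled data */

static uint8_t shadow_packed[DATA_BYTES / MARKS_PER_BYTE];

/* Shadow bytes needed to hold one mark per byte of a data region. */
static size_t shadow_bytes_for(size_t data_bytes) {
    return (data_bytes + MARKS_PER_BYTE - 1) / MARKS_PER_BYTE;
}

/* Read the mark of data byte addr (addr indexes the modelled data region). */
static unsigned shadow_get(size_t addr) {
    unsigned shift = (unsigned)(addr % MARKS_PER_BYTE) * MARK_BITS;
    return (shadow_packed[addr / MARKS_PER_BYTE] >> shift) & MARK_MASK;
}

/* Write the mark of data byte addr without disturbing its neighbours. */
static void shadow_set(size_t addr, unsigned mark) {
    unsigned shift = (unsigned)(addr % MARKS_PER_BYTE) * MARK_BITS;
    uint8_t *slot = &shadow_packed[addr / MARKS_PER_BYTE];
    *slot = (uint8_t)((*slot & ~(MARK_MASK << shift)) | ((mark & MARK_MASK) << shift));
}

/* Initialise the marks of a whole allocation, as done at allocation time. */
static void shadow_mark_range(size_t addr, size_t len, unsigned mark) {
    for (size_t i = 0; i < len; i++) shadow_set(addr + i, mark);
}

/* With n_marks assigned at random, an IMA goes unnoticed only when the
 * accessed range happens to carry the same mark as the pointer, so the
 * detection probability is 1 - 1/n_marks (the slides' formula). */
static double detection_probability(unsigned n_marks) {
    return 1.0 - 1.0 / (double)n_marks;
}

int main(void) {
    shadow_mark_range(0, 12, 5);    /* e.g. a 3-int buffer gets mark 5   */
    shadow_mark_range(12, 4, 2);    /* the allocation after it, mark 2   */
    printf("mark at byte 11: %u, at byte 12: %u\n", shadow_get(11), shadow_get(12));
    printf("shadow for %d data bytes: %zu bytes\n", DATA_BYTES, shadow_bytes_for(DATA_BYTES));
    printf("detection probability with %u marks: %.4f\n",
           1u << MARK_BITS, detection_probability(1u << MARK_BITS));
    return 0;
}
```

If one mark value is reserved to mean "untainted" (as the unallocated shadow bytes are here), the number of marks available to allocations is 2^MARK_BITS - 1, and that is the n to use in the formula.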
Effects on the approach
Conclusion

Definition of an approach for preventing illegal memory accesses in deployed software. It uses dynamic taint analysis to protect memory, and it uses probabilistic detection to achieve acceptable overhead.
References
1. I. Doudalis, J. Clause, G. Venkataramani, M. Prvulovic, and A. Orso, "Effective and Efficient Memory Protection Using Dynamic Tainting," IEEE Transactions on Computers, vol. 61, no. 1, January 2012.
2. G. Venkataramani, I. Doudalis, and Y. Solihin, "FlexiTaint: A Programmable Accelerator for Dynamic Taint Propagation."
3. I. Doudalis, J. Clause, and A. Orso, "Effective Memory Protection Using Dynamic Tainting," Proc. 22nd IEEE/ACM International Conference on Automated Software Engineering (ASE), 2007.
Thank you
Questions?