Learning, Monitoring, and Repair in Application Communities
Martin Rinard
Computer Science and Artificial Intelligence Laboratory
Massachusetts Institute of Technology

Goal
Structure of implemented system
How it works
Planned developments for future

Basic Idea
• Community learns invariants that are always true in successful executions
• Community is attacked
• Find a set of invariants that are violated when attack happens
• Deploy several alternative repairs that enforce violated invariants
• Community tries the different repairs, recognizes which ones work
• Successful repairs distributed across community

System Operational Modes
• Invariant Learning Mode
• Monitoring Mode (detecting attacks)
• Invariant Localization Mode (detecting which invariants are violated)
• Protection Mode (deploying and evaluating repairs)
• Modes can be temporally and spatially overlapped

Invariant Learning Mode Architecture
[Diagram labels: Community Machine, Server Machine; Application, Determina MPEE, Client Library (Tracing), Local Daikon, Node Manager, Central Daikon, Management Console, Invariant Database; flows: Trace Data, Invariants, Invariant Updates (https/ssl)]

What Is Trace Data?
• Sequence of observations <basic block, binary variable, value>
• Binary variables
  • Variable at binary (not source) level
  • Type determined by use
• Example
    1: mov edx, [eax]
    2: cmp edx, [ecx+4]
• Five binary variables
  • 1:eax (ptr), 1:[eax] (int)
  • 2:edx (int), 2:ecx (ptr), 2:[ecx+4] (int)

Determina MPEE and Client Library
[Diagram labels: Application (binary), PC, Basic Block, Basic Block Checking And Transformation, Checked, Transformed Basic Block, Code Cache]
• In learning mode
  • Basic blocks are transformed to print out trace data

Invariant Learning Mode Architecture
[Same architecture diagram as the earlier Invariant Learning Mode Architecture slide]

What Does the Local Daikon Do?
• Local Daikon
  • Reads trace data
  • Performs invariant inference
• Standard set of invariants
  • One of (var = one of {val1, …, valn})
  • Not null (var != null)
  • Less than (var1 - var2 < c)
  • Many more (75 different kinds)
• Variables from same basic block (for now)

Invariant Learning Mode Architecture
[Same architecture diagram as the earlier Invariant Learning Mode Architecture slide]

What Does Central Daikon Do?
• Takes invariants from Local Daikons
• Logically merges invariants into Invariant Database
• Each kind of invariant has merge rules
• For example
  • x = 5 merge x = 6 is x one-of {5, 6}
  • x > 0 merge x > 10 is x > 10
  • x = 5 merge no invariant about x is no invariant about x
  • x = 5 merge no data yet about x is x = 5
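
The equality and one-of merge rules listed above, written out in C. This is an added example, not code from the slides or from Daikon; the three-state type, the function names and the MAX_VALS cap on set size are assumptions, and only the one-of kind of invariant is modelled.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_VALS 3  /* assumed cap on a one-of set; past it the invariant is dropped */

/* NO_DATA: variable never observed. NO_INVARIANT: observed, but nothing holds. */
typedef enum { NO_DATA, ONE_OF, NO_INVARIANT } inv_state;

typedef struct {
    inv_state state;
    size_t n;
    long vals[MAX_VALS];
} one_of_inv;

static const one_of_inv INV_NO_DATA = { NO_DATA, 0, {0} };
static const one_of_inv INV_NONE    = { NO_INVARIANT, 0, {0} };

/* "x = v" as reported by one Local Daikon (a one-of set with one member). */
one_of_inv inv_equals(long v) {
    one_of_inv inv = { ONE_OF, 1, {0} };
    inv.vals[0] = v;
    return inv;
}

int inv_contains(const one_of_inv *inv, long v) {
    for (size_t i = 0; i < inv->n; i++)
        if (inv->vals[i] == v) return 1;
    return 0;
}

/* Merge two reports about the same binary variable. */
one_of_inv merge_one_of(one_of_inv a, one_of_inv b) {
    if (a.state == NO_INVARIANT || b.state == NO_INVARIANT)
        return INV_NONE;               /* some member already falsified it */
    if (a.state == NO_DATA) return b;  /* no observations add no constraint */
    if (b.state == NO_DATA) return a;
    for (size_t i = 0; i < b.n; i++) { /* both ONE_OF: take the set union */
        if (inv_contains(&a, b.vals[i])) continue;
        if (a.n == MAX_VALS) return INV_NONE;
        a.vals[a.n++] = b.vals[i];
    }
    return a;
}

int main(void) {
    one_of_inv m = merge_one_of(inv_equals(5), inv_equals(6));
    printf("x one-of {");
    for (size_t i = 0; i < m.n; i++)
        printf("%s%ld", i ? ", " : "", m.vals[i]);
    printf("}\n");
    return 0;
}
```

The distinction between NO_DATA and NO_INVARIANT matters because each community member instruments only a subset of basic blocks: a member that never traced a block must not erase what other members learned about it.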

Application Community Issues
• Lots of community members learning at same time
• Each community member instruments a (randomly chosen) subset of basic blocks
  • Minimizes learning overhead
  • While obtaining reasonable coverage
• Learning takes place over successful executions (without attacks)
  • Controlled environment
  • A posteriori judgement

Monitoring Mode Architecture
[Diagram labels: Community Machine, Server Machine; Application, Determina MPEE, Client Library, Attack Detection, Node Manager, Protection Manager, Management Console; flow: Attack Information (https/ssl)]

Community Machine
• Detects attack signal
  • Determina Memory Firewall
  • Fatal error (invalid address, divide by zero)
  • In principle, any indication of attack
• Attack information
  • Program counter where attack occurred
  • Stack when attack occurred
• Sent to server as application dies

Invariant Localization Overview
• Goal: Find out which invariants are violated when program is attacked
• Strategy:
  • Find invariants close to attack
  • Make running applications check for violations of these invariants
  • Correlate invariant violations with attacks

Invariant Localization Mode Architecture
[Diagram labels: Community Machine, Server Machine; Application, Determina MPEE, Client Library, Attack & Invariant Violation Detector, Node Manager, Protection Manager, Management Console, Invariant Database, LiveShield Generation, LiveShield Installation; flows: Attack & Invariant Information, Invariants, LiveShields (https/ssl)]

Finding Invariants Close to Attack
• Attack Information
  • PC of instruction where attack detected (jump to invalid code) (instruction that accessed invalid memory) (divide by zero instruction)
  • Call stack
    • Duplicate stack
    • Preserved even for stack smashing attacks
• Find basic blocks that are close to involved PCs
• Find invariants for those basic blocks

Detecting Invariant Violations
• Add checking code to application
  • Check for violations of selected invariants
  • Log any violated invariants
• Use Determina LiveShield mechanism
  • Distribute code patches to basic blocks
  • Eject basic blocks from code cache
  • Insert new version of basic block with new checking code
  • Updates programs as they run

Using LiveShield Mechanism
• Protection manager selects invariants to check
• Generates C code that implements check
• Passes C code to scripts
  • Compile the code
  • Generate patch
  • Sign it, convert to LiveShield format
• Distribute LiveShields back to applications
  • Each application gets all LiveShields
  • Goal is to maximize checking information

Correlating Invariant Violations and Attacks
• Protection manager fed two kinds of information
  • Invariant violation information
  • Attack information
• Correlates the information
  • If invariant violation is followed by an attack
  • Then invariant is a candidate for enforcement

Protection Mode Architecture
[Diagram labels: Community Machine, Server Machine; Application, Determina MPEE, Client Library, Attack Detector & Invariant Enforcement, Node Manager, Protection Manager, Management Console, Invariant Database, LiveShield Generation, LiveShield Installation; flows: Attack & Invariant Information, Invariants, LiveShields (https/ssl)]

Invariant Enforcement
• Given an invariant to enforce
• Protection manager generates LiveShields that correspond to different repair options
• Current implementation for one-of constraints
  • Variable is a pointer to a function
  • Constraint violation is a jump to function previously unseen at that jump instruction
  • Potential repairs
    • Call one of previously seen functions
    • Skip call
    • Return immediately back to caller
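
A source-level model of the one-of check and its three repair options, as an added example that is not from the slides or from Determina's LiveShield code. The real system patches basic blocks in the binary; the `call_site` structure, all function names and the sample handlers here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_fn)(int);
typedef enum { REPAIR_CALL_SEEN, REPAIR_SKIP_CALL, REPAIR_RETURN } repair;
typedef enum { CALLED_TARGET, CALLED_SEEN, SKIPPED, RETURN_NOW } outcome;

#define MAX_SEEN 4
typedef struct {
    handler_fn seen[MAX_SEEN];  /* targets observed at this call site while learning */
    size_t n_seen;
    repair policy;              /* repair option carried by this patch */
    unsigned violations;        /* count reported back to the protection manager */
} call_site;

static int target_seen(const call_site *cs, handler_fn f) {
    for (size_t i = 0; i < cs->n_seen; i++)
        if (cs->seen[i] == f) return 1;
    return 0;
}

/* The check that replaces a bare indirect call `*result = target(arg)`. */
outcome guarded_call(call_site *cs, handler_fn target, int arg, int *result) {
    if (target_seen(cs, target)) {
        *result = target(arg);
        return CALLED_TARGET;
    }
    cs->violations++;  /* one-of invariant violated: log it, then repair */
    switch (cs->policy) {
    case REPAIR_CALL_SEEN:
        if (cs->n_seen == 0) return SKIPPED;  /* nothing learned to substitute */
        *result = cs->seen[0](arg);
        return CALLED_SEEN;
    case REPAIR_SKIP_CALL:
        return SKIPPED;  /* *result keeps the caller's default */
    default:
        return RETURN_NOW;
    }
}

/* Constructed sample program. */
int unseen_calls = 0;
int handler_a(int x) { return x + 1; }
int handler_b(int x) { return x * 2; }
int unseen_target(int x) { unseen_calls++; return -x; }  /* never seen while learning */

/* Enclosing function: work after the call site runs unless the repair returns early. */
int process(call_site *cs, handler_fn target, int arg) {
    int r = 0;
    if (guarded_call(cs, target, arg, &r) == RETURN_NOW)
        return -1;
    return r + 100;
}

int main(void) {
    call_site cs = { { handler_a, handler_b }, 2, REPAIR_SKIP_CALL, 0 };
    int ok = process(&cs, handler_b, 3);
    int repaired = process(&cs, unseen_target, 3);
    printf("seen target: %d, unseen target: %d, violations: %u\n",
           ok, repaired, cs.violations);
    return 0;
}
```

Each repair leaves the program in a different state after the call site, which is why the system deploys all of them and measures which one lets execution continue successfully.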

Selecting A Good Repair
• Protection manager generates a LiveShield for each repair option
• Distributes LiveShields across applications
  • Random assignment, biased as follows
  • Each LiveShield has a success number
    • Invariant enforcement followed by continued successful execution increments number
    • Attack or crash decrements number
  • Probability of selection is proportional to success number
• Periodically reassign LiveShields to applications
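
The biased assignment described above, simulated in C as an added example (not the protection manager's code). Assumptions not on the slide: every success number starts at 1, it never drops below zero, assignment falls back to uniform if all numbers are zero, and the `works` array is constructed ground truth about which repair neutralizes the attack.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const char *repair;  /* repair option this LiveShield implements */
    int success;         /* the slide's "success number" */
} liveshield;

/* Small deterministic generator so runs are reproducible (not for security use). */
static unsigned lcg(unsigned *s) {
    *s = *s * 1103515245u + 12345u;
    return (*s >> 16) & 0x7fffu;
}

int total_success(const liveshield *ls, size_t n) {
    int t = 0;
    for (size_t i = 0; i < n; i++) t += ls[i].success;
    return t;
}

/* Map a draw in [0, total) to a LiveShield; P(i) = success_i / total. */
int pick_repair(const liveshield *ls, size_t n, int draw) {
    for (size_t i = 0; i < n; i++) {
        if (draw < ls[i].success) return (int)i;
        draw -= ls[i].success;
    }
    return -1;  /* draw out of range, or every success number is zero */
}

/* Feedback from one application after the invariant was enforced. */
void report(liveshield *l, int survived) {
    if (survived) l->success++;
    else if (l->success > 0) l->success--;  /* assumed floor at zero */
}

/* One reassignment period: assign every application, then collect feedback. */
void run_period(liveshield *ls, size_t n, const int *works,
                size_t n_apps, unsigned *seed) {
    int assigned[64];
    int total = total_success(ls, n);
    if (n_apps > 64) n_apps = 64;
    for (size_t a = 0; a < n_apps; a++)
        assigned[a] = total > 0
            ? pick_repair(ls, n, (int)(lcg(seed) % (unsigned)total))
            : (int)(lcg(seed) % (unsigned)n);  /* assumed uniform fallback */
    for (size_t a = 0; a < n_apps; a++)
        report(&ls[assigned[a]], works[assigned[a]]);
}

int main(void) {
    liveshield ls[3] = { {"call previously seen function", 1},
                         {"skip call", 1},
                         {"return to caller", 1} };
    const int works[3] = { 0, 1, 0 };  /* constructed: only "skip call" survives */
    unsigned seed = 1;
    for (int period = 0; period < 20; period++)
        run_period(ls, 3, works, 8, &seed);
    for (int i = 0; i < 3; i++)
        printf("%-32s success=%d\n", ls[i].repair, ls[i].success);
    return 0;
}
```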

System in Action
[Animation frames. Labels common to every frame: Community Machines, Server Machine, Invariant Database, Protection Manager, Management Console. Additional labels per frame:]
• Learning: Invariants
• Monitoring: none, then Attack Information
• Invariant Localization: Invariants, Invariant Checks in LiveShields; then Invariant Violation Information, Attack Information
• Protection: Repair Distribution; then Invariant Violation Information, Attack Information; then Repair Redistribution (two frames); then two frames with no additional labels

System in Action – Concrete Example
• Learning mode
  • Key binary variable is target of jsri instruction
  • Learn a one-of constraint (target is one-of invoked functions)
• Monitoring mode
  • Memory Firewall detects attempt to execute unauthorized function
• Invariant localization mode
  • Attack information identifies jsri instruction as target of attack
  • Correlates invariant violation with attack
• Protection Mode
  • Distribute range of repairs (skip call, call previously observed function)
  • Check that they successfully neutralize attack

Attack Surface Issues
• Determina Runtime as attack target
• Addressed with page protection policies
• Also randomize placement
  • Runtime data
  • Runtime code, code cache

Page Type      Runtime Mode   Application Mode
App code       R              R
App data       RW             RW
Runtime code   RE             R
Code Cache     RW             RE
Runtime data   RW             R

Communication Issues
• What about forged communications?
• Management console has certificate authority
• Clients use password to get certificates
• All communications
  • Signed, authenticated, encrypted
  • Revocation if necessary
[Diagram labels: Invariant Database, Management Console, Certificate Authority]

Status
• Architecture implemented and tested
  • Components exist
  • Communication implemented, operational
  • Determina Memory Firewall as attack detector
  • One-of invariants on function pointers (demo)

Parameterized Architecture and Implementation
• Parameterization points
  • Attack signal
  • Invariants
    • Inference
    • Enforcement mechanisms
• Flexibility in implementation strategies
  • Invariant localization strategies
  • Invariant repair strategies

Class of Attacks
Prerequisites for stopping an attack
• Attack characteristics
  • Attack signal
  • Attack must violate invariants
  • Enforcing invariants must neutralize attack
• Invariant characteristics
  • Daikon must recognize invariants
  • System must be able to successfully repair violations of invariants

Examples of Attacks We Can Stop
• Function pointer
  • Attack signal – Determina Memory Firewall
  • Invariant
    • One-of invariant
    • Function pointer binary variable
  • Repair
    • Jump to previously seen function
    • Skip call

Examples of Attacks We Can Stop
• Code injection attacks via stack overwriting
  • Attack signal – Determina Memory Firewall
  • Invariant
    • Less than invariant
    • Stack pointer binary variable
  • Repair
    • Skip writes via binary variable
    • Coerce binary variable back into range

Future Evolution
• Exploit parameterization capabilities
• More sophisticated invariants
  • Data structure inference
  • Sequences of program actions
• More sophisticated repairs
• More sophisticated attack signals
  • Detect more subtle attacks
    • Program keeps executing
    • Executes legitimate code only
  • Use invariant violation as attack signal