Memory protection using dynamic tainting

Presentation on the topic “Effective memory protection using dynamic tainting”

Contents
1. IMA
2. Dynamic tainting
3. Assigning taint marks
4. Propagating the taint marks
5. Checking
6. Preventing the illegal memory access
7. Implementation
8. Limiting the number of taint marks
9. Effects on the approach
10. Conclusion
11. References

IMA?
- Illegal Memory Access (IMA): an important class of memory-related faults.
- A currently free area m of the required size is allocated.
- The starting address of m can be assigned to a pointer p.
- An access to m is legal only if it is made through p or a pointer derived from p, and the access occurs during the interval when p is valid.
- All other accesses are illegal memory accesses (IMAs).

Illegal Memory Access (IMA)

```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int *np, n, i, *buf;
    np = &n;
    printf("enter the size:");
    scanf("%d", np);
    buf = malloc(n * sizeof(int));
    for (i = 0; i <= n; i++)        /* i <= n: the last iteration writes past the end of buf */
        *(buf + i) = rand() % 10;
    /* .... */
    return 0;
}
```

[Figure: memory diagram showing buf, i, n (value 3) and np.]

Dynamic Tainting
- Dynamic tainting: a technique for marking and tracking certain data at run time.
- Two kinds of data are marked: memory in the data space and pointers.
- When m is allocated, it is tainted with t.
- When p is created with m as its referent, p is also tainted with t.
- When memory is accessed, the taint mark is checked.

Dynamic tainting is done in 3 parts:
1) Tainting
   - Static memory allocation.
   - Pointers to statically allocated memory.
   - Dynamic memory allocation.
   - Pointers to dynamically allocated memory.
2) Propagating taint marks
   - Propagation of memory taints.
   - Propagation of pointer taints.
3) Checking

Assigning taint marks
Initializing taint marks: 4 cases
1) Static memory allocation.
2) Pointer to statically allocated memory.
3) Dynamic memory allocation.
4) Pointer to dynamically allocated memory.

Static memory allocation
1. Identify the ranges of allocated memory.
2. Assign a unique taint mark to each range.

```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int *np, n, i, *buf;            /* statically allocated: each range gets its own taint mark */
    np = &n;
    printf("enter the size");
    scanf("%d", np);
    buf = malloc(n * sizeof(int));
    for (i = 0; i <= n; i++)
        *(buf + i) = rand() % 26;
    /* ... */
    return 0;
}
```

[Figure: memory cells buf, i, n and np labelled with their taint marks.]

Pointers to statically allocated memory
1. Identify pointer creation sites.
2. Assign the pointer the same taint mark as the memory it points to.

```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int *np, n, i, *buf;
    np = &n;                        /* pointer creation site: np gets the taint mark of n */
    printf("Enter the size");
    scanf("%d", np);
    buf = malloc(n * sizeof(int));
    for (i = 0; i <= n; i++) {
        *(buf + i) = rand() % 26;
    }
    return 0;
}
```

[Figure: memory cells buf, i, n and np labelled with their taint marks; np carries the same mark as n.]

Dynamic memory allocation
1. Identify the ranges of allocated memory.
2. Assign a unique taint mark to each range.

```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int *np, n, i, *buf;
    np = &n;
    printf("Enter the size");
    scanf("%d", np);
    buf = malloc(n * sizeof(int));  /* the dynamically allocated range gets a unique taint mark */
    for (i = 0; i <= n; i++) {
        *(buf + i) = rand() % 26;
    }
    return 0;
}
```

[Figure: memory cells buf, i, n and np with their taint marks, plus the dynamically allocated block tainted with mark 5.]

Pointer to dynamically allocated memory
1. Identify pointer creation sites.
2. Assign the pointer the same taint mark as the memory it points to.

```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int *np, n, i, *buf;
    np = &n;
    printf("Enter the size:");
    scanf("%d", np);
    buf = malloc(n * sizeof(int));  /* buf gets the same taint mark as the block it points to */
    for (i = 0; i <= n; i++)
        *(buf + i) = rand() % 26;
    /* ... */
    return 0;
}
```

[Figure: memory cells buf, i, n and np with their taint marks; buf and the dynamically allocated block both carry mark 5.]

Propagation of taints
- Determines how taint marks flow along the data as the program executes.
- 2 concepts:
  - Propagation of memory taints.
  - Propagation of pointer taints.

Propagation of memory taints
- Memory taints are not actually propagated.
- Taints are associated with a memory area when it is allocated and removed when it is deallocated.
- The pointer remains tainted.
- If such a pointer is used to access memory, an IMA is still detected.

- Dynamically allocated memory: it is deallocated, and its taint removed, by calling a memory deallocation function, e.g. free().
- Statically allocated memory: it is deallocated, and its taint mark removed, when the function returns (local variable) or when the program exits (global variable).

Propagation of pointer taints
- Taint marks associated with a pointer are propagated to derived pointers.
- The rules model all possible operations on pointers and associate with each operation an action that assigns the correct taint mark to the result of the operation.

Propagation rules
- Add or Subtract: c = a ± b. If a is tainted with $t_a$ and b is tainted with $t_b$, then c is tainted with $t_a + t_b$ or $t_a - t_b$.
- Multiply, Divide, Modulo, Bitwise OR, XOR: the results of these operations are never tainted.

- Bitwise AND: c = a & b. If a and b are both tainted or both untainted, then c is not tainted; otherwise c is tainted.
- Bitwise NOT: c = ~a. Alternative to subtraction: $t_c = -t_a$.

Checking
- For each memory access, the taint marks of the pointer and the memory are checked.
- If they are not the same, an IMA is detected.

[Figure: example accesses comparing the pointer's taint mark with the memory's taint mark (marks 5 and 2), each labelled with whether an IMA is detected.]

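Preventing IMAs

```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int *np, n, i, *buf;
    np = &n;
    printf("enter the size:");
    scanf("%d", np);
    buf = malloc(n * sizeof(int));
    for (i = 0; i <= n; i++)        /* buf + i keeps buf's taint mark; at i == n the memory's mark differs */
        *(buf + i) = rand() % 26;
    /* ... */
    return 0;
}
```

[Figure: memory diagram with n = 3 and the taint marks of np, n, i, buf and the allocated block; pointer arithmetic on buf (taint mark 5) is shown yielding taint mark 5.]
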
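The assign, propagate and check steps from the slides above, as an added example in C (not code from the presentation or the paper it summarizes). It models a toy word-addressed heap with a shadow taint array; the names tptr, t_malloc, t_free, t_add and t_store, and the use of mark 0 for "untainted", are assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>
#define HEAP_WORDS 64
#define UNTAINTED  0                 /* assumption: mark 0 means "no taint" */
static int heap[HEAP_WORDS], mem_taint[HEAP_WORDS]; /* toy heap + shadow mark per word */
static size_t heap_top = 0;
static int next_mark = 1;
typedef struct { size_t idx; int taint; } tptr;     /* pointer plus its taint mark */

/* Assign: the new range gets a unique mark; the pointer gets the same one. */
static tptr t_malloc(size_t words) {
    tptr p = { heap_top, next_mark++ };
    for (size_t k = 0; k < words; k++) mem_taint[heap_top + k] = p.taint;
    heap_top += words;
    return p;
}
/* Deallocate: the memory taint is removed, the pointer keeps its mark. */
static void t_free(tptr p, size_t words) {
    for (size_t k = 0; k < words; k++) mem_taint[p.idx + k] = UNTAINTED;
}
/* Propagate (add rule): t_c = t_a + t_b, where the integer offset b is untainted. */
static tptr t_add(tptr a, size_t b) {
    return (tptr){ a.idx + b, a.taint + UNTAINTED };
}
/* Check: the store goes through only if the marks match; 0 means IMA detected. */
static int t_store(tptr p, int value) {
    if (p.idx >= HEAP_WORDS || p.taint != mem_taint[p.idx]) return 0;
    heap[p.idx] = value;
    return 1;
}
/* The deck's loop (i <= n): returns the first i flagged as an IMA, or -1. */
static int run_loop(size_t n) {
    tptr buf = t_malloc(n);
    (void)t_malloc(4);               /* neighbouring block with its own mark */
    for (size_t i = 0; i <= n; i++)
        if (!t_store(t_add(buf, i), (int)(i % 10))) return (int)i;
    return -1;
}
/* Use after free: returns 1 if the store through the stale pointer is flagged. */
static int use_after_free(void) {
    tptr p = t_malloc(2);
    int ok_before = t_store(p, 7);
    t_free(p, 2);
    return ok_before && !t_store(p, 8);
}
int main(void) {
    printf("overflow flagged at i = %d\n", run_loop(3));
    printf("use-after-free flagged: %d\n", use_after_free());
    return 0;
}
```

With n = 3 the write at i = 3 reaches the neighbouring block, whose mark differs from buf's, so the store is refused and the neighbour's data is left intact.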

Software Implementation
- An additional pass is added to the compiler (LLVM) to taint all stack and globally defined arrays.
- Taint propagation may be implemented using any dynamic tainting framework.

Hardware Implementation
Taint processing and storage
- 2 options: data widening and decoupling.
- Data widening: extending data with a few bits to represent taint information.
- Decoupling: taint information is stored as a packed array in a reserved part of the application's virtual address space.
- This address space is managed by the OS in a similar way to normal data pages.

Taint propagation and access checking
- Hard wiring is used for taint propagation and checking.
- Hard wiring requires modification of the hard wiring to make changes in the future.
- It is easier to add hard-wired support for taint propagation.
- As a result of all these considerations, a hard-wiring approach is chosen for taint propagation and access checking.

In short,
- Taint propagation and initializing are done using decoupling.
- Taint propagation and checking are done using the hard-wiring technique.

Limiting the number of taint marks
- An unlimited number of taint marks makes a hardware implementation infeasible.
- It increases the overhead (time and space).
- It complicates the design.

Effects on the approach
- IMAs are detected probabilistically.
- With random assignment of n taint marks, the detection probability is $p = 1 - 1/n$.
- 2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6%.
- The technique can be tuned by increasing or decreasing the number of taint marks.

Conclusion
- Definition of an approach for preventing illegal memory accesses in deployed software.
- Uses dynamic taint analysis to protect memory.
- Uses probabilistic detection to achieve acceptable overhead.

References
- Ioannis Doudalis, James Clause, Guru Venkataramani, Milos Prvulovic, and Alessandro Orso, “Effective and Efficient Memory Protection using Dynamic Tainting”, IEEE Transactions on Computers, vol. 61, no. 1, January 2012.
- G. Venkataramani, Doudalis, Y. Solihin, “FlexiTaint: A programmable accelerator for dynamic taint propagation”.
- Doudalis, James Clause, A. Orso, “Effective memory protection using dynamic tainting”, Proc. 22nd IEEE 2007.

Thank you
Questions?