case study of asap code repair
play

Case Study of ASAP Code Repair Mathias Payer*, Thomas R. Gross - PowerPoint PPT Presentation

Hot-Patching a Web Server: a Case Study of ASAP Code Repair Mathias Payer*, Thomas R. Gross Department of Computer Science ETH Zurich * now at UC Berkeley Security Dilemma Integrity and availability threatened by vulnerabilities Two


  1. Hot-Patching a Web Server: a Case Study of ASAP Code Repair Mathias Payer*, Thomas R. Gross Department of Computer Science ETH Zurich * now at UC Berkeley

  2. Security Dilemma Integrity and availability threatened by vulnerabilities Two remedies: update or sandboxing • Security updates fix known vulnerabilities but require service restart • Sandboxes protect from unknown exploits but stop the service when an attack is detected

  3. DynSec in 1 Minute Key insight: both sandboxes and dynamic update mechanisms rely on some form of virtualization Binary Translation (BT) provides virtualization • Sandbox protects integrity • Dynamic update mechanism protects availability

  4. DynSec in 2 Minutes Application DynSec Patches Binary Translation Loader Kernel Patch extraction and distribution

  5. Hot-Patching a Web Server Analyze all security patches of Apache 2.2 From Dec 1 st 2005 to Feb. 18 th 2013 • • Total of 49 security bugs, most are simple • Many different classes of bugs All vulnerabilities Software patches Sandbox protection

  6. Outline Motivation Patching architecture & distribution Apache case-study Evaluation Conclusion

  7. Code Translation Binary Translator ● Translates individual basic blocks ● Weave patches into translated code ● Protect from security exploits Original Code Translated Code 1' 1 2 2' 3 3' 4 Kernel

  8. Patch Classes Simple patch • Only few instructions change, directly patched Patches building on DSO: • New import patch: additional library function used • New function patch: additional function • Additional call patch: calls to existing functions • New String patch: new static string used Other patches • Type change, code refactoring, heavyweight changes

  9. Patch Distribution Most Linux distributions provide dynamic update service; piggy pack on this distribution service • Automatically generate a dynamic patch when new package is generated • Systems download packages and install dynamic patches to running services • System administrators update binaries during next maintenance window

  10. Implementation DynSec builds on TRuE/libdetox [IEEE S&P’12, ACM VEE’11] • Patching thread injected in BT layer • Implemented in <2000 LoC • 48 LoC changed in TRuE to add DynSec hooks • Supports unmodified, unaware, multi-threaded x86 applications on Linux

  11. Outline Motivation Patching architecture & distribution Apache case-study • Vulnerability classes • Distribution Evaluation Conclusion

  12. Apache: Vulnerability Classes Low 23 Moderate 19 Important 7 DoS XSS IL EXE HBOF lPE AIH lDoS CSRF ACI IOF

  13. DynSec Coverage Most (45/49) vulnerabilities are hot patchable • All 7 important vulnerabilities • 18 (out of 19) moderate vulnerabilities • 20 (out of 23) low vulnerabilities Patch complexity • Important patches: 4 simple, 3 DSO patches • Moderate patches: 6 simple, 12 DSO patches • Low patches: 10 simple, 10 DSO patches

  14. DynSec: Uncovered exploits CVE-2007-3304 (lDoS, mod): signals to arbitrary PIDs • Heavy code refactoring CVE-2008-0005 (XSS, low): missing UTF-7 encoding • Additional types, new functions CVE-2012-0031 (DoS, low): scoreboard parent DoS • Type change, new functions CVE-2012-0883 (DoS, low): insecure variable in script • Not applicable to DynSec (start-up script only)

  15. DynSec: Uncovered exploits CVE-2007-3304 (lDoS, mod): signals to arbitrary PIDs • Heavy code refactoring Possibility for 4 year stride CVE-2008-0005 (XSS, low): missing UTF-7 encoding without restart • Additional types, new functions CVE-2012-0031 (DoS, low): scoreboard parent DoS • Type change, new functions CVE-2012-0883 (DoS, low): insecure variable in script • Not applicable to DynSec (start-up script only)

  16. Sandbox Coverage Protects from all code-based exploits • Code injection • Control-Flow redirection (ROP/partial JOP) • System call policies Unpatched protection for 11 (of 49) bugs • Two important vulnerabilities (out of 7) • 5 moderate vulnerabilities (out of 20) • 4 low vulnerabilities (out of 21)

  17. Outline Motivation Patching architecture & distribution Apache case-study Evaluation • SPEC CPU 2006 performance • Apache performance Conclusion

  18. Evaluation DynSec evaluated using SPEC CPU2006 • CPU: Intel Core2 Quad Q6600 @ 2.64GHz, 8GB RAM • Ubuntu 11.04, Linux 2.6.38 • Used GCC 4.5.1 with – O2 Benchmark configurations • Native • Sandboxing (use TRuE w/ shadow stack and checks) • DynSec (with different patches)

  19. 0.5 1.5 2.5 0 1 2 SPEC CPU2006: Performance 400.perlbench 401.bzip2 403.gcc 429.mcf 445.gobmk 456.hmmer 458.sjeng 462.libquantum 464.h264ref 471.omnetpp Sandbox 473.astar 410.bwaves 416.gamess 433.milc DynSec 434.zeusmp 435.gromacs 436.cactusADM 437.leslie3d 444.namd 450.soplex 453.povray 454.calculix 459.GemsFDTD 465.tonto 470.lbm 482.sphinx3 Mean

  20. 0.5 1.5 2.5 0 1 2 SPEC CPU2006: Performance 400.perlbench 401.bzip2 Low performance overhead 403.gcc 429.mcf 445.gobmk 456.hmmer 458.sjeng 462.libquantum 464.h264ref 471.omnetpp Sandbox (~11%) 473.astar 410.bwaves 416.gamess 433.milc DynSec 434.zeusmp 435.gromacs 436.cactusADM 437.leslie3d 444.namd 450.soplex 453.povray 454.calculix 459.GemsFDTD 465.tonto 470.lbm 482.sphinx3 Mean

  21. Apache: “large” files (~250kb) Performance impact: picture.png 1000 900 800 Throughput [MB/s] 700 600 500 400 300 200 100 0 100 1000 10000 Total connections Native TRUE DynSec DynSec-50 DynSec-100

  22. Apache: “large” files (~250kb) Performance impact: picture.png 1000 900 800 Throughput [MB/s] 700 Less than 7% slowdown 600 500 400 300 200 100 0 100 1000 10000 Total connections Native TRUE DynSec DynSec-50 DynSec-100

  23. Apache: small (tiny) files (~50b) Performance impact: index.html 3.5 3 Throughput [MB/s] 2.5 2 1.5 1 0.5 0 100 1000 10000 Total connections Native TRUE DynSec DynSec-50 DynSec-100

  24. Apache: small (tiny) files (~50b) Performance impact: index.html 3.5 3 Low performance cost for Throughput [MB/s] 2.5 2 large connection counts 1.5 1 0.5 0 100 1000 10000 Total connections Native TRUE DynSec DynSec-50 DynSec-100

  25. Outline Motivation Patching architecture & distribution Apache case-study Evaluation Conclusion

  26. Conclusion Virtualization enables on-the-fly code rewriting and repair for unmodified applications • Sandbox protects integrity • Patches provide availability Study shows that protecting large, long-running, and modular applications like Apache is feasible • High coverage: 45 of 49 Apache bugs patchable • Low performance impact: 7% for Apache 2.2

  27. Patching Architecture DynSec thread waits for incoming patches Patch application happens in 3 steps: • Signal all application threads to stop • Flush all code caches • Restart application threads Patch is applied indirectly when code is retranslated • BT checks for every instruction if a patch is available

  28. Patch Format The focus of DynSec is on security patches • Most security patches are only few lines of code • Type changes and code refactoring out of scope Patches are sets of changed instructions Each patch may specify additional shared library for more heavyweight changes

  29. Patch Extraction Build patched application with current toolchain Extract instruction differences between patched and unpatched version of the binary (per function) • Changed instructions are added to patch • Check differences in static read-only data • Manually ensure integrity of patch (no type changes, no data changes)

Recommend


More recommend