effective memory protection using dynamic tainting
play

Effective Memory Protection Using Dynamic Tainting James Clause - PowerPoint PPT Presentation

Apr 10, 2023 •664 likes •1.87k views

Effective Memory Protection Using Dynamic Tainting James Clause Ioanis Doudalis and Alessandro Orso Milos Prvulovic (software) (hardware) College of Computing Georgia Institute of Technology Supported in part by: NSF awards CCF-0541080

  1. Approach overview 3 2 1 C B A 1 Assign taint marks P 1 2 Propagate P 4 taint marks 1 1 P 2 2 3 Check P 5 taint marks P 3 3 3

  2. Approach overview 3 2 1 C B A 1 Assign taint marks P 1 2 Propagate P 4 taint marks 1 1 P 2 2 3 Check P 5 taint marks P 3 3 3

  3. Approach overview 3 2 1 C B A 1 Assign taint marks � P 1 2 Propagate P 4 taint marks 1 1 P 2 2 3 Check P 5 taint marks P 3 3 3

  4. Approach overview 3 2 1 C B A 1 Assign taint marks P 1 2 Propagate P 4 taint marks 1 1 P 2 2 3 Check P 5 taint marks P 3 3 3

  5. Approach overview 3 2 1 C B A 1 Assign taint marks P 1 2 Propagate P 4 taint marks 1 1 P 2 2 3 Check P 5 taint marks P 3 3 3

  6. Approach overview 3 2 1 C B A 1 Assign taint marks P 1 � 2 Propagate P 4 taint marks 1 1 P 2 2 3 Check P 5 taint marks P 3 3 3

  7. Outline • Our approach 1. Assigning taint marks 2. Propagating taint marks 3. Checking taint marks • Empirical evaluation • Conclusions

  8. 1 Assigning taint marks Static Dynamic Memory Pointers

  9. 1 Assigning taint marks Static Dynamic Memory Pointers

  10. 1 Assigning taint marks Static Dynamic buf: i: n: Memory Pointers np:

  11. 1 Assigning taint marks Static [&np , &np + sizeof(int *)) Dynamic buf: i: n: { Memory Pointers np:

  12. 1 Assigning taint marks Static Dynamic buf: i: n: Memory Pointers np:

  13. 1 Assigning taint marks Static Dynamic buf: 4 i: 3 n: 2 Memory Pointers np: 1

  14. 1 Assigning taint marks Static Dynamic Memory Pointers

  15. 1 Assigning taint marks Static Dynamic Memory Pointers

  16. 1 Assigning taint marks Static address-of operator ( &) Dynamic Memory Pointers

  17. 1 Assigning taint marks Static Dynamic Memory Pointers

  18. 1 Assigning taint marks Static Dynamic buf: 4 i: 3 n: 2 Memory Pointers np: 1

  19. 1 Assigning taint marks Static Dynamic Memory Pointers

  20. 1 Assigning taint marks Static Dynamic Memory Pointers

  21. 1 Assigning taint marks Static Dynamic Memory Pointers

  22. 1 Assigning taint marks Static Dynamic buf: 4 i: 3 n: 3 2 Memory Pointers np: 1 2

  23. 1 Assigning taint marks { Static Dynamic [ret, ret + arg0) buf: 4 i: 3 n: 3 2 Memory Pointers np: 1 2

  24. 1 Assigning taint marks Static Dynamic buf: 4 i: 3 n: 3 2 Memory Pointers np: 1 2

  25. 1 Assigning taint marks Static 5 5 5 Dynamic buf: 4 i: 3 n: 3 2 Memory Pointers np: 1 2

  26. 1 Assigning taint marks Static Dynamic Memory Pointers

  27. 1 Assigning taint marks Static Dynamic Memory Pointers

  28. 1 Assigning taint marks Static Dynamic return value of malloc Memory Pointers

  29. 1 Assigning taint marks Static Dynamic Memory Pointers

  30. 1 Assigning taint marks Static 5 5 5 Dynamic buf: 4 i: 3 n: 3 2 Memory Pointers np: 1 2

  31. 1 Assigning taint marks Static Dynamic Memory Pointers

  32. 1 Assigning taint marks Static Dynamic Memory Pointers

  33. Propagating taint marks 2 Overview Overview P 1 P 2 Addition, Subtraction 1 AND Multiplication, Division, OR, XOR

  34. Propagating taint marks 2 + , � , � , ÷ , Overview Overview P 1 P 2 and , or , xor , Addition, Subtraction 1 ... AND Multiplication, Division, OR, XOR

  35. Propagating taint marks 2 + , � , � , ÷ , Overview Overview P 1 P 2 and , or , xor , Addition, Subtraction 1 ... Should the result be tainted? AND If so, how? Multiplication, Division, OR, XOR

  36. Propagating taint marks 2 + , � , � , ÷ , Overview Overview P 1 P 2 and , or , xor , Addition, Subtraction 1 ... Should the result be tainted? AND If so, how? Multiplication, Division, • Propagation must take into account both OR, XOR operation semantics and programmer intent

  37. Propagating taint marks 2 + , � , � , ÷ , Overview Overview P 1 P 2 and , or , xor , Addition, Subtraction 1 ... Should the result be tainted? AND If so, how? Multiplication, Division, • Propagation must take into account both OR, XOR operation semantics and programmer intent • Our policy is based on knowledge of C/C++/assembly and patterns observed in real software

  38. Propagating taint marks 2 A + / − B = C Overview A B C 1 1 Addition, Subtraction Addition, Subtraction / no 1 1 taint ... AND Most common use of addition and Multiplication, Division, subtraction is to add or subtract a OR, XOR pointer and an offset

  39. Propagating taint marks 2 A & B = C Overview A B C no or 1 1 taint Addition, Subtraction ... AND AND The result of and ing a pointer and a mask should be treated differently depending on the value of the mask Multiplication, Division, OR, XOR c = a & 0xffffff00 - base address c = a & 0x000000ff - offset

  40. Propagating taint marks 2 Overview Addition, Subtraction We found zero cases where the AND result of any of these operations was a pointer Multiplication, Division, Multiplication, Division, OR, XOR OR, XOR

  41. Checking taint marks 3 When memory is accessed through a pointer: compare the memory taint mark and the pointer taint mark Pointer Memory IMA? no 2 2 yes 1 2 yes 3 yes 3 yes

  42. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... }

  43. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... }

  44. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... }

  45. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: ... 2 } np: 1

  46. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: ... 2 } np: 1

  47. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: ... 2 } np: 1 2

  48. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: ... 2 } np: 1 2

  49. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: ... 2 } np: 1 2

  50. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: ... 2 } np: 1 2 �

  51. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: ... 2 } np: 1 2

  52. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: 1 2

  53. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: 1 2

  54. Preventing IMAs 5 void main() { 1. int *np, n, i, *buf; 5 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: 1 2

  55. Preventing IMAs 5 void main() { 1. int *np, n, i, *buf; 5 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 i: 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: 1 2

  56. Preventing IMAs 5 void main() { 1. int *np, n, i, *buf; 5 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 i: 0 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: 1 2

  57. Preventing IMAs 5 void main() { 1. int *np, n, i, *buf; 5 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 i: 0 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: + = 5 5 1 2

  58. Preventing IMAs 5 void main() { 1. int *np, n, i, *buf; 5 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 � i: 0 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: + = 5 5 1 2

  59. Preventing IMAs 5 void main() { 1. int *np, n, i, *buf; 5 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 i: 0 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: 1 2

  60. Preventing IMAs 9 5 void main() { 1. int *np, n, i, *buf; 5 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 i: 0 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: 1 2

  61. Preventing IMAs 9 5 void main() { 8 1. int *np, n, i, *buf; 5 2 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 i: 2 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: 1 2

  62. Preventing IMAs 9 5 void main() { 8 1. int *np, n, i, *buf; 5 2 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 i: 2 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: 1 2

  63. Preventing IMAs 9 5 void main() { 8 1. int *np, n, i, *buf; 5 2 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 i: 3 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: + = 5 5 1 2

  64. Preventing IMAs 9 5 void main() { 8 1. int *np, n, i, *buf; 5 2 5 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5 buf: 5. buf = malloc(n * sizeof(int)); 4 i: 3 � 6. for(i = 0; i <= n; i++) 3 7. *(buf + i) = rand()%10; n: 3 ... 2 } np: + = 5 5 1 2

Recommend

Dynamic Memory Allocation Today Dynamic memory allocation mechanisms &amp; policies

Dynamic Memory Allocation Today Dynamic memory allocation mechanisms &amp; policies

Dynamic Memory Allocation Today Dynamic memory allocation mechanisms &amp; policies Memory bugs Chris Riesbeck, Spring 2010 Original: Fabian Bustamante Wednesday, November 2, 2011 Dynamic memory allocation Application Dynamic

1.2k views • 47 slides
Tag-Protector: An Effective and Dynamic Detection of Out-of-bound Memory Accesses Ahmed Saeed,

Tag-Protector: An Effective and Dynamic Detection of Out-of-bound Memory Accesses Ahmed Saeed,

Tag-Protector: An Effective and Dynamic Detection of Out-of-bound Memory Accesses Ahmed Saeed, Ali Ahmadinia Mike Just School of Engineering and Built Environment School of Mathematics and Glasgow Caledonian University, United Kingdom

310 views • 15 slides
Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory Layout (1) Each Linux process runs within its own virtual address space tables and the MMU (if available) security due to

1.25k views • 68 slides
Dynamic memory organization Considering one possible approach (gnu) to organize dynamic memory

Dynamic memory organization Considering one possible approach (gnu) to organize dynamic memory

Dynamic memory organization Considering one possible approach (gnu) to organize dynamic memory on the system side Give each application its own unique (virtual) memory space Allow that space to be subdivided into space for

473 views • 6 slides
1 Store Buffer Design Example Memory Dependence Any load instruction receives the memory Store

1 Store Buffer Design Example Memory Dependence Any load instruction receives the memory Store

Register and Memory Dependences Store: SW Rt, A(Rs) LW Rt, A(Rs) 1. 1. Calculate effective Calculate effective Lecture 10: Memory Dependence memory address memory address Detection and Speculation dependent on Rs dependent on Rs

479 views • 3 slides
Dynamic Memory Management Allocating memory: The Interface Buddy System

Dynamic Memory Management Allocating memory: The Interface Buddy System

CPSC 410/611 : Operating Systems Dynamic Memory Management Allocating memory: The Interface Buddy System Slab Allocation Reading: Doeppner, 3.3 Memory Areas Memory areas (regions) are intervals of legal

183 views • 5 slides
Dynamic memory networks for Dynamic memory networks for visual and textual question visual and

Dynamic memory networks for Dynamic memory networks for visual and textual question visual and

Dynamic memory networks for Dynamic memory networks for visual and textual question visual and textual question answering answering Stephen Merity (@smerity) Joint work with the MetaMind team: Caiming Xiong, Richard Socher, and more

378 views • 33 slides
Dynamic Memory Management The Linux Perspective Allocating memory: The

Dynamic Memory Management The Linux Perspective Allocating memory: The

CPSC 410/611 : Operating Systems Dynamic Memory Management The Linux Perspective Allocating memory: The Interface Buddy System Slab Allocation Reading: Silberschatz (8 th ed.), Chapters 9.8

447 views • 6 slides
1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

Memory Protection Memory Protection Paging Virtual memory provides protection by: Each process (user or OS) has different virtual memory space. Machines and Virtualization Machines and Virtualization The OS maintain the page tables

83 views • 5 slides
Dynamic Memory Overview Dynamically allocated memory is stored in the Heap-section of

Dynamic Memory Overview Dynamically allocated memory is stored in the Heap-section of

Dynamic Memory Overview Dynamically allocated memory is stored in the Heap-section of memory. It is solely controlled by the programmer (unlike, for example, stack frames or read-only data). As a result, it is the programmers

269 views • 15 slides
Memory Management Thierry Sans Today's questions How to allocate free space? Dynamic Memory

Memory Management Thierry Sans Today's questions How to allocate free space? Dynamic Memory

Memory Management Thierry Sans Today's questions How to allocate free space? Dynamic Memory Allocation How to evict pages from memory? (a.k.a when to swap) Page Replacements Algorithms How much memory to give to each process?

516 views • 48 slides
Memory Management Guest lecture by Junfeng Yang Outline Dynamic memory allocation Stack

Memory Management Guest lecture by Junfeng Yang Outline Dynamic memory allocation Stack

COMS 3995: Networks, Operating Systems and Security Memory Management Guest lecture by Junfeng Yang Outline Dynamic memory allocation Stack Heap Heap allocation strategies Intro to memory management Paging 1 Dynamic

770 views • 43 slides
Main Memory Management External and Internal Fragmentation Address Binding HW

Main Memory Management External and Internal Fragmentation Address Binding HW

CSE 421/521 - Operating Systems Roadmap Fall 2012 Main Memory Management Lecture - XII Fixed and Dynamic Memory Allocation Main Memory Management External and Internal Fragmentation Address Binding HW Address Protection

434 views • 6 slides
TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution Environments Gui Andrade Krste Asanovi Dayeol Lee David Kohlbrenner Dawn Song University of California, Berkeley TRUSTED MEMORY? Securing data/code

703 views • 48 slides
Memory Protection ability to avoid unwanted memory accesses management Sharing

Memory Protection ability to avoid unwanted memory accesses management Sharing

Requirements Relocation ability to change process image position Memory Protection ability to avoid unwanted memory accesses management Sharing ability to share memory portions among processes Logical organization

504 views • 15 slides
Monday Week 05 *op = '\0'; return out; // what is the precise effect? } 1/36 Dynamic Memory

Monday Week 05 *op = '\0'; return out; // what is the precise effect? } 1/36 Dynamic Memory

} Monday Week 05 *op = '\0'; return out; // what is the precise effect? } 1/36 Dynamic Memory Allocation BUG: the out variable is removed when lowerCase() returns. Statically allocated objects ... ... Dynamic Memory Allocation 4/36 are

446 views • 6 slides
1. Dynamic Languages 1. In-Vehicle Net working 1. Plast ic Memory 1. Prot ein Memory 1. S et t ing

1. Dynamic Languages 1. In-Vehicle Net working 1. Plast ic Memory 1. Prot ein Memory 1. S et t ing

1. Dynamic Languages 1. In-Vehicle Net working 1. Plast ic Memory 1. Prot ein Memory 1. S et t ing up a LAN using Linux 1. UMTS 1. Wireless US B 1. Zero Knowledge Prot ocols and Proof S yst ems 1. Tempest and Echelon 1. S ynt het ic Apert ure

273 views • 8 slides
Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory

Protecting Memory What is there to protect in memory? Page tables and virtual memory protection Special security issues for memory Buffer overflows Lecture 8 Page 1 CS 236 Online What Is In Memory? Executable code

401 views • 24 slides
Effiziente Programmierung in c Dynamic Memory Allocation A presentation from : Marcel Ellermann

Effiziente Programmierung in c Dynamic Memory Allocation A presentation from : Marcel Ellermann

Effiziente Programmierung in c Dynamic Memory Allocation A presentation from : Marcel Ellermann Seminar Effizientes Programmieren in C Dynamic Memory Allocation Marcel Ellermann 1 Agenda Introduction to Memory Management

582 views • 34 slides
Dynamic Memory Management for Real-Time Multiprocessor System-on-a-Chip Mohamed A. Shalan

Dynamic Memory Management for Real-Time Multiprocessor System-on-a-Chip Mohamed A. Shalan

Dynamic Memory Management for Real-Time Multiprocessor System-on-a-Chip Mohamed A. Shalan Dissertation Advisor Vincent J. Mooney III School of Electrical and Computer Engineering Agenda Introduction &amp; Motivation Dynamic Memory

1.06k views • 71 slides
Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William G.J. Halfond Alessandro Orso Panagiotis Manolios Georgia Institute of Technology Supported by NSF awards CCR-0205422 and CCR-0306372 to GA Tech and

678 views • 34 slides
Pointers and dynamic objects Topics Pointers Memory addresses Declaration

Pointers and dynamic objects Topics Pointers Memory addresses Declaration

Pointers and dynamic objects Topics Pointers Memory addresses Declaration Dereferencing a pointer Pointers to pointer Static vs. dynamic objects new and delete Computer Memory Each variable is assigned a memory

636 views • 48 slides
Dynamic Memory Allocation Lecture 14 COP 3014 Spring 2018 April 4, 2018 Allocating memory

Dynamic Memory Allocation Lecture 14 COP 3014 Spring 2018 April 4, 2018 Allocating memory

Dynamic Memory Allocation Lecture 14 COP 3014 Spring 2018 April 4, 2018 Allocating memory There are two ways that memory gets allocated for data storage: 1. Compile Time (or static) Allocation Memory for named variables is allocated by the

783 views • 10 slides
Dynamic Memory Allocation Lecture 14 COP 3014 Fall 2019 November 20, 2019 Allocating memory

Dynamic Memory Allocation Lecture 14 COP 3014 Fall 2019 November 20, 2019 Allocating memory

Dynamic Memory Allocation Lecture 14 COP 3014 Fall 2019 November 20, 2019 Allocating memory There are two ways that memory gets allocated for data storage: 1. Compile Time (or static) Allocation Memory for named variables is allocated by

987 views • 10 slides

More recommend