Abstract
Security enforcement inlined into user threads often slows down the protected programs; inlined resource reclamation may interrupt program execution and defer resource release. We propose software cruising, a novel technique that migrates security enforcement and resource reclamation from user threads to a concurrent monitor thread. The technique leverages the increasingly popular multicore and multiprocessor architectures and uses lock-free data structures to achieve non-blocking and efficient synchronization between the monitor and user threads. As a case study, software cruising is applied to the heap buffer overflow problem. Previous mitigation and detection techniques for this problem suffer from high performance overhead, poor legacy-code compatibility, altered program semantics, or tedious manual program transformation. We present a concurrent heap buffer overflow detector, Cruiser, in which a concurrent thread is added to the user program to monitor heap integrity, and custom lock-free data structures and algorithms are designed to achieve high efficiency and scalability. The experiments show that our approach is practical: it imposes an average of 5% performance overhead on SPEC CPU2006, and the throughput slowdown on Apache is negligible on average.
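The abstract describes the two halves of software cruising: user threads keep doing the allocation work and publish what they did through a lock-free structure, while a separate monitor thread performs the security check (heap canary verification) and the deferred reclamation. The following is an added example written to illustrate that division of labour; it is not Cruiser's code and does not reproduce the paper's data structures. It assumes C11 atomics and POSIX threads. Its list is a simple CAS-published stack in which only the monitor ever rewrites interior links, so no hazard pointers are needed; the canary constant, the allocation header layout, the function names (`cruiser_malloc`, `cruiser_free`, `cruiser_scan`) and the off-by-one in `main` are all constructed for the demonstration.

```c
/* Added example of "software cruising": user threads allocate with canaries and
 * publish records via CAS; a monitor thread checks canaries and reclaims freed
 * blocks. Not Cruiser's code; assumes C11 atomics + POSIX threads. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CANARY 0x9E3779B97F4A7C15ULL   /* constructed; a real deployment uses a secret per-process value */

typedef struct rec {
    struct rec *next;
    unsigned char *base;   /* block layout: [rec* 8][canary 8][payload len][canary 8] */
    size_t len;            /* bytes the caller asked for */
    int reported;          /* touched only by the monitor */
    atomic_int freed;      /* set by the user thread; the monitor reclaims */
} rec_t;

static _Atomic(rec_t *) g_head;   /* lock-free list shared by user threads and the monitor */
static atomic_int g_corrupt;      /* blocks reported corrupted so far */
static atomic_int g_stop;

static void put_canary(unsigned char *p) { uint64_t c = CANARY; memcpy(p, &c, 8); }
static int canary_ok(const unsigned char *p) { uint64_t c; memcpy(&c, p, 8); return c == CANARY; }

/* User-thread side: lay out canaries and publish the record with a CAS loop (no lock). */
void *cruiser_malloc(size_t len) {
    rec_t *r = malloc(sizeof *r);
    unsigned char *base = malloc(len + 24);
    if (!r || !base) { free(r); free(base); return NULL; }
    memcpy(base, &r, sizeof r);             /* back-pointer so free() can find its record */
    put_canary(base + 8);
    put_canary(base + 16 + len);
    r->base = base; r->len = len; r->reported = 0;
    atomic_init(&r->freed, 0);
    rec_t *old = atomic_load(&g_head);
    do { r->next = old; } while (!atomic_compare_exchange_weak(&g_head, &old, r));
    return base + 16;
}

/* User-thread side: only flag the block; the final check and release happen in the monitor. */
void cruiser_free(void *p) {
    if (!p) return;
    rec_t *r;
    memcpy(&r, (unsigned char *)p - 16, sizeof r);
    atomic_store(&r->freed, 1);
}

/* Monitor side: one pass over the list. Returns the number of blocks whose
 * canaries are damaged in this pass; flagged blocks are checked once more and reclaimed. */
int cruiser_scan(void) {
    int bad = 0;
    rec_t *prev = NULL, *cur = atomic_load(&g_head);
    while (cur) {
        rec_t *next = cur->next;
        if (!canary_ok(cur->base + 8) || !canary_ok(cur->base + 16 + cur->len)) {
            bad++;
            if (!cur->reported) {           /* report each corrupted block once */
                cur->reported = 1;
                atomic_fetch_add(&g_corrupt, 1);
                fprintf(stderr, "cruiser: canary corrupted on %zu-byte block at %p\n",
                        cur->len, (void *)(cur->base + 16));
            }
        }
        if (atomic_load(&cur->freed)) {
            /* Deferred reclamation. User threads only CAS on the head, so an interior
             * unlink needs no CAS; a head unlink that loses to a concurrent push is retried next pass. */
            rec_t *expect = cur;
            if (prev) prev->next = next;
            else if (!atomic_compare_exchange_strong(&g_head, &expect, next)) { prev = cur; cur = next; continue; }
            free(cur->base); free(cur);
            cur = next;
            continue;
        }
        prev = cur; cur = next;
    }
    return bad;
}

static void *monitor_main(void *arg) {
    (void)arg;
    struct timespec tick = { 0, 1000000 };              /* 1 ms between passes */
    while (!atomic_load(&g_stop)) { cruiser_scan(); nanosleep(&tick, NULL); }
    return (void *)(intptr_t)cruiser_scan();            /* final pass reclaims what is still flagged */
}

int main(void) {
    pthread_t mon;
    if (pthread_create(&mon, NULL, monitor_main, NULL) != 0) return 1;
    char *ok = cruiser_malloc(8);
    memcpy(ok, "12345678", 8);              /* in bounds: never reported */
    char *bug = cruiser_malloc(8);
    memset(bug, 'A', 9);                    /* constructed off-by-one: clobbers the tail canary */
    struct timespec wait = { 0, 5000000 };
    nanosleep(&wait, NULL);                 /* let the monitor run a few passes */
    cruiser_free(ok); cruiser_free(bug);    /* user thread only flags; monitor reclaims */
    atomic_store(&g_stop, 1);
    pthread_join(mon, NULL);
    printf("blocks reported corrupted: %d\n", atomic_load(&g_corrupt));
    return 0;
}
```

The user thread's critical path is a `malloc` plus one CAS, and `cruiser_free` is a single atomic store, which is the point of cruising: the canary checks and the `free` calls run on another core. The simplification that makes the reclamation safe without hazard pointers is that only the monitor traverses and unlinks; with several monitor threads, or with user threads that also read the list, a safe memory reclamation scheme would be needed. Detection is asynchronous by design, so a corrupted block is reported within roughly one scan interval rather than at the offending instruction.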
Cruiser: concurrent heap buffer overflow monitoring using lock-free data structures. PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation.