Abstract
We introduce a novel concurrent software monitoring technology, called software cruising. It leverages multicore architectures and uses lock-free data structures and algorithms to achieve efficient and scalable security monitoring. Applications include, but are not limited to, heap buffer integrity checking, kernel memory cruising, data structure and object invariant checking, rootkit detection, and information provenance and flow checking. In the software cruising framework, one or more dedicated threads, called cruising threads, run concurrently with the monitored user or kernel code and constantly check, or cruise, for security violations. We believe the software cruising technology would result in a game-changing capability in security monitoring for cloud-based and traditional computing and network systems.
We have developed two prototype cruising systems: Cruiser, a lock-free concurrent heap buffer overflow monitor in user space, and Kruiser, a semi-synchronized non-blocking OS kernel cruiser. Our experimental results show that software cruising can be deployed in practice with modest overhead. In user space, heap buffer overflow cruising incurs only 5% performance overhead on average for the SPEC CPU2006 benchmark, and the Apache throughput slowdown is only 3% maximum and negligible on average. In kernel space, the overhead is negligible for SPEC and 3.8% for Apache. Both technologies can be deployed at large scale in cloud data centers and server farms in an automated manner.
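The cruising idea described above, as an added example that is not code from Cruiser, Kruiser or the chapter: an allocator wrapper brackets each heap buffer with canaries and publishes it in a lock-free slot array, and a dedicated thread repeatedly walks that array checking the canaries while the application keeps running. The names `cr_malloc`, `cr_free` and `cruise_once`, the fixed-size registry, the canary formula, the single cruising thread and the choice to let the cruiser reclaim freed buffers are all assumptions made for this illustration.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS 1024
#define KEY 0x5bd1e995c3a5c85cULL /* constructed; a real monitor would randomize it */
/* Header in front of user data; 16-byte alignment keeps the user pointer aligned. */
typedef struct { _Alignas(16) uint64_t head; size_t size; atomic_int freed; } hdr_t;
static _Atomic(hdr_t *) slots[SLOTS]; /* lock-free registry of live buffers */
static atomic_int alerts, running;    /* corrupted buffers reported; cruiser on/off */
static uint64_t canary(const hdr_t *h) { return KEY ^ (uintptr_t)h ^ h->size; }
static unsigned char *tail(hdr_t *h) { return (unsigned char *)(h + 1) + h->size; }

void *cr_malloc(size_t size) {
    hdr_t *h = malloc(sizeof *h + size + sizeof(uint64_t));
    if (!h) return NULL;
    h->size = size;
    atomic_init(&h->freed, 0);
    h->head = canary(h);
    memcpy(tail(h), &h->head, sizeof h->head);   /* tail canary, possibly unaligned */
    for (size_t i = 0; i < SLOTS; i++) {         /* publish with CAS, no lock taken */
        hdr_t *empty = NULL;
        if (atomic_compare_exchange_strong(&slots[i], &empty, h)) return h + 1;
    }
    free(h);                                     /* registry full: refuse, never unmonitored */
    return NULL;
}
/* The application only marks the buffer; the cruiser reclaims it after a last check. */
void cr_free(void *p) { if (p) atomic_store(&((hdr_t *)p - 1)->freed, 1); }

int cruise_once(void) {                /* one pass; returns corrupted buffers found */
    int bad = 0;
    for (size_t i = 0; i < SLOTS; i++) {
        hdr_t *h = atomic_load(&slots[i]);
        if (!h) continue;
        int freed = atomic_load(&h->freed);      /* read first: final check covers lifetime */
        /* Head first: it also vouches for size, which locates the tail canary. */
        int ok = h->head == canary(h) && !memcmp(tail(h), &h->head, sizeof h->head);
        bad += !ok;
        if (!ok || freed) atomic_store(&slots[i], NULL);
        if (ok && freed) free(h);                /* corrupted buffers are kept for analysis */
    }
    atomic_fetch_add(&alerts, bad);
    return bad;
}
static void *cruiser(void *arg) { (void)arg; while (atomic_load(&running)) cruise_once(); return NULL; }
int cruiser_start(pthread_t *t) { atomic_store(&running, 1); return pthread_create(t, NULL, cruiser, NULL); }
void cruiser_stop(pthread_t t) { atomic_store(&running, 0); pthread_join(t, NULL); }

int main(void) {
    pthread_t t;
    char *buf = cr_malloc(16);
    if (!buf || cruiser_start(&t) != 0) return 1;
    memset(buf, 'A', 16 + 4);               /* constructed bug: 4 bytes past the end */
    while (atomic_load(&alerts) == 0) { }   /* detection is asynchronous */
    cruiser_stop(t);
    return atomic_load(&alerts) == 1 ? 0 : 1;
}
```

Detection here is asynchronous: the overflow is noticed on the cruiser's next pass rather than at the faulting write, which is the trade that keeps the monitored thread free of inline checks.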
Notes
1. Technically speaking, lock-free and non-blocking are related, but different concepts. Here, we do not distinguish the difference and rather use them interchangeably to mean that it is not traditional lock-based and not blocking.
Acknowledgements
This research was supported in part by the National Science Foundation (NSF) under the grants CNS-1223710 and CNS-0905131, the Army Research Office (ARO) under the grant W911NF-09-1-0525 (MURI), and the Air Force Office of Scientific Research (AFOSR) under the grant W911NF1210055.
Copyright information
© 2014 Springer Science+Business Media New York
About this chapter
Cite this chapter
Wu, D., Liu, P., Zeng, Q., Tian, D. (2014). Software Cruising: A New Technology for Building Concurrent Software Monitor. In: Jajodia, S., Kant, K., Samarati, P., Singhal, A., Swarup, V., Wang, C. (eds) Secure Cloud Computing. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-9278-8_14
DOI: https://doi.org/10.1007/978-1-4614-9278-8_14
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-9277-1
Online ISBN: 978-1-4614-9278-8
eBook Packages: Computer Science (R0)