PartiSan: Fast and Flexible Sanitization via Run-Time Partitioning
Sanitizers can detect security vulnerabilities in C/C++ code that elude static analysis. Current practice is to continuously fuzz and sanitize internal pre-release builds. Sanitization-enabled builds are rarely released publicly. This is in large part due to the high memory and processing requirements of sanitizers.
We present PartiSan, a run-time partitioning technique that speeds up sanitizers and allows them to be used in a more flexible manner. Our core idea is to partition the execution into sanitized slices that incur a run-time overhead, and “unsanitized” slices running at full speed. With PartiSan, sanitization is no longer an all-or-nothing proposition. A single build can be distributed to every user regardless of their willingness to enable sanitization and the capabilities of their host system. PartiSan enables application developers to define their own sanitization policies. Such policies can automatically adjust the amount of sanitization to fit within a performance budget or disable sanitization if the host lacks sufficient resources. The flexibility afforded by run-time partitioning also means that we can alternate between different types of sanitizers dynamically; today, developers have to pick a single type of sanitizer ahead of time. Finally, we show that run-time partitioning can speed up fuzzing by running the sanitized partition only when the fuzzer discovers an input that causes a crash or uncovers new execution paths.
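As an added illustration of the run-time partitioning idea (not PartiSan's implementation), the following C sketch ships a sanitized and an unsanitized variant of one function in a single build and lets a budget-driven policy decide, call by call, which slice executes; the cost figures, function names and the xorshift selector are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Added sketch, not PartiSan's code: one build carries both variants of a
 * hot function; a policy picks per call which one runs so the expected
 * slowdown stays within a budget (costs and names are assumed). */

static long g_violations;          /* checks tripped inside the sanitized slice */
static long g_sanitized_dispatch;  /* calls the policy routed to the sanitized variant */
typedef long (*sum_fn)(const int *a, size_t n, size_t lo, size_t hi);

/* Unsanitized variant: trusts the caller, runs at full speed. */
long sum_fast(const int *a, size_t n, size_t lo, size_t hi) {
    (void)n;
    long s = 0;
    for (size_t i = lo; i < hi; i++) s += a[i];
    return s;
}

/* Sanitized variant: a bounds check standing in for an ASan-style check. */
long sum_checked(const int *a, size_t n, size_t lo, size_t hi) {
    if (lo > hi || hi > n) { g_violations++; return 0; }
    return sum_fast(a, n, lo, hi);
}

/* Policy: fraction p of calls sent to the sanitized variant such that
 * (1-p)*cost_fast + p*cost_san <= cost_fast * (1 + budget). */
double sanitized_fraction(double budget, double cost_fast, double cost_san) {
    if (budget <= 0.0) return 0.0;                        /* no budget: sanitization off */
    double overhead = (cost_san - cost_fast) / cost_fast; /* relative extra cost */
    if (overhead <= 0.0) return 1.0;                      /* check is free: always on */
    double p = budget / overhead;
    return p > 1.0 ? 1.0 : p;
}

/* Deterministic xorshift so the partition is reproducible. */
static uint32_t g_state = 2463534242u;
static double next_unit(void) {
    g_state ^= g_state << 13; g_state ^= g_state >> 17; g_state ^= g_state << 5;
    return (g_state >> 8) / 16777216.0;                   /* 24 bits -> [0,1) */
}

/* Dispatch: the slice boundary is decided at the call site, at run time. */
long partitioned_sum(const int *a, size_t n, size_t lo, size_t hi, double frac) {
    sum_fn f = sum_fast;
    if (next_unit() < frac) { f = sum_checked; g_sanitized_dispatch++; }
    return f(a, n, lo, hi);
}
long violations(void) { return g_violations; }
long sanitized_dispatches(void) { return g_sanitized_dispatch; }
```

A budget of 0 disables sanitization entirely (the "host lacks resources" case), while a budget that exceeds the variant's overhead routes every call through the checked slice.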
Keywords: Security; Privacy; Software security; Application security
We would like to thank Jonas Wagner for his advice and pointing out useful previous work. We also would like to thank the anonymous reviewers for their valuable feedback.
This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contracts FA8750-15-C-0124 and FA8750-15-C-0085, by the United States Office of Naval Research (ONR) under contract N00014-17-1-2782, and by the National Science Foundation under awards CNS-1619211 and CNS-1513837.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA) or its Contracting Agents, the Office of Naval Research or its Contracting Agents, the National Science Foundation, or any other agency of the U.S. Government.
The authors also gratefully acknowledge a gift from Oracle Corporation.