Software Cruising: A New Technology for Building Concurrent Software Monitor

  • Dinghao Wu
  • Peng Liu
  • Qiang Zeng
  • Donghai Tian
Chapter

Abstract

We introduce a novel concurrent software monitoring technology, called software cruising. It leverages multicore architectures and utilizes lock-free data structures and algorithms to achieve efficient and scalable security monitoring. Applications include, but are not limited to, heap buffer integrity checking, kernel memory cruising, data structure and object invariant checking, rootkit detection, and information provenance and flow checking. In the software cruising framework, one or more dedicated threads, called cruising threads, are running concurrently with the monitored user or kernel code, to constantly check, or cruise, for security violations. We believe the software cruising technology would result in a game-changing capability in security monitoring for the cloud-based and traditional computing and network systems.

We have developed two prototypical cruising systems: Cruiser, a lock-free concurrent heap buffer overflow monitor in user space, and Kruiser, a semi-synchronized non-blocking OS kernel cruiser. Our experimental results showed that software cruising can be deployed in practice with modest overhead. In user space, heap buffer overflow cruising incurs only 5 % performance overhead on average for the SPEC CPU2006 benchmark, and the Apache throughput slowdown is only 3 % at maximum and negligible on average. In kernel space, the overhead is negligible for SPEC and 3.8 % for Apache. Both technologies can be deployed at large scale in cloud data centers and server farms in an automated manner.
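A concrete sketch of the cruising idea the abstract describes, added here as an example and not taken from the chapter or from the Cruiser/Kruiser implementations: a monitored thread wraps heap buffers in guard words and publishes them to a lock-free registry, while a separate cruising thread rescans the registry for corrupted guards. It assumes a single allocating thread, C11 atomics and POSIX threads; the guard value and the one-byte overflow in main are constructed for the demonstration.

```c
/* Added example (not the chapter's Cruiser code): a minimal cruising heap monitor. The
 * monitored thread wraps buffers in guard words and publishes them to a lock-free,
 * single-producer registry; a cruising thread concurrently rescans for guard corruption. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CANARY 0xC0DEC0DECAFEBABEULL  /* constructed guard value */
typedef struct { uint64_t *head; size_t size; } guarded_t;
static guarded_t registry[64];
static atomic_size_t registered;      /* entries below this index are published */
static atomic_int violations, stop;

/* Allocate `size` user bytes between two guard words and publish the entry
 * with a release store; neither the allocator nor the cruiser takes a lock. */
void *guarded_alloc(size_t size) {
    size_t i = atomic_load(&registered);
    if (i >= 64) return NULL;
    uint64_t *head = malloc(size + 2 * sizeof(uint64_t)), canary = CANARY;
    if (!head) return NULL;
    head[0] = canary;
    memcpy((char *)(head + 1) + size, &canary, sizeof canary); /* tail may be unaligned */
    registry[i] = (guarded_t){ head, size };
    atomic_store_explicit(&registered, i + 1, memory_order_release);
    return head + 1;
}

/* One cruising pass: count published buffers whose guard words were overwritten. */
int cruise_scan(void) {
    size_t n = atomic_load_explicit(&registered, memory_order_acquire);
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t tail;
        memcpy(&tail, (char *)(registry[i].head + 1) + registry[i].size, sizeof tail);
        if (registry[i].head[0] != CANARY || tail != CANARY) bad++;
    }
    return bad;
}

/* Cruising thread: rescan continuously until told to stop, recording violations. */
static void *cruiser(void *arg) {
    (void)arg;
    while (!atomic_load(&stop)) {
        int bad = cruise_scan();
        if (bad) atomic_store(&violations, bad);
    }
    return NULL;
}

int main(void) {
    pthread_t t; pthread_create(&t, NULL, cruiser, NULL);
    char *buf = guarded_alloc(16);
    memset(buf, 'A', 17);    /* constructed one-byte overflow into the tail guard */
    while (!atomic_load(&violations)) ;  /* wait for the cruiser to notice it */
    atomic_store(&stop, 1); pthread_join(t, NULL);
    printf("overflows detected by the cruising thread: %d\n", atomic_load(&violations));
}
```

The registry is single-producer by design; multiple allocating threads would need a compare-and-swap on the publish index, and a real monitor must also handle reclamation of freed entries, which the chapter's cited hazard-pointer technique addresses.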


Acknowledgements

This research was supported in part by the National Science Foundation (NSF) under the grants CNS-1223710 and CNS-0905131, the Army Research Office (ARO) under the grant W911NF-09-1-0525 (MURI), and the Air Force Office of Scientific Research (AFOSR) under the grant W911NF1210055.


Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  • Dinghao Wu (1)
  • Peng Liu (1)
  • Qiang Zeng (1)
  • Donghai Tian (2)
  1. Pennsylvania State University, University Park, USA
  2. Beijing Institute of Technology, Beijing, China