Skip to main content

Software Cruising: A New Technology for Building Concurrent Software Monitor

  • Chapter
  • First Online:
Secure Cloud Computing

Abstract

We introduce a novel concurrent software monitoring technology, called software cruising. It leverages multicore architectures and utilizes lock-free data structures and algorithms to achieve efficient and scalable security monitoring. Applications include, but are not limited to, heap buffer integrity checking, kernel memory cruising, data structure and object invariant checking, rootkit detection, and information provenance and flow checking. In the software cruising framework, one or more dedicated threads, called cruising threads, are running concurrently with the monitored user or kernel code, to constantly check, or cruise, for security violations. We believe the software cruising technology would result in a game-changing capability in security monitoring for the cloud-based and traditional computing and network systems.

We have developed two prototypical cruising systems: Cruiser, a lock-free concurrent heap buffer overflow monitor in user space, and Kruiser, a semi-synchronized non-blocking OS kernel cruiser. Our experimental results showed that software cruising can be deployed in practice with modest overhead. In user space, heap buffer overflow cruising incurs only 5 % performance overhead on average for the SPEC CPU2006 benchmark, and the Apache throughput slowdown is only 3 % maximum and negligible on average. In kernel space, it is negligible for SPEC, and 3.8 % for Apache. Both technologies can be deployed in large scale for cloud data centers and server farms in an automated manner.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.00
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 109.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Technically speaking, lock-free and non-blocking are related, but different concepts. Here, we do not distinguish the difference and rather use them interchangeably to mean that it is not traditional lock-based and not blocking.

References

  1. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS ’05), pp. 340–353 (2005)

    Google Scholar 

  2. Akritidis, P., Costa, M., Castro, M., Hand, S.: Baggy bounds checking: an efficient and backwards-compatible defense against out-of-bounds errors. In: USENIX Security ’09, pp. 51–66 (2009)

    Google Scholar 

  3. Austin, T.M., Breach, S.E., Sohi, G.S.: Efficient detection of all pointer and array access errors. In: Proceedings of the ACM SIGPLAN conference on Programming language design and implementation, PLDI ’04, pp. 290–301 (2004)

    Google Scholar 

  4. Avijit, K., Gupta, P.: Tied, libsafeplus, tools for runtime buffer overflow protection. In: USENIX Security ’04, pp. 4–4 (2004)

    Google Scholar 

  5. Baliga, A., Ganapathy, V., Iftode, L.: Automatic inference and enforcement of kernel data structure invariants. In: ACSAC ’08: Proceedings of the 2008 Annual Computer Security Applications Conference, pp. 77–86. IEEE Computer Society, Washington, DC, USA (2008). DOI http://dx.doi.org/10.1109/ACSAC.2008.29

  6. Barrantes, E.G., Ackley, D.H., Palmer, T.S., Stefanovic, D., Zovi, D.D.: Randomized instruction set emulation to disrupt binary code injection attacks. In: Proceedings of the ACM conference on Computer and communications security, CCS ’03, pp. 281–289 (2003)

    Google Scholar 

  7. Berger, E.D.: HeapShield: Library-based heap overflow protection for free. Tech. Report UMCS TR-2006-28, Univ. of Mass. Amherst (2006)

    Google Scholar 

  8. Berger, E.D., Zorn, B.G.: DieHard: probabilistic memory safety for unsafe languages. In: Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation, PLDI ’06, pp. 158–168. ACM, New York, NY, USA (2006). DOI http://doi.acm.org/10.1145/1133981.1134000. URL http://doi.acm.org/10.1145/1133981.1134000

  9. Bhatkar, E., Duvarney, D.C., Sekar, R.: Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In: USENIX Security ’03, pp. 105–120 (2003)

    Google Scholar 

  10. Castro, M., Costa, M., Harris, T.: Securing software by enforcing data-flow integrity. In: Proceedings of the 7th symposium on Operating systems design and implementation, OSDI ’06, pp. 147–160. USENIX Association, Berkeley, CA, USA (2006). URL http://dl.acm.org/citation.cfm?id=1298455.1298470

  11. Chatterjee, S., Lahiri, S., Qadeer, S., Rakamaric, Z.: A reachability predicate for analyzing low-level software. In: O. Grumberg, M. Huth (eds.) Proceedings of the 13th international conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’07), Lecture Notes in Computer Science, vol. 4424, pp. 19–33. Springer Berlin Heidelberg (2007). DOI 10.1007/978-3-540-71209-1_4. URL http://dx.doi.org/10.1007/978-3-540-71209-1_4

  12. Chiueh, T.C., Hsu, F.H.: RAD: A compile-time solution to buffer overflow attacks. In: Proceedings of the The 21st International Conference on Distributed Computing Systems (ICDCS ’01), pp. 409–417 (2001)

    Google Scholar 

  13. Condit, J., Hackett, B., Lahiri, S.K., Qadeer, S.: Unifying type checking and property checking for low-level code. In: Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL ’09, pp. 302–314. ACM, New York, NY, USA (2009). DOI http://doi.acm.org/10.1145/1480881.1480921. URL http://doi.acm.org/10.1145/1480881.1480921

  14. Cowan, C., Beattie, S.: PointGuard: protecting pointers from buffer overflow vulnerabilities. In: USENIX Security ’03, pp. 91–104 (2003)

    Google Scholar 

  15. Cowan, C., Pu, C.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: USENIX Security ’98, pp. 63–78 (1998)

    Google Scholar 

  16. Cox, B., Evans, D., Filipi, A., Rowanhill, J., Hu, W., Davidson, J., Knight, J., Nguyen-Tuong, A., Hiser, J.: N-variant systems: a secretless framework for security through diversity. In: USENIX Security ’06, pp. 105–120 (2006)

    Google Scholar 

  17. Denning, D.: A lattice model of secure information flow. Communications of the ACM 19(5), 236–243 (1976)

    Article  MATH  MathSciNet  Google Scholar 

  18. Dor, N., Rodeh, M., Sagiv, M.: CSSV: towards a realistic tool for statically detecting all buffer overflows in C. In: Proceedings of the ACM SIGPLAN conference on Programming language design and implementation, PLDI ’03, pp. 155–167 (2003)

    Google Scholar 

  19. Efstathopoulos, P., Krohn, M., VanDeBogart, S., Frey, C., Ziegler, D., Kohler, E., Mazieres, D., Kaashoek, F., Morris, R.: Labels and event processes in the Asbestos operating system. In: Proceedings of the Nineteenth ACM SIGOPS symposium on Operating systems principles, SOSP ’05 (2005)

    Google Scholar 

  20. Electric Fence: Malloc debugger. http://directory.fsf.org/project/ElectricFence/

  21. Frantzen, M., Shuey, M.: StackGhost: Hardware facilitated stack protection. In: USENIX Security ’01, pp. 55–66 (2001)

    Google Scholar 

  22. Hastings, R., Joyce, B.: Purify: Fast detection of memory leaks and access errors. In: the Winter 1992 Usenix Conference, pp. 125–136 (1992)

    Google Scholar 

  23. Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6(3), 151–180 (1998). URL http://dl.acm.org/citation.cfm?id=1298081.1298084

    Google Scholar 

  24. IBM: ProPolice detector. http://www.trl.ibm.com/projects/security/ssp/

  25. IBM System/370 Extended Architecture, Principles of Operations: IBM Publication No. SA22-7085 (1983)

    Google Scholar 

  26. Jim, T., Morrisett, J.G., Grossman, D., Hicks, M.W., Cheney, J., Wang, Y.: Cyclone: A safe dialect of C. In: USENIX Annual Technical Conference (ATC ’02), pp. 275–288 (2002)

    Google Scholar 

  27. Keromytis, A.D.: The case for self-healing software. In: Aspects of Network and Information Security: Proceedings NATO Advanced Studies Institute (ASI) on Network Security and Intrusion Detection (2005)

    Google Scholar 

  28. King, S.T., Chen, P.M.: Backtracking intrusions. In: Proceedings of the nineteenth ACM symposium on Operating systems principles, SOSP ’03, pp. 223–236. ACM, New York, NY, USA (2003). DOI 10.1145/945445.945467. URL http://doi.acm.org/10.1145/945445.945467

  29. Kiriansky, V., Bruening, D., Amarasinghe, S.P.: Secure execution via program shepherding. In: USENIX Security ’02, pp. 191–206 (2002)

    Google Scholar 

  30. Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Kaashoek, M.F., Kohler, E., Morris, R.: Information flow control for standard OS abstractions. In: Proceedings of the twenty-first ACM SIGOPS symposium on Operating systems principles, SOSP (2007)

    Google Scholar 

  31. Lahiri, S.K., Qadeer, S.: Verifying properties of well-founded linked lists. In: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL ’06, pp. 115–126. ACM, New York, NY, USA (2006). DOI http://doi.acm.org/10.1145/1111037.1111048. URL http://doi.acm.org/10.1145/1111037.1111048

  32. Lamport, L.: Proving the correctness of multiprocess programs. IEEE Trans. Softw. Eng. 3(2), 125–143 (1977)

    Article  MATH  MathSciNet  Google Scholar 

  33. Michael, M.M.: Hazard pointers: Safe memory reclamation for lock-free objects. IEEE Trans. Parallel Distrib. Syst. 15(6), 491–504 (2004)

    Article  Google Scholar 

  34. Myers, A., Liskov, B.: Protecting privacy using the decentralized label model. ACM Transactions on Computer Systems (2000)

    Google Scholar 

  35. Myers, A.C., Liskov, B.: A decentralized model for information flow control. In: Proceedings of the sixteenth ACM symposium on Operating systems principles, SOSP ’97, pp. 129–142. ACM, New York, NY, USA (1997). DOI 10.1145/268998.266669. URL http://doi.acm.org/10.1145/268998.266669

  36. Necula, G.C., Condit, J., Harren, M., McPeak, S., Weimer, W.: CCured: type-safe retrofitting of legacy software. ACM Trans. Program. Lang. Syst. 27(3), 477–526 (2005)

    Article  Google Scholar 

  37. Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signaturegeneration of exploits on commodity software. In: Proceedings of the Network and Distributed System Security Symposium (NDSS ’05) (2005)

    Google Scholar 

  38. NIST. SAMATE Reference Dataset: http://samate.nist.gov/SRD

  39. Novark, G., Berger, E.D.: DieHarder: securing the heap. In: Proceedings of the 17th ACM conference on Computer and communications security, CCS ’10, pp. 573–584. ACM, New York, NY, USA (2010). DOI http://doi.acm.org/10.1145/1866307.1866371. URL http://doi.acm.org/10.1145/1866307.1866371

  40. Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: Proceedings of the 14th conference on USENIX Security Symposium - Volume 14, pp. 113–128. USENIX Association, Berkeley, CA, USA (2005). URL http://dl.acm.org/citation.cfm?id=1251398.1251406

  41. Perkins, J.H., Kim, S., Larsen, S., Amarasinghe, S., Bachrach, J., Carbin, M., Pacheco, C., Sherwood, F., Sidiroglou, S., Sullivan, G., Wong, W.F., Zibin, Y., Ernst, M.D., Rinard, M.: Automatically patching errors in deployed software. In: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles, SOSP ’09, pp. 87–102. ACM, New York, NY, USA (2009). DOI http://doi.acm.org/10.1145/1629575.1629585. URL http://doi.acm.org/10.1145/1629575.1629585

  42. Petroni Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: Proceedings of the 14th ACM conference on Computer and communications security, CCS ’07, pp. 103–115 (2007)

    Google Scholar 

  43. Portokalidis, G., Keromytis, A.D.: REASSURE: A self-contained mechanism for healing software using rescue points. In: Advances in Information and Computer Security—6th International Workshop, IWSEC 2011, Tokyo, Japan, November 8–10, 2011. Proceedings, Lecture Notes in Computer Science, vol. 7038, pp. 16–32. Springer (2011)

    Google Scholar 

  44. Prasad, M., Chiueh, T.C.: A binary rewriting defense against stack based buffer overflow attacks. In: Usenix Annual Technical Conference (Usenix ATC ’03), pp. 211–224 (2003)

    Google Scholar 

  45. Riley, R., Jiang, X., Xu, D.: Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In: Proceedings of the 11th international conference on Recent advances in intrusion detection, RAID ’08 (2008)

    Google Scholar 

  46. Robertson, W., Kruegel, C., Mutz, D., Valeur, F.: Run-time detection of heap-based overflows. In: Proceedings of the 17th Usenix Conference on System Administration (LISA ’03), pp. 51–60. Usenix Association, Berkeley, CA, USA (2003)

    Google Scholar 

  47. Roethlisberge, D.: Omnikey Cardman 4040 Linux driver buffer overflow (2007). http://www.securiteam.com/unixfocus/5CP0D0AKUA.html

  48. Ruwase, O., Lam, M.S.: A practical dynamic buffer overflow detector. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS ’04), pp. 159–169 (2004)

    Google Scholar 

  49. Salamat, B., Jackson, T., Gal, A., Franz, M.: Orchestra: intrusion detection using parallel execution and monitoring of program variants in user-space. In: Proceedings of the 4th ACM European conference on Computer systems (EuroSys ’09), pp. 33–46 (2009)

    Google Scholar 

  50. Schneider, F.: Blueprint for a science of cybersecurity. The Next Wave 19(2), 47–57 (2012)

    Google Scholar 

  51. SecurityFocus: Wu-ftpd file globbing heap corruption (2001). http://www.securityfocus.com/bid/3581

  52. SecurityFocus: Sudo password prompt heap overflow (2002). http://www.securityfocus.com/bid/4593

  53. SecurityFocus: CVS directory request double free heap corruption (2003). http://www.securityfocus.com/bid/6650

  54. SecurityFocus: Mozilla Firefox and Seamonkey regular expression parsing heap buffer overflow (2009). http://www.securityfocus.com/bid/35891

  55. SecurityFocus: libHX ‘HX_split()’ remote heap-based buffer overflow (2010). http://www.securityfocus.com/bid/42592

  56. SecurityFocus: Lynx browser ‘convert_to_idna()’ function remote heap based buffer overflow (2010). http://www.securityfocus.com/bid/42316

  57. Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In: Proceedings of the twenty-first ACM SIGOPS symposium on Operating systems principles, SOSP ’07, pp. 335–350 (2007)

    Google Scholar 

  58. Sharif, M.I., Lee, W., Cui, W., Lanzi, A.: Secure in-VM monitoring using hardware virtualization. In: Proceedings of the 16th ACM conference on Computer and communications security, CCS ’09, pp. 477–487 (2009)

    Google Scholar 

  59. Shehory, O.: SHADOWS: Self-healing complex software systems. In: Automated Software Engineering, pp. 71–76 (2008). DOI 10.1109/ASEW.2008.4686296

    Google Scholar 

  60. Sidiroglou, S., Laadan, O., Perez, C., Viennot, N., Nieh, J., Keromytis, A.D.: ASSURE: automatic software self-healing using rescue points. In: M.L. Soffa, M.J. Irwin (eds.) ASPLOS, pp. 37–48. ACM (2009)

    Google Scholar 

  61. Solar Designer: Non-executable user stack (1997). http://www.openwall.com/linux/

  62. sqrkkyu, twzi: Attacking the core: Kernel exploiting notes (2007). http://phrack.org/issues.html

  63. Srivastava, A., Erete, I., Giffin, J.: Kernel data integrity protection via memory access control. Tech. Rep. GT-CS-09-04, Georgia Institute of Technology (2009)

    Google Scholar 

  64. StackShield: (2000). http://www.angelfire.com/sk/stackshield/

  65. The PaX project: http://pax.grsecurity.net/

  66. Tian, D., Zeng, Q., Wu, D., Liu, P., Hu, C.: Kruiser: Semi-synchronized non-blocking concurrent kernel heap buffer overflow monitoring. In: Proceedings of the 19th Network and Distributed System Security Symposium, NDSS ’12 (2012)

    Google Scholar 

  67. Tiwari, M., Wassel, H.M., Mazloom, B., Mysore, S., Chong, F.T., Sherwood, T.: Complete information flow tracking from the gates up. In: Proceedings of the 14th international conference on Architectural support for programming languages and operating systems, ASPLOS XIV, pp.  109–120. ACM, New York, NY, USA (2009). DOI 10.1145/1508244.1508258. URL http://doi.acm.org/10.1145/1508244.1508258

  68. Tsai, T.K., Singh, N.: Libsafe: Transparent system-wide protection against buffer overflow attacks. In: Proceedings of the 2002 International Conference on Dependable Systems and Networks (DSN ’02), pp. 541–541 (2002)

    Google Scholar 

  69. US-CERT/NIST: CVE-2008-1673. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1673

  70. US-CERT/NIST: CVE-2009-2407. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2407

  71. US-CERT/NIST: National vulnerability database, CVE-2002-0392. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0392

  72. US-CERT/NIST: National vulnerability database, CVE-2003-0252. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0252

  73. Valgrind: http://valgrind.org/

  74. Wagner, D., Foster, J.S., Brewer, E.A., Aiken, A.: A first step towards automated detection of buffer overrun vulnerabilities. In: Proceedings of the 7th Network and Distributed System Security Symposium, NDSS ’00, pp. 3–17 (2000)

    Google Scholar 

  75. Wahbe, R., Lucco, S., Anderson, T.E., Graham, S.L.: Efficient software-based fault isolation. In: Proceedings of the fourteenth ACM symposium on Operating systems principles, SOSP ’93, pp. 203–216. ACM, New York, NY, USA (1993). DOI 10.1145/168619.168635. URL http://doi.acm.org/10.1145/168619.168635

  76. Wang, Z., Jiang, X., Cui, W., Ning, P.: Countering kernel rootkits with lightweight hook protection. In: CCS ’09: Proceedings of the 16th ACM Conference on Computer and Communications Security (2009)

    Google Scholar 

  77. Wei, J., Payne, B.D., Giffin, J., Pu, C.: Soft-timer driven transient kernel control flow attacks and defense. In: ACSAC ’08: Proceedings of the 2008 Annual Computer Security Applications Conference, pp. 97–107. IEEE Computer Society, Washington, DC, USA (2008). DOI http://dx.doi.org/10.1109/ACSAC.2008.40

  78. Xiong, X., Tian, D., Liu, P.: Practical protection of kernel integrity for commodity OS from untrusted extensions. In: Proceedings of the Network and Distributed System Security Symposium, NDSS ’11. The Internet Society (2011)

    Google Scholar 

  79. Xu, J., Kalbarczyk, Z., Patel, S., Iyer, R.: Architecture support for defending against buffer overflow attacks. In: Workshop Evaluating & Architecting Sys. Depend. (2002)

    Google Scholar 

  80. Zeldovich, N., Boyd-Wickizer, S., Kohler, E., Mazieres, D.: Making information flow explicit in HiStar. Communications of the ACM (2011)

    Google Scholar 

  81. Zeldovich, N., Kannan, H., Dalton, M., Kozyrakis, C.: Hardware enforcement of application security policies using tagged memory. In: Proceedings of the 8th USENIX conference on Operating systems design and implementation, OSDI’08, pp. 225–240. USENIX Association, Berkeley, CA, USA (2008). URL http://dl.acm.org/citation.cfm?id=1855741.1855757

  82. Zeng, Q., Wu, D., Liu, P.: Cruiser: Concurrent heap buffer overflow monitoring using lock-free data structures. In: Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation, PLDI ’11, pp. 367–377. ACM, New York, NY, USA (2011). DOI http://doi.acm.org/10.1145/1993498.1993541. URL http://doi.acm.org/10.1145/1993498.1993541

Download references

Acknowledgements

This research was supported in part by the National Science Foundation (NSF) under the grants CNS-1223710 and CNS-0905131, the Army Research Office (ARO) under the grant W911NF-09-1-0525 (MURI), and the Air Force Office of Scientific Research (AFOSR) under the grant W911NF1210055.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Dinghao Wu .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer Science+Business Media New York

About this chapter

Cite this chapter

Wu, D., Liu, P., Zeng, Q., Tian, D. (2014). Software Cruising: A New Technology for Building Concurrent Software Monitor. In: Jajodia, S., Kant, K., Samarati, P., Singhal, A., Swarup, V., Wang, C. (eds) Secure Cloud Computing. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-9278-8_14

Download citation

  • DOI: https://doi.org/10.1007/978-1-4614-9278-8_14

  • Published:

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-9277-1

  • Online ISBN: 978-1-4614-9278-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics