Understanding data lifetime via whole system simulation

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13, pp.22-22, (2004)


Abstract

Strictly limiting the lifetime (i.e. propagation and duration of exposure) of sensitive data (e.g. passwords) is an important and well accepted practice in secure software development. Unfortunately, there are no current methods available for easily analyzing data lifetime, and very little information available on the quality of today's s...

Introduction
  • Examining sensitive data lifetime can lend valuable insight into the security of software systems.
  • The same data is often handled by many different components, including device drivers, operating system, system libraries, programming language runtimes, applications, etc., in the course of a single transaction.
  • This limits the applicability of traditional static and dynamic program analysis techniques, as they are typically limited in scope to a single program, often require program source code, and generally cannot deal with more than one implementation language
Highlights
  • To overcome these limitations we have developed a tool based on whole-system simulation called TaintBochs, which allows us to track the propagation of sensitive data at the hardware level, enabling us to examine all places that sensitive data can reside.
  • In section 2 we present the motivation for our work, discussing why data lifetime is important to security, why minimizing data lifetime is challenging, and how whole system simulation can help.
  • Minimizing data lifetime greatly decreases the chances of sensitive data exposure.
  • We explored how whole system simulation can provide a practical solution to the problem of understanding data lifetime in very large and complex software systems through the use of hardware-level taint analysis.
  • We demonstrated the effectiveness of this solution by implementing a whole system simulation environment called TaintBochs and applying it to analyze sensitive data lifetime in a variety of large real world applications.
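The hardware-level taint propagation the highlights describe, as an added illustration rather than code from the paper or from TaintBochs itself: a toy byte-granularity shadow memory over a flat guest memory, a propagation policy (copies and arithmetic carry taint, constant stores clear it), and a constructed scenario in which a typed password crosses three software layers. The tb_* names, the buffer layout, the purge levels and the sample password are assumptions made for this example; TaintBochs shadows all guest RAM and registers inside the Bochs emulator, which is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of byte-granularity taint tracking over guest memory.
 * Hypothetical names and layout; not the TaintBochs implementation. */
#define MEM_SIZE 256

static uint8_t mem[MEM_SIZE];     /* guest "physical" memory */
static uint8_t shadow[MEM_SIZE];  /* 1 = byte was derived from sensitive input */

void tb_reset(void) {
    memset(mem, 0, sizeof mem);
    memset(shadow, 0, sizeof shadow);
}

/* Sensitive bytes entering the machine (e.g. from the keyboard device
 * model): copy them in and mark every byte tainted. */
void tb_input_sensitive(size_t dst, const uint8_t *src, size_t n) {
    memcpy(&mem[dst], src, n);
    memset(&shadow[dst], 1, n);
}

/* A guest copy (mov through memory, memcpy, ...): taint travels with the data. */
void tb_mov(size_t dst, size_t src, size_t n) {
    memmove(&mem[dst], &mem[src], n);
    memmove(&shadow[dst], &shadow[src], n);
}

/* A guest arithmetic instruction: the result is tainted if any operand is.
 * XOR stands in for the whole ALU here. */
void tb_xor(size_t dst, size_t a, size_t b) {
    mem[dst] = mem[a] ^ mem[b];
    shadow[dst] = shadow[a] | shadow[b];
}

/* A store of a constant (memset(buf, 0, n), xor eax,eax, ...): the new
 * value carries no information about the input, so taint is cleared. */
void tb_store_const(size_t dst, uint8_t v, size_t n) {
    memset(&mem[dst], v, n);
    memset(&shadow[dst], 0, n);
}

int tb_is_tainted(size_t addr) { return shadow[addr] != 0; }

/* The question the whole-system view answers: how many bytes anywhere in
 * the machine still hold something derived from the secret? */
size_t tb_tainted_bytes(void) {
    size_t n = 0;
    for (size_t i = 0; i < MEM_SIZE; i++) n += shadow[i];
    return n;
}

/* Hypothetical layout: one buffer per software layer the password crosses. */
enum { KBD_BUF = 0, STDIO_BUF = 64, APP_BUF = 128, HASH = 200 };
#define PW_LEN 7

/* purge_level 0: nobody clears anything; 1: only the application clears
 * its own copies; 2: every layer clears its buffer when it is done. */
size_t scenario(int purge_level) {
    static const uint8_t pw[] = "hunter2";   /* constructed sample password */
    tb_reset();
    tb_input_sensitive(KBD_BUF, pw, PW_LEN); /* keyboard driver buffer  */
    tb_mov(STDIO_BUF, KBD_BUF, PW_LEN);      /* C library stdio buffer  */
    tb_mov(APP_BUF, STDIO_BUF, PW_LEN);      /* application's own copy  */
    tb_xor(HASH, APP_BUF, APP_BUF + 1);      /* a value derived from it */
    if (purge_level >= 1) {
        tb_store_const(APP_BUF, 0, PW_LEN);
        tb_store_const(HASH, 0, 1);
    }
    if (purge_level >= 2) {
        tb_store_const(STDIO_BUF, 0, PW_LEN);
        tb_store_const(KBD_BUF, 0, PW_LEN);
    }
    return tb_tainted_bytes();
}

int main(void) {
    for (int level = 0; level <= 2; level++)
        printf("purge level %d: %zu tainted bytes remain\n", level, scenario(level));
    return 0;
}
```

The three purge levels make the paper's point concrete: with no purging, 22 bytes carry the secret (three copies plus a derived value); when only the application clears its own copies, 14 bytes remain in the driver and library buffers it never sees, and only the whole-system view shows that those copies exist. A real tracker must also shadow registers and decide what to do with tainted operands that produce constant results (xor of a register with itself), which this toy does not model.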
Results
  • 4.1.1 Mozilla

    In the first experiment the authors tracked a user-input password in Mozilla during the login phase of the Yahoo Mail website.

    Mozilla was an interesting subject because of its real-world impact and because of its size.
  • Mozilla provided an excellent test of TaintBochs's ability to make a large application comprehensible.
  • One of the authors was able to analyze Mozilla in roughly a day.
  • The authors consider this quite acceptable given the size of the data set being analyzed, and that none of them had prior familiarity with its code base.
Conclusion
  • The authors used TaintBochs to study sensitive data lifetime in real world systems by examining password handling in Mozilla, Apache, Perl, and Emacs.
  • The authors found that these systems and the components that they rely on handle data carelessly, resulting in sensitive data being propagated widely across memory with no provisions made to purge it.
  • The authors further demonstrated that a few practical changes could drastically reduce the amount of long-lived sensitive data in these systems.
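One of the "practical changes" the conclusion refers to, clearing a sensitive buffer as soon as it is no longer needed, as an added example that is not the paper's own patch to any of the four systems: a careless password check that leaves the typed password in its scratch buffer, next to a careful one that wipes it, together with the compiler caveat a practitioner needs. secure_zero, the check_password_* functions, the scratch area and the sample password are hypothetical names and inputs chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_LEN 64

/* Zero a buffer in a way the compiler must actually perform.  A memset()
 * whose target is never read again is a dead store and is routinely removed
 * at -O2; stores through a volatile pointer are not.  explicit_bzero()
 * (BSD, glibc 2.25+) and memset_s() (C11 Annex K) are library forms of the
 * same idea and are preferable where available.  Hypothetical helper. */
void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Compare without an early exit so timing does not reveal the matching prefix. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Careless handling: the typed password is staged in a caller-provided
 * scratch buffer (standing in for a stack frame or a recycled heap block)
 * and simply left there.  A later crash dump, swapped page or reused
 * allocation still contains it. */
int check_password_careless(const char *typed, const char *expected, uint8_t *scratch) {
    size_t n = strlen(typed);
    if (n >= SCRATCH_LEN) return 0;
    memcpy(scratch, typed, n + 1);
    return strlen(expected) == n && ct_equal(scratch, (const uint8_t *)expected, n);
}

/* Careful handling: identical logic, but the staging copy is wiped on every
 * return path, so the secret's lifetime in this buffer ends with the check. */
int check_password_careful(const char *typed, const char *expected, uint8_t *scratch) {
    size_t n = strlen(typed);
    int ok = 0;
    if (n < SCRATCH_LEN) {
        memcpy(scratch, typed, n + 1);
        ok = strlen(expected) == n && ct_equal(scratch, (const uint8_t *)expected, n);
    }
    secure_zero(scratch, SCRATCH_LEN);
    return ok;
}

/* How many bytes of the secret are still readable from the scratch area. */
size_t bytes_of_secret_left(const uint8_t *scratch, const char *secret) {
    size_t n = strlen(secret), left = 0;
    for (size_t i = 0; i < n; i++) left += scratch[i] == (uint8_t)secret[i];
    return left;
}

static uint8_t scratch_area[SCRATCH_LEN];

/* Run one check against a constructed sample password and report how many
 * of its bytes remain in the scratch area afterwards. */
size_t secret_bytes_after_check(int careful) {
    const char *typed = "hunter2", *expected = "hunter2";  /* constructed sample */
    memset(scratch_area, 0, sizeof scratch_area);
    if (careful) check_password_careful(typed, expected, scratch_area);
    else         check_password_careless(typed, expected, scratch_area);
    return bytes_of_secret_left(scratch_area, typed);
}

int main(void) {
    printf("careless: %zu bytes of the password left in scratch\n", secret_bytes_after_check(0));
    printf("careful:  %zu bytes of the password left in scratch\n", secret_bytes_after_check(1));
    return 0;
}
```

The careful version only shortens the lifetime of the copy this function controls. The copies made earlier by the terminal driver, the C library's stdio buffering or a language runtime are untouched by it, which is exactly why the paper measures lifetime at the hardware level rather than inside one program: an application-level fix has to be checked against every layer the password passed through.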
Related work
  • Previous work on whole system simulation for analyzing software has largely focused on studying performance and providing a test bed for new hardware features. Extensive work on the design of whole system simulators, including performance, extensibility, interpretation of hardware-level data in terms of higher-level semantics, etc., was explored in SimOS [23].

    Dynamic binary translators, which operate at the single-process level instead of the whole-system level, have demonstrated significant power for dynamic analysis of software [8]. These systems work as assembly-to-assembly translators, dynamically instrumenting binaries as they are executed, rather than as complete simulators. For example, Valgrind [20] has been widely deployed in the Linux community and provides a wide range of functionality including memory error detection (à la Purify [16]), data race detection, cache profiling, etc. Somewhere between a full simulator and a binary translator is Hobbes [7], a single-process x86 interpreter that can detect memory errors and perform runtime type checking. Hobbes and Valgrind both provide frameworks for writing new dynamic analysis tools.
Funding
  • This work was supported in part by the National Science Foundation under Grant No 0121481 and a Stanford Graduate Fellowship
Reference
  • Apache Software Foundation. The Apache HTTP Server project. http://httpd.apache.org.
  • K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes. In IEEE Symposium on Security and Privacy, May 2002.
  • V. Bala, E. Duesterwald, and S. Banerjia. Dynamo: a transparent dynamic optimization system. ACM SIGPLAN Notices, 35(5):1–12, 2000.
  • M. Blaze. A cryptographic file system for UNIX. In ACM Conference on Computer and Communications Security, pages 9–16, 1993.
  • Bochs: The cross platform IA-32 emulator. http://bochs.sourceforge.net/.
  • P. Broadwell, M. Harren, and N. Sastry. Scrash: A system for generating secure crash information. In Proceedings of the 11th USENIX Security Symposium, August 2003.
  • M. Burrows, S. N. Freund, and J. Wiener. Run-time type checking for binary programs. In International Conference on Compiler Construction, April 2003.
  • B. Cmelik and D. Keppel. Shade: a fast instruction-set simulator for execution profiling. In Proceedings of the 1994 ACM SIGMETRICS Conference on Measurement and Modeling of Computer Systems, pages 128–137. ACM Press, 1994.
  • G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai, and P. M. Chen. ReVirt: enabling intrusion analysis through virtual-machine logging and replay. SIGOPS Operating Systems Review, 36(SI):211–224, 2002.
  • J. S. Foster. Type Qualifiers: Lightweight Specifications to Improve Software Quality. PhD thesis, University of California, Berkeley, December 2002.
  • Gentoo Linux. http://www.gentoo.org.
  • P. Gutmann. Secure deletion of data from magnetic and solid-state memory. In Proceedings of the 6th USENIX Security Symposium, July 1996.
  • P. Gutmann. Data remanence in semiconductor devices. In Proceedings of the 7th USENIX Security Symposium, January 1998.
  • P. Gutmann. Software generation of practically strong random numbers. In Proceedings of the 8th USENIX Security Symposium, August 1999.
  • M. Howard. Some bad news and some good news. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode%/html/secure10102002.asp, October 2002.
  • IBM Rational software. IBM Rational Purify. http://www.rational.com.
  • V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium, August 2002.
  • D. Lea. A memory allocator. http://gee.cs.oswego.edu/dl/html/malloc.html.
  • P. S. Magnusson, M. Christensson, J. Eskilson, D. Forsgren, G. Hallberg, J. Hogberg, F. Larsson, A. Moestedt, and B. Werner. Simics: A full system simulation platform. IEEE Computer, 35(2):50–58, February 2002.
  • N. Nethercote and J. Seward. Valgrind: A program supervision framework. In O. Sokolsky and M. Viswanathan, editors, Electronic Notes in Theoretical Computer Science, volume 89.
  • Perl security manual page. http://www.perldoc.com/perl5.6/pod/perlsec.html.
  • N. Provos. Encrypting virtual memory. In Proceedings of the 10th USENIX Security Symposium, pages 35–44, August 2000.
  • M. Rosenblum, S. A. Herrod, E. Witchel, and A. Gupta. Complete computer system simulation: The SimOS approach. IEEE Parallel and Distributed Technology: Systems and Applications, 3(4):34–43, Winter 1995.
  • U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 10th USENIX Security Symposium, August 2001.
  • D. A. Solomon and M. Russinovich. Inside Microsoft Windows 2000. Microsoft Press, 2000.
  • R. Stallman et al. GNU Emacs. ftp://ftp.gnu.org/pub/gnu/emacs.
  • The Mozilla Organization. Home of the Mozilla, Firebird, and Camino web browsers. http://www.mozilla.org/.
  • J. Viega and G. McGraw. Building Secure Software. Addison-Wesley, 2002.
  • VMware, Inc. VMware virtual machine technology. http://www.vmware.com/.
  • E. Witchel and M. Rosenblum. Embra: Fast and flexible machine simulation. In Measurement and Modeling of Computer Systems, pages 68–79, 1996.