Secure Execution via Program Shepherding

USENIX Security Symposium, pp. 191-206 (2002)

Cited by: 712 | Views: 2386

Abstract

We introduce program shepherding, a method for monitoring control flow transfers during program execution to enforce a security policy. Program shepherding provides three techniques as building blocks for security policies. First, shepherding can restrict execution privileges on the basis of code origins. This distinction can ensure that ...

Introduction
  • The goal of most security attacks is to gain unauthorized access to a computer system by taking control of a vulnerable privileged program.
  • This is done by exploiting bugs that allow overwriting stored program addresses with pointers to malicious code.
  • It is not feasible to stop every exploit that allows such address overwrites, as they are as varied as program bugs themselves.
  • It is unreasonable to try to stop malevolent writes to memory containing program addresses, because addresses are stored in many different places and are legitimately manipulated by the application, compiler, linker, and loader.
Highlights
  • We investigated attacks against RIO itself, e.g., overwriting RIO’s Global Offset Table entry to allow malicious code to run in RIO mode, but could not come up with an attack that could bypass the protection mechanisms presented in Section 6
  • We have implemented program shepherding in the RIO runtime system, which does not rely on hardware, operating system, or compiler support, and operates on unmodified binaries on both generic Linux and Windows IA-32 platforms
  • We have shown that our implementation successfully prevents a wide range of security attacks efficiently
Results
  • The authors' program shepherding implementation is able to detect and prevent a wide range of known security attacks.
  • When a thread enters RIO mode, only that thread’s RIO data pages and code cache pages are unprotected.
  • A potential attack could occur while one thread is in RIO mode and another thread in application mode modifies the first thread’s RIO data pages.
  • The authors could solve this problem by forcing all threads to exit application mode when any one thread enters RIO mode.
Conclusion
  • This paper introduces program shepherding, which employs the techniques of restricted code origins, restricted control transfers, and un-circumventable sandboxing to provide strong security guarantees.
  • Program shepherding does not prevent exploits that overwrite sensitive data.
  • The authors' system currently implements one set of policy settings, but the authors are expanding the set of security policies that the system can provide without loss of performance.
  • Future expansions include using semantic information provided by compilers to specify permissible operations on a fine-grained level, and performing explicit protection and monitoring of known program addresses to prevent corruption.
  • Protecting the application’s GOT [12] and allowing updates only by the
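As an added illustration of the three building blocks the abstract and conclusion name (this is not code from the paper or from the RIO system), the following Python simulation checks a constructed control-transfer trace against a code-origin rule, a return/call target rule, and a system-call sandbox. The memory layout, addresses, entry points, call sites, and the syscall policy table are all assumptions made up for the example.

```python
# Regions: (name, start, end, origin). origin is "binary" for code loaded from the
# executable and its libraries, "data" for stack/heap, "rio" for the shepherd's pages.
REGIONS = [
    ("text", 0x1000, 0x2000, "binary"),
    ("heap", 0x8000, 0x9000, "data"),
    ("stack", 0xF000, 0x10000, "data"),
    ("rio", 0x20000, 0x21000, "rio"),
]
ENTRY_POINTS = {0x1000, 0x1200, 0x1400}      # function entries in text (assumed)
CALL_SITES = {0x1010, 0x1230}                # addresses of call instructions (assumed)
RETURN_SITES = {a + 5 for a in CALL_SITES}   # instruction after each 5-byte IA-32 call
SYSCALL_POLICY = {"open": True, "write": True, "execve": False}  # sandbox: deny execve

def region_of(addr):
    return next((r for r in REGIONS if r[1] <= addr < r[2]), None)

def check_transfer(kind, target):
    """Return (allowed, reason) for one event under the three shepherding policies."""
    if kind == "syscall":
        # 3. Un-circumventable sandboxing: every system call passes this check because
        #    the shepherd controls all code that can reach the kernel entry.
        ok = SYSCALL_POLICY.get(target, False)
        return ok, "ok" if ok else f"sandbox: syscall {target} denied"
    r = region_of(target)
    # 1. Restricted code origins: only code loaded from the binary image may execute;
    #    a target on the stack/heap (injected code) or in the shepherd's pages is refused.
    if r is None or r[3] != "binary":
        return False, f"code origin: {target:#x} in {r[0] if r else 'unmapped'} is not executable"
    # 2. Restricted control transfers: a return must land right after a call
    #    instruction, and a call must land on a function entry point.
    if kind == "ret" and target not in RETURN_SITES:
        return False, f"control transfer: ret to {target:#x} is not a return site"
    if kind == "call" and target not in ENTRY_POINTS:
        return False, f"control transfer: call to {target:#x} is not a function entry"
    return True, "ok"

def shepherd(trace):
    """Check (kind, target) events in order; return (index, reason) of the first
    violation, or (None, "trace completed") when every transfer is allowed."""
    for i, (kind, target) in enumerate(trace):
        ok, why = check_transfer(kind, target)
        if not ok:
            return i, why
    return None, "trace completed"

# Constructed traces: one benign run and three that the policies stop.
BENIGN = [("call", 0x1200), ("syscall", "write"), ("ret", 0x1015)]
STACK_CODE = [("call", 0x1200), ("ret", 0xF100)]     # return into code on the stack
MIDFUNC_RET = [("call", 0x1200), ("ret", 0x1300)]    # return to an address after no call
DENIED_SYSCALL = [("call", 0x1400), ("syscall", "execve")]
```

Each trace stops at the first policy violation, which is the point at which a shepherd would terminate the application rather than let the transfer happen.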
Tables
  • Table1: Sample list of policies built using program shepherding. Each row shows a continuum of choices ranging from most restrictive on the right to least restrictive on the left for how to control the action in the left-hand column. Bold entries indicate the policy choices that we implemented for our experimental system
  • Table2: Performance achieved when various features are added to an interpreter, measured on two of the SPEC2000 benchmarks [25], crafty and vpr. Pure emulation results in a slowdown factor of several hundred. Successively adding caching, linking, and traces brings the performance down dramatically
  • Table3: Privileges of each type of memory page belonging to the application process. R stands for Read, W for Write, and E for Execute. We separate execute privileges here to make it clear what code is allowed by RIO to execute. Program shepherding’s un-circumventable sandboxing guarantees that these system call checks are executed. Because the RIO data pages and the code cache pages are write-protected when in application mode, and we do not allow application code to change these protections, we guarantee that RIO’s state cannot be corrupted
  • Table4: Memory usage of the SPEC2000 benchmarks [25], in KB, on Linux. For benchmarks with multiple data sets, the run with the maximum memory usage is shown. Static code is the total size of the text sections of the benchmark and all shared libraries it uses. Executed code is the total size of all instructions processed by RIO when running the benchmark. RIO total is the total memory used by RIO itself when running the benchmark. Native total is total memory used by the benchmark when run natively (outside of RIO)
Related work
  • Reflecting the significance and popularity of buffer overflow and format string attacks, there have been several other efforts to provide automatic protection and detection of these vulnerabilities. We summarize the more successful ones.

    [Figure: Program Shepherding Performance under Linux. Normalized execution time for the SPEC2000 benchmarks (ammp, applu, apsi, art, bzip2, crafty, eon, equake, gap, gcc, gzip, mcf, mesa, mgrid, parser, perlbmk, sixtrack, swim, twolf, vortex, vpr, wupwise) and their harmonic mean, for RIO, RIO + Program Shepherding, and RIO + Program Shepherding + Protection.]

    [Figure: Program Shepherding Performance under Windows. Normalized execution time per benchmark.]
Funding
  • This research was supported in part by the Defense Advanced Research Projects Agency under Grant F29601-01-2-0166
References
  • [1] Matthew Arnold, Stephen Fink, David Grove, Michael Hind, and Peter F. Sweeney. Adaptive optimization in the Jalapeno JVM. In 2000 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA '00), October 2000.
  • [2] Vasanth Bala, Evelyn Duesterwald, and Sanjeev Banerjia. Dynamo: A transparent runtime optimization system. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI '00), June 2000.
  • [3] Derek Bruening, Evelyn Duesterwald, and Saman Amarasinghe. Design and implementation of a dynamic optimization framework for Windows. In 4th ACM Workshop on Feedback-Directed and Dynamic Optimization (FDDO-4), December 2000.
  • [4] Bulba and Kil3r. Bypassing StackGuard and StackShield. Phrack, 5(56), May 2000.
  • [5] Wen-Ke Chen, Sorin Lerner, Ronnie Chaiken, and David M. Gillies. Mojo: A dynamic optimization system. In 3rd ACM Workshop on Feedback-Directed and Dynamic Optimization (FDDO-3), December 2000.
  • [6] Crispin Cowan, Matt Barringer, Steve Beattie, and Greg Kroah-Hartman. FormatGuard: Automatic protection from printf format string vulnerabilities. In 10th USENIX Security Symposium, Washington, D.C., August 2001.
  • [7] Crispin Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proc. 7th USENIX Security Symposium, pages 63-78, San Antonio, Texas, January 1998.
  • [8] Common vulnerabilities and exposures. MITRE Corporation. http://cve.mitre.org/.
  • [9] D. Deaver, R. Gorton, and N. Rubin. Wiggins/Redstone: An on-line program specializer. In Proceedings of Hot Chips 11, August 1999.
  • [10] Solar Designer. Non-executable user stack. http://www.openwall.com/linux/.
  • [11] L. Peter Deutsch and Allan M. Schiffman. Efficient implementation of the Smalltalk-80 system. In ACM Symposium on Principles of Programming Languages (POPL '84), January 1984.
  • [12] Executable and Linking Format (ELF). Tool Interface Standards Committee, May 1995.
  • [13] Dawson R. Engler, M. Frans Kaashoek, and James O'Toole. Exokernel: An operating system architecture for application-level resource management. In Symposium on Operating Systems Principles, pages 251-266, 1995.
  • [14] M. Frantzen and M. Shuey. StackGhost: Hardware facilitated stack protection. In Proc. 10th USENIX Security Symposium, Washington, D.C., August 2001.
  • [15] Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer. A secure environment for untrusted helper applications. In Proceedings of the 6th USENIX Security Symposium, San Jose, CA, 1996.
  • [16] Michel Kaempf. Vudo - an object superstitiously believed to embody magical powers. Phrack, 8(57), August 2001.
  • [17] Calvin Ko, Timothy Fraser, Lee Badger, and Douglas Kilpatrick. Detecting and countering system intrusions using software wrappers. In Proc. 9th USENIX Security Symposium, Denver, Colorado, August 2000.
  • [18] Nergal. The advanced return-into-lib(c) exploits. Phrack, 4(58), December 2001.
  • [19] Tim Newsham. Format string attacks. Guardent, Inc., September 2000. http://www.guardent.com/docs/FormatString.PDF.
  • [20] Aleph One. Smashing the stack for fun and profit. Phrack, 7(49), November 1996.
  • [21] Intel Pentium 4 and Intel Xeon processor optimization reference manual. Intel Corporation, 2001.
  • [22] Zenith Parsec. Remote Linux groff exploitation via lpd vulnerability. http://www.securityfocus.com/bid/3103.
  • [23] PaX Team. Non executable data pages. http://pageexec.virtualave.net/pageexec.txt.
  • [24] Eric Rotenberg, Steve Bennett, and J. E. Smith. Trace cache: A low latency approach to high bandwidth instruction fetching. In 29th Annual International Symposium on Microarchitecture (MICRO '96), December 1996.
  • [25] SPEC CPU2000 benchmark suite. Standard Performance Evaluation Corporation. http://www.spec.org/osg/cpu2000/.
  • [26] Vendicator. StackShield: A "stack smashing" technique protection tool for Linux. http://www.angelfire.com/sk/stackshield/.
  • [27] Rafal Wojtczuk. Defeating Solar Designer non-executable stack patch. http://www.securityfocus.com/archive/1/8470.