Automating Seccomp Filter Generation for Linux Applications
Software vulnerabilities in applications undermine the security of applications. By blocking unused functionality, the impact of potential exploits can be reduced. While seccomp provides a solution for filtering syscalls, it requires manual implementation of filter rules for each individual application. Recent work has investigated automated approaches for detecting and installing the necessary filter rules. However, as we show, these approaches make assumptions that are not necessary or require overly time-consuming analysis.
In this paper, we propose Chestnut, an automated approach for generating strict syscall filters for Linux userspace applications with lower requirements and limitations. Chestnut comprises two phases, with the first phase consisting of two static components, i.e., a compiler and a binary analyzer, that extract the used syscalls during compilation or in an analysis of the binary. The compiler-based approach of Chestnut is up to a factor of 73 faster than previous approaches without adversely affecting accuracy. On the binary analysis level, we demonstrate that the requirement of position-independent binaries in related work is not needed, enlarging the set of applications for which Chestnut is usable. In an optional second phase, Chestnut provides a dynamic refinement tool that allows restricting the set of allowed syscalls further. We demonstrate that Chestnut on average blocks 302 syscalls (86.5%) via the compiler and 288 (82.5%) using the binary-level analysis on a set of 18 widely used applications. We found that Chestnut blocks the dangerous exec syscall in 50% and 77.7% of the tested applications using the compiler- and binary-based approach, respectively. For the tested applications, Chestnut prevents exploitation of more than 62% of the 175 CVEs that target the kernel via syscalls. Finally, we perform a 6-month long-term study of a sandboxed Nginx server
Efficient Subcubic Alias Analysis for C
Inclusion-based alias analysis for C can be formulated as a context-free language (CFL) reachability problem. It is well known that the traditional cubic CFL-reachability algorithm does not scale well in practice. We present a highly scalable and efficient CFL-reachability-based alias analysis for C. The key novelty of our algorithm is to propagate reachability information along only original graph edges and bypass a large portion of summary edges, while the traditional CFL-reachability algorithm propagates along all summary edges. We also utilize the Four Russians' Trick, a key enabling technique in the subcubic CFL-reachability algorithm, in our alias analysis. We have implemented our subcubic alias analysis and conducted extensive experiments on widely-used C programs from the pointer analysis literature. The results demonstrate that our alias analysis scales extremely well in practice. In particular, it can analyze the recent Linux kernel (which consists of 10M SLOC) in about 30 seconds
Enhanced-accuracy oversampled data converters
Digital-to-analog converters (DACs) suffer from static and dynamic nonlinearity problems, which degrade their accuracy and performance. Mismatch errors in the analog components restrict the maximum achievable linearity.
This thesis presents various techniques for correcting these errors. It describes a correction process for the nonlinear behavior of DACs, on three different levels: architectural design, circuit design, and layout design.
The main results achieved are listed below:
• Novel topologies using stochastic approaches to linearize multibit converters are presented.
• A new method is introduced for avoiding the use of multibit DACs in the main loop of multi-path DS analog-to-digital converters (ADCs), which, combined with a novel noise leakage compensation technique, allows the use of low quality inner DACs.
• A novel correction algorithm is proposed, which is based on the acquisition of the individual DAC errors by means of correlation procedures. The extracted values are used for correction purposes. The technique is capable of background operation.
• Different circuits are proposed to improve the performance of current-steering DACs. Also, novel layout techniques are shown for reducing the spatial variations of the unit sources. Some of the presented techniques were combined in a prototype chip, designed and fabricated in a 0.35μm CMOS process. Simulation and preliminary measurement results show that they are effective.
Keywords: data converters, digital-to-analog, integrated circuits, analog-to-digital, CMO
Secure execution environment via program shepherding
Thesis (M.Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2003. Includes bibliographical references (p. 77-82).
We present program shepherding, a method for monitoring control flow transfers during program execution in order to enforce a security policy. Program shepherding provides three basic techniques as building blocks for security policies. First, program shepherding can restrict execution privileges on the basis of code origins. This distinction can ensure that malicious code masquerading as data is never executed, thwarting a large class of security attacks. Second, shepherding can restrict control transfers based on instruction type, source, and target. Finally, shepherding guarantees that sandboxing checks around any program operation will never be bypassed. Security attacks use inevitable bugs in trusted binaries to coerce a program into performing actions that it was never intended to perform. We use static and dynamic analyses to automatically build a custom security policy for a target program, which specifies the program's execution model. An accurate execution model restricts control flow transfers only to the intended ones and can thwart attacker attempts to alter program execution. For example, shepherding will allow execution of shared library code only through declared entry points. Finer specifications can be extracted from high-level information present in programs' source code, for example, which values a function pointer may take. Program shepherding will allow indirect calls only to their known targets, and function returns only to known callers. These analyses build a strict enough policy to prevent all deviations from the program's control flow graph and nearly all violations of the calling convention. This technique renders most security vulnerabilities unexploitable and thwarts current and future security attacks.
We present an efficient implementation of program shepherding's capabilities in the DynamoRIO [6, 7] runtime code modification system. The resulting system imposes minimal performance overhead, operates on unmodified binaries, and requires no special hardware or operating system support.
by Vladimir L. Kiriansky. M.Eng.
Holistic System Design for Deterministic Replay.
Deterministic replay systems record and reproduce the execution of a hardware or software system. While it is well known how to replay uniprocessor systems, it is much harder to provide deterministic replay of shared memory multithreaded programs on multiprocessors because shared memory accesses add a high-frequency source of non-determinism. This thesis proposes efficient multiprocessor replay systems: Respec, Chimera, and Rosa.
Respec is an operating-system-based replay system. Respec is based on the observation that most program executions are data-race-free and for programs with no data races it is sufficient to record program input and the happens-before order of synchronization operations for replay. Respec speculates that a program is data-race-free and supports rollback and recovery from misspeculation. For racy programs, Respec employs a cheap runtime check that compares system call outputs and memory/register states of recorded and replayed processes at a semi-regular interval.
Chimera uses a sound static data race detector to find all potential data races and instrument pairs of potentially racing instructions to transform an arbitrary program to make it data-race-free. Then, Chimera records only the non-deterministic inputs and the order of synchronization operations for replay. However, existing static data race detectors generate excessive false warnings, leading to high recording overhead. Chimera resolves this problem by employing a combination of profiling, symbolic analysis, and dynamic checks that target the sources of imprecision in the static data race detector.
Rosa is a processor-based ultra-low overhead (less than one percent) replay solution that requires very little hardware support, as it essentially only needs a log of cache misses to reproduce a multiprocessor execution. Unlike previous hardware-assisted systems, Rosa does not record shared memory dependencies at all. Instead, it infers them offline using a Satisfiability Modulo Theories (SMT) solver. Our offline analysis is capable of inferring interleavings that are legal under the Sequential Consistency (SC) and Total Store Order (TSO) memory models.
PhD, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies
http://deepblue.lib.umich.edu/bitstream/2027.42/102374/1/dongyoon_1.pd