
    KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels

    Commodity OS kernels have broad attack surfaces due to their large code bases and numerous features, such as device drivers. For a real-world use case (e.g., an Apache server), many kernel services go unused and only a small amount of kernel code is exercised. Within that used code, one part is invoked only at runtime, while the rest executes during the startup and/or shutdown phases of the kernel's lifetime. In this paper, we propose a reliable and practical system, named KASR, which transparently reduces the attack surface of a commodity OS kernel at runtime without requiring its source code. The KASR system, residing in a trusted hypervisor, achieves attack surface reduction through a two-step approach: (1) reliably depriving unused code of executable permissions, and (2) transparently segmenting used code and selectively activating the segments. We implement a prototype of KASR on the Xen-4.8.2 hypervisor and evaluate its security effectiveness on Linux kernel 4.4.0-87-generic. Our evaluation shows that KASR reduces the kernel attack surface by 64% and trims off 40% of CVE vulnerabilities. In addition, KASR successfully detects and blocks all six real-world kernel rootkits we tested. We measure its performance overhead with three benchmark tools (SPECINT, httperf, and bonnie++). The experimental results indicate that KASR imposes less than 1% performance overhead (compared to an unmodified Xen hypervisor) on all benchmarks.
    Comment: The work has been accepted at the 21st International Symposium on Research in Attacks, Intrusions, and Defenses 201
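As a rough illustration of the two-step idea described above (a toy model, not KASR's actual Xen-based mechanism; page numbers, phase names, and the profile format are all invented):

```python
# Toy model of two-step attack-surface reduction: (1) strip executable
# permission from kernel code pages an offline profile never saw in use,
# (2) split the used pages into lifetime segments and activate only the
# segment for the current phase.

class PagePermissions:
    def __init__(self, pages):
        # every kernel code page starts out executable
        self.executable = {p: True for p in pages}

def reduce_attack_surface(perms, used_pages):
    # Step 1: deprive unused code of executable permission.
    for page in perms.executable:
        if page not in used_pages:
            perms.executable[page] = False

def activate_phase(perms, segments, phase):
    # Step 2: selectively activate only the segment needed for the
    # current lifetime phase (e.g. startup vs. runtime).
    for seg_phase, pages in segments.items():
        for page in pages:
            perms.executable[page] = (seg_phase == phase)

# Hypothetical offline profile: pages 0-9 exist; 0-3 run at startup,
# 4-6 at runtime; 7-9 are never used by the workload.
perms = PagePermissions(range(10))
segments = {"startup": {0, 1, 2, 3}, "runtime": {4, 5, 6}}
used = {0, 1, 2, 3, 4, 5, 6}

reduce_attack_surface(perms, used)
activate_phase(perms, segments, "runtime")
assert not perms.executable[7]   # unused code is never executable
assert perms.executable[4]       # runtime segment is active
assert not perms.executable[0]   # startup segment is deactivated
```

In the real system these permission flips would happen in the hypervisor's extended page tables rather than a Python dictionary; the sketch only shows why segmenting used code shrinks the executable surface beyond step 1 alone.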

    Capture and analysis of the NFS workload of an ISP email service

    Tese de mestrado (Master's thesis), Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2009.
    The aims of this thesis are to capture the real-world NFS workload of an ISP email service, convert the traces to a more useful and flexible format, and analyze the characteristics of the workload. No published work has analyzed a large-scale, real-world ISP email workload before. A new study will help us understand how such a workload differs from previously studied network file system workloads and what characterizes a real-world email workload. Storage traces are analyzed to find properties that future systems should support or exploit.
    In this thesis, we provide an in-depth explanation of how we captured high data rates, which involves several challenges. We identify the bottlenecks we faced and explain how we circumvented them. Due to the large size of the captured workload and the limited storage available, we needed to convert the traces to a more compact and flexible format so we could analyze the workload efficiently. We describe the challenges of analyzing large datasets and the techniques we used. Since the workload contains sensitive information about users' mailboxes, we had to anonymize it. We describe what needed to be anonymized and how it was done; this was an essential step in obtaining the ISP's permission to publish the anonymized traces, which will be available for free download. We also performed several analyses that demonstrate unique characteristics of the studied workload, such as the periodic nature of file system activity, the file size distribution for all accessed files, the sequentiality of accessed data, and the most common types of attachments found in a typical mailbox.
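One common way to anonymize trace fields while keeping per-file and per-user analyses possible is a keyed, deterministic pseudonym. The sketch below illustrates that general technique; the field names and key are hypothetical, not the thesis's actual scheme:

```python
import hmac
import hashlib

# Keyed anonymization: HMAC gives a stable pseudonym, so equal inputs map
# to equal outputs and the released trace still supports per-file and
# per-user analyses, while the plaintext never leaves the tracer.

KEY = b"secret-key-kept-by-the-tracer"  # never released with the traces

def anonymize(value: str) -> str:
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

record = {"user": "alice@example.com", "path": "/mail/alice/INBOX"}
anon = {k: anonymize(v) for k, v in record.items()}

assert anon["user"] == anonymize("alice@example.com")  # deterministic
assert anon["user"] != record["user"]                  # no plaintext leaks
```

Keeping the key secret is what distinguishes this from a plain hash, which an attacker could reverse by brute-forcing likely usernames or paths.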

    Passive NFS Tracing of Email and Research Workloads

    We present an analysis of a pair of NFS traces of contemporary email and research workloads. We show that although the research workload resembles previously studied workloads, the email workload is quite different. We also perform several new analyses that demonstrate the periodic nature of file system activity, the effect of out-of-order NFS calls, and the strong relationship between the name of a file and its size, lifetime, and access pattern.
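The name/size relationship mentioned above can be probed with a very simple grouping analysis; the trace records below are invented for illustration:

```python
from collections import defaultdict
from statistics import median

# Group trace records by file-name extension and compare median sizes:
# if names predict sizes, the per-extension distributions separate cleanly.
records = [
    ("mbox.lock", 0), ("msg001.eml", 4_096), ("msg002.eml", 12_288),
    ("index.db", 1_048_576), ("msg003.eml", 8_192), ("tmp.lock", 0),
]

sizes_by_ext = defaultdict(list)
for name, size in records:
    ext = name.rsplit(".", 1)[-1]
    sizes_by_ext[ext].append(size)

medians = {ext: median(sizes) for ext, sizes in sizes_by_ext.items()}
assert medians["lock"] == 0      # lock files are empty
assert medians["eml"] == 8_192   # messages cluster around a few KiB
```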

    Doctor of Philosophy

    A modern software system is a composition of parts that are themselves highly complex: operating systems, middleware, libraries, servers, and so on. In principle, compositionality of interfaces means that we can understand any given module independently of the internal workings of other parts. In practice, however, abstractions are leaky, and with every generation modern software systems grow in complexity. Traditional ways of understanding failures, explaining anomalous executions, and analyzing performance are reaching their limits in the face of emergent behavior, unrepeatability, cross-component execution, software aging, and adversarial changes to the system at run time.
    Deterministic systems analysis has the potential to change the way we analyze and debug software systems. Recorded once, the execution of the system becomes an independent artifact that can be analyzed offline. The availability of the complete system state, the guaranteed behavior of re-execution, and the absence of limitations on the run-time complexity of analysis collectively enable deep, iterative, and automatic exploration of the dynamic properties of the system.
    This work creates a foundation for making deterministic replay a ubiquitous system analysis tool. It defines design and engineering principles for building fast and practical replay machines capable of capturing the complete execution of an entire operating system with an overhead of a few percent on a realistic workload, and with minimal installation costs. To provide an intuitive interface for constructing replay analysis tools, this work implements a powerful virtual machine introspection layer that lets an analysis algorithm be programmed against the state of the recorded system in the familiar terms of source-level variable and type names. To support performance analysis, the replay engine provides a faithful performance model of the original execution during replay.
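The core guarantee of record/replay can be shown in miniature: log every nondeterministic input during the recorded run, then feed the log back so re-execution is bit-identical. This is a toy model of the idea, not the dissertation's VMM-level engine:

```python
import random

def run(inputs):
    # Deterministic state machine: given the same input sequence, the
    # final state is always identical.
    state = 0
    for x in inputs:
        state = (state * 31 + x) % 2**32
    return state

def record(source, steps):
    # Capture the nondeterministic inputs once, as a log.
    log = [source() for _ in range(steps)]
    return run(log), log

rng = random.Random()
final, log = record(lambda: rng.randrange(256), steps=100)

# Replay: the log is an independent artifact; re-running it offline
# reproduces the recorded execution exactly, as many times as needed.
assert run(log) == final
assert run(log) == run(log)
```

A real engine must log interrupts, DMA, timestamps, and device inputs at the virtual-machine boundary, but the invariant is the same: deterministic transition function plus a complete input log equals guaranteed re-execution.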

    Experiences with a continuous network tracing infrastructure

    One of the most pressing problems in network research is the lack of long-term trace data from ISPs. The Internet carries an enormous volume and variety of data; mining this data can provide valuable insight into the design and development of new protocols and applications. Although capture cards for high-speed links exist today, actually making the network traffic available for analysis involves more than just getting the packets off the wire: it also requires handling large and variable traffic loads, sanitizing and anonymizing the data, and coordinating access by multiple users. In this paper we discuss the requirements, challenges, and design of an effective traffic monitoring infrastructure for network research. We describe our experience in deploying and maintaining a multi-user system for continuous trace collection at a large regional ISP. We evaluate the performance of our system and show that it can support sustained collection and processing rates of 160–300 Mbit/s.
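Handling large and variable loads starts with knowing whether the collector keeps up with the link. A minimal sketch of that accounting, with invented figures (the paper's actual infrastructure is not modeled here):

```python
from collections import deque

# Track the per-second capture rate over a sliding window so the collector
# can tell whether its sustained rate stays within capacity.
class RateMonitor:
    def __init__(self, window_seconds=10):
        self.samples = deque(maxlen=window_seconds)  # bytes captured per second

    def add_second(self, nbytes):
        self.samples.append(nbytes)

    def mbits_per_sec(self):
        if not self.samples:
            return 0.0
        return sum(self.samples) * 8 / len(self.samples) / 1e6

mon = RateMonitor()
for _ in range(10):
    mon.add_second(25_000_000)            # 25 MB/s sustained (hypothetical)
assert round(mon.mbits_per_sec()) == 200  # ~200 Mbit/s, within 160-300
```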

    Experiences on the characterization of parallel applications in embedded systems with Extrae/Paraver

    Cutting-edge functionalities in embedded systems require the use of parallel architectures to meet their performance requirements. This imposes the introduction of a new layer in the software stacks of embedded systems: the parallel programming model. Unfortunately, the tools used to analyze embedded systems fall short of characterizing the performance of parallel applications at the parallel-programming-model level and correlating it with information about non-functional requirements such as real-time behavior, energy, and memory usage. HPC tools, like Extrae, are designed with that level of abstraction in mind, but their main focus is performance evaluation. Overall, providing insightful information about the performance of parallel embedded applications at the parallel-programming-model level, and relating it to the non-functional requirements, is of paramount importance to fully exploit the performance capabilities of parallel embedded architectures. This paper contributes to the state of the art of analysis tools for embedded systems by: (1) analyzing the particular constraints of embedded systems compared to HPC systems (e.g., static setting, restricted memory, limited drivers) with respect to supporting HPC analysis tools; (2) porting Extrae, a powerful tracing tool from the HPC domain, to the GR740 platform, a SoC used in the space domain; and (3) augmenting Extrae with new features needed to correlate the parallel execution with the following non-functional requirements: energy, temperature, and memory usage. Finally, the paper presents the usefulness of Extrae for characterizing OpenMP applications and their non-functional requirements, evaluating different aspects of the applications running on the GR740.
    This work has been partially funded by the HP4S (High Performance Parallel Payload Processing for Space) project under ESA-ESTEC ITI contract No. 4000124124/18/NL/CRS.
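Correlating runtime events with a non-functional metric sampled on a separate timeline reduces to aligning two timestamped streams. A sketch of that alignment with invented numbers (Extrae's actual trace format is not modeled here):

```python
import bisect

# Parallel-runtime events and cumulative energy-counter samples, each on
# their own timeline (seconds; values are hypothetical).
events = [(0.0, "region_start"), (2.0, "region_end"),
          (3.0, "region_start"), (5.0, "region_end")]
energy_samples = [(0.0, 0.0), (1.0, 1.5), (2.0, 3.0),
                  (3.0, 3.5), (4.0, 6.0), (5.0, 8.5)]  # (time, joules so far)

def energy_at(t):
    # Nearest sample at or before t (the counter is cumulative).
    times = [s[0] for s in energy_samples]
    i = bisect.bisect_right(times, t) - 1
    return energy_samples[i][1]

def energy_per_region(evts):
    out, start = [], None
    for t, kind in evts:
        if kind == "region_start":
            start = t
        else:
            out.append(energy_at(t) - energy_at(start))
    return out

assert energy_per_region(events) == [3.0, 5.0]  # joules per parallel region
```

The same pattern works for temperature or memory-usage samples: interpolate or step the metric stream at the event timestamps, then difference across region boundaries.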

    On-chip system call tracing: A feasibility study and open prototype

    Several tools for program tracing and introspection exist. These tools can be used to analyze potentially malicious or untrusted programs. In this setting, it is important to prevent the target program from determining whether it is being traced. This is typically achieved by minimizing the code of the introspection routines and any artifact or side effect that the program can leverage. Indeed, the most recent approaches consist of lightly instrumented operating systems or thin hypervisors running directly on bare metal. Following this research trend, we investigate the feasibility of transparently tracing a Linux/ARM program without modifying the software stack, while keeping the analysis cost and flexibility competitive with state-of-the-art emulation- or bare-metal-based approaches. As is typical for program tracing, our goal is to reconstruct the stream of system call invocations along with their un-marshalled arguments. We propose to leverage the on-chip debugging interfaces of modern ARM systems, which are accessible via JTAG. More precisely, we developed OpenST, an open-source prototype tracer that allowed us to analyze the performance overhead and to assess the transparency with respect to evasive, real-world malicious programs. OpenST has two tracing modes: in-kernel dynamic tracing and external tracing. The in-kernel dynamic tracing mode uses the JTAG interface to "hot-patch" the system calls at runtime, injecting introspection code. This mode is more transparent than emulator-based approaches, but assumes that the traced program does not have access to the kernel memory where the introspection code is loaded. The external tracing mode removes this assumption by using the JTAG interface to manage hardware breakpoints. Our tests show that OpenST's greater transparency comes at the price of a steep performance penalty. However, with a cost model, we show that OpenST scales better than the state-of-the-art bare-metal-based approach, while remaining equally stealthy to evasive malware.
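Reconstructing the syscall stream from register snapshots (the kind of data a JTAG breakpoint handler collects) is mostly ABI decoding: on 32-bit ARM Linux (EABI) the syscall number sits in r7 and the arguments in r0-r5. The tiny name/argument table below is illustrative, not OpenST's actual decoder:

```python
# Minimal decoder from an ARM register snapshot to a named syscall with
# un-marshalled arguments. Syscall numbers are the standard ARM Linux ones
# for these three calls; the table is deliberately tiny.
SYSCALLS = {
    3: ("read",  ["fd", "buf", "count"]),
    4: ("write", ["fd", "buf", "count"]),
    5: ("open",  ["pathname", "flags", "mode"]),
}

def decode(regs):
    # r7 selects the syscall; r0, r1, r2, ... carry its arguments.
    name, argnames = SYSCALLS.get(regs["r7"], ("unknown", []))
    args = {a: regs[f"r{i}"] for i, a in enumerate(argnames)}
    return name, args

# Hypothetical snapshot taken at a syscall-entry breakpoint.
snapshot = {"r0": 1, "r1": 0xBEEF0000, "r2": 64, "r7": 4}
name, args = decode(snapshot)
assert name == "write"
assert args == {"fd": 1, "buf": 0xBEEF0000, "count": 64}
```

A full tracer would additionally dereference pointer arguments (e.g. read the pathname string out of target memory over JTAG) to finish un-marshalling.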