Pitt IS 2620 - A Flexible Information Flow Architecture

Raksha: A Flexible Information Flow Architecture for Software Security

Michael Dalton, Hari Kannan, Christos Kozyrakis
Computer Systems Laboratory, Stanford University
{mwdalton, hkannan, kozyraki}@stanford.edu

ABSTRACT

High-level semantic vulnerabilities such as SQL injection and cross-site scripting have surpassed buffer overflows as the most prevalent security exploits. The breadth and diversity of software vulnerabilities demand new security solutions that combine the speed and practicality of hardware approaches with the flexibility and robustness of software systems.

This paper proposes Raksha, an architecture for software security based on dynamic information flow tracking (DIFT). Raksha provides three novel features that allow for a flexible hardware/software approach to security. First, it supports flexible and programmable security policies that enable software to direct hardware analysis towards a wide range of high-level and low-level attacks. Second, it supports multiple active security policies that can protect the system against concurrent attacks. Third, it supports low-overhead security handlers that allow software to correct, complement, or extend the hardware-based analysis without the overhead associated with operating system traps.

We present an FPGA prototype for Raksha that provides a full-featured Linux workstation for security analysis. Using unmodified binaries for real-world applications, we demonstrate that Raksha can detect high-level attacks such as directory traversal, command injection, SQL injection, and cross-site scripting as well as low-level attacks such as buffer overflows. We also show that low-overhead exception handling is critical for analyses such as memory corruption protection in order to address false positives that occur due to the diverse code patterns in frequently used software.

Categories and Subject Descriptors: C.0 [General]: Hardware-Software Interfaces; D.4.6 [Operating Systems]: Security & Protection – Information Flow Controls
General Terms: Security, Design, Experimentation, Performance
Keywords: Software security, Semantic Vulnerabilities, Dynamic information flow tracking, Processor architecture

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ISCA'07, June 9–13, 2007, San Diego, California, USA. Copyright 2007 ACM 978-1-59593-706-3/07/0006 ...$5.00.

1. INTRODUCTION

It is widely recognized that computer security is a critical problem with far-reaching financial and social implications [19]. Despite significant development efforts, existing security tools do not provide reliable protection against an ever-increasing set of attacks, worms, and viruses that target vulnerabilities in deployed software. Apart from memory corruption bugs such as buffer overflows, attackers are now focusing on high-level exploits such as SQL injection, command injection, cross-site scripting and directory traversals [11, 26]. Worms that target multiple vulnerabilities in an orchestrated manner are also increasingly common [1, 26].

The root of the problem is that existing approaches do not exhibit many of the desired characteristics for security techniques: robust: they should provide defense against vulnerabilities with few false positives or false negatives; flexible: they should adapt to cover evolving threats; end-to-end: they should be applicable to user programs, libraries, and even the operating system; practical: they should work with real-world code and software models (existing binaries, dynamically generated, or extensible code) without specific assumptions about compilers or libraries; and finally fast: they should have small impact on application performance.

Recent research has established dynamic information flow tracking (DIFT) [9, 17] as a promising platform for detecting a wide range of security attacks. The idea behind DIFT is to tag (taint) untrusted data and track its propagation through the system. DIFT associates a tag with every word of memory in the system. Any new data derived from untrusted data is also tagged. If tainted data is used in a potentially unsafe manner, such as executing a tagged SQL command or dereferencing a tagged pointer, a security exception is raised.

The generality of the DIFT model has led to the development of several software [4, 14, 5, 28, 13, 18, 15, 21] and hardware [24, 6, 2] implementations. Nevertheless, current DIFT systems do not exhibit all of the characteristics listed above. Software DIFT is flexible, as it can enforce arbitrary policies and adapt to different types of exploits. However, DIFT through runtime binary instrumentation leads to slowdowns ranging from 3× to 37× [21, 14]. Some software systems require access to the source code [28], while others do not work safely with multithreaded programs [21].

Hardware DIFT systems address several performance and practicality issues by performing tag propagation and checks transparently as a program executes. However, such systems use a single hardcoded security policy that targets memory corruption attacks. Hence, they cannot address high-level semantic vulnerabilities, such as SQL injection, which tend to be architecture, language, and OS-independent. Moreover, hardware DIFT systems cannot cope with binaries that violate their basic assumptions about safe/unsafe uses, or defend against attacks that evade their taint tracking rules [8]. Finally, no existing DIFT system can protect the OS code.

This paper presents Raksha¹, a flexible architecture for software security using information flow tracking. Raksha provides a framework that combines the best of both hardware and software DIFT. Hardware support provides transparent, fine-grain management of security tags at low performance overhead for user code, OS code, and data that crosses multiple processes. Software provides the flexibility and robustness necessary to deal with a wide range of attacks.

Raksha introduces the following features at the architecture level. First, it provides a flexible and programmable mechanism for specifying security policies. The flexibility is necessary to target high-level attacks such as
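The following is an added example, not code from the Raksha paper or its FPGA prototype. It is a small Python model of the DIFT mechanism the introduction describes (tag untrusted data, propagate tags to anything derived from it, raise a security exception when tagged data reaches an unsafe use such as a SQL execution or a pointer dereference) together with the two architectural ideas introduced above: several policies active at once, and a software handler that can clear a false positive before an exception is raised. The policy names SQLI and PTR, the one-bit-per-policy tag layout, the structural rule used at the SQL sink, the lookup-table addresses and the bounds_handler are all assumptions made here for illustration; Raksha's real tag format, check rules and handler interface are not shown on this page.

```python
from dataclasses import dataclass, field

# Assumed policy bits: one tag bit per policy, so a single tag word can carry
# taint for several active policies at once.
SQLI = 1 << 0   # tainted bytes must not change the structure of a SQL query
PTR = 1 << 1    # tainted words must not be dereferenced as pointers

class SecurityException(Exception):
    pass

@dataclass(frozen=True)
class Word:
    value: int
    tag: int = 0    # tag bitmask carried by this machine word

@dataclass
class TString:
    chars: list = field(default_factory=list)   # (char, tag) pairs: byte-granular taint

    @classmethod
    def const(cls, s):              # trusted program constant: untainted
        return cls([(c, 0) for c in s])

    def __add__(self, other):       # concatenation keeps per-character tags
        return TString(self.chars + other.chars)

class Dift:
    def __init__(self, active, handler=None):
        self.active = active        # bitmask of currently enabled policies
        self.handler = handler      # handler(policy, sink, obj) -> True to allow
        self.memory = {}            # addr -> Word; the tag travels with the data

    def untrusted_string(self, s):  # source: tainted for every active policy
        return TString([(c, self.active) for c in s])

    @staticmethod
    def alu(fn, *ops):              # propagation: result tag = OR of operand tags
        tag = 0
        for o in ops:
            tag |= o.tag
        return Word(fn(*(o.value for o in ops)), tag)

    def _violation(self, policy, sink, obj):
        # A violation goes to the software handler first (assumed interface);
        # the exception is raised only if the handler does not clear it.
        if not (self.handler and self.handler(policy, sink, obj)):
            raise SecurityException(f"{sink}: tainted data violates policy {policy:#x}")

    def execute_sql(self, q):
        # SQLI sink, simplified structural rule (assumption): tainted bytes may sit
        # inside a quoted literal; a tainted quote or a tainted byte outside any
        # literal would change the query's structure and is flagged.
        if self.active & SQLI:
            in_literal = False
            for c, tag in q.chars:
                if c == "'":
                    if tag & SQLI:
                        self._violation(SQLI, "execute_sql", q)
                    in_literal = not in_literal
                elif (tag & SQLI) and not in_literal:
                    self._violation(SQLI, "execute_sql", q)
        return "".join(c for c, _ in q.chars)

    def deref(self, p):
        # PTR sink: dereferencing a tainted pointer is flagged.
        if (self.active & PTR) and (p.tag & PTR):
            self._violation(PTR, "deref", p)
        return self.memory.get(p.value, Word(0))

def sqli_demo(user_input, active=SQLI | PTR):
    """Constant query template + untrusted input; query text if allowed, else None."""
    d = Dift(active)
    q = (TString.const("SELECT * FROM users WHERE name = '")
         + d.untrusted_string(user_input) + TString.const("'"))
    try:
        return d.execute_sql(q)
    except SecurityException:
        return None

TABLE_BASE, TABLE_SIZE = 0x1000, 256   # assumed layout of a lookup table

def bounds_handler(policy, sink, obj):
    """Assumed handler: a tainted pointer still inside the table is a PTR false positive."""
    return policy == PTR and TABLE_BASE <= obj.value < TABLE_BASE + TABLE_SIZE

def lookup_demo(index, active=SQLI | PTR, handler=None, masked=True):
    """table[index] with a tainted index; loaded value if allowed, else None."""
    d = Dift(active, handler)
    d.memory = {TABLE_BASE + i: Word(i * 2) for i in range(TABLE_SIZE)}
    idx = Word(index, d.active)                               # untrusted index
    if masked:
        idx = d.alu(lambda a, b: a & b, idx, Word(0xFF))     # bounds the index
    ptr = d.alu(lambda a, b: a + b, Word(TABLE_BASE), idx)   # pointer inherits taint
    try:
        return d.deref(ptr).value
    except SecurityException:
        return None
```

sqli_demo("alice") passes because every tainted byte stays inside the literal, while sqli_demo("' OR '1'='1") is stopped at the tainted quote; running the same input with only PTR active shows that a policy which is not enabled performs no check. lookup_demo(0x105) is the false-positive case the abstract refers to: the index is masked to the table size, so the access is safe, yet the pointer is tainted and a hardcoded memory-corruption policy would trap. With bounds_handler installed the handler clears it and the load returns 10, whereas an unmasked out-of-table pointer (lookup_demo(300, handler=bounds_handler, masked=False)) is still rejected, so the handler corrects the analysis without weakening it.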