Pitt IS 2620 - Securing software by enforcing data flow integrity
Securing software by enforcing data-flow integrity

Miguel Castro, Microsoft Research
Manuel Costa, Microsoft Research and University of Cambridge
Tim Harris, Microsoft Research

OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation, USENIX Association

Abstract

Software attacks often subvert the intended data-flow in a vulnerable program. For example, attackers exploit buffer overflows and format string vulnerabilities to write data to unintended locations. We present a simple technique that prevents these attacks by enforcing data-flow integrity. It computes a data-flow graph using static analysis, and it instruments the program to ensure that the flow of data at runtime is allowed by the data-flow graph. We describe an efficient implementation of data-flow integrity enforcement that uses static analysis to reduce instrumentation overhead. This implementation can be used in practice to detect a broad class of attacks and errors because it can be applied automatically to C and C++ programs without modifications, it does not have false positives, and it has low overhead.

1 Introduction

Most software is written in unsafe languages like C and C++. Even programs written in type-safe languages have libraries and runtimes written in unsafe languages. Therefore, software is vulnerable to attacks and it is likely to remain vulnerable in the foreseeable future.

Almost all these attacks subvert the intended data-flow in the program. They exploit software vulnerabilities to write data to unintended locations. For example, control-data attacks exploit buffer overflows or other vulnerabilities to overwrite a return address [32], a function pointer [28], or some other piece of control-data. Non-control-data attacks exploit similar vulnerabilities to overwrite security critical data without subverting the intended control-flow in the program [14]. Non-control-data attacks have not been observed in the wild but they are just as serious and there are no good defenses against them. Non-control-data attacks will become common as we deploy defenses for control-data attacks.

This paper presents a technique that can prevent both control and non-control-data attacks by enforcing a simple safety property that we call data-flow integrity. This technique computes a data-flow graph for a vulnerable program using static analysis, and instruments the program to ensure that the flow of data at runtime is allowed by the data-flow graph. It can be applied to existing C and C++ programs automatically because it requires no modifications and it does not generate false positives.

There are many proposals to prevent attacks on software, for example, [30, 24, 27, 5, 18, 34, 31, 16, 19, 13, 37]. CCured [30] and Cyclone [24] propose memory-safe dialects of C that prevent all these attacks. The disadvantage of these approaches is that the effort to port existing C code to these dialects is non-trivial and they require significant changes to the C runtime, for example, they replace malloc and free by a garbage collector. There are several techniques that can be applied to existing programs but can only defend from attacks that overwrite specific targets, for example, return addresses [18], or that exploit specific types of vulnerabilities, for example, buffer overflows [25, 34]. Program shepherding [27] and control-flow integrity [5] provide a generic defense against control-data attacks but they cannot defend against non-control-data attacks. Techniques that perform dynamic taint analysis [37, 15, 19, 31, 13, 16, 22, 33] can prevent control-data attacks and they can prevent some non-control-data attacks [37, 16, 13], but they may have false positives and they incur a very high overhead without hardware support.

We implemented data-flow integrity enforcement using the Phoenix compiler infrastructure [29]. The implementation uses reaching definitions analysis [7] to compute a static data-flow graph. For each value read by an instruction, it computes the set of instructions that may write the value. The analysis relies on the same assumptions that existing compilers rely on to implement standard optimizations. These are precisely the assumptions that attacks violate and data-flow integrity enforcement detects when they are violated.

To enforce data-flow integrity at runtime, our implementation instruments the program to compute the definition that actually reaches each use at runtime. It maintains a table with the identifier of the last instruction to write to each memory position. The program is instrumented to update this table before every write and to prevent the attacker from tampering with the table. We also instrument reads to check if the identifier of the instruction that wrote the value being read is an element of the set computed by the static analysis. If it is not, we raise an exception. Our implementation does not generate false positives; when we raise an exception, the program has an error.

We have developed a number of optimizations to reduce the instrumentation overhead. The first optimization computes equivalence classes of instructions and assigns the same identifier to all the instructions in the same class. This reduces the number of bits required to represent identifiers and simplifies the code to check set membership on reads. Additionally, we perform static analysis of the low level intermediate representation of the compiler to remove unnecessary read and write instrumentation. This analysis is more conservative than the one used to compute the data-flow graph; it does not rely on any assumptions that may be invalidated by attacks.

We evaluated the efficacy and overhead of our implementation. The results show that data-flow integrity enforcement can prevent many control-data and non-control-data attacks, and that it can detect errors in existing programs. The instrumentation overhead is low: the space overhead is approximately 50%, and the average runtime overhead is between 44% and 103% in CPU intensive Spec 2000 benchmarks. In a Web server running Spec Web 1999, the runtime overhead is even lower: the average response time increases by 0.1% and peak throughput decreases by 23%. Thus, data-flow integrity enforcement can be used in practice to defend software from attacks.

2 Data flow integrity enforcement

This section starts by providing a high level overview of data-flow integrity enforcement. Then it describes in detail the static analysis and the instrumentation.

2.1 Overview

Data-flow integrity enforcement has three
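The runtime mechanism the Introduction describes (a table holding the identifier of the last instruction to write each memory position, updated on every write and consulted on every read against the statically computed reaching-definitions set) simulated in C. This is an added example, not code from the paper or its Phoenix-based implementation; the toy memory layout, the instruction identifiers and the buffer-followed-by-flag program are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy address space and the runtime definitions table (RDT): per memory
   position, the identifier of the last instruction that wrote it. */
#define MEM_SIZE 64
static uint8_t  mem[MEM_SIZE];
static uint16_t rdt[MEM_SIZE];

/* Identifiers of the two writing instructions; 0 means "never written". */
enum { DEF_NONE = 0, DEF_INIT_FLAG = 1, DEF_COPY_LOOP = 2 };

/* Static reaching-definitions set for the read of the flag: only its
   initializer may define it (what the static analysis would compute). */
static const uint16_t flag_reaching_defs[] = { DEF_INIT_FLAG };

/* Instrumented write: store the value, then record the writer in the RDT. */
static void dfi_write(uint16_t def_id, size_t addr, uint8_t val) {
    mem[addr] = val;
    rdt[addr] = def_id;
}

/* Instrumented read check: 1 if the actual writer is in the static set,
   0 on a data-flow integrity violation (where the paper raises an exception). */
static int dfi_check_read(size_t addr, const uint16_t *allowed, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (rdt[addr] == allowed[i]) return 1;
    return 0;
}
/* Constructed layout: 8-byte buffer at mem[0..7], one-byte flag at mem[8]. */
#define BUF_ADDR  0
#define FLAG_ADDR 8

/* Copies input into the buffer with no bounds check (the bug), then performs
   the checked read of the flag; returns that read's DFI check result. */
int run_program(const char *input) {
    memset(rdt, DEF_NONE, sizeof rdt);
    dfi_write(DEF_INIT_FLAG, FLAG_ADDR, 0);
    size_t len = strlen(input);
    if (len > MEM_SIZE) len = MEM_SIZE;   /* keep the toy memory in bounds */
    for (size_t i = 0; i < len; i++)
        dfi_write(DEF_COPY_LOOP, BUF_ADDR + i, (uint8_t)input[i]);
    return dfi_check_read(FLAG_ADDR, flag_reaching_defs, 1);
}

int main(void) {
    printf("8 bytes:  %s\n", run_program("12345678") ? "ok" : "DFI violation");
    printf("12 bytes: %s\n", run_program("123456789012") ? "ok" : "DFI violation");
    return 0;
}
```

An input that fits the buffer leaves the flag's RDT entry at DEF_INIT_FLAG and the read passes; an input that overflows into the flag leaves DEF_COPY_LOOP there, which is not in the static set, so the read is rejected even though no control-data was touched.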