Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Transcription

1 1 Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Presenter: Yue Zheng Yulin Shi

2 Outline Motivation & Background Hardware DIFT overview DIFT Coprocessor Design Prototype System Evaluation Conclusion Discussion points 2 2

3 Outline Motivation & Background Hardware DIFT overview DIFT Coprocessor Design Prototype System Evaluation Conclusion Discussion points 3 3

4 Motivation & Background? Why is the pointer dereference potentially dangerous Dynamic Information Flow Tracking (DIFT) Tag data from untrusted source Track tainted data propagation Check unsafe tainted data usage Vulnerable C Code int idx = tainted_input; buffer[idx] = x; // memory corruption Tainted Pointer Dereference R1 load R2 add R4 store M[R4] TRAP &tainted_input M[R1] R2 + R3 R5 #Re g R1 R2 R3 R4 R5 Data &tainted_input idx (tainted_input) &buffer &buffer + idx x Tag 4 4

5 Why is the pointer dereference potentially dangerous? Buffer Overflow Attack store M[R4] R5 Vulnerable C Code char buf[126]; strcpy(buf,str); TRAP 5 5

6 Motivation & Background Software DIFT Use Dynamic Binary Translation (DBT) to implement DIFT Avoid recompilation Introduce significant overheads Limitation Incompatible with self-modifying and multithreaded programs 6 6

7 Outline Motivation & Background Hardware DIFT overview DIFT Coprocessor Design Prototype System Evaluation Conclusion Discussion points 7 7

8 Hardware DIFT overview In-core DIFT Minimize runtime overhead Require significant modifications to processor structure 8 8

9 Hardware DIFT overview Offloading DIFT Offer the flexibility of analysis in software Introduce significant overheads halve the throughput, double the power consumption Require pipeline changes 9 9

10 Hardware DIFT overview Off-core DIFT DIFT synchronizes with main core only on system calls Eliminate the changes to processor Allow pairing with multiple processor designs 10 10

11 Outline Motivation & Background Hardware DIFT overview DIFT Coprocessor Design Prototype System Evaluation Conclusion Discussion points 11 11

12 DIFT Coprocessor Design Security Model R1 Security Model load R2 &tainted_input M[R1] Synchronization Coprocessor Instruction Exception add R4 store M[R4] TRAP R2 + R3 R5 System Call Tainted Pointer Dereference IF ID RE N Main Core R O B EX EX TRAP Commit 12 12

13 DIFT Coprocessor Design - Architecture Main Core Processor VS Coprocessor Main Core Processor Coprocessor Handle data 32 bits Complexity Handle tag propagation and check 4 bits Simple 13 13

14 DIFT Coprocessor Design - Architecture Four-stage pipeline: Decode, Execution, TagCheck, WriteBack Main Core Decoupling Queue Tag Reg File Security Decode Tag ALU Tag Check Logic Writeback Queue Stall DIFT Coprocessor Tag Cache L2 Cache DRAM Tag s Decode Execution TagCheck WriteBack 14 14

15 DIFT Coprocessor Design - Interface Coprocessor Setup Software control security policies Instruction Flow Information PC, Instruction Encoding and Memory Address Decoupling Greater or equal processing rate to avoid full queue Security Exceptions Asynchronous interrupts and run in trusted mode PC, Inst Encoding, Mem Addr Security Decode 15 15

16 Outline Motivation & Background Hardware DIFT overview DIFT Coprocessor Design Prototype System Evaluation Conclusion Discussion points 16 16

17 Prototype Hardware SPARC V8 Processor FPGA Board Software Gentoo Linux 2.6 Design Statistics 7.64% area overhead 17 17

18 Outline Motivation & Background Hardware DIFT overview DIFT Coprocessor Architecture Prototype System Evaluation Conclusion Discussion points 18 18

19 Evaluation Security Evaluation Wide Low High Independent level workload attacks of range programming language Common Utilities Servers Web apps Kernel code 19 Program Lan g. Attack Detected Vulnerability Gzip C Directory traversal Open tainted directory Tar C Directory traversal Open tainted directory Scry PHP Cross-site scripting Tainted <script> tag Htdig C++ Cross-site scripting Tainted <script> tag Polymorph C Buffer overflow Tainted code ptr dereference Sendmail C Buffer overflow Tainted data ptr dereference Quotactl syscall C User/kernel pointer dereference Tainted pointer to kernelspace SUS C Format string bug Tainted %n in syslog WU_FTPD C Format string bug Tainted %n in vfprintf 19

20 Evaluation Performance Evaluation Execution time 512-byte tag cache 6-entry queue Runtime overhead < 1% 20 20

21 Evaluation Performance Evaluation Scaling the tag cache 21 21

22 Evaluation Performance Evaluation Scaling the decoupling queue 16-byte tag cache Tag miss 22 22

23 Evaluation Processor/Coprocessor Performance Ratio 11.7% 3.8% 16-entry queue Can be paired with various main cores 23 23

24 Outline Motivation & Background Hardware DIFT overview DIFT Coprocessor Architecture Prototype System Evaluation Conclusion Discussion points 24 24

25 Conclusion DIFT: a promising security technique Proposed an off-core, decoupling coprocessor for DIFT Provide the same security features as in-core DIFT Reduce DIFT implementation cost drastically Has low area and performance overheads Developed a full-system prototype Protect real-world Linux applications 25 25

26 Questions? 26 26

27 27 Debate Is a wider-issue coprocessor better than a single-issue coprocessor for 3-way superscalar processors? Is it worth to add a checkpoint scheme to DIFT to provide reliable recovery? ( A checkpoint scheme allows the system to rollback for recovery)