A Binary Agent Technology for COTS Software Integrity
Anant Agarwal, Richard Schooler
Agenda
• Objectives & Approach
• Prototype
• Recent Work
• User Experience
• Next Steps
Objectives
• “First-fault” diagnosis of application mis-behavior (defects, attacks).
• “Always on”: obviates the need to replicate failures.
• Fine-grain execution monitoring.
• Focus on:
  • Deployed applications - not just the development and QA phases.
  • Inside the application - not just externally-visible behavior.
Approach
• Approach:
  • Run-time execution monitoring.
  • Binary instrumentation to inject probes into release-built executables.
• Targets & Assumptions:
  • Similarity between explicit attacks and accidental faults.
  • Assume system-level mechanisms are in place - not guarding against replacement of the entire executable, compromise of the OS, etc.
Prototype Tasks
• Core technology for customizable agent insertion into Windows NT/2000/XP and SPARC/Solaris.
• Anomaly detection and reporting.
• Rapid recovery and problem pinpointing.
Major Components
[Component diagram; labels recovered in reading order:]
Snapshot Files; Instrumented Executables; Executables; Map Files; Platform-dependent Instrumentation Engine; Runtime Service (• Block sequence • User logging • Post-Mortem info • Block->Address Map); Trace Reconstruction; Debug Info (• Source Line/Module • Thread • Annotations • Address<->Line Map • Source Module Name); Trace (XML) interface
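As an added illustration of the pipeline sketched in the Prototype Tasks and Major Components slides (not the authors' code), the following Python models a block-sequence snapshot, a Block->Address map and an Address<->Line map, reconstructs a source-level trace in a simple XML form, and pinpoints the first block transition not seen in known-good runs. All block ids, addresses, source locations and the XML schema are constructed for the example.

```python
# Added example (not the authors' code): reconstruct a source-level trace from a
# block-sequence snapshot; all block ids, addresses and source lines are constructed.
import xml.etree.ElementTree as ET
from collections import namedtuple
Line = namedtuple("Line", "module line")

# Constructed Block->Address map (as a map file would record it).
BLOCK_TO_ADDR = {1: 0x401000, 2: 0x401020, 3: 0x401048, 4: 0x401100, 5: 0x401180}

# Constructed Address<->Line map (as debug info would provide it).
ADDR_TO_LINE = {
    0x401000: Line("handler.c", 12),
    0x401020: Line("handler.c", 18),
    0x401048: Line("handler.c", 25),
    0x401100: Line("parse.c", 40),
    0x401180: Line("parse.c", 77),
}

def locate(block, block_to_addr=BLOCK_TO_ADDR, addr_to_line=ADDR_TO_LINE):
    """Resolve a basic-block id to (address, module, line) via the two maps."""
    addr = block_to_addr[block]
    src = addr_to_line.get(addr, Line("<no debug info>", 0))
    return addr, src.module, src.line

def reconstruct(block_seq):
    """Turn the snapshot's block sequence into an ordered source-level trace."""
    return [locate(b) for b in block_seq]

def trace_xml(block_seq, thread=1):
    """Emit the reconstructed trace in a simple XML form (constructed schema)."""
    root = ET.Element("trace", thread=str(thread))
    for addr, module, line in reconstruct(block_seq):
        ET.SubElement(root, "block", addr=hex(addr), module=module, line=str(line))
    return ET.tostring(root, encoding="unicode")

def baseline_transitions(good_runs):
    """Collect every (prev, next) block pair observed in known-good snapshots."""
    seen = set()
    for run in good_runs:
        seen.update(zip(run, run[1:]))
    return seen

def first_anomaly(block_seq, allowed):
    """First-fault pinpointing: report the first transition outside the baseline."""
    for prev, nxt in zip(block_seq, block_seq[1:]):
        if (prev, nxt) not in allowed:
            addr, module, line = locate(nxt)
            return {"from": prev, "to": nxt, "addr": addr, "module": module, "line": line}
    return None  # whole sequence stayed within observed behaviour
```

Because the baseline is built from block transitions rather than externally visible output, the report names the exact source line where the execution first left known behaviour, which is the first-fault diagnosis the slides describe.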
Recent Work
• Solaris instrumentation & runtime.
• User deployments.
• Performance measurement.
Solaris Implementation
• New binary platform: SPARC ISA (delay slots, register windows), COFF format, ELF/STAB debug format, Solaris signal interface, TSD, etc.
• Compilers: Forte (SunPro) C/C++ & gcc C.
• Some new issues:
  • 64-bit support.
  • How to hook the runtime (interposition via LD_PRELOAD).
  • How to get relocation info (no /fixed:no).
  • Balance between using Solaris-specific features and staying generic-Unix-portable.
User Experience
• Complex, multi-component application architecture.
• E.g., pharmaceutical trials ASP: deployed on 100s of servers!
[Architecture diagram; labels recovered: HTTP, HTML, IIS, MTS, DLL (x4), Custom Service, Database, “Handled exception:”]
Performance
• Typical scenario: business application.
  • Custom business application logic is instrumented.
  • Runs on a stock framework (application server, OS, database, etc.).
  • Relevant metrics are end-to-end transaction throughput and latency.
• Results:
  • Range from imperceptible up to ~10%.
  • Matches the “5%” threshold most enterprises quote to go into production deployment.
Next Steps
• Distributed application architectures:
  • Multiple machines.
  • Multiple technologies.
• Larger-scale deployment issues:
  • Analysis/correlation across many application traces.
  • Clusters and server farms.