1 / 33

FlexiTaint A Programmable Accelerator for Dynamic Taint Propagation

FlexiTaint A Programmable Accelerator for Dynamic Taint Propagation. Guru Venkataramani , Ioannis Doudalis, Yan Solihin, Milos Prvulovic. Introduction. Software is increasingly complex Software bugs can also lead to security exploits

jalen
Download Presentation

FlexiTaint A Programmable Accelerator for Dynamic Taint Propagation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. FlexiTaint A Programmable Accelerator forDynamic Taint Propagation Guru Venkataramani, Ioannis Doudalis, Yan Solihin, Milos Prvulovic

  2. Introduction • Software is increasingly complex • Software bugs can also lead to security exploits • Mechanisms for runtime checking and tracking to identify and prevent attacks • Tainting tags values, then propagates these tags as values flow through the program Venkataramani HPCA’08

  3. Tainting unsafe data Venkataramani HPCA’08

  4. Tainting unsafe data Safe source (NOT tainted) Venkataramani HPCA’08

  5. Tainting unsafe data Venkataramani HPCA’08

  6. Tainting unsafe data Venkataramani HPCA’08

  7. Tainting unsafe data X Unsafe source (tainted) Venkataramani HPCA’08

  8. Tainting unsafe data X Venkataramani HPCA’08

  9. Tainting unsafe data X Jump Venkataramani HPCA’08

  10. Tainting • Taint - usually one bit field that tags a memory address with extra information • Taints are propagated as values are copied or used in computation • Unsafe uses of tainted data triggers alarm • e.g., In security apps, jump on tainted address value denotes an attack! Venkataramani HPCA’08

  11. Challenges • Software Approach • Finds specific attacks, can be updated for new attacks • Large performance overheads • Problems with self modifying code, JIT compilation • Issues with multithreading • Hardware approach • Faster than software based solutions • Limited to no programmability (Hardwired to one policy) • Widens memory, buses etc. • Solves some MultiProcessor Issues • Very expensive (non-standard components) Venkataramani HPCA’08

  12. Objectives • Programmability at runtime to follow any desired taint propagation policy • Ability to track multiple policies at the same time • Use standard components whenever possible • Standard memory, buses, etc. • Minimal changes to complex OoO CPU core • Support for multiprocessors Venkataramani HPCA’08

  13. FlexiTaint • A programmable accelerator for dynamic taint propagation • Supports multiple policies at the same time • Decouples Taint storage from data • Allows use of standard memory, buses, etc. • Tainting done at the back-end of the pipeline • OoO CPU engine largely unchanged • Can support multiprocessor configurations Venkataramani HPCA’08

  14. Taint Propagation • Taint Propagation Rule Output Taint = Fn (opcode, input_taint_1, …) Fn is the Taint Propagation Policy • Implement Fn as a software handler for programmability • Memoize recent outcomes of Fn in a small Taint Propagation Cache (TPC) Venkataramani HPCA’08

  15. Support for multiple policies • Fn could effectively propagate multiple policies at a time Fn( ) Opcode Output_taint Input_taint_2 Input_taint_1 Propagation policy#1 Propagation policy#2 Venkataramani HPCA’08

  16. Avoiding TPC accesses • TPC access for every instruction is expensive • Latency, energy issues • Common case optimizations to skip TPC lookup • Opt#1: ZERO input taint → ZERO output taint; ELSE TPC lookup Do not access TPC if ZERO input taint Opcode 1 Venkataramani HPCA’08

  17. Avoiding TPC accesses • Opt#2: IF Only one input taint→copy to output taint; ELSE TPC lookup Opt#1 Opt#2 Do not access TPC if ONLY one input taint Opcode 0 1 Venkataramani HPCA’08

  18. FlexiTaint • A programmable accelerator for dynamic taint propagation • Supports multiple policies at the same time • Decouples Taint storage from data • Allows use of standard memory, buses, etc. • Tainting done at the back-end of the pipeline • OoO CPU engine largely unchanged • Can support multiprocessor configurations Venkataramani HPCA’08

  19. Taint Storage Protected, Reserved Virtual Space for Taint Information Taint Application’s Virtual Address Space Normal Virtual Memory Space for code, data, stack and heap Code, Data, Heap and Stack Taint information is stored as a packed array in the reserved space (like in MemTracker [HPCA’07]) Venkataramani HPCA’08

  20. Fetching Taint From Memory Taint Base Reg Data address (0xABCD) Number of Taint Bits 0xF0000000 0xF0000000 101010111100 101010111100 11 11 0xF0000000 01 2 + Taint address(0xF0000ABC) Taint value (11) Taint Cache MUX 11001010 11001010 Taint Reg File Venkataramani HPCA’08

  21. FlexiTaint • A programmable accelerator for dynamic taint propagation • Supports multiple policies at the same time • Decouples Taint storage from data • Allows use of standard memory, buses, etc. • Tainting done at the back-end of the pipeline • OoO CPU engine largely unchanged • Can support multiprocessor configurations Venkataramani HPCA’08

  22. Implementation Front end Back end Out of Order CMT ID REN IW REG EXE MEM WB Data L1 Fetch Engine Inst L1 Reg File Venkataramani HPCA’08

  23. Implementation Front end Back end Out of Order Taint Forwarding ID REN IW REG EXE MEM WB PCMT TPr CMT Prefetch Data L1 Fetch Engine Taint L1 Taint RF Inst L1 Reg File Venkataramani HPCA’08

  24. Other Issues • Multiprocessor implementation • Coherence • Taint stored in normal memory,have their own addresses • Consistency • Key issue: atomicity of taint and data • Example: Same instruction can’t access new data, old taint • OS issues like context switches and paging • More details in paper Venkataramani HPCA’08

  25. Evaluation Platform • SESC, Out of Order, Core 2 parameters • 2.93 GHz, 4-issue • 32 KB, 8-way, 64B block L1 Data cache • 4 KB, 4-way, 64B block L1 Taint cache • 4 MB, 16-way, 64B block unified L2 • 8-cores with 4 MB shared L2 (Multiprocessor) • SPEC 2000 • Skipped 10% of code (initialization) and simulated 1 Billion instructions in detail • Splash-2 (Simulated from start to end) Venkataramani HPCA’08

  26. Taint Propagation Schemes • External Input Tainting • Taint buffer used by read(), recv() • All ops propagate taint from inputs to output • If Jump uses tainted value, RAISE EXCEPTION • Heap Pointer Tracking • Taint address returned by malloc() • Add/Sub: if only one input is tainted, propagate • Add: both inputs are tainted, RAISE EXCEPTION • Sub: both inputs are tainted, Remove Taint • For other ops, propagate taint from inputs Venkataramani HPCA’08

  27. Performance Overhead 3.7% 3.7% 3.7% 3.7% Execution time overhead 1% 1% 1% 1% 1% Venkataramani HPCA’08

  28. FlexiTaint Optimizations Breakdown of instructions Venkataramani HPCA’08

  29. Effect of Limited Programmability(Heap Pointer Tracking) • Heap Pointer Tracking • Taint address returned by malloc() • Add/Sub: if only one input is tainted, propagate • Add: both inputs are tainted, RAISE EXCEPTION • Sub: both inputs are tainted, Remove Taint • For other ALU ops, propagate taint from inputs Output Taint is XOR of input taints Venkataramani HPCA’08

  30. Effect of Limited Programmability(Heap Pointer Tracking) 3.5x X times slowdown 1.5x Venkataramani HPCA’08

  31. Related Work • Raksha [ISCA’07] + Flexible in how taints are propagated for each class of instruction • Has limited options like whether to propagate taint or not, whether operands should be ORed or ANDed • Widens memory and data paths • Other proposals target specific policies • Newsome [NDSS’05], Suh [ASPLOS’04] ,Minos [MICRO’04], etc. Venkataramani HPCA’08

  32. Conclusions • FlexiTaint is a Programmable accelerator for dynamic taint propagation • Decouples taint storage from data storage • Back-end implementation for efficiency • Demonstrates Low performance overheads • Averages: 1% on Spec2k, 3.7% on Splash-2 • Worst: 8.4% mcf (SPEC), 8.7% ocean (Splash) Venkataramani HPCA’08

  33. Thank you! Questions? guru@cc.gatech.edu Venkataramani HPCA’08

More Related