Identification and Protection of Security-Critical Data
MCS Project Presentation
Nora Sovarel
University of Virginia Computer Science
June 6, 2006
Security-Critical Data
• Corruption may lead to compromised security
• Control data
  • Used as or used to calculate the instruction pointer
  • Numerous defenses
    • StackGuard, Write or Exec, Shadow Stack
    • Instruction Set Randomization ([Barrantes+, CCS’03], [Kc+, CCS’03])
    • Control Flow Integrity ([Abadi+, CCS’05]), DIRA ([Smirnov and Chiueh, NDSS’05])
• Non-control data
Non-Control Data Attack
• Heap corruption attack against configuration data ([Chen+, USENIX’05])
Diagram: a client sends POST commands to SERVER; a heap corruption rewrites the configuration value CGI-BIN=“/usr/local/httpd/cgi-bin” to CGI-BIN=“/bin”, and a later request (POST … rm –rf * /) is then served under the corrupted path.
Non-Control Data
• Execution is altered by changing data
• Configuration data – CGI-BIN path
• User input – validated and then corrupted
• User identity data – uid; root access if changed to 0
• Decision-making data – if condition
[Chen+, USENIX’05]
Non-Control Data Characteristics
• Long lifetime
  • Many opportunities to corrupt it
• Rarely updated
• Passed as parameters to system calls
  • execve, setuid, fopen, fwrite
• Special cases
  • If condition
  • Saved registers
Approach
• Store security-critical data in a secure store
  • Protected by hardware
  • Writes allowed only in specially marked code sections
  • Corruption attempt generates a segmentation fault
• Program
  • Need to mark data and update sections
    • By programmer – language extension
    • Automatically – inference
• Automatic program transformation
  • Store marked data in the secure store
  • Insert system calls for update sections
Figure: variable lifetime in the secure store – after init the variable goes through accesses r, w, r, r, w; the store is read-only between writes and switched to read-write only for the duration of each write (an update section).
Requirements
• No system calls injected – use an existing control data defense
• No system calls skipped – use an existing control data defense
• Operating system support – mprotect
• Hardware support – NX/XD bit
• Acceptable performance penalty – case studies
• Reasonable programmer effort – case studies
Roadmap
• Motivation
• Approach
• Design
  • Language Extensions
  • Inference
  • Program Transformation
• Implementation
• Case Studies
C Language Extensions
• critical – type qualifier
  • Marks security-critical data
  • Data allocated in special storage
• update – statement
  • update := update statement
Inference
• Security-critical data
  • Future work
• Update sections
  • Data marked using attributes
  • Assignment to critical data
  • Call to library function – predefined list
  • User-defined function
    • Specialization for each combination of critical/non-critical parameters
    • Some user guidance required
User Defined Functions
Original program (set is called with a pointer to critical data):
    void set(int *p, int v) { *p = v; }
    …
    int critical *p;
    …
    set(p, 1);
    …
Transformed program (set1 is the specialization of set for a critical pointer argument; the write is wrapped in an update section):
    void set(int *p, int v) { *p = v; }
    void set1(critical int *p, int v) {
        enable_update();
        *p = v;
        disable_update();
    }
    …
    int critical *p;
    …
    set1(p, 1);
    …
Program Transformation
• Puts security-critical data in the secure store
  • Heap
  • Static data
  • Stack
• Sets the initial access rights
• Inserts enable/disable protection calls
Example
Source with language extensions:
    critical int *x;
    …
    x = malloc(…);
    …
    update { statement; }
    …
    free(x);
    …
After program transformation:
    int *x;
    …
    x = secure_malloc(…);
    …
    enable_update();
    statement;
    disable_update();
    …
    secure_free(x);
    …
Implementation
• Secure heap – modified Doug Lea memory allocator
• Enable/disable protection
• Update section inference – CIL module
• Future work
  • Data inference, secure stack, secure global data section
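The Approach, Example and Implementation slides describe a secure store that is read-only except inside update sections bracketed by enable_update()/disable_update(). The following is an added illustration, not the project's code: it reduces the secure heap to one mmap'ed page toggled with mprotect (the project used a modified Doug Lea allocator), stores a CGI-BIN style configuration string through an update section, and shows that a stray write outside any update section is stopped by the hardware protection (the segmentation fault is caught with sigsetjmp/siglongjmp so the check returns a value). Names secure_store_init, set_cgi_bin, get_cgi_bin and stray_write_is_blocked are assumptions for this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Constructed single-page store (the project used a modified Doug Lea allocator). */
static char *secure_page;
static size_t page_size;

/* Map the store and leave it read-only; returns 0 on success, -1 on failure. */
int secure_store_init(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    secure_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);   /* zero-filled */
    if (secure_page == MAP_FAILED) return -1;
    return mprotect(secure_page, page_size, PROT_READ);
}

/* Update-section boundaries: the calls the program transformation inserts. */
void enable_update(void)  { mprotect(secure_page, page_size, PROT_READ | PROT_WRITE); }
void disable_update(void) { mprotect(secure_page, page_size, PROT_READ); }

/* Legitimate write to the configuration value, wrapped in an update section. */
int set_cgi_bin(const char *path) {
    if (strlen(path) >= page_size) return -1;
    enable_update();
    strcpy(secure_page, path);
    disable_update();
    return 0;
}
const char *get_cgi_bin(void) { return secure_page; }

/* Recover from the SIGSEGV that a write outside an update section produces. */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }
/* Stray write outside any update section; returns 1 if the protection stopped it. */
int stray_write_is_blocked(void) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv; sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    int blocked = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        secure_page[0] = '/';   /* page is read-only here, so this faults */
    else
        blocked = 1;
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}
```

Because protection is page-granular, every critical value sharing the page becomes writable during any one update section, which is the cost the Performance slide measures per update.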
Case Studies – Goals
• Security-critical data and update sections
  • How many are there?
  • How can they be automatically inferred?
• Measure the performance (Null-Httpd)
• Verify the update section inference (Wu-FTPD)
Case Studies – Applications
Null-Httpd 0.5.0
• 2,300 LOC
• Web server
  • Static HTML
  • CGI (Perl, PHP)
• Thread for each request
• Process for each script
Wu-FTPD 2.6.0
• 18,000 LOC
• FTP server
• Fork to execute external applications (ls, zip, tar)
Security-Critical Data
Null-Httpd 0.5.0
• Mostly static data
  • Configuration parameters
  • Connection data
• Local variables – args, env
• write/send, execve
Wu-FTPD 2.6.0
• Static data – passwd structure
• Mostly local variables – uid, args
• execve, seteuid
Update Sections – Null-Httpd 0.5.0
• 117 sections
  • The granularity of critical
  • The application architecture
• snprintf – more than half of the sections
• strcat, strncpy
• Interesting cases
  • Potential deadlock – recv, read
  • Aliasing – strchr
Update Sections – Wu-FTPD 2.6.0
• Inference found 30 sections
  • Usually less than one screen away from the definition
• Missed one case
  • critical char* gargv[MAX_GARGV]
  • Copies pointers – no direct call to malloc
  • No crash, but a security vulnerability
Performance – Null-Httpd 0.5.0
• Penalty per single update – more than 5 orders of magnitude
• Penalty per connection
  • latency protected / latency unprotected = 1.4
• Possible improvements
  • The data layout (fewer data)
  • Merge adjacent update sections
Conclusion
• Security-critical data can be identified and protected
  • Most is passed to a few system calls
  • Run-time protection provided by existing hardware
• Update sections can be inferred
  • Number depends on the application
  • Many for Null-Httpd (application design)
• Performance penalty depends on the application
  • Big for Null-Httpd
  • Not measured for Wu-FTPD, but expected to be low
Questions
Thanks: David Evans, Westley Weimer, Nate Paul, Jeff Shirley