1 / 23

Identification and Protection of Security-Critical Data

Identification and Protection of Security-Critical Data. MCS Project Presentation. Nora Sovarel University of Virginia Computer Science June 6, 2006. Security-Critical Data. Corruption may lead to compromised security Control data Used as or used to calculate Instruction Pointer

thimba
Download Presentation

Identification and Protection of Security-Critical Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Identification and Protection of Security-Critical Data MCS Project Presentation Nora Sovarel University of Virginia Computer Science June 6, 2006

  2. Security-Critical Data • Corruption may lead to compromised security • Control data • Used as or used to calculate Instruction Pointer • Numerous defenses • StackGuard, Write or Exec, Shadow Stack • Instruction Set Randomization ([Barrantes+,CCS’03], [Kc+,CCS’03]) • Control Flow Integrity ([Abadi+, CCS’05]), DIRA ([Smirnov and Chiueh, NDSS’05]) • Non-control data

  3. POST commands POST … rm –rf * / Non-Control Data Attack • Heap corruption attack against configuration data ([Chen+,USENIX’05]) SERVER CGI-BIN=“/bin” CGI-BIN=“/usr/local/httpd/cgi-bin” CGI-BIN=“/bin”

  4. Non-Control Data • Execution is altered by changing data • Configuration data - CGI-BIN path • User input – validated and then corrupted • User identity data - uid, root access if changed to 0 • Decision making data - if condition [Chen+,USENIX’05]

  5. Non-Control Data Characteristics • Long lifetime • Many opportunities to corrupt it • Rarely updated • Passed as parameters to system calls • execve, setuid, fopen, fwrite • Special cases • If condition • Saved registers

  6. Approach • Store security-critical data in secure store • Protected by hardware • Writes allowed only in specially marked code sections • Corruption attempt generates segmentation fault • Program • Need to mark data and update sections • By programmer – language extension • Automatically - inference • Automatic program transformation • Store marked data in secure store • Insert system calls for update sections

  7. Variable lifetime init Variable r w r r w read-only read-write read-write Secure Store

  8. Requirements • No system calls injected • No system calls skipped • Operating System support • Hardware support • Acceptable performance penalty • Reasonable programmer effort Use an existing control data defense mprotect NX/XD bit Case studies

  9. Roadmap • Motivation • Approach • Design • Language Extensions • Inference • Program Transformation • Implementation • Case Studies

  10. C Language Extentions • critical - Type qualifier • Marks security critical data • Data allocated in special storage • update – statement update := updatestatement

  11. Inference • Security-critical data • Future Work • Update Sections • Data marked using attributes • Assignment to critical data • Call to library function - predefined list • User defined function • specialization for each combination of critical/non-critical parameters • Some user guidance required

  12. User Defined Functions void set( int *p, int v) { *p = v; } void set1( critical int *p, int v) { enable_update(); *p = v; disable_update(); } … int *critical p; … set1(p,1); … void set(int *p, int v) { *p = v; } … int critical *p; … set(p,1); …

  13. Program Transformation • Puts security-critical data in secure store • Heap • Static data • Stack • Sets the initial access rights • Inserts enable/disable protection calls

  14. Example critical int *x; … x=malloc(…) … update { statement; } … free(x); … int *x; … x=secure_malloc(…) … enable_update(); statement; disable_update(); … secure_free(x); …

  15. Implementation • Secure heap – modified Doug Lea memory allocator • Enable/disable protection • Update section inference – CIL module • Future Work • Data Inference, secure stack, secure global data section

  16. Case Studies - Goals • Security-critical data and update sections • How many? • How they can be automatically inferred? • Measure the performance (Null-Httpd) • Verify the update section inference (Wu-FTPD)

  17. Case Studies - Applications Null-Httpd 0.5.0 • 2,300 LOC • Web server • Static HTML • CGI (Perl, PHP) • Thread for each request • Process for each script Wu-FTPD 2.6.0 • 18,000 LOC • FTP server • Fork to execute external applications (ls,zip,tar)

  18. Wu-FTPD 2.6.0 Static data passwd structure Mostly local variables - uid, args execve, seteuid Security-Critical Data Null-Httpd 0.5.0 • Mostly static data • Configuration parameters • Connection data • Local Variables - args, env • write/send, execve

  19. Update Sections - Null-Httpd 0.5.0 • 117 sections • The granularity of critical • The application architecture • snprintf – more than half of the sections • strcat, strncpy • Interesting cases • potential deadlock - recv, read • aliasing - strchr

  20. Update Sections – Wu-FTPD 2.6.0 • Inference found 30 sections • Usually less than one screen away from definition • Missed one case • critical char* gargv[MAX_GARGV] • copy pointers – no direct call to malloc • no crash, but security vulnerability

  21. Performance - Null-Httpd 0.5.0 • Penalty per single update – more than 5 orders of magnitude • Penalty per connection • latency protected / latency unprotected = 1.4 • Possible improvements • The data layout (fewer data) • Merge adjacent update sections

  22. Conclusion • Security-critical data can be identified and protected • Most passed to a few system calls • Run-time protections provided by existing hardware • Update sections can be inferred • Number depends on application • Many for Null-Httpd (application design) • Performance penalty depends on the application • Big for Null-Httpd • Not measured for Wu-FTPD, but expected to be low

  23. Questions Thanks: David Evans, Westley Weimer, Nate Paul, Jeff Shirley

More Related