Memory protection using dynamic tainting
- 1. Presentation on Topic “ Effective memory protection using Dynamic tainting”
- 2. Contents 1. IMA 2. Dynamic tainting 3. Assigning taint marks 4. Propagating the taint marks 5. Checking 6. Preventing the illegal memory access 7. Implementation 8. Limiting the number of taint marks 9. Effects on the approach 10. Conclusion 11. References
- 3. IMA?? Illegal Memory Access(IMA) – An important class of memory related faults. Currently free area ‘m’ , of required size is allocated. Starting address of m can be assigned to a pointer ‘p’. Access to m is legal only if it is referenced by p or a pointer derived from p and access occur during the interval when p is valid. All other access are Illegal Memory Accesses or IMA’s.
- 4. void main() { 1. int *np , n, i, *buf; 2. np=&n; 3. printf(“enter the size:”); 4. scanf(“%d”,np); 5. buf=malloc (n * sizeof(int)); 6. for( i=0; i<=n; i++) 7. *(buf+i)=rand()%10; 8. .... 9. } Illegal Memory Access (IMA) MEMORY buf i n np n:3 i:1i:2i:3 9 8 2 7
- 5. Dynamic Tainting Dynamic Tainting – a technique for marking and tracking certain data at run time. Marking two kinds of data : memory in data space and pointers. When m is allocated, it is tainted with ‘t’. When p is created with m as referent , p is also tainted with ‘t’. When memory is accessed taint mark is checked.
- 6. Dynamic tainting is done 3 parts : 1) Tainting Static memory allocation. Pointer to statically allocated memory. Dynamically memory allocation. Pointer to dynamically allocated memory. 2) Propagating taint marks Propagation of memory taints. Propagation of pointer taints. 3) Checking
- 7. Assigning taint marks Initializing taint marks. 4 cases 1) Static memory allocation. 2) Pointer to statically allocated memory. 3) Dynamic memory allocation. 4) Pointer to dynamically allocated memory.
- 8. 1 Identify the ranges 2 Assign a unique taint of allocated memory. mark to each range. 1. void main() { 2. int *np, n, i, *buf; 3. np = &n; 4. printf(“enter the size”); 5. scanf(“%d”, np); 6. buf= malloc(n* sizeof(int)); 7. for(i=0;i<=n; i++) 8. *(buf+i)= rand()%26; 9. ...} Statically memory allocation buf: i: n: np:
- 9. Identify pointer Assign pointer the same taint creation sites. mark as memory it points to. 1) void main(){ 2) int *np, n, i, buf; 3) np= &n; 4) printf(“Enter the size”); 5) scanf(“%d”, np); 6) buf= malloc(n*sizeof(int)); 7) for(i=0; i<=n; i++){ 8) *(buf+i)= rand()%26; 9) } 2 Pointers to statically allocated memory 1 buf: i: n: np:
- 10. Identify the ranges Assign a unique taint of allocated memory. mark to each range. 1) void main(){ 2) int *np, n, i, *buf; 3) np= &n; 4) printf(“Enter the size”); 5) scanf(“%d”, np); 6) buf= malloc(n*sizeof(int)); 7) for(i=0; i<=n; i++){ 8) *(buf+i)= rand()%26; Dynamic memory allocation 1 2 buf: i: n: np:
- 11. Pointer to dynamically allocated memory Identify pointer Assign the pointer the same taint creation sites. mark as the memory it points to. 1) void main() { 2) int *np, n, i, *buf; 3) np= &n; 4) printf(“Enter the size:”); 5) scanf(“%d”, np); 6) buf= malloc(n*sizeof(int)); 7) for(i=0;i<=n; i++) 8) *(buf+i)= rand()%26; 9) ... } 21 buf: i: n: np:
- 12. Propagation of taints Detects how taints marks flow along data as program executes. 2 concepts : Propagation of memory taints. Propagation of pointer taints.
- 13. Propagation of memory taints Not actually propagated. Taints are associated with a memory area when it is allocated and removed when deallocated. Pointer remain tainted. If such a pointer is used to access , an IMA is still detected.
- 14. Dynamically allocated memory- deallocated taint will be removed by calling a memory deallocation function , e.g. free() Statically allocated memory-deallocated and taint mark is removed when function returns(local variable) or when program exits(global variable).
- 15. Propagation of pointer taints Taint marks associated with pointer propagated to derived pointer. The rule models all possible operation on pointers and associate, for each operation an action that assign to the result of the operation the correct taint mark.
- 16. Propagation rules Add or Subtract c= a+/-b a tainted with ta, b is tainted with tb Then c will be tainted ta+tb or ta-tb Multiply, Divide, Modulo, Bitwise OR, XOR The result of these operations are never tainted.
- 17. Bitwise AND c= a & b If a and b are both tainted or untainted then c is not tainted , else c is tainted. Bitwise NOT c= ~a Alternative to subtraction. tc = -ta
- 18. Checking For each memory access, taint mark of the pointer and memory is checked. If they are not the same, an IMA is detected. pointer memory IMA no yes yes yes yes 5 2 5 5 5 5
- 19. Preventing IMAs 1) void main() { 2) int *np, n, i, *buf; 3) np= &n; 4) printf(“enter the size:”); 5) scanf(“%d”, np); 6) buf= malloc(n*sizeof(int)); 7) for(i=0; i<=n; i++) 8) *(buf+i) = rand()%26; 9) ...} buf: i: n:3 np: + =
- 20. Software Implementation An additional pass is added in compiler (LLVM) to taint all stack and global defined arrays. Taint propagation may be implemented using any dynamic tainting framework.
- 21. Hardware Implementation Taint processing and storage. 2 options : Data widening and Decoupling. Data widening : extending data with few bits to represent taint information. Decoupling: Taint information is stored as a packed array in reserved part of application’s virtual address space. This address space is managed by OS similar to normal data pages.
- 22. Taint propagation and access checking Hard wiring is used for taint propagation and checking. Hard wiring require modification in hard wiring for making changes in future. Easier to add hardwire support for taint propagation. As a result of all these consideration, a hardwiring approach is opted for taint propagation and access checking.
- 23. In short, Taint propagation and initializing is done using decoupling. Taint propagation and checking is done using Hardwiring technique.
- 24. Limiting the number of taint marks An unlimited number of taint marks makes hardware implementation infeasible. increase the overhead(time and space). complicates the design.
- 25. ! IMAs are detected probilistically With random number assignment of n taint marks the detection probability is: p= 1-1/n 2 marks=50%, 4 marks=75%, 16 marks=93.75% , 256 marks=99.6%. The technique can be tuned by increasing and decreasing the number of taint marks. Effects on the approach
- 26. Conclusion Definition of an approach for preventing illegal memory accesses in deployed software uses dynamic taint analysis to protect memory. uses probabilistic detection to achieve acceptable overhead.
- 27. References IEEE Transactions on Computers , vol 61, no 1, January 2012, “Effective and Efficient Memory Protection using Dynamic Tainting” by Ioannis Doudalis, James Clause, Guru Venkataramani, Milos Prvulovic,and Alessandro Orso. G. Venkataramani, Doudalis, y.solihin”FlexiTaint :A programmable accelerator for dynamic taint propagation” Doudalis , James Clause , A.orso” Effective memory protection using dynamic tainting”.proc.22nd IEEE 2007