efficient taint analysis using multicore machines milind chabbi dr. gregory andrews and dr. saumya...
Post on 21-Dec-2015
228 views
TRANSCRIPT
Efficient Taint Analysis Using Multicore Machines
Milind Chabbi
Dr. Gregory Andrews and Dr. Saumya Debray
Computer Science Department
University of Arizona
How Often Do You See This?
How Often Do You See This?
How Often Do You See This?
How Often Do You See This?
Problem Statement
• Vulnerabilities and their exploits are ever increasing in the software– CERT Vulnerabilities Statistics show 47x increase in last decade
• Exploits can have devastating effects• Given the complexity of software, it is impossible
to prevent programming defects• State-of-the-art software approaches (e.g
TaintCheck) are effective in detecting exploits, but have excruciating overhead (20-40 times slowdown)
Need to build a secure and efficient computing environment
Road-map
• Classification of Vulnerabilities
• Taint Analysis and Related Work
• Our Approach for Taint Analysis
• Design and Implementation
• Experimental Results
• Conclusion
• Q & A
Types of Vulnerabilities
• Boundary error > 50 %• Input validation error > 40%• Access control error• Authentication error• Configuration error• Exception handling error• Randomization error• Resource error• State error
Boundary ErrorFailure to properly check the length of data
against the size of a data storage object or resource
• Stack-based :• Return address overwrite• Old Base Pointer overwrite• Function Pointer overwrite
• Heap-based :• Function Pointer overwrite • GOT ( Global Offset Table) overwrite• Malloc()/Free() buffer overwrite
Return Address Overwrite
KERNEL
<_libc_start_main + offset>
TEXT
DATA
BSS ( uninilialized data)
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}HEAP
<Base Pointer of _libc_start_main >BP, SP
Return Address Overwrite
KERNEL
<_libc_start_main + offset>
TEXT
DATA
BSS ( uninilialized data)
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}HEAP
<Base Pointer of _libc_start_main >BP
100SP
Return Address Overwrite
KERNEL
<_libc_start_main + offset>
TEXT
DATA
BSS ( uninilialized data)
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}HEAP
<Base Pointer of _libc_start_main >BP
100
SP<main + offset>
Return Address Overwrite
KERNEL
<_libc_start_main + offset>
TEXT
DATA
BSS ( uninilialized data)
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}HEAP
<Base Pointer of _libc_start_main >BP
100
SP
<main + offset>
<BP>
Return Address Overwrite
KERNEL
<_libc_start_main + offset>
TEXT
DATA
BSS ( uninilialized data)
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}HEAP
<Base Pointer of _libc_start_main >
100
SP, BP
<main + offset>
<BP>
Return Address Overwrite
KERNEL
<_libc_start_main + offset>
TEXT
DATA
BSS ( uninilialized data)
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}HEAP
<Base Pointer of _libc_start_main >
BP
100
SP
<main + offset>
<BP>
array[1]
array[0]
Return Address Overwrite
KERNEL
<_libc_start_main + offset>
TEXT
DATA
BSS ( uninilialized data)
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}HEAP
<Base Pointer of _libc_start_main >
100
SP
<main + offset> TAINTED
array[0]
BP<BP> TAINTED
array[1]
Return Address Overwrite
KERNEL
<_libc_start_main + offset>
TEXT
DATA
BSS ( uninilialized data)
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}HEAP
<Base Pointer of _libc_start_main >
BP, SP
100
<main + offset> TAINTED
<BP> TAINTED
array[1]
array[0]
Return Address Overwrite
KERNEL
<_libc_start_main + offset>
TEXT
DATA
BSS ( uninilialized data)
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}HEAP
<Base Pointer of _libc_start_main >
SP
100
<main + offset> TAINTED
<BP> TAINTED
array[1]
array[0]
BP
Heap-Based Function Pointer Overwrite
KERNEL
STACK
TEXT
DATA
BSS ( uninilialized data)
Struct heap{
void (*fptr)();
}
Main(){
int * iPtr = malloc(10);
Struct heap * h = malloc(sizeof(Struct heap));
h->fptr = Bar;
read(1, iPtr , 14);
h->fptr();
}
Bar(){
}HEAP
iPtr points here
fptr = Bar
Heap-Based Function Pointer Overwrite
KERNEL
STACK
TEXT
DATA
BSS ( uninilialized data)
Struct heap{
void (*fptr)();
}
Main(){
int * iPtr = malloc(10);
Struct heap * h = malloc(sizeof(Struct heap));
h->fptr = Bar;
read(1, iPtr , 14);
h->fptr();
}
Bar(){
}HEAP
iPtr points here
fptr = TAINTED
Heap-Based Function Pointer Overwrite
KERNEL
STACK
TEXT
DATA
BSS ( uninilialized data)
Struct heap{
void (*fptr)();
}
Main(){
int * iPtr = malloc(10);
Struct heap * h = malloc(sizeof(Struct heap));
h->fptr = Bar;
read(1, iPtr , 14);
h->fptr();
}
Bar(){
}HEAP
iPtr points here
fptr = TAINTED
Input Validation Error
Failure to verify that user data has legitimate content
• Arguments to Sensitive System Calls like … system(), execve()
• Format String Vulnerability
Format String Vulnerability
Intended use:Foo(){
char buffer[256];
scanf(“%s”,buffer); “Hello World”printf(“%s”,buffer);
}
Vulnerable Use:Foo(){
char buffer[256];
scanf(“%s”,buffer); “Hello World”printf(buffer);
}
Format String Vulnerability
Intended use:Foo(){
char buffer[256];
scanf(“%s”,buffer); “Hello %d World”printf(“%s”,buffer);
}
Vulnerable Use: Foo(){
char buffer[256];
scanf(“%s”,buffer); “Hello %d World”printf(buffer);
}
Common Factor
***A common characteristic of all successful attacks is the ability to change the flow of control by corrupting memory, which lets the attacker execute arbitrary code ***
Taint Analysis
• Counters memory corruption attacks
• Mark external data as suspicious (tainted)
• Track data flow as program executes
• Examine data at possible exploit points
(e.g. control transfers)
• Goals is to keep few false positives or negatives
Static Taint Analysis
1. Source code level analysis
2. Binary level analysis
Good:– No run-time over head
Bad:– Impossible to analyze dynamic features
• Loops, pointers, aliases, etc
– Can have lot of false positives and false negatives
Dynamic Taint Analysis1. Coarse-Grained Approach
Filtering known vulnerabilities in the input
IMB GCC: Local variable reordering
StackGuard : Canary values on stack frame
* Can guard only limited type of vulnerabilities *
2. Fine-grained approachTracking every operation
Fewer/ No false positives
Fewer/ No false negatives
* Potentially High Overhead *
Fine-Grained Taint Analysis• Interpreter-based
TaintCheck : Runs compiled code in emulated mode x86 RISC INSTRUMENT x86 EXECUTE– High overhead due to interpretive execution. ~ 40x
• Architecture-based Each instruction updates a “security tag”
– Needs OS modification, custom hardware support
• Instrumentation-based
Instrumentation-based Taint Analysis
• Program is instrumented to dynamically trace the propagation of taint data
• Requires custom binary rewriting
• Promising because of both static and dynamic analysis
• High scope for optimization
• Instrumentation overhead
• Runtime Tracing overhead
Hardware Trend
• Multicore is common place now
• Sun is already shipping 8-core Niagara chip
• Conventional wisdom is now to double the number of cores on a chip with each silicon generation
• We are clearly moving down the path to 10s,100s or even 1000s of cores
But… Software
• Amdahl’s law of diminishing returns
80x speedup with 100 Processing units
0.25% sequential component!• Software has sequential components• Software is interactive• Multicores/Manycores are only as valuable as the
multithreading software running on them• So…. some cores are idle
Dynamic Taint Analysis Using Multicores
• Use idle cores for taint tracking • Execute taint tracking instructions in parallel
with the actual computation
Simple Illustration
Original computation
while(cond){//computation
}
Taint Analysis:while(cond){
//computation//taint computation.
}
Simple Illustration
Original computation:while(cond){
//computation}
Taint computation:while(cond){ //taint computation.}
Original computation
while(cond){//computation
}
Simple Illustration
Original computation
while(cond){//
computation}
Original computation:while(cond){
//computation}
Taint computation:while(cond){ //taint computation.}
30,000FT Overview
• Augment the memory to have a shadow memory such that:
where,
TAG(w) =
• Clone the entire program, run them as two threads• One thread is the original execution• Other thread shadow’s original thread’s execution and does
taint analysis
Mw ')( MwTAG 0 if w is trusted data
1 if w is untrusted data
M 'M
Advantages of Our Approach
• Software based: no custom hardware required
• No source code required• No OS modifications required • Language independent• Dynamic tracking, so has low false
positives and low false negatives• Huge scope for optimizations
Roles and Responsibilities of Shadow
Target Program Tracking
Receive(&a)
b=a
…
Jmp c
Tag(a) = 1 // unsafe data
Tag(b) = Tag(a)
…
If( Tag (c) == 1),
raise alert! Halt
Default : Imitate the control flow of original program
Statically linked x86 relocatable
Disassembler
Control Flow Graph.
Program Cloner
Original program= P
Clonedprogram= Q
Thread Synchronizer
Thread synchronized P = P’
Thread synchronized Q = Q’
Program Analyzer and Instrumenter
Self-protecting x86 executable.
Instrumented P’ = P’’
Taint marker, taint tracker, and exploit detector. = Q’’
Optimizer
Optimally synchronized P’’
Optimally synchronized Q’’
Program Assembler
ArchitectureMemory
Augmenter
CFG + Shadow Momory
Statically linked x86 relocatable
Disassembler
Control Flow Graph.
Program Cloner
Original program= P
Clonedprogram= Q
Thread Synchronizer
Thread synchronized P = P’
Thread synchronized Q = Q’
Program Analyzer and Instrumenter
Self-protecting x86 executable.
Instrumented P’ = P’’
Taint marker, taint tracker, and exploit detector. = Q’’
Optimizer
Optimally synchronized P’’
Optimally synchronized Q’’
Program Assembler
ArchitectureMemory
Augmenter
CFG + Shadow Momory
KERNEL
STACK
TEXT
DATA
BSS ( uninilialized data)
HEAP
Creating Shadow Memory
KERNEL
STACK
TEXT
DATA
BSS ( uninilialized data)
HEAP
Creating Shadow MemoryKERNEL
STACK
TEXTDATABSS ( uninilialized data)
HEAP
Shadow Memory
Statically linked x86 relocatable
Disassembler
Control Flow Graph.
Program Cloner
Original program= P
Clonedprogram= Q
Thread Synchronizer
Thread synchronized P = P’
Thread synchronized Q = Q’
Program Analyzer and Instrumenter
Self-protecting x86 executable.
Instrumented P’ = P’’
Taint marker, taint tracker, and exploit detector. = Q’’
Optimizer
Optimally synchronized P’’
Optimally synchronized Q’’
Program Assembler
ArchitectureMemory
Augmenter
CFG + Shadow Momory
Shadow Creation by Complete Program Cloning
Function A’
Function B’
Function A
Function B
Shadow Creation by Complete Program Cloning
Function A’
Function B’
Function A
Function B
Statically linked x86 relocatable
Disassembler
Control Flow Graph.
Program Cloner
Original program= P
Clonedprogram= Q
Thread Synchronizer
Thread synchronized P = P’
Thread synchronized Q = Q’
Program Analyzer and Instrumenter
Self-protecting x86 executable.
Instrumented P’ = P’’
Taint marker, taint tracker, and exploit detector. = Q’’
Optimizer
Optimally synchronized P’’
Optimally synchronized Q’’
Program Assembler
ArchitectureMemory
Augmenter
CFG + Shadow Momory
Shadow’s Control Flow Imitation
Basic Block A
Basic Block B
Shadow’s Control Flow Imitation
Basic Block A’
Basic Block B’
Basic Block A
Basic Block B
Shadow’s Control Flow Imitation
global TARGET
Basic Block A’
Basic Block B’
Basic Block A
Basic Block B
Set (TARGET)
While(TARGET);
While(!TARGET);
Reset(TARGET)
While(!TARGET);
Reset(TARGET)
Conditional Branches
global TARGET
Basic Block A’
Basic Block C’
Basic Block AIf cond == TRUE JMP BasicBlock C
Basic Block C
Basic Block B
TARGET = C’
Basic Block B’
while(TARGET);
while(!TARGET);
Local_Target = TARGETReset(TARGET)
if Local_Target == C’ JMP BasicBlock C’
Conditional Branches
global TARGET
Basic Block A’
Basic Block C’
Basic Block AIf cond == TRUE JMP BasicBlock C
Basic Block C
Basic Block B
TARGET = C’
Basic Block B’
while(TARGET);
while(!TARGET);
Local_Target = TARGETReset(TARGET)
if Local_Target == C’ JMP BasicBlock C’
TARGET = B’
while(TARGET);
More Complex Control Structures
• Indirect jumps
• Indirect calls
• Jump tables
With one-to-one mapping between functions, blocks, instructions, and relocations, all of these can be handled.
Statically linked x86 relocatable
Disassembler
Control Flow Graph.
Program Cloner
Original program= P
Clonedprogram= Q
Thread Synchronizer
Thread synchronized P = P’
Thread synchronized Q = Q’
Program Analyzer and Instrumenter
Self-protecting x86 executable.
Instrumented P’ = P’’
Taint marker, taint tracker, and exploit detector. = Q’’
Optimizer
Optimally synchronized P’’
Optimally synchronized Q’’
Program Assembler
ArchitectureMemory
Augmenter
CFG + Shadow Momory
Marking Taint Source
• System calls like – Read(), – Recvfrom()
as sources of taint
• After the system call, we definitely know which memory region got tainted
• The shadow DOES NOT make any system call• Other sources of taint include command line
arguments and environment variables
Taint Propagation
1. Copy Propagation : Tainted data is copied from one location to other.
2. Arithmetic Propagation: Tainted data is input operand of a mathematical/logical transformation.
3. Address Propagation: Tainted data can be used to calculate a memory address.
KERNEL
foo()
TEXT
DATA
BSS ( uninilialized data)
HEAP
Shadow Memory
foo()’
BP
SP
BP
SP
Run-time View of Modified Program
KERNEL
foo()
TEXT
DATA
BSS ( uninilialized data)
HEAP
Shadow Memory
foo()’
BP
SP
BP
SP
Run-time View of Modified Program
bar()
bar()’
Copy Data
Propagate Tag
KERNEL
foo()
TEXT
DATA
BSS ( uninilialized data)
HEAP
Shadow Memory
foo()’
BP
SP
BP
SP
Run-time View of Modified Program
bar()
bar()’
Populating Shadow Instructions
Original Computation
Mov %eax, %ebxMov %eax, 0x8(%ebp)Add %eax, 0x8(%ebp)Push %eaxInc %eaxInt 0x80
Shadow Computation
Mov %eax, %ebxMov %eax, 0x8(%ebp)Or %eax, 0x8(%ebp)Push %eaxNoneNone
Populating Shadow Instructions … Indirect memory
Original Computation
Mov %eax, 0x8(%ebx)
Add %eax, 0x8(%edx)
Shadow Computation
Mov %eax, 0x8(%ebx)
Or %eax, 0x8(%edx)
Original Computation
Enque(%ebx)
Mov %eax, 0x8(%ebx)
Enque(%edx)
Add %eax, 0x8(%edx)
Shadow ComputationPush %ebx
Deque(%ebx)
Sub $OFFSET, %ebx
Mov %eax, 0x8(%ebx)
Pop %ebx
Push %edx
Deque(%edx)
Sub $OFFSET, %edx
Or %eax, 0x8(%edx)
Pop %edx
Information Sharing with Shared Buffer
Original Computation
Enque(%ebx)
Mov %eax, 0x8(%ebx)
Enque(%edx)
Shl %eax, 0x8(%edx)
Shadow ComputationPush %ebx
Deque(%ebx)
Sub $OFFSET, %ebx
Mov %eax, 0x8(%ebx)
Pop %ebx
Push %edx
Deque(%edx)
Sub $OFFSET, %edx
Or %eax, 0x8(%edx)
Pop %edx
Information Sharing with Shared Buffer
Original Computation
Enque(%ebx)
Mov %eax, 0x8(%ebx)
Enque(%edx)
Shl %eax, 0x8(%edx)
Shadow ComputationPush %ebx
Deque(%ebx)
Sub $OFFSET, %ebx
Mov %eax, 0x8(%ebx)
Pop %ebx
Push %edx
Deque(%edx)
Sub $OFFSET, %edx
Or %eax, 0x8(%edx)
Pop %edx
Information Sharing with Shared Buffer
Guarding Against Exploits
On reaching sensitive program points, Original program waits for the Shadow to do security checks
Example:– Return address
– Indirect jump
– Format string function
– Sensitive system calls
Catching Return Address Overwrite KERNEL
<_libc_start_main + offset>
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}
<Base Pointer of _libc_start_main >
BP
SP
array[1]
array[0]
<main()’s caller >
100
<main()’ + offset>
<BP>
array[1]
array[0]
BP
SP
100
<main + offset>
<BP>
Catching Return Address OverwriteKERNEL
<_libc_start_main + offset>
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}
<Base Pointer of _libc_start_main >
BP
100
SP
<main + offset>
<BP>
array[1]
array[0]
<main()’s caller >
100
TAINTED
TAINTED
TAINTED
TAINTED
BP
SP
Catching Return Address OverwriteKERNEL
<_libc_start_main + offset>
foo(int x){
int array[2];
read(1,array,16)
return;
}
main(){
foo(100);
}
<Base Pointer of _libc_start_main >
BP, SP
100
<main + offset>
<BP>
array[1]
array[0]
<main()’s caller >
100
TAINTED
TAINTED
TAINTED
TAINTED
BP, SP Wait for Shadow to check the tainted ness.
Catching Function Pointer OverwriteKERNEL
STACK
Struct heap{
void (*fptr)();
}
Main(){
int * iPtr = malloc(10);
Struct heap * h = malloc(sizeof(Struct heap));
h->fptr = Bar;
read(1, iPtr , 14);
h->fptr();
}
Bar(){
}
fPtr = Bar
iPtr
STACK
fPtr’
iPtr’
Catching Function Pointer OverwriteKERNEL
STACK
Struct heap{
void (*fptr)();
}
Main(){
int * iPtr = malloc(10);
Struct heap * h = malloc(sizeof(Struct heap));
h->fptr = Bar;
read(1, iPtr , 14);
h->fptr();
}
Bar(){
}
fPtr = Bar
iPtr
STACK
TAINTED
TAINTED
Catching Function Pointer OverwriteKERNEL
STACK
Struct heap{
void (*fptr)();
}
Main(){
int * iPtr = malloc(10);
Struct heap * h = malloc(sizeof(Struct heap));
h->fptr = Bar;
read(1, iPtr , 14);
h->fptr();
}
Bar(){
}
fPtr = Bar
iPtr
STACK
TAINTED
TAINTED
Wait for Shadow to check the tainted ness.
Catching Format String Vulnerability
printf(File * fp, char * fmt, …){
if(fmt contains a “%n” that is tainted) then
Flag Warning
}
Vulnerable Use:
Foo(){
char * buffer[256];
scanf(“%s”,buffer);
printf(buffer);
}
0x08 H e l l o % n W o r l dUNTAINTED
TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED TAINTED
“Hello %nWorld”
Statically linked x86 relocatable
Disassembler
Control Flow Graph.
Program Cloner
Original program= P
Clonedprogram= Q
Thread Synchronizer
Thread synchronized P = P’
Thread synchronized Q = Q’
Program Analyzer and Instrumenter
Self-protecting x86 executable.
Instrumented P’ = P’’
Taint marker, taint tracker, and exploit detector. = Q’’
Optimizer
Optimally synchronized P’’
Optimally synchronized Q’’
Program Assembler
ArchitectureMemory
Augmenter
CFG + Shadow Momory
OptimizationReturn Address Checks
Don’t have to check return address overwrite of a function F if:
– The function F by itself has no local variables, and
– No member of the set descendents(F) has local variables.
*Can be extended to functions without arrays.
OptimizationSkipping Function Tracing
A function A when called from function B can be run without tracing if:
– Function A by itself has no store operations.– No member of the set descendents(A) has store
operations.– Function B does not use the return value from function
A for any store operation.*** Classic example strcmp(), strncmp(), memcmp() ****Can be extended to functions that may store to non-arrays
locals.
OptimizationLoop Synchronization
• 80 – 20 rule : Many programs spend most of their time inside loopsLOOP 1:
for( int i = 0; i < n ; i += k ){ array[i] = CONSTANT;
}LOOP 2:
for(int i = 0;read(fd,&ch,1); i+=k){
buffer [i] = ch;}
What Guarantees Can We Make?
Analysis of false negatives:* Can detect all control hijack attacks.* Can detect tainted arguments to sensitive system calls. * Cannot detect Non-control-data attacks that corrupt a variety of
application data .* Cannot stop Denial of Service attacks.
Analysis of false positives:* Intentionally passing user format specifiers to format string handlers. * Intentionally passing user strings to sensitive system calls. * Intentionally executing user injected code.
Security Evaluation
Application Version Vulnerability DetectedFalse
Positive
ATPHttpd 0.4b Stack-based
buffer overflow YES NO
Passlogd 0.1cStack-based
buffer overflow YES NO
BSD Talkd BSD 2.7 Format String YES NO
BSD Chpass BSD 2.7 Format String YES NO
LibTiff library 3.5.4 Heap-based
buffer overflow YES NO
Cfingerd 1.4.3 Format String YES NO
Performance Evaluation
Peformance Comparison of ATPhttpd
0
0.02
0.04
0.06
0.08
0.1
0.12
1KB 10KB 20KB 30KB
Page Size in KB
Tim
e i
n S
ec
Time in original execution
Time in instrumented program
HTML PAGE SIZE 1KB 10KB 20KB 30KB
Slowdown ( number of times) 4.03 1.78 1.78 1.48
Effect of OptimizationsPerformace comparison for 30K page
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0.45
Originalcomputation
Taint analyserwith no
optimization
Taint analyserwith some
functions nottraced
Taint analysewith relaxed
retrun addresschecks
Taint analyzerwith optimizedhigh frequency
loop
Taint analyzerwith all
optimizations
Tim
e i
n s
ec
ATPHttpd for 30K page
6.3x
5.2x4.7x
2.7x1.5x
Performance of Various Applications
Application30KB page inATPHTTPD
Cfingerdaemon
Libtiff on 2MBfile
Passlogd with1.25KB
download
Gzip with13.6MB file
Slowdown ( number of times) 1.48 5.16 9.24 1.75 1.05
Performance of Applications
0
0.05
0.1
0.15
0.2
0.25
Cfinger daemon 30KB page inATPHTTPD
Libtif f on 2MB file
Application
Tim
e in
Sec
Original programInstrumeneted program
Performance of Applications
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
Gzip w ith 13.6MB file Passlogd w ith 1.25KB dow nload
Application
Tim
e in
Sec
Original programInstrumeneted program
TaintCheck 36x
LIFT 2.97x
Conclusions• Taint tracking task has enough parallelism with the
original computation that it can be delegated to a concurrent thread
• Our approach has shown the overhead reduction from 20-40 times to less than 5 times on an average
• Vulnerability detection using multicore machines has a promising future
• With many cores being the future of hardware, we can always afford to dedicate some cores for taint analysis
• This approach goes a long way to shaping the future of secure and efficient computing
THANKS
Questions ?
Format String Vulnerability …
Format
200
100
“Hello %d World %d ok %d blah! %n”
Caller’s stack frame
Format String Vulnerability …
Format
200
100
“Hello 200 World %d ok %d blah! %n”
Caller’s stack frame
Format String Vulnerability …
Format
200
100
“Hello 200 World 100 ok %d blah! %n”
Caller’s stack frame
Format String Vulnerability …
Format
200
100
“Hello 200 World 100 ok %d blah! %n”
Caller’s stack frame
Password
Format String Vulnerability …
Format
200
100
“Hello 200 World 100 ok %d blah! %n”
Caller’s stack frame
Password
CPU SPEC2000 INT - Gzip
Performance Comparison for Gzip
0
0.5
1
1.5
2
2.5
400KB 1.2MB 2.4MB 13.6MB
File size
Tim
e i
n S
ec
Time in original Gzip program
Time in instrumented Gzip program
Input file size 400KB 1.2MB 2.4MB 13.6MB 65.4MB
Slowdown ( number of times) 2.65 1.64 1.40 1.05 1.037
Thread Creation
When spawning the shadow thread, the program should have initialized some of its data structures.
( _start, _init)
Initialization has to happen without shadow.
Classic Chicken and Egg Problem
Main() Main()’
_start()
_init()
_start()’
_init()’
Have One More Copy
_start()
_init()
Spawn Main()’’Call Main()’
Main()
Main()’ Main()’’
_start()’
_init()’
_start()’’
_init()’’
Unsynchronized
Original Computation
Synchronized
Original Computation
Taint
Computation