Identification and Protection of Security-Critical Data
DESCRIPTION
MCS project presentation by Nora Sovarel, University of Virginia Computer Science, June 6, 2006. Transcript of the slides follows.
Identification and Protection of Security-Critical Data
Nora Sovarel, University of Virginia, Computer Science
June 6, 2006
MCS Project Presentation
2
Security-Critical Data
• Corruption may lead to compromised security
• Control data
– Used as, or used to calculate, the instruction pointer
– Numerous defenses:
• StackGuard, W^X (pages writable or executable, never both), shadow stacks
• Instruction Set Randomization ([Barrantes+, CCS'03], [Kc+, CCS'03])
• Control Flow Integrity ([Abadi+, CCS'05]), DIRA ([Smirnov and Chiueh, NDSS'05])
• Non-control data
3
Non-Control Data Attack
• Heap corruption attack against configuration data ([Chen+, USENIX'05])
[Figure: the server's CGI-BIN configuration string starts as "/usr/local/httpd/cgi-bin"; a heap corruption overwrites it with "/bin"; the server's subsequent POST commands are then resolved against /bin, so the attacker can run, for example, rm -rf * /]
4
Non-Control Data
• Execution is altered by changing data
– Configuration data: the CGI-BIN path
– User input: validated and then corrupted
– User identity data: uid; root access if changed to 0
– Decision-making data: an if condition
[Chen+, USENIX'05]
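The attack on slides 3 and 4 in miniature, as an added example that is not from the slides or from Null-Httpd: a configuration string sits right after a request buffer, an unbounded copy spills into it, and the server later builds the script path from the corrupted string. No code pointer is touched; only the data that feeds execve changes. The struct layout, field sizes, function names and the payload are assumptions chosen to make the overflow deterministic.

```c
#include <stdio.h>
#include <string.h>

#define REQ_LEN  16
#define PATH_LEN 32

/* Per-connection state. The request buffer sits immediately before the
 * configuration string it must never touch (layout is an assumption made
 * so the overflow is deterministic). */
struct conn {
    char request[REQ_LEN];
    char cgi_bin[PATH_LEN];   /* non-control data: a path, not a pointer */
};

void conn_init(struct conn *c) {
    memset(c, 0, sizeof *c);
    strcpy(c->cgi_bin, "/usr/local/httpd/cgi-bin");
}

/* Vulnerable reader: copies until NUL with no bound (hand-rolled so that no
 * fortified strcpy wrapper hides the bug). Bytes past REQ_LEN spill into
 * cgi_bin. */
void read_request_unsafe(struct conn *c, const char *input) {
    char *dst = c->request;
    while (*input)
        *dst++ = *input++;
    *dst = '\0';
}

/* Fixed reader: bounded copy, so the configuration string is untouched. */
void read_request_safe(struct conn *c, const char *input) {
    size_t n = strlen(input);
    if (n > REQ_LEN - 1)
        n = REQ_LEN - 1;
    memcpy(c->request, input, n);
    c->request[n] = '\0';
}

/* Later, the server resolves the script against cgi_bin. Nothing about the
 * control flow changed; only the data handed to execve did. */
void script_path(const struct conn *c, const char *script, char *out, size_t n) {
    snprintf(out, n, "%s/%s", c->cgi_bin, script);
}

/* Feeds one crafted request through the given reader and returns the path
 * the server would execute for a follow-up request for "sh". */
const char *run_attack(void (*reader)(struct conn *, const char *), char *out, size_t n) {
    static struct conn c;
    /* Constructed payload: REQ_LEN filler bytes, then the replacement path.
     * With the unsafe reader the "/bin" lands exactly at cgi_bin[0]. */
    const char *payload = "AAAAAAAAAAAAAAAA/bin";
    conn_init(&c);
    reader(&c, payload);
    script_path(&c, "sh", out, n);
    return out;
}

int main(void) {
    char path[64];
    printf("unsafe reader executes: %s\n", run_attack(read_request_unsafe, path, sizeof path));
    printf("safe reader executes:   %s\n", run_attack(read_request_safe, path, sizeof path));
    return 0;
}
```

The unsafe reader yields "/bin/sh" and the bounded one keeps "/usr/local/httpd/cgi-bin/sh". Control-data defenses such as stack canaries or CFI would not notice either run, which is the point of the slides: the protection has to follow the data.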
5
Non-Control Data Characteristics
• Long lifetime
– Many opportunities to corrupt it
• Rarely updated
• Passed as parameters to system calls
– execve, setuid, fopen, fwrite
• Special cases
– If conditions
– Saved registers
6
Approach
• Store security-critical data in a secure store
– Protected by hardware
– Writes allowed only in specially marked code sections (update sections)
– A corruption attempt outside them generates a segmentation fault
• Program: the data and the update sections need to be marked
– By the programmer: language extension
– Automatically: inference
• Automatic program transformation
– Store marked data in the secure store
– Insert system calls around update sections
7
Variable lifetime
[Figure: timeline of one variable: init, then a sequence of reads and writes (r w r r w). An ordinary variable is read-write for its entire lifetime; in the secure store it is read-only except during the writes, each of which sits inside a read-write update section.]
8
Requirements
• No enable/disable system calls injected by an attacker, and none skipped: rely on an existing control-data defense
• Operating system support (mprotect); hardware support (page protection, NX/XD bit)
• Acceptable performance penalty; reasonable programmer effort: evaluated in the case studies
Case studies
9
Roadmap
• Motivation
• Approach
• Design
– Language extensions
– Inference
– Program transformation
• Implementation
• Case studies
10
C Language Extensions
• critical: type qualifier
– Marks security-critical data
– Such data is allocated in the secure store
• update: statement
– update-statement := 'update' statement
– The statement is an update section: it runs with the secure store writable
11
Inference
• Security-critical data
– Future work
• Update sections
– Data marked using attributes
– Assignment to critical data
– Call to a library function: predefined list
– Call to a user-defined function: specialization for each combination of critical/non-critical parameters
– Some user guidance required
12
User Defined Functions
Original:
    void set(int *p, int v) { *p = v; }
    …
    critical int *p;
    …
    set(p, 1);
    …
Transformed (a specialized copy for the critical argument):
    void set(int *p, int v) { *p = v; }
    void set1(critical int *p, int v) {
        enable_update();
        *p = v;
        disable_update();
    }
    …
    critical int *p;
    …
    set1(p, 1);
    …
13
Program Transformation
• Puts security-critical data in the secure store
– Heap
– Static data
– Stack
• Sets the initial access rights
• Inserts enable/disable protection calls
14
Example
Before transformation:
    critical int *x;
    …
    x = malloc(…);
    …
    update { statement; }
    …
    free(x);
    …
After transformation:
    int *x;
    …
    x = secure_malloc(…);
    …
    enable_update();
    statement;
    disable_update();
    …
    secure_free(x);
    …
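The mechanism the transformed code on this slide relies on, as an added runnable example that is not the project's implementation (which modifies the Doug Lea allocator): one read-only mmap'd page stands in for the secure heap, a bump allocator stands in for secure_malloc, and enable_update/disable_update flip the page's protection with mprotect. The SIGSEGV handler and try_write are assumptions added only so that the fault from a write outside an update section can be observed instead of killing the process; the uid scenario and all names are constructed. POSIX mmap/mprotect semantics are assumed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static char *store_base;                 /* one page of secure store */
static size_t store_len, store_used;

/* Map the page read-only from the start; nothing may write until an
 * update section opens it. */
int secure_store_init(void) {
    store_len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, store_len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    store_base = p;
    store_used = 0;
    return 0;
}

void secure_store_destroy(void) {
    if (store_base) munmap(store_base, store_len);
    store_base = NULL;
}

/* The two calls the transformation inserts around every update section. */
void enable_update(void)  { mprotect(store_base, store_len, PROT_READ | PROT_WRITE); }
void disable_update(void) { mprotect(store_base, store_len, PROT_READ); }

/* Bump allocator: keeps no in-band metadata, so allocation itself needs no
 * update section. Returns NULL when the page is exhausted. */
void *secure_malloc(size_t n) {
    size_t rounded = (n + 15) & ~(size_t)15;
    if (!store_base || store_used + rounded > store_len) return NULL;
    void *p = store_base + store_used;
    store_used += rounded;
    return p;
}

static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

static void on_segv(int sig) {
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);     /* abandon the faulting store */
}

/* Performs *p = v and reports whether the store faulted (1) or landed (0).
 * Observer for the demo only; a transformed program contains nothing
 * like it. */
int try_write(int *p, int v) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        *(volatile int *)p = v;
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Models "critical int *uid": the legitimate write sits in an update
 * section, the attacker-style write (uid -> 0, root) does not. Returns 1
 * when the legitimate write lands, the stray write faults, and the value
 * survives. */
int demo(void) {
    if (secure_store_init() != 0) return 0;
    int *uid = secure_malloc(sizeof *uid);
    if (!uid) { secure_store_destroy(); return 0; }

    enable_update();                          /* update { *uid = 1000; } */
    *uid = 1000;
    disable_update();

    enable_update();                          /* a write inside a section must succeed */
    int legit_faulted = try_write(uid, 1000);
    disable_update();

    int stray_faulted = try_write(uid, 0);    /* corruption attempt outside any section */
    int ok = !legit_faulted && stray_faulted && *uid == 1000;
    secure_store_destroy();
    return ok;
}

int main(void) {
    printf("secure store demo: %s\n", demo() ? "stray write faulted, value intact" : "FAILED");
    return 0;
}
```

The per-update cost the performance slide reports follows directly from this shape: every update section is two mprotect system calls and a TLB shootdown where the original program had a single store. A real implementation also has to make sure the allocator's own bookkeeping (free lists, chunk headers) lives outside the protected page or is itself written only inside an update section, which is why the project modified the allocator rather than wrapping it.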
15
Implementation
• Secure heap: modified Doug Lea memory allocator
• Enable/disable protection
• Update section inference: CIL module
• Future work: data inference, secure stack, secure global data section
16
Case Studies - Goals
• Security-critical data and update sections
– How many are there?
– How can they be automatically inferred?
• Measure the performance (Null-Httpd)
• Verify the update section inference (Wu-FTPD)
17
Case Studies - Applications
Null-Httpd 0.5.0
• 2,300 LOC
• Web server
– Static HTML
– CGI (Perl, PHP)
• Thread for each request
• Process for each script
Wu-FTPD 2.6.0
• 18,000 LOC
• FTP server
• Forks to execute external applications (ls, zip, tar)
18
Security-Critical Data
Wu-FTPD 2.6.0
• Static data
– passwd structure
• Mostly local variables: uid, args
• Consumed by execve, seteuid
Null-Httpd 0.5.0
• Mostly static data
– Configuration parameters
– Connection data
• Local variables: args, env
• Consumed by write/send, execve
19
Update Sections - Null-Httpd 0.5.0
• 117 sections; the count is driven by
– the granularity of critical (how much data is marked)
– the application architecture
• snprintf: more than half of the sections
• strcat, strncpy
• Interesting cases
– Potential deadlock: a blocking recv or read inside an update section
– Aliasing: a pointer returned by strchr into critical data
20
Update Sections – Wu-FTPD 2.6.0
• Inference found 30 sections
– Usually less than one screen away from the definition
• Missed one case
– critical char *gargv[MAX_GARGV]
– Pointers are copied into it with no direct call to malloc, so the transformation did not move the data into the secure store
– No crash, but a security vulnerability: the data stays unprotected
21
Performance - Null-Httpd 0.5.0
• Penalty per single update: more than 5 orders of magnitude (each update is now two system calls instead of a store)
• Penalty per connection: latency protected / latency unprotected = 1.4
• Possible improvements
– The data layout (fewer data in the secure store)
– Merge adjacent update sections
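The inference rules from slide 11 and the section-merging improvement proposed here, worked on a toy statement list as an added example (not the CIL module the project used): a direct assignment to critical data or a call to a library function on a predefined write list gets wrapped in enable/disable, a call to a user-defined function is flagged for a specialized copy (the set/set1 split of slide 12), and with merging enabled a run of consecutive wrapped statements counts as one section. The statement shapes, variable names, library list and sample program are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

enum kind { ASSIGN, CALL };

/* A flattened statement: what it writes to and, for calls, the callee. */
struct stmt {
    enum kind kind;
    const char *target;   /* variable written (for CALL: the pointer argument written through) */
    const char *callee;   /* NULL for ASSIGN */
};

/* Library functions known to write through their first argument; the real
 * tool keeps a predefined list like this one (contents assumed here). */
static const char *const write_libs[] = { "strcpy", "strncpy", "strcat", "snprintf", "memcpy", NULL };

static int in_list(const char *const *list, const char *s) {
    for (; *list; ++list)
        if (strcmp(*list, s) == 0) return 1;
    return 0;
}

enum action { NONE = 0, WRAP = 1, SPECIALIZE = 2 };

/* Decide what the transformation must do for one statement, given the set
 * of critical variables. */
enum action classify(const struct stmt *s, const char *const *critical) {
    if (!in_list(critical, s->target)) return NONE;      /* not critical: leave alone */
    if (s->kind == ASSIGN) return WRAP;                   /* x = ...: enable/disable around it */
    if (in_list(write_libs, s->callee)) return WRAP;      /* strcpy(x, ...): same */
    return SPECIALIZE;                                    /* set(x, ...): needs a set1() copy */
}

/* Fills act[i] for each statement and returns the number of update sections.
 * With merge != 0 a run of consecutive WRAP statements is one section,
 * saving a disable/enable pair (two system calls) per boundary. */
int infer_sections(const struct stmt *prog, int n, const char *const *critical,
                   int merge, enum action *act) {
    int sections = 0, prev_wrap = 0;
    for (int i = 0; i < n; ++i) {
        act[i] = classify(&prog[i], critical);
        int wrap = act[i] == WRAP;
        if (wrap && !(merge && prev_wrap)) sections++;
        prev_wrap = wrap;
    }
    return sections;
}

/* Constructed program in the spirit of the Null-Httpd case: cgi_bin and uid
 * are the critical variables. */
static const char *const critical_vars[] = { "cgi_bin", "uid", NULL };
static const struct stmt program[] = {
    { ASSIGN, "cgi_bin", NULL },         /* cgi_bin = default_path;   -> WRAP */
    { CALL,   "cgi_bin", "snprintf" },   /* snprintf(cgi_bin, ...);   -> WRAP, adjacent */
    { ASSIGN, "buf",     NULL },         /* buf = ...; not critical   -> NONE */
    { CALL,   "uid",     "set" },        /* set(&uid, ...); user fn   -> SPECIALIZE */
    { ASSIGN, "uid",     NULL },         /* uid = pw->pw_uid;         -> WRAP */
};
#define NSTMT ((int)(sizeof program / sizeof program[0]))

int count_sections(int merge) {
    enum action act[NSTMT];
    return infer_sections(program, NSTMT, critical_vars, merge, act);
}

int count_specializations(void) {
    enum action act[NSTMT];
    infer_sections(program, NSTMT, critical_vars, 0, act);
    int k = 0;
    for (int i = 0; i < NSTMT; ++i) k += act[i] == SPECIALIZE;
    return k;
}

int main(void) {
    printf("sections: %d unmerged, %d merged; %d user functions to specialize\n",
           count_sections(0), count_sections(1), count_specializations());
    return 0;
}
```

On this input the unmerged count is 3, the merged count is 2, and one user-defined function needs a specialized copy. The merge is only safe when no statement between the two sections can be reached by an attacker-controlled write, since the store stays writable across the gap; that is the trade the performance slide is weighing.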
22
Conclusion
• Security-critical data can be identified and protected
– Most of it is passed to a few system calls
– Run-time protection is provided by existing hardware
• Update sections can be inferred
– Their number depends on the application
• Many for Null-Httpd (application design)
• The performance penalty depends on the application
– Big for Null-Httpd
– Not measured for Wu-FTPD, but expected to be low
23
Questions
Thanks: David Evans, Westley Weimer, Nate Paul, Jeff Shirley