Identification and Protection of Security-Critical Data
Nora Sovarel, University of Virginia, Computer Science
June 6, 2006, MCS Project Presentation

Page 1: Identification and Protection of Security-Critical Data

Nora Sovarel, University of Virginia, Computer Science
June 6, 2006
MCS Project Presentation

Page 2: Security-Critical Data

• Corruption may lead to compromised security
• Control data
  – Used as or used to calculate Instruction Pointer
  – Numerous defenses
    • StackGuard, Write or Exec, Shadow Stack
    • Instruction Set Randomization ([Barrantes+, CCS'03], [Kc+, CCS'03])
    • Control Flow Integrity ([Abadi+, CCS'05]), DIRA ([Smirnov and Chiueh, NDSS'05])
• Non-control data

Page 3: Non-Control Data Attack

• Heap corruption attack against configuration data ([Chen+, USENIX'05])

[Figure: the server's configuration value CGI-BIN="/usr/local/httpd/cgi-bin" is overwritten by heap corruption to CGI-BIN="/bin"; the commands of a later POST request (the slide shows rm -rf * /) are then executed by the server.]

Page 4: Non-Control Data

• Execution is altered by changing data
  – Configuration data - CGI-BIN path
  – User input - validated and then corrupted
  – User identity data - uid, root access if changed to 0
  – Decision making data - if condition

[Chen+, USENIX'05]

Page 5: Non-Control Data Characteristics

• Long lifetime
  – Many opportunities to corrupt it
• Rarely updated
• Passed as parameters to system calls
  – execve, setuid, fopen, fwrite
• Special cases
  – If condition
  – Saved registers

Page 6: Approach

• Store security-critical data in secure store
  – Protected by hardware
  – Writes allowed only in specially marked code sections
  – Corruption attempt generates segmentation fault
• Program
  – Need to mark data and update sections
    • By programmer - language extension
    • Automatically - inference
  – Automatic program transformation
    • Store marked data in secure store
    • Insert system calls for update sections

Page 7: Variable lifetime

[Figure: timeline of accesses to a variable over its lifetime (init, r, w, r, r, w). An ordinary variable is read-write for its whole lifetime; in the secure store it is read-only, and is switched to read-write only around the writes.]

Page 8: Requirements

• No system calls injected
• No system calls skipped
  (use an existing control-data defense)
• Operating System support (mprotect)
• Hardware support (NX/XD bit)
• Acceptable performance penalty
• Reasonable programmer effort
  (case studies)

Page 9: Roadmap

• Motivation
• Approach
• Design
  – Language Extensions
  – Inference
  – Program Transformation
• Implementation
• Case Studies

Page 10: C Language Extensions

• critical - type qualifier
  – Marks security-critical data
  – Data allocated in special storage
• update - statement

  update := update statement

Page 11: Inference

• Security-critical data
  – Future Work
• Update Sections
  – Data marked using attributes
  – Assignment to critical data
  – Call to library function - predefined list
  – User defined function
    • specialization for each combination of critical/non-critical parameters
  – Some user guidance required

Page 12: User Defined Functions

Before:

    void set(int *p, int v) { *p = v; }
    …
    int critical *p;
    …
    set(p, 1);
    …

After (set specialized for a critical pointee as set1):

    void set(int *p, int v) { *p = v; }
    void set1(critical int *p, int v) { enable_update(); *p = v; disable_update(); }
    …
    int critical *p;
    …
    set1(p, 1);
    …

Page 13: Program Transformation

• Puts security-critical data in secure store
  – Heap
  – Static data
  – Stack
• Sets the initial access rights
• Inserts enable/disable protection calls

Page 14: Example

Source:

    critical int *x;
    …
    x = malloc(…);
    …
    update { statement; }
    …
    free(x);
    …

Transformed:

    int *x;
    …
    x = secure_malloc(…);
    …
    enable_update();
    statement;
    disable_update();
    …
    secure_free(x);
    …
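The mechanism of slides 6, 12 and 14 as an added example, not code from the project: a page-sized secure store built on mmap/mprotect, update-section boundaries as enable_update/disable_update, a setter specialized for critical data in the style of set1, and a SIGSEGV handler so the fault from a write outside an update section can be observed instead of killing the process. The names secure_alloc, set_in_update_section, write_outside_update_faults and run_demo, and the single-page store, are assumptions made here.

```c
#define _GNU_SOURCE               /* MAP_ANONYMOUS, sigaction (assumed glibc/BSD) */
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
/* Assumed secure store: one page, read-only except inside update sections. */
static unsigned char *store; static size_t store_size, store_used;
static void *secure_alloc(size_t n) {               /* stands in for secure_malloc */
    if (!store) {
        store_size = (size_t)sysconf(_SC_PAGESIZE);
        store = mmap(NULL, store_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (store == MAP_FAILED) abort();
        mprotect(store, store_size, PROT_READ);     /* initial rights: read-only */
    }
    size_t need = (n + 15) & ~(size_t)15;           /* keep 16-byte alignment */
    if (store_used + need > store_size) abort();    /* single page in this demo */
    void *p = store + store_used;
    store_used += need;
    return p;
}
/* Update-section boundaries, as inserted by the transformation on slide 14. */
static void enable_update(void)  { mprotect(store, store_size, PROT_READ | PROT_WRITE); }
static void disable_update(void) { mprotect(store, store_size, PROT_READ); }
/* Setter specialised for critical data, like set1 on slide 12. */
static int set_in_update_section(int *p, int v) {
    enable_update();
    *p = v;
    disable_update();
    return *p;                                      /* reads stay permitted */
}
/* A write outside any update section must fault; catch SIGSEGV to observe it. */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }
static int write_outside_update_faults(int *p) {
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);
    int faulted = sigsetjmp(fault_env, 1) != 0;     /* becomes 1 after siglongjmp */
    if (!faulted) *p = 7;                           /* no enable_update(): faults */
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}
/* Whole sequence; returns 1 when protection behaves as the slides describe. */
static int run_demo(void) {
    int *uid = secure_alloc(sizeof *uid);
    if (set_in_update_section(uid, 1000) != 1000) return 0;
    if (!write_outside_update_faults(uid)) return 0;
    return *uid == 1000;                            /* the stray write never landed */
}
```

Each mprotect call is the per-update system call whose cost slide 21 measures; the store is writable for the whole process while an update section is open, which is the window the approach accepts.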

Page 15: Implementation

• Secure heap - modified Doug Lea memory allocator
• Enable/disable protection
• Update section inference - CIL module
• Future Work
  – Data inference, secure stack, secure global data section

Page 16: Case Studies - Goals

• Security-critical data and update sections
  – How many?
  – How can they be automatically inferred?
• Measure the performance (Null-Httpd)
• Verify the update section inference (Wu-FTPD)

Page 17: Case Studies - Applications

Null-Httpd 0.5.0
• 2,300 LOC
• Web server
  – Static HTML
  – CGI (Perl, PHP)
• Thread for each request
• Process for each script

Wu-FTPD 2.6.0
• 18,000 LOC
• FTP server
• Fork to execute external applications (ls, zip, tar)

Page 18: Security-Critical Data

Wu-FTPD 2.6.0
• Static data
  – passwd structure
• Mostly local variables - uid, args
• execve, seteuid

Null-Httpd 0.5.0
• Mostly static data
  – Configuration parameters
  – Connection data
• Local variables - args, env
• write/send, execve

Page 19: Update Sections - Null-Httpd 0.5.0

• 117 sections
  – The granularity of critical
  – The application architecture
• snprintf - more than half of the sections
• strcat, strncpy
• Interesting cases
  – potential deadlock - recv, read
  – aliasing - strchr

Page 20: Update Sections - Wu-FTPD 2.6.0

• Inference found 30 sections
  – Usually less than one screen away from definition
• Missed one case
  – critical char *gargv[MAX_GARGV]
  – copy pointers - no direct call to malloc
  – no crash, but security vulnerability

Page 21: Performance - Null-Httpd 0.5.0

• Penalty per single update - more than 5 orders of magnitude
• Penalty per connection - latency protected / latency unprotected = 1.4
• Possible improvements
  – The data layout (fewer data)
  – Merge adjacent update sections

Page 22: Conclusion

• Security-critical data can be identified and protected
  – Most passed to a few system calls
  – Run-time protections provided by existing hardware
• Update sections can be inferred
  – Number depends on application
    • Many for Null-Httpd (application design)
• Performance penalty depends on the application
  – Big for Null-Httpd
  – Not measured for Wu-FTPD, but expected to be low

Page 23: Questions

Thanks: David Evans, Westley Weimer, Nate Paul, Jeff Shirley