Effective and Efficient Memory Protection Using Dynamic Tainting

[James Clause, Ioannis Doudalis and Guru Venkataramani, Members, IEEE]

OVERVIEW

What is an IMA?

An example IMA

Technique: a general approach

Tainting

Taint propagation

Checking

Limiting the number of taint marks
What is an IMA?

Illegal memory access (IMA): an important class of memory-related faults

A currently free area ‘m’ of the required size is allocated

The starting address of m can be assigned to a pointer ‘p’

An access to m is legal only if it is made through p, or through a pointer derived from p, and occurs during the interval in which p is valid

All other accesses are ‘illegal memory accesses’, or IMAs
An example IMA

    #include <stdlib.h>

    void getSeedFromUser(int *seed);   /* helper assumed to be defined elsewhere */

    void prRandStr(int n)
    {
        int i, seed;
        char *buffer;
        buffer = (char *) malloc(n);     /* area m, tainted with a fresh mark; buffer gets the same mark */
        if (buffer == NULL) return;
        getSeedFromUser(&seed);
        srand(seed);
        /* the slide transcript ends here; the rest of the function is not shown */
    }
Technique: a general approach

Dynamic tainting: a technique for marking and tracking certain data at run time

Two kinds of data are marked: memory in the data space, and pointers

When m is allocated, it is tainted with a taint mark t

When p is created with m as its referent, p is also tainted with t

When memory is accessed, the taint marks are checked
3 PARTS

1) Tainting
   Static memory allocation
   Pointers to statically allocated memory
   Dynamically allocated memory
   Pointers to dynamically allocated memory
2) Taint propagation
   Propagation of memory taints
   Propagation of pointer taints
3) Checking
Tainting

Initializing taint marks

4 cases:
1. Static memory allocation
2. Pointers to statically allocated memory
3. Dynamic memory allocation
4. Pointers to dynamically allocated memory
Tainting of statically allocated memory

Upon program entry (globals) or function entry (locals), the memory for each variable is identified and each is tainted with a fresh taint mark

The memory area of a variable is identified by its starting address and the size needed to store the variable
Pointers to Statically Allocated Memory

For a scalar variable, the ‘address-of’ operator ‘&’ returns its starting memory address

When ‘&’ is applied to a variable, the resulting pointer is tainted with the same taint mark as the variable’s memory location

For statically allocated arrays, the name of the array is a pointer to its first location, and that pointer is tainted with the array’s mark
Dynamic Memory Allocations

Occur as the result of a call to a memory allocation function, e.g. malloc

To taint, when the function is about to return, the allocated memory is identified as [r, r+size) and that region is tainted with a fresh taint mark

r: the value returned by the memory allocation function

size: the amount of memory requested
Pointers to Dynamically Allocated Memory

Created either directly (as the return value of an allocation function) or indirectly (derived from another pointer)

When a memory area is tainted as the result of a call to a memory allocation function, the return value, i.e. the corresponding pointer, is tainted with the same mark

When other pointers are derived from that pointer, the taint mark is propagated to them
Taint Propagation

Defines how taint marks flow through data as the program executes

2 concepts:
1. Propagation of memory taints
2. Propagation of pointer taints
Propagation of Memory Taints

Memory taints are not actually propagated

A taint mark is associated with a memory area when it is allocated and removed when the area is deallocated

Pointers to the area remain tainted

If such a pointer is used to access the memory after deallocation, an IMA is still detected (the pointer’s mark no longer matches the memory)

Dynamically allocated memory is deallocated, and its taint mark removed, by a call to a memory deallocation function, e.g. free

Statically allocated memory is deallocated, and its taint mark removed, when the function returns (local variables) or when the program exits (global variables)
Propagation of Pointer Taints

Taint marks associated with pointers are propagated to derived pointers

The rules model all possible operations on pointers and associate with each operation an action that assigns the correct pointer taint mark to the result of the operation
Propagation rules

Add, Subtract

c = a +/- b, with a tainted with ta and b tainted with tb

Then c is tainted with ta + tb or ta - tb (an untainted operand carries mark 0, so pointer +/- integer keeps the pointer’s mark, and subtracting two pointers into the same area yields 0, i.e. untainted)

Multiply, Divide, Modulo, Bitwise OR, XOR

The results of these operations are never tainted

Bitwise AND

c = a & b

If a and b are both tainted or both untainted, c is not tainted; otherwise c takes the mark of the tainted operand

Bitwise NOT

c = ~a

Treated as a form of subtraction (~a equals -a - 1), so tc = -ta
Checking

For each memory access, the taint mark of the pointer is compared with the taint mark of the memory accessed. If they are not the same, an IMA is detected
Limiting the number of taints

Ideal condition: an unlimited number of taint marks

Realistically, the number of taint marks must be limited, because of
   memory consumption
   hardware complexity

while retaining the ability to detect as many IMAs as possible

Each taint mark is represented with n bits

The number of taint marks is therefore limited to 2^n

An IMA goes undetected only if the pointer and the memory happen to carry the same mark, so the probability of detecting each IMA is
P = 1 - (1 / 2^n)
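The tainting, propagation and checking rules above, together with the effect of limiting the marks to n bits, as an added example that is not part of the slides or the paper: a small Python shadow-memory simulator. The names (TaintedMemory, Ptr, ptr_op, demo) are my own, and the bump allocator, the reuse of freed blocks, and reserving mark 0 for "untainted" are simplifications; demo() replays a prRandStr-style buffer with a one-past-the-end access, a use after free, and a stale pointer into reused memory, and shows that with n_bits=1 the colliding marks hide two of the three.

```python
from dataclasses import dataclass
import itertools
@dataclass(frozen=True)
class Ptr:            # a pointer value carrying its taint mark (0 = untainted)
    addr: int
    taint: int = 0

class TaintedMemory:
    """Shadow memory applying the slides' tainting and checking rules (assumed simulator)."""
    def __init__(self, n_bits=8):
        self.n_marks = (1 << n_bits) - 1    # mark 0 means untainted (simplification)
        self.marks, self.brk = itertools.count(), 0x1000  # mark counter; constructed bump allocator
        self.shadow, self.sizes, self.free_list = {}, {}, []

    def malloc(self, size):
        # Region [r, r+size) gets a fresh mark; the returned pointer carries the same mark.
        r = self.free_list.pop() if self.free_list else self.brk   # freed blocks are reused
        self.brk = max(self.brk, r + size)
        mark = 1 + next(self.marks) % self.n_marks    # wraps once all 2^n marks are used
        self.sizes[r] = size
        for a in range(r, r + size):
            self.shadow[a] = mark
        return Ptr(r, mark)

    def free(self, p):
        # Deallocation removes the memory taint; the now dangling pointer keeps its mark.
        for a in range(p.addr, p.addr + self.sizes.pop(p.addr)):
            del self.shadow[a]
        self.free_list.append(p.addr)

    def access_is_legal(self, p):
        # Checking: the pointer's mark must equal the mark of the byte it addresses.
        return self.shadow.get(p.addr, 0) == p.taint

def ptr_op(op, a, b=Ptr(0)):
    """Propagation rules for pointer arithmetic; an integer operand is Ptr(v, 0)."""
    if op == "+": return Ptr(a.addr + b.addr, a.taint + b.taint)   # tc = ta + tb
    if op == "-": return Ptr(a.addr - b.addr, a.taint - b.taint)   # tc = ta - tb
    if op == "~": return Ptr(~a.addr, -a.taint)                    # tc = -ta
    if op == "&":  # tainted only when exactly one operand is tainted
        return Ptr(a.addr & b.addr, (a.taint or b.taint) if (a.taint == 0) != (b.taint == 0) else 0)
    raise ValueError(f"{op}: *, /, %, |, ^ never yield a tainted result and are not modelled")
def demo(n_bits=8):   # returns (overflow_detected, use_after_free_detected, stale_ptr_detected)
    mem = TaintedMemory(n_bits)
    buf = mem.malloc(8); mem.malloc(8)                 # like malloc(n), plus a neighbouring block
    overflow = not mem.access_is_legal(ptr_op("+", buf, Ptr(8)))   # buffer[n], one past the end
    mem.free(buf)
    uaf = not mem.access_is_legal(buf)                 # dangling pointer into freed memory
    mem.malloc(8)                                      # reuses buf's address under a new mark
    stale = not mem.access_is_legal(buf)               # missed only when the two marks collide
    return overflow, uaf, stale
```

demo(8) detects all three accesses, while demo(1) (a single usable mark) reports only the use after free, which is the 1 - 1/2^n effect in miniature.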
Software Implementation

An additional pass is added to the compiler (LLVM) to taint all stack- and global-defined arrays

Taint propagation may be implemented using any dynamic tainting framework
Hardware-Based Implementation

1. Taint Processing and Storage

2 options: data widening, decoupling

Data widening: extending each data item with a few bits that represent its taint information

Decoupling: taint information is stored as a packed array in a reserved part of the application’s virtual address space

This address space is managed by the OS similar
2. Taint Propagation and Access Checking

2 options: hard wiring / programming an accelerator

Hard wiring would require hardware modifications for any future change, whereas an accelerator could simply be reprogrammed

But to add a different propagation strategy for each pointer operation, a software accelerator would need an exception for each operator

It is easier to add hardwired support for the taint operations

As a result of these considerations, a hardwired approach is chosen for taint propagation and access checking
In short,

Taint processing and initialization are done using decoupling

Taint propagation and checking are done using the hardwired technique
Conclusion

A dynamic technique for detecting IMAs was studied

With a minimum number of taint bits, the maximum number of IMAs is detected

Only actual IMAs are reported; no false detections are made
Future Scope

The technique could be improved to use software accelerators instead of hardwired logic for taint propagation and checking

It could also be improved to raise the probability of detecting IMAs with reduced resource utilisation
References

1. I. Doudalis, J. Clause, G. Venkataramani, M. Prvulovic and A. Orso, “Effective and Efficient Memory Protection Using Dynamic Tainting,” IEEE Transactions on Computers, vol. 61, no. 1, January 2012.
2. G. Venkataramani, I. Doudalis and Y. Solihin, “FlexiTaint: A Programmable Accelerator for Dynamic Taint Propagation.”
3. I. Doudalis, J. Clause and A. Orso, “Effective Memory Protection Using Dynamic Tainting,” Proc. 22nd IEEE, 2007.