Achieving Trusted Systems by Providing Security and Reliability

1. Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman Objective and Approach Accomplishments Threat of Hardware Memory Errors(DSN’01, DSN’02) Achieving Trusted Systems by Providing Security and Reliability • Study impact of hardware errors on system security • IEEE Dependable Systems and Networks (DSN’01and DSN’02) • State machine modeling of realistic security vulnerabilities • DSN’03 • Memory layout randomization-based defensive technique • IEEE Reliable Distributed Systems (SRDS’03) • Architecture level support for reliability and security • EASY’02,DSN’04 and DSN’05 • Formal reasoning on security vulnerabilities • IFIP Information Security (SEC’04) • Non-control-data attack: a new security threat • USENIX Security (Security’05) • Objective • design and validate secure and reliable computing systems to support critical infrastructures. • Approach • analyze raw data on security vulnerabilities and attacks • generate stochastic and state machine models depicting security threats • apply formal reasoning to uncover security vulnerabilities due to inconsistencies between system specifications and implementations • implement defensive techniques at compiler, operating system and hardware levels Due to hardware memory errors, users can log in with arbitrary passwords  Network server (FTP and SSH) Attacker Due to hardware memory errors, packets can penetrate firewalls Target host Attacker Firewall (IPChains and Netfilter) • Emulate random hardware memory errors • Stochastic model: quantitatively assess the threat in real environments Identifying New Security Threats(USENIX Security’05) Memory Layout Randomization-based Defense Technique(SRDS’03) Modeling and Analyzing Software Security Vulnerabilities (DSN’03) • Observation • Success of memory corruption attacks require attacker’s knowledge about the memory layout of the victim process • Technique • Modify the loader so that every time when an application process starts, its memory layout is randomized. • Attack attempts crash the process rather than take control over the application. • Randomized memory regions • Stack • Heap • Shared Libraries • Global offset table WU-FTP Server Format String Attack NULL-HTTP Server Heap Corruption Attack • Most current attacks are control-data attacks • Corrupting function pointers or return addresses to run malicious code. • Many defensive techniques are proposed to defeat control-data attacks, e.g., syscall-based IDS, non-executable memory and control data protection. • New threat: non-control-data attacks • User identity data, configuration data, user input data and decision-making Booleans • Non-control-data attacks can obtain the root privilege by exploiting vulnerabilities of FTP, SSH, HTTP and Telnet servers • More comprehensive defensive techniques are needed. • State machine based modeling of buffer overflow, format string, heap corruption, and integer overflow Formal Analysis on Security Vulnerabilities (SEC’04) Architectural Supports for Security and Reliability Future Directions (EASY’02, DSN’04, DSN’05) • The root cause of many vulnerabilities ( > 66% of CERT advisories): pointer taintedness • Pointer taintedness: a pointer value is derived directly or indirectly from user input • Formally defined semantics of pointer taintedness enables extracting security preconditions in application source code • Implement a compiler and a theorem prover to analyze C-code to extract conditions of pointer taitnedness. • Usefulness of extracted security preconditions • Vulnerability avoidance – removal of vulnerabilities from the source code • Generation of assertions for runtime vulnerability masking • Hardware-level checking: enhancing processors to detect pointer taintedness. • Combination of static code analysis and architecture support • To automatically derive predicates to be checked by processor at runtime • Reliability and security support for embedded systems • Migrate our current techniques to embedded systems • New topics: cell phone viruses, reduced power consumption, tamper-resistance hardware, crypto and authentication hardware/software • Reliability and Security Engine (RSE) • A reconfigurable processor framework to embed reliability and security checking modules. • Modules perform low-latency detections. • Reliability • data range check, instruction sequence check, hang/crash detection and hardware checkpointing • Security: • secure return address stack, memory layout randomization and pointer taintedness detection