1 / 22

Defensive Programming Using an Annotation Toolkit to Build DoS-Resistant Software

Defensive Programming Using an Annotation Toolkit to Build DoS-Resistant Software. Xiaohu (Tiger) Qie Ruoming Pang and Larry Peterson Princeton University. How to DoS a Networked System. Exhaust resource on a remote target  Making normal service unavailable

virginia-irwin
Download Presentation

Defensive Programming Using an Annotation Toolkit to Build DoS-Resistant Software

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Defensive ProgrammingUsing an Annotation Toolkit to Build DoS-Resistant Software Xiaohu (Tiger) Qie Ruoming Pang and Larry Peterson Princeton University OSDI'02, Boston, MA

  2. How to DoS a Networked System • Exhaust resource on a remote target Making normal service unavailable  Seriously degrade service quality • Examples • Christmas tree packets • Flood of packets with IP options • Router CPU swamped  Too busy to run routing protocols • Ping flood • TCP SYN flood OSDI'02, Boston, MA

  3. How to Slow-DoS a Web Server • Web Servers limit the number of connections • Idea: Slow down TCP • Slow sender: • ‘G’, ‘E’, ‘T’, ‘ ’, ‘/’, ‘/’, ‘/’, ... • Slow receiver and acker: • Request a big file • Open receive window lazily • Pretend packets were lost • Tie up all connections for as long as you want • Other victims: NIS servers, NAT boxes ... OSDI'02, Boston, MA

  4. Resources and Vulnerabilities Renewable Resources CPU cycles Network BW Disk BW Non-renewable Resources Processes File descriptors Buffers Admission control Busy Attack Vulnerability Claim-and-hold Attack Vulnerability  Recycle OSDI'02, Boston, MA

  5. Proposal: Defensive Programming • Program for Robustness • Integrate software functionality and protection • Highlight resource control • Pro-active, Systematic and Fine-grained protection • Annotation Toolkit • Sensors and Actuators • Protect both renewable and non-renewable resources • Low programming burden OSDI'02, Boston, MA

  6. OS Protection Static Analysis Anomaly Detection Profiling Related Work Annotation Toolkit OSDI'02, Boston, MA

  7. Outline • Attack and Resource Characterization • Toolkit Description • Case Study • Conclusions OSDI'02, Boston, MA

  8. X R X R S X X S Renewable Resource Protection • Divide program functionality into services • Balance resource consumption • Confine damage of a DoS attack within a service S R S S X R Client Request S S S R S S Services Renewable Resources OSDI'02, Boston, MA

  9. rate < ??? RL foo foo rate < ??? bar tee RL RL rate < 100? STOP RL bar tee No Yes RESOURCE RESOURCE Rate Limiting Options Resource not balanced among services Hard to set appropriate limits OSDI'02, Boston, MA

  10. Rate Sensor & Service Admission void foo() { ... bar(); send_pkt(); } void bar() { ... send_pkt(); } void send_pkt() { ... } void foo() { SERVICE_ADMISSION; bar(); send_pkt(); } void bar() { SERVICE_ADMISSION; send_pkt(); } void send_pkt() { RATE_SENSOR(100HZ); } A foo A A bar tee RATE SENSOR RESOURCE OSDI'02, Boston, MA

  11. Time Sensor TIME_SENSOR void entry() { TIME_SENSOR(100); foo(); bar(); } void foo() { SERVICE_ADMISSION; } void bar() { SERVICE_ADMISSION; compute_pi(); } void compute_pi() { SERVICE_ADMISSION; } A foo A MaxTime bar A compute_pi Deadline OSDI'02, Boston, MA

  12. Non-Renewable Resource Protection • Inspect principals that hold resources • Reclaim resources from “unproductive” principals • Starvation avoidance R R R Incoming Requests Accepted Requests Non-Renewable Resources Principals OSDI'02, Boston, MA

  13. Non-Renewable Resource Protection • Timer-based recycle • Idle timer • One shot timer • Progress-based recycle • User-defined progress metric • E.g. output generated, state transitions made • Reclaim resources from the “slowest” principal • User-defined pressure metric to trigger reclamation OSDI'02, Boston, MA

  14. C DoConnReadingBackend() { switch(ProcessRequestReading()) { case PRR_DONE: PROGRESS_SENSOR(10000); /* switch to sending */ break; ... Dispatcher Read/Parse Request PROGRESS SENSOR DoSingleWriteBackend() { sz = writev(...); /* Ok, we wrote something. */ PROGRESS_SENSOR(sz); if (all data are sent) { /* conection is finished! */ DoneWithConnection(c, FALSE); return; } ... File Directory CGI PROGRESS SENSOR Send Response PROGRESS SENSOR Progress Sensor & Reclamation Checkpoint OSDI'02, Boston, MA

  15. Toolkit Implementation • Sensors and Actuators • 11 C-macros / library functions • Managing renewable resources • RATE_SENSOR, TIME_SENSOR • SERVICE_ADMISSION • Managing non-renewable resources • PRESSURE_SENSOR, PROGRESS_SENSOR ... • RECLAMATION_CHECKPOINT • Compiler assistance • Auxiliary code generation • Annotation coverage check OSDI'02, Boston, MA

  16. Case Study: Flash Web Server • Flash • Event-driven architecture • ~12,000 lines of code • Annotating Flash Web Server • 46 services (mainly event handlers) • TIME_SENSOR in main loop, enclosing all services • PRESSURE_SENSOR tracks connection availability • PROGRESS_SENSOR in every stage • Added ~60 annotations OSDI'02, Boston, MA

  17. Services in Flash Main Loop    StartRequest RegularFileStuff RegularFileStuff ProcessColdRequest ProcessColdRequest ScheduleDirHelp SendDirRedirect          CGIStuff ProcessColdRequestBackend2 ExpandSymlinks ExpandSymlinks    OSDI'02, Boston, MA

  18. Slash Attack • O(N^2) memory read/write: • ~150ms for 10,000 slashes • “GET //////////////////…///xyz” • 7 requests per second saturates server /* Remove any leading slashes. */ while ( rest[0] == '/' ) { (void) strcpy( rest, &(rest[1]) ); --restlen; } OSDI'02, Boston, MA

  19. Flash Under Slash Attack • Normal Client: • Requests a 10KB file in the hot name cache • Attacker: • Requests cold URLs with 10000 slashes • 10 requests per second • Average client-perceived response time: OSDI'02, Boston, MA

  20. Limitations • Effectiveness depends on service granularity • All clients requesting cold URLs are affected • Possible solution: refine classification granularity • How to set parameters • Don’t have to be precise – for disaster control only • Fine tune from behavior profile OSDI'02, Boston, MA

  21. Conclusions • Defensive Programming: • Protect from inside • A useful additional layer of protection • Toolkit: • Renewable resources balanced among services • Non-renewable resources recycled based on progress • Systematic deployment of sensors and actuators • Not to look for specific “bugs” • Low programming burden OSDI'02, Boston, MA

  22. More Information • http://www.cs.princeton.edu/nsg Thank you! OSDI'02, Boston, MA

More Related