nach oben

Erschienen in:

2017 | OriginalPaper | Buchkapitel

MemPatrol: Reliable Sideline Integrity Monitoring for High-Performance Systems

verfasst von : Myoung Jin Nam, Wonhong Nam, Jin-Young Choi, Periklis Akritidis

Erschienen in: Detection of Intrusions and Malware, and Vulnerability Assessment

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a high-performance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel On the Trade-Offs in Oblivious Execution Techniques

Nächstes Kapitel Measuring and Defeating Anti-Instrumentation-Equipped Malware

Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow Integrity. In: ACM CCS 2005, Alexandria, VA, USA (2005)

Akritidis, P.: Cling: a memory allocator to mitigate dangling pointers. In: USENIX Security 2010, Washington, DC, USA (2010)

Akritidis, P., Cadar, C., Raiciu, C., Costa, M., Castro, M.: Preventing memory error exploits with WIT. In: IEEE S&P 2008, Oakland, CA, USA (2008)

Austin, T.M., Breach, S.E., Sohi, G.S.: Efficient detection of all pointer and array access errors. In: ACM PLDI 1994, Orlando, FL, USA (1994)

Bauman, E., Ayoade, G., Lin, Z.: A survey on hypervisor-based monitoring: approaches, applications, and evolutions. ACM Comput. Surv. 48(1), 10 (2015)CrossRef

Cowan, C., Pu, C., Maier, D., Hintony, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: USENIX Security 1998, San Antonio, TX, USA (1998)

Erlingsson, U.: The inlined reference monitor approach to security policy enforcement. Ph.D. thesis, Cornell University (2004)

Gueron, S.: Intel Advanced Encryption Standard (AES) Instruction Set White Paper, Rev. 3.0 edn. (2010)

Hofmann, O.S., Dunn, A.M., Kim, S., Roy, I., Witchel, E.: Ensuring operating system kernel integrity with OSck. In: ACM ASPLOS XVI, Newport Beach, CA, USA (2011)

10.

Intel: Data Plane Development Kit (DPDK). http://DPDK.org

11.

Intel: MPX Performance Evaluation. https://intel-mpx.github.io/performance

12.

Jee, K., Kemerlis, V.P., Keromytis, A.D., Portokalidis, G.: ShadowReplica: efficient parallelization of dynamic data flow tracking. In: ACM CCS 2013, Berlin, Germany (2013)

13.

Jones, R.W.M., Kelly, P.H.J.: Backwards-compatible bounds checking for arrays and pointers in C programs. In: ACM AADEBUG 1997, Linköping, Sweden (1997)

14.

Koromilas, L., Vasiliadis, G., Athanasopoulos, E., Ioannidis, S.: GRIM: leveraging GPUs for kernel integrity monitoring. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 3–23. Springer, Cham (2016). doi:10.1007/978-3-319-45719-2_1 CrossRef

15.

Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: USENIX OSDI 2014, Broomfield, CO, USA (2014)

16.

Mashtizadeh, A.J., Bittau, A., Boneh, D., Mazières, D.: CCFI: cryptographically enforced control flow integrity. In: ACM CCS 2015, Denver, CO, USA (2015)

17.

Ming, J., Wu, D., Xiao, G., Wang, J., Liu, P.: TaintPipe: pipelined symbolic taint analysis. In: USENIX Security 2015, Washington, DC, USA (2015)

18.

Moon, H., Lee, H., Lee, J., Kim, K., Paek, Y., Kang, B.B.: Vigilare: toward snoop-based kernel integrity monitor. In: ACM CCS 2012, Raleigh, NC, USA (2012)

19.

Müller, T., Freiling, F.C., Dewald, A.: TRESOR runs encryption securely outside RAM. In: USENIX Security 2011, San Francisco, CA, USA (2011)

20.

Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: SoftBound: highly compatible and complete spatial memory safety for C. In: ACM PLDI 2009, Dublin, Ireland (2009)

21.

Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: CETS: compiler enforced temporal safety for C. In: ACM ISMM 2010, Toronto, ON, Canada (2010)

22.

Nikiforakis, N., Piessens, F., Joosen, W.: HeapSentry: kernel-assisted protection against heap overflows. In: Rieck, K., Stewin, P., Seifert, J.-P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 177–196. Springer, Heidelberg (2013). doi:10.1007/978-3-642-39235-1_11 CrossRef

23.

Niometrics: NCORE DPI System. http://www.niometrics.com

24.

Oikonomopoulos, A., Athanasopoulos, E., Bos, H., Giuffrida, C.: Poking holes in information hiding. In: USENIX Security 2016, Austin, TX, USA (2016)

25.

PaX: MPROTECT (2003). https://pax.grsecurity.net/docs/mprotect.txt

26.

Petroni, Jr., N.L., Fraser, T., Molina, J., Arbaugh, W.A.: Copilot - a coprocessor-based kernel runtime integrity monitor. In: USENIX Security 2004, San Diego, CA, USA (2004)

27.

Robertson, W., Kruegel, C., Mutz, D., Valeur, F.: Run-time detection of heap-based overflows. In: USENIX LISA 2003, San Diego, CA, USA (2003)

28.

Salamat, B., Gal, A., Jackson, T., Wagner, G., Manivannan, K., Franz, M.: Multi-variant program execution: using multi-core systems to defuse buffer-overflow vulnerabilities. In: IEEE CISIS 2008, Barcelona, Spain (2008)

29.

Salamat, B., Jackson, T., Gal, A., Franz, M.: Orchestra: intrusion detection using parallel execution and monitoring of program variants in user-space. In: ACM EuroSys 2009, Nuremberg, Germany (2009)

30.

SELinux Wiki: Main Page – SELinux Wiki (2013). http://selinuxproject.org

31.

Serebryany, K., Bruening, D., Potapenko, A., Vyukov, D.: AddressSanitizer: a fast address sanity checker. In: USENIX ATC 2012, Boston, MA, USA (2012)

32.

Simmons, P.: Security through amnesia: a software-based solution to the cold boot attack on disk encryption. In: ACM ACSAC 2011, Orlando, FL, USA (2011)

33.

Tian, D., Zeng, Q., Wu, D., Liu, P., Hu, C.: Kruiser: semi-synchronized non-blocking concurrent kernel heap buffer overflow monitoring. In: ISOC NDSS 2012, San Diego, CA, USA (2012)

34.

Wagner, J., Kuznetsov, V., Candea, G., Kinder, J.: High system-code security with low overhead. In: IEEE S&P 2015, Oakland, CA, USA (2015)

35.

Willhalm, T., Dementiev, R., Fay, P.: Intel Performance Counter Monitor - A better way to measure CPU utilization (2012). http://www.intel.com/software/pcm

36.

Yee, B., Sehr, D., Dardyk, G., Chen, J.B., Muth, R., Orm, T., Okasaka, S., Narula, N., Fullagar, N., Inc, G.: Native client: a sandbox for portable, untrusted x86 native Code. In: IEEE S&P 2009, Oakland, CA, USA (2009)

37.

Zeng, Q., Wu, D., Liu, P.: Cruiser: concurrent heap buffer overflow monitoring using lock-free data structures. In: ACM PLDI 2011, San Jose, CA, USA (2011)

Titel: MemPatrol: Reliable Sideline Integrity Monitoring for High-Performance Systems
verfasst von: Myoung Jin Nam
Wonhong Nam
Jin-Young Choi
Periklis Akritidis
Verlag: Springer International Publishing
Buch: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-319-60875-4

Electronic ISBN: 978-3-319-60876-1

Copyright-Jahr: 2017
DOI: https://doi.org/10.1007/978-3-319-60876-1_3

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"