Identification and Protection of Security-Critical Data
MCS Project Presentation, June 6, 2006
Nora Sovarel, University of Virginia Computer Science

Security-Critical Data
• Corruption may lead to compromised security
• Control data
  – Used as, or used to calculate, the instruction pointer
  – Numerous defenses
    • StackGuard, Write or Exec, Shadow Stack
    • Instruction Set Randomization ([Barrantes+, CCS'03], [Kc+, CCS'03])
    • Control Flow Integrity ([Abadi+, CCS'05]), DIRA ([Smirnov and Chiueh, NDSS'05])
• Non-control data

Non-Control Data Attack
• Heap corruption attack against configuration data ([Chen+, USENIX'05])
[Diagram: POST requests arrive at the SERVER; the heap corruption changes the configuration value CGI-BIN="/usr/local/httpd/cgi-bin" to CGI-BIN="/bin", so a later request's "commands" (the slide shows rm -rf * /) are executed instead of a CGI script.]

Non-Control Data
• Execution is altered by changing data
  – Configuration data: CGI-BIN path
  – User input: validated and then corrupted
  – User identity data: uid, root access if changed to 0
  – Decision-making data: if condition
[Chen+, USENIX'05]

Non-Control Data Characteristics
• Long lifetime
  – Many opportunities to corrupt it
• Rarely updated
• Passed as parameters to system calls
  – execve, setuid, fopen, fwrite
• Special cases
  – If condition
  – Saved registers

Approach
• Store security-critical data in a secure store
  – Protected by hardware
  – Writes allowed only in specially marked code sections
  – Corruption attempt generates a segmentation fault
• Program
  – Need to mark data and update sections
    • By programmer: language extension
    • Automatically: inference
  – Automatic program transformation
    • Store marked data in the secure store
    • Insert system calls for update sections

Variable lifetime
[Diagram: timeline of a variable from init through alternating read-only and read-write phases; the Secure Store is writable (w) only during the read-write phases and read-only (r) in between.]

Requirements
• No system calls injected
• No system calls skipped
  – Use an existing control data defense
• Operating system support (mprotect)
• Hardware support (NX/XD bit)
• Acceptable performance penalty
• Reasonable programmer effort
  – Evaluated in the case studies

Roadmap
• Motivation
• Approach
• Design
  – Language Extensions
  – Inference
  – Program Transformation
• Implementation
• Case Studies

C Language Extensions
• critical: type qualifier
  – Marks security-critical data
  – Data allocated in special storage
• update: statement
  update := update statement

Inference
• Security-critical data: future work
• Update sections
  – Data marked using attributes
  – Assignment to critical data
  – Call to library function: predefined list
  – User-defined function
    • Specialization for each combination of critical/non-critical parameters
  – Some user guidance required

User Defined Functions
Before:
    void set(int *p, int v) { *p = v; }
    …
    int critical *p;
    …
    set(p,1);
    …
After:
    void set(int *p, int v) { *p = v; }
    void set1(critical int *p, int v) { enable_update(); *p = v; disable_update(); }
    …
    int *critical p;
    …
    set1(p,1);
    …

Program Transformation
• Puts security-critical data in the secure store
  – Heap
  – Static data
  – Stack
• Sets the initial access rights
• Inserts enable/disable protection calls

Example
Before:
    critical int *x;
    …
    x = malloc(…);
    …
    update { statement; }
    …
    free(x);
    …
After:
    int *x;
    …
    x = secure_malloc(…);
    …
    enable_update();
    statement;
    disable_update();
    …
    secure_free(x);
    …

Implementation
• Secure heap: modified Doug Lea memory allocator
• Enable/disable protection
• Update section inference: CIL module
• Future work
  – Data inference, secure stack, secure global data section

Case Studies - Goals
• Security-critical data and update sections
  – How many?
  – How can they be automatically inferred?
• Measure the performance (Null-Httpd)
• Verify the update section inference (Wu-FTPD)

Case Studies - Applications
Null-Httpd 0.5.0
• 2,300 LOC
• Web server
  – Static HTML
  – CGI (Perl, PHP)
• Thread for each request
• Process for each script
Wu-FTPD 2.6.0
• 18,000 LOC
• FTP server
• Fork to execute external applications (ls, zip, tar)

Security-Critical Data
Null-Httpd 0.5.0
• Mostly static data
  – Configuration parameters
  – Connection data
• Local variables: args, env
• Passed to write/send, execve
Wu-FTPD 2.6.0
• Static data
  – passwd structure
• Mostly local variables: uid, args
• Passed to execve, seteuid

Update Sections - Null-Httpd 0.5.0
• 117 sections
  – The granularity of critical
  – The application architecture
• snprintf: more than half of the sections
• strcat, strncpy
• Interesting cases
  – Potential deadlock: recv, read
  – Aliasing: strchr

Update Sections - Wu-FTPD 2.6.0
• Inference found 30 sections
  – Usually less than one screen away from the definition
• Missed one case
  – critical char* gargv[MAX_GARGV]
  – Copies pointers: no direct call to malloc
  – No crash, but a security vulnerability

Performance - Null-Httpd 0.5.0
• Penalty per single update: more than 5 orders of magnitude
• Penalty per connection: latency protected / latency unprotected = 1.4
• Possible improvements
  – The data layout (fewer data)
  – Merge adjacent update sections

Conclusion
• Security-critical data can be identified and protected
  – Most of it is passed to a few system calls
  – Run-time protection provided by existing hardware
• Update sections can be inferred
  – Number depends on the application
    • Many for Null-Httpd (application design)
• Performance penalty depends on the application
  – Big for Null-Httpd
  – Not measured for Wu-FTPD, but expected to be low

Questions
Thanks: David Evans, Westley Weimer, Nate Paul, Jeff Shirley
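The following C program is an added example, not code from the presentation or from the author's prototype. It sketches the mechanism behind the Approach, User Defined Functions, Example and Performance slides: critical data is placed in an mmap'd region that is kept PROT_READ, the enable_update/disable_update calls that the transformation inserts around an update statement toggle it to PROT_READ|PROT_WRITE with mprotect, and a write that lands on the region outside a section is stopped by the MMU with SIGSEGV. All names (secure_store_init, secure_malloc, secure_free, enable_update, disable_update, set_critical, write_faults) are assumed for this example; the trivial bump allocator stands in for the project's modified Doug Lea allocator, and write_faults is a test probe that catches the fault so the program can report it rather than die.

```c
/* Added example (not the presentation's code): page-granularity secure store.
 * Assumed names throughout; bump allocator replaces the project's dlmalloc. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static unsigned char *store;   /* page-aligned backing region for critical data */
static size_t store_size;      /* bytes reserved, a multiple of the page size */
static size_t store_used;      /* bump-allocator offset */
static int update_depth;       /* nesting counter: adjacent/nested sections merge */

/* Reserve the store and set its initial access right: read-only. */
int secure_store_init(size_t bytes) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    store_size = ((bytes + page - 1) / page) * page;
    store = mmap(NULL, store_size, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (store == MAP_FAILED) return -1;
    memset(store, 0, store_size);
    store_used = 0;
    update_depth = 0;
    return mprotect(store, store_size, PROT_READ);
}

/* The calls inserted around `update { ... }` (Example slide). Only the
 * outermost section pays the mprotect system call in each direction. */
void enable_update(void) {
    if (update_depth++ == 0)
        mprotect(store, store_size, PROT_READ | PROT_WRITE);
}
void disable_update(void) {
    if (update_depth > 0 && --update_depth == 0)
        mprotect(store, store_size, PROT_READ);
}

/* secure_malloc/secure_free replace malloc/free for critical objects. */
void *secure_malloc(size_t n) {
    size_t aligned = (n + 15) & ~(size_t)15;
    if (store_used + aligned > store_size) return NULL;
    void *p = store + store_used;
    store_used += aligned;
    return p;
}
void secure_free(void *p) { (void)p; /* no reuse in this sketch */ }

/* Specialised copy of a setter whose parameter is critical, in the
 * spirit of set1() on the User Defined Functions slide. */
void set_critical(int *p, int v) {
    enable_update();
    *p = v;
    disable_update();
}

/* Probe: attempt a one-byte write; return 1 if it faulted, 0 if it landed.
 * The SIGSEGV handler longjmps back so the probe can be reused. */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

int write_faults(char *dst, char c) {
    struct sigaction sa, old;
    int faulted;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) return -1;
    if (sigsetjmp(fault_env, 1) == 0) {
        *(volatile char *)dst = c;   /* faults when the store is read-only */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

int main(void) {
    if (secure_store_init(4096) != 0) return 1;
    char *cgi_bin = secure_malloc(64);            /* the CGI-BIN path of slide 3 */
    enable_update();
    strcpy(cgi_bin, "/usr/local/httpd/cgi-bin");  /* legitimate initialisation */
    disable_update();
    /* A corrupting write outside any update section never reaches memory. */
    printf("stray write faulted: %d, cgi_bin = %s\n",
           write_faults(cgi_bin, 'X'), cgi_bin);
    int *uid = secure_malloc(sizeof *uid);
    set_critical(uid, 1000);
    printf("uid = %d\n", *uid);
    return 0;
}
```

Two properties of the real system show up directly in this sketch. Protection is page-granular, so while any update section is open every object in the store is writable; that is why the Performance slide lists the data layout and merging adjacent sections as improvements, and why the nesting counter above collapses nested or back-to-back sections into one pair of mprotect calls. And each open/close costs a system call plus a TLB flush, which is the "more than 5 orders of magnitude" per-update penalty measured for Null-Httpd; the 1.4x per-connection figure is what remains once that cost is amortised over a request.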