Successfully reported this slideshow.
College of ComputingGeorgia Institute of TechnologySupported in part by:NSF awards CCF-0541080 and CCR-0205422 to Georgia ...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int...
Previous workStatic techniques•Language basede.g., Jim et al. 02, Necula et al. 05•Analysis basede.g., Dor et al. 03, Hall...
Previous workStatic techniques•Language basede.g., Jim et al. 02, Necula et al. 05•Analysis basede.g., Dor et al. 03, Hall...
Previous workStatic techniques•Language basede.g., Jim et al. 02, Necula et al. 05•Analysis basede.g., Dor et al. 03, Hall...
Previous workStatic techniques•Language basede.g., Jim et al. 02, Necula et al. 05•Analysis basede.g., Dor et al. 03, Hall...
Previous workStatic techniques•Language basede.g., Jim et al. 02, Necula et al. 05•Analysis basede.g., Dor et al. 03, Hall...
Approach overview
1 Assigntaint marksApproach overview
1 Assigntaint marksApproach overviewP1A
P11A11 Assigntaint marksApproach overview
1 Assigntaint marksApproach overviewP1P212AB12
1 Assigntaint marksApproach overviewP3P1P2312AC B123
1 Assigntaint marksApproach overviewP3P1P2312P5AC B123P4
1 Assigntaint marksApproach overview2 Propagatetaint marksP3P1P2312P5AC B123P4
1 Assigntaint marksApproach overview2 Propagatetaint marksP3P1P2312P5AC B123P4
1 Assigntaint marksApproach overview2 Propagatetaint marksP3P1P2312P53AC B123P41
1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312P53AC B123P41
1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312P53AC B123P41
1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312P53AC B123P41
1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312P53AC B123P41✔
1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312AC B123P4P531
1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312AC B123P4P531
1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312AC B123P4✘P531
Outline• Our approach1. Assigning taint marks2. Propagating taint marks3. Checking taint marks• Empirical evaluation• Conc...
Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“...
Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“...
Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“...
Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“...
Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“...
Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“...
Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“...
Memory Pointers1 Assigning taint marksStaticDynamicbuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter s...
Memory Pointers1 Assigning taint marksStaticDynamicbuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter s...
Memory Pointers1 Assigning taint marksStaticDynamicbuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter s...
Memory Pointers1 Assigning taint marksStaticDynamicbuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter s...
Memory Pointers1 Assigning taint marksStaticDynamicbuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter s...
Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“...
Memory Pointers1 Assigning taint marksStaticDynamic1 Identify the rangesof allocated memory2 Assign a unique taintmark to ...
Memory Pointers1 Assigning taint marksStaticDynamic1 Identify the rangesof allocated memory2 Assign a unique taintmark to ...
Memory Pointers1 Assigning taint marksStaticDynamic1 Identify the rangesof allocated memory2 Assign a unique taintmark to ...
Memory Pointers1 Assigning taint marksStaticDynamic1 Identify the rangesof allocated memory2 Assign a unique taintmark to ...
Memory Pointers1 Assigning taint marksStaticDynamic1 Identify the rangesof allocated memory2 Assign a unique taintmark to ...
Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“...
Memory Pointers1 Assigning taint marksStaticDynamic1 Identify pointercreation sites2 Assign the pointer the same taintmark...
Memory Pointers1 Assigning taint marksStaticDynamic1 Identify pointercreation sites2 Assign the pointer the same taintmark...
Memory Pointers1 Assigning taint marksStaticDynamic1 Identify pointercreation sites2 Assign the pointer the same taintmark...
Memory Pointers1 Assigning taint marksStaticDynamic1 Identify pointercreation sites2 Assign the pointer the same taintmark...
Memory Pointers1 Assigning taint marksStaticDynamic1 Identify pointercreation sites2 Assign the pointer the same taintmark...
Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“...
ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XOROverviewP11P2
ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XOROverview +, −, ×, ÷,and, or, xor,....
ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XOROverview +, −, ×, ÷,and, or, xor,....
ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XOROverview• Propagation must take in...
ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XOROverview• Propagation must take in...
ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XORAddition, SubtractionA +/− B = CA ...
ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XORAND The result of anding a pointer...
ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XORMultiplication, Division,OR, XORWe...
Checking taint marksWhen memory is accessed through a pointer:compare the memory taint mark and the pointer taint mark3Poi...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc...
Limiting the number oftaint marksAn unlimited number of taint marks makes ahardware implementation infeasible• increases t...
Limiting the number oftaint marksAn unlimited number of taint marks makes ahardware implementation infeasible• increases t...
Effects on the approachWith an random assignment of n taint marks thedetection probability is:IMAs are detected probabilis...
Effects on the approachWith an random assignment of n taint marks thedetection probability is:IMAs are detected probabilis...
Effects on the approachWith an random assignment of n taint marks thedetection probability is:1. The technique can be tune...
Effects on the approachWith an random assignment of n taint marks thedetection probability is:1. The technique can be tune...
Empirical evaluationRQ1: Is the efficiency of our approach sufficient for itto be applied to deployed software?RQ2:What is t...
RQ1: experimental method• Hardware implementation• Cycle accurate simuator (SESC)• Treat taint marks as first class citizen...
RQ1: experimental method• Hardware implementation• Cycle accurate simuator (SESC)• Treat taint marks as first class citizen...
RQ1: results051015202530bzip2craftyeongapgccgzipmcfparserperlbmktwolfvortexvpraverage%overhead(time)2 marks8 marks16 marks...
RQ1: results051015202530bzip2craftyeongapgccgzipmcfparserperlbmktwolfvortexvpraverage%overhead(time)2 marks8 marks16 marks...
RQ1: results051015202530bzip2craftyeongapgccgzipmcfparserperlbmktwolfvortexvpraverage%overhead(time)2 marks8 marks16 marks...
RQ1: results051015202530bzip2craftyeongapgccgzipmcfparserperlbmktwolfvortexvpraverage%overhead(time)2 marks8 marks16 marks...
RQ2: experimental method• Software implementation• Binary instrumenter (Pin)• Use instrumentation to assign, propagate, an...
RQ2: resultsApplication IMA location Type Detectedbc-1.06 more_arrays: 177 buffer overflow ✔ (5/5)bc-1.06 lookup: 577 buffe...
RQ2: resultsApplication IMA location Type Detectedbc-1.06 more_arrays: 177 buffer overflow ✔ (5/5)bc-1.06 lookup: 577 buffe...
RQ2: resultsApplication IMA location Type Detectedbc-1.06 more_arrays: 177 buffer overflow ✔ (5/5)bc-1.06 lookup: 577 buffe...
Future work• Complete implementation that handlesstatic memory• Additional experiments with a wider rangeof IMAs• Further ...
Conclusions• Definition of an approach for preventing illegalmemory accesses in deployed software• uses dynamic taint analy...
Upcoming SlideShare
Loading in …5
×

Effective Memory Protection Using Dynamic Tainting (ASE 2007)

481 views

Published on

Published in: Technology, Health & Medicine
  • Be the first to comment

Effective Memory Protection Using Dynamic Tainting (ASE 2007)

  1. 1. College of ComputingGeorgia Institute of TechnologySupported in part by:NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech,DHS and US Air Force Contract No. FA8750-05-2-0214Effective Memory ProtectionUsing Dynamic TaintingIoannis DoudalisMilos Prvulovic(hardware)James ClauseAlessandro Orso(software)and
  2. 2. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memory
  3. 3. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memory
  4. 4. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memory
  5. 5. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:
  6. 6. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:
  7. 7. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:
  8. 8. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:
  9. 9. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n: 3
  10. 10. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n: 3
  11. 11. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n: 3
  12. 12. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n: 3
  13. 13. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:930
  14. 14. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:98232
  15. 15. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memoryi <= n ➜ i < nbuf:np:i:n:98232
  16. 16. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:98232
  17. 17. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:98232
  18. 18. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:982337
  19. 19. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:982337
  20. 20. void main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}Illegal memory accesses (IMA)Memorybuf:np:i:n:982337Illegal memory accesses• Caused by common programming mistakes• Cause non-deterministic failures• Cause security vulnerabilities
  21. 21. Previous workStatic techniques•Language basede.g., Jim et al. 02, Necula et al. 05•Analysis basede.g., Dor et al. 03, Hallem et al. 02, Heine and Lam03, Xie et al. 03Dynamic techniques•Analysis basede.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xuet al. 04, Hastings and Joyce 92, Seward andNethercote 05•Hardware basede.g., Qin et al. 05,Venkataramani et al. 07, Crandalland Chong 04, Dalton et al. 07,Vachharajani et al. 04
  22. 22. Previous workStatic techniques•Language basede.g., Jim et al. 02, Necula et al. 05•Analysis basede.g., Dor et al. 03, Hallem et al. 02, Heine and Lam03, Xie et al. 03Dynamic techniques•Analysis basede.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xuet al. 04, Hastings and Joyce 92, Seward andNethercote 05•Hardware basede.g., Qin et al. 05,Venkataramani et al. 07, Crandalland Chong 04, Dalton et al. 07,Vachharajani et al. 04}Require source code
  23. 23. Previous workStatic techniques•Language basede.g., Jim et al. 02, Necula et al. 05•Analysis basede.g., Dor et al. 03, Hallem et al. 02, Heine and Lam03, Xie et al. 03Dynamic techniques•Analysis basede.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xuet al. 04, Hastings and Joyce 92, Seward andNethercote 05•Hardware basede.g., Qin et al. 05,Venkataramani et al. 07, Crandalland Chong 04, Dalton et al. 07,Vachharajani et al. 04}}Require source codeUnacceptable overhead
  24. 24. Previous workStatic techniques•Language basede.g., Jim et al. 02, Necula et al. 05•Analysis basede.g., Dor et al. 03, Hallem et al. 02, Heine and Lam03, Xie et al. 03Dynamic techniques•Analysis basede.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xuet al. 04, Hastings and Joyce 92, Seward andNethercote 05•Hardware basede.g., Qin et al. 05,Venkataramani et al. 07, Crandalland Chong 04, Dalton et al. 07,Vachharajani et al. 04}}Require source codeUnacceptable overhead} Extensive modification
  25. 25. Previous workStatic techniques•Language basede.g., Jim et al. 02, Necula et al. 05•Analysis basede.g., Dor et al. 03, Hallem et al. 02, Heine and Lam03, Xie et al. 03Dynamic techniques•Analysis basede.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xuet al. 04, Hastings and Joyce 92, Seward andNethercote 05•Hardware basede.g., Qin et al. 05,Venkataramani et al. 07, Crandalland Chong 04, Dalton et al. 07,Vachharajani et al. 04}}Require source codeUnacceptable overheadWe define our approach to overcome theselimitations• Operate at the binary level• Use hardware to reduce overhead• Minimal, practical modifications} Extensive modification
  26. 26. Approach overview
  27. 27. 1 Assigntaint marksApproach overview
  28. 28. 1 Assigntaint marksApproach overviewP1A
  29. 29. P11A11 Assigntaint marksApproach overview
  30. 30. 1 Assigntaint marksApproach overviewP1P212AB12
  31. 31. 1 Assigntaint marksApproach overviewP3P1P2312AC B123
  32. 32. 1 Assigntaint marksApproach overviewP3P1P2312P5AC B123P4
  33. 33. 1 Assigntaint marksApproach overview2 Propagatetaint marksP3P1P2312P5AC B123P4
  34. 34. 1 Assigntaint marksApproach overview2 Propagatetaint marksP3P1P2312P5AC B123P4
  35. 35. 1 Assigntaint marksApproach overview2 Propagatetaint marksP3P1P2312P53AC B123P41
  36. 36. 1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312P53AC B123P41
  37. 37. 1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312P53AC B123P41
  38. 38. 1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312P53AC B123P41
  39. 39. 1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312P53AC B123P41✔
  40. 40. 1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312AC B123P4P531
  41. 41. 1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312AC B123P4P531
  42. 42. 1 Assigntaint marksApproach overview3 Checktaint marks2 Propagatetaint marksP3P1P2312AC B123P4✘P531
  43. 43. Outline• Our approach1. Assigning taint marks2. Propagating taint marks3. Checking taint marks• Empirical evaluation• Conclusions
  44. 44. Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memoryvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory
  45. 45. Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangevoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each range
  46. 46. Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangevoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:
  47. 47. Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangevoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:{[&np, &np + sizeof(int *))
  48. 48. Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangevoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:
  49. 49. Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangevoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321
  50. 50. Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memoryvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory
  51. 51. Memory Pointers1 Assigning taint marksStaticDynamicbuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to
  52. 52. Memory Pointers1 Assigning taint marksStaticDynamicbuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points toaddress-of operator (&)
  53. 53. Memory Pointers1 Assigning taint marksStaticDynamicbuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to
  54. 54. Memory Pointers1 Assigning taint marksStaticDynamicbuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:4321
  55. 55. Memory Pointers1 Assigning taint marksStaticDynamicbuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to
  56. 56. Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memoryvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory
  57. 57. Memory Pointers1 Assigning taint marksStaticDynamic1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations
  58. 58. Memory Pointers1 Assigning taint marksStaticDynamic1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocationsbuf:np:i:n:423213
  59. 59. Memory Pointers1 Assigning taint marksStaticDynamic1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocationsbuf:np:i:n:423213[ret, ret + arg0){
  60. 60. Memory Pointers1 Assigning taint marksStaticDynamic1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocationsbuf:np:i:n:423213
  61. 61. Memory Pointers1 Assigning taint marksStaticDynamic1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocationsbuf:np:i:n:423215553
  62. 62. Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memoryvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory
  63. 63. Memory Pointers1 Assigning taint marksStaticDynamic1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory
  64. 64. Memory Pointers1 Assigning taint marksStaticDynamic1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memoryreturn value of malloc
  65. 65. Memory Pointers1 Assigning taint marksStaticDynamic1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory
  66. 66. Memory Pointers1 Assigning taint marksStaticDynamic1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memorybuf:np:i:n:423215553
  67. 67. Memory Pointers1 Assigning taint marksStaticDynamic1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory
  68. 68. Memory Pointers1 Assigning taint marksStaticDynamicvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memoryvoid main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Static memory allocations1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:4321void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to statically allocated memory1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points to1 Identify the rangesof allocated memory2 Assign a unique taintmark to each rangebuf:np:i:n:423213void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Dynamic memory allocations1 Identify pointercreation sites2 Assign the pointer the same taintmark as the memory it points tobuf:np:i:n:423215553void main() {int *np, n, i, *buf;np = &n;printf(“Enter size: “);scanf(“%d”, np);buf = malloc(n * sizeof(int));for(i = 0; i <= n; i++)*(buf + i) = rand()%10;...}Pointers to dynamically allocated memory
  69. 69. ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XOROverviewP11P2
  70. 70. ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XOROverview +, −, ×, ÷,and, or, xor,...P11P2
  71. 71. ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XOROverview +, −, ×, ÷,and, or, xor,...P11P2Should the result be tainted?If so, how?
  72. 72. ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XOROverview• Propagation must take into account bothoperation semantics and programmer intent+, −, ×, ÷,and, or, xor,...P11P2Should the result be tainted?If so, how?
  73. 73. ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XOROverview• Propagation must take into account bothoperation semantics and programmer intent• Our policy is based on knowledge ofC/C++/assembly and patterns observed inreal software+, −, ×, ÷,and, or, xor,...P11P2Should the result be tainted?If so, how?
  74. 74. ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XORAddition, SubtractionA +/− B = CA B CMost common use of addition andsubtraction is to add or subtract apointer and an offset1 11 /1 notaint...
  75. 75. ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XORAND The result of anding a pointer and amask should be treated differentlydepending on the value of the maskc = a & 0xffffff00 - base addressc = a & 0x000000ff - offsetA & B = CA B C1 or1notaint...
  76. 76. ANDAddition, SubtractionOverviewPropagating taint marks2Multiplication, Division,OR, XORMultiplication, Division,OR, XORWe found zero cases where theresult of any of these operationswas a pointer
  77. 77. Checking taint marksWhen memory is accessed through a pointer:compare the memory taint mark and the pointer taint mark3Pointer Memory IMA?noyesyesyesyes12 2233
  78. 78. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}
  79. 79. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}
  80. 80. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}
  81. 81. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:i:n:4321
  82. 82. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:i:n:4321
  83. 83. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:i:n:4 2321
  84. 84. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:i:n:4 2321
  85. 85. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:i:n:4 2321
  86. 86. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:i:n:4 2321✔
  87. 87. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:i:n:4 2321
  88. 88. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:i:n:4 23213
  89. 89. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:i:n:4 23213
  90. 90. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:5i:n:4 23215553
  91. 91. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:5i:n:4 23215553
  92. 92. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:5i:n:4 232155530
  93. 93. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}+ =5 5buf:np:5i:n:4 232155530
  94. 94. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}+ =5 5buf:np:5i:n:4 232155530✔
  95. 95. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:5i:n:4 232155530
  96. 96. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:5i:n:4 2321555930
  97. 97. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:5i:n:4 232155598232
  98. 98. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:5i:n:4 232155598232
  99. 99. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:5i:n:4 232155598233+ =5 5
  100. 100. Preventing IMAsvoid main() {1. int *np, n, i, *buf;2. np = &n;3. printf(“Enter size: “);4. scanf(“%d”, np);5. buf = malloc(n * sizeof(int));6. for(i = 0; i <= n; i++)7. *(buf + i) = rand()%10;...}buf:np:5i:n:4 232155598233+ =5 5✘
  101. 101. Limiting the number oftaint marksAn unlimited number of taint marks makes ahardware implementation infeasible• increases the overhead (time and space)• complicates the design
  102. 102. Limiting the number oftaint marksAn unlimited number of taint marks makes ahardware implementation infeasible• increases the overhead (time and space)• complicates the design➡ Assign taint marks from a limited, reusablepool
  103. 103. Effects on the approachWith an random assignment of n taint marks thedetection probability is:IMAs are detected probabilisticallyp = 11n
  104. 104. Effects on the approachWith an random assignment of n taint marks thedetection probability is:IMAs are detected probabilistically2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6%p = 11n
  105. 105. Effects on the approachWith an random assignment of n taint marks thedetection probability is:1. The technique can be tuned by increasing or decreasingthe number of taint marksIMAs are detected probabilistically2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6%p = 11n
  106. 106. Effects on the approachWith an random assignment of n taint marks thedetection probability is:1. The technique can be tuned by increasing or decreasingthe number of taint marks2. In practice the approach is successful with only a smallnumber (2) of taint marksIMAs are detected probabilistically2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6%p = 11n
  107. 107. Empirical evaluationRQ1: Is the efficiency of our approach sufficient for itto be applied to deployed software?RQ2:What is the effectiveness of our technique whenusing limited number of taint marks?
  108. 108. RQ1: experimental method• Hardware implementation• Cycle accurate simuator (SESC)• Treat taint marks as first class citizens• Subjects• SPEC CPU2000 benchmark (12 applications)• Calculate the overhead imposed by ourapproach for each subject application
  109. 109. RQ1: experimental method• Hardware implementation• Cycle accurate simuator (SESC)• Treat taint marks as first class citizens• Subjects• SPEC CPU2000 benchmark (12 applications)• Calculate the overhead imposed by ourapproach for each subject applicationCurrent implementation assigns taint marks only todynamically allocated memory, but propagation andchecking are fully implemented
  110. 110. RQ1: results051015202530bzip2craftyeongapgccgzipmcfparserperlbmktwolfvortexvpraverage%overhead(time)2 marks8 marks16 marks256 marks
  111. 111. RQ1: results051015202530bzip2craftyeongapgccgzipmcfparserperlbmktwolfvortexvpraverage%overhead(time)2 marks8 marks16 marks256 marks• Even with 256 marks, the average overhead isin the single digits
  112. 112. RQ1: results051015202530bzip2craftyeongapgccgzipmcfparserperlbmktwolfvortexvpraverage%overhead(time)2 marks8 marks16 marks256 marks• All attacks were detected with two taint marks• Even with 256 marks, the average overhead isin the single digits
  113. 113. RQ1: results051015202530bzip2craftyeongapgccgzipmcfparserperlbmktwolfvortexvpraverage%overhead(time)2 marks8 marks16 marks256 marks• All attacks were detected with two taint marks• Software-only implementations impose twoorders of magnitude more overhead• Even with 256 marks, the average overhead isin the single digits
  114. 114. RQ2: experimental method• Software implementation• Binary instrumenter (Pin)• Use instrumentation to assign, propagate, and checktaint marks• Subjects• SPEC CPU2000 benchmark (12 applications)• 5 applications with 7 known IMAs• Run both each applications protected by oursoftware implementation and check that only theknown illegal memory accesses are detected (5times)
  115. 115. RQ2: resultsApplication IMA location Type Detectedbc-1.06 more_arrays: 177 buffer overflow ✔ (5/5)bc-1.06 lookup: 577 buffer overflow ✔ (5/5)gnupg-1.4.4 parse_comment: 2095 integer overflow ✔ (5/5)mutt-1.4.2.li utf8_to_utf7: 199 buffer overflow ✔ (5/5)php-5.2.0 php_char_to_str_ex: 3152 integer overflow ✔ (5/5)pine-4.44 rfc882_cat: 260 buffer overflow ✔ (5/5)squid-2.3 ftpBuildTitleUrl: 1024 buffer overflow ✔ (5/5)Applications with known IMAs
  116. 116. RQ2: resultsApplication IMA location Type Detectedbc-1.06 more_arrays: 177 buffer overflow ✔ (5/5)bc-1.06 lookup: 577 buffer overflow ✔ (5/5)gnupg-1.4.4 parse_comment: 2095 integer overflow ✔ (5/5)mutt-1.4.2.li utf8_to_utf7: 199 buffer overflow ✔ (5/5)php-5.2.0 php_char_to_str_ex: 3152 integer overflow ✔ (5/5)pine-4.44 rfc882_cat: 260 buffer overflow ✔ (5/5)squid-2.3 ftpBuildTitleUrl: 1024 buffer overflow ✔ (5/5)Applications with known IMAsAll attacks were detected with two taint marks
  117. 117. RQ2: resultsApplication IMA location Type Detectedbc-1.06 more_arrays: 177 buffer overflow ✔ (5/5)bc-1.06 lookup: 577 buffer overflow ✔ (5/5)gnupg-1.4.4 parse_comment: 2095 integer overflow ✔ (5/5)mutt-1.4.2.li utf8_to_utf7: 199 buffer overflow ✔ (5/5)php-5.2.0 php_char_to_str_ex: 3152 integer overflow ✔ (5/5)pine-4.44 rfc882_cat: 260 buffer overflow ✔ (5/5)squid-2.3 ftpBuildTitleUrl: 1024 buffer overflow ✔ (5/5)Application IMA location Type Detectedvortex SendMsg: 279null-pointerdereference✔ (5/5)Applications with known IMAsSPEC Benchmarks (“IMA free”)All attacks were detected with two taint marks
  118. 118. Future work• Complete implementation that handlesstatic memory• Additional experiments with a wider rangeof IMAs• Further optimization of the hardwareimplementation
  119. 119. Conclusions• Definition of an approach for preventing illegalmemory accesses in deployed software• uses dynamic taint analysis to protect memory• uses probabilistic detection to achieve acceptableoverhead• Empirical evaluation showing that the approach• is effective at detecting IMA in real applications• can be implemented efficiently in hardware

×