Effective memory protection using dynamic tainting

Authors:
James Clause;Ioannis Doudalis;Alessandro Orso;Milos Prvulovic
Affiliations:
Georgia Institute of Technology, Atlanta, GA;Georgia Institute of Technology, Atlanta, GA;Georgia Institute of Technology, Atlanta, GA;Georgia Institute of Technology, Atlanta, GA
Venue:
Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering
Year:
2007

Citing 17
Cited 12

A system and language for building system-specific, static analyses

PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Cyclone: A Safe Dialect of C

ATEC '02 Proceedings of the General Track of the annual conference on USENIX Annual Technical Conference
CSSV: towards a realistic tool for statically detecting all buffer overflows in C

PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
A practical flow-sensitive and context-sensitive C and C++ memory leak detector

PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
ARCHER: using symbolic, path-sensitive analysis to detect memory access errors

Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
An efficient and backwards-compatible transformation to ensure memory safety of C programs

Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering
Minos: Control Data Attack Prevention Orthogonal to Memory Model

Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
RIFLE: An Architectural Framework for User-Centric Information-Flow Security

Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
SafeMem: Exploiting ECC-Memory for Detecting Memory Leaks and Memory Corruption During Production Runs

HPCA '05 Proceedings of the 11th International Symposium on High-Performance Computer Architecture
Pin: building customized program analysis tools with dynamic instrumentation

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
CCured: type-safe retrofitting of legacy software

ACM Transactions on Programming Languages and Systems (TOPLAS)
Backwards-compatible array bounds checking for C with very low overhead

Proceedings of the 28th international conference on Software engineering
Using Valgrind to detect undefined value errors with bit-precision

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Raksha: a flexible information flow architecture for software security

Proceedings of the 34th annual international symposium on Computer architecture
Understanding data lifetime via whole system simulation

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Dytan: a generic dynamic taint analysis framework

Proceedings of the 2007 international symposium on Software testing and analysis
MemTracker: Efficient and Programmable Support for Memory Access Monitoring and Debugging

HPCA '07 Proceedings of the 2007 IEEE 13th International Symposium on High Performance Computer Architecture

Data Protection in Memory Using Byte Reordering

PAISI, PACCF and SOCO '08 Proceedings of the IEEE ISI 2008 PAISI, PACCF, and SOCO international workshops on Intelligence and Security Informatics
Penumbra: automatically identifying failure-relevant inputs using dynamic tainting

Proceedings of the eighteenth international symposium on Software testing and analysis
Orthrus: efficient software integrity protection on multi-cores

Proceedings of the fifteenth edition of ASPLOS on Architectural support for programming languages and operating systems
PAriCheck: an efficient pointer arithmetic checker for C programs

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
SUDS: an infrastructure for creating dynamic software defect detection tools

Automated Software Engineering
Dynamic tainting for deployed Java programs

Proceedings of the ACM international conference companion on Object oriented programming systems languages and applications companion
A profiling method by PCB hooking and its application for memory fault detection in embedded system operational test

Information and Software Technology
Flexible and Efficient Instruction-Grained Run-Time Monitoring Using On-Chip Reconfigurable Fabric

MICRO '43 Proceedings of the 2010 43rd Annual IEEE/ACM International Symposium on Microarchitecture
Worst-case execution time analysis for parallel run-time monitoring

Proceedings of the 49th Annual Design Automation Conference
Uncovering performance problems in Java applications with reference propagation profiling

Proceedings of the 34th International Conference on Software Engineering
Learning fine-grained structured input for memory corruption detection

ISC'12 Proceedings of the 15th international conference on Information Security
MemSafe: ensuring the spatial and temporal memory safety of C at runtime

Software—Practice & Experience

Quantified Score

Hi-index	0.00

Visualization

Abstract

Programs written in languages that provide direct access tomemory through pointers often contain memory-related faults, which may cause non-deterministic failures and even security vulnerabilities. In this paper, we present a new technique based on dynamic tainting for protecting programs from illegal memory accesses. When memory is allocated, at runtime, our technique taints both the memory and the corresponding pointer using the same taint mark. Taint marks are then suitably propagated while the program executes and are checked every time a memory address m is accessed through a pointer p; if the taint marks associated with mand p differ, the execution is stopped and the illegalaccess is reported. To allow for a low-overhead, hardware-assisted implementation of the approach, we make several key technical and engineering decisions in the definition of our technique. In particular, we use a configurable, low number of reusable taint marks instead of a unique mark for each area of memory allocated, which reduces the overhead of the approach without limiting its flexibility and ability to target most memory-related faults and attacks known to date. We also define the technique at the binary level, which lets us handle the (very) common case of applications that use third-party libraries whose source code is unavailable. To investigate the effectiveness and practicality of our approach, we implemented it for heap-allocated memory and performed a preliminary empirical study on a set of programs. Our results show that (1) our technique can identify a large class of memory-related faults, even when using only two unique taint marks, and (2)a hardware-assisted implementation of the technique could achieve overhead in the single digits