
MemPatrol: Reliable Sideline Integrity Monitoring for High-Performance Systems

Conference paper. In: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10327)


Abstract

Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a high-performance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.
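The abstract's design point is that the application's own threads do almost no checking: they only deposit integrity metadata, and a dedicated monitor thread verifies it on a schedule, so the scan interval is the operator's knob between CPU overhead and detection delay. The following C program is an added illustration of that sideline pattern and is not MemPatrol's code or its isolation mechanism; the function names, the trailing heap canary, the toy keyed mixer standing in for a real MAC, and the fixed-size object registry are all assumptions made for the example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not MemPatrol's code: a toy sideline canary patrol. Names,
 * the keyed mixer and the fixed-size registry are assumptions. Application
 * threads only write one canary per allocation; a monitor thread re-checks
 * all canaries every interval_us, so the interval trades CPU for delay. */

#define MAX_OBJECTS 64
#define CANARY_SIZE 8

typedef struct { unsigned char *base; size_t size; } patrol_obj_t;

static patrol_obj_t registry[MAX_OBJECTS];
static size_t registry_len;
static pthread_mutex_t registry_lock = PTHREAD_MUTEX_INITIALIZER;
static uint64_t patrol_key;               /* assumption: unknown to the attacker */
static atomic_int patrol_stop;
static atomic_size_t patrol_detections;   /* corruptions logged by the monitor */

/* Toy keyed mixer standing in for a real MAC: the canary depends on the key
 * and the object address, so a fixed overflow payload cannot reproduce it. */
static uint64_t canary_for(uintptr_t addr) {
    uint64_t x = (uint64_t)addr ^ patrol_key;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    return x ^ (x >> 33);
}

void patrol_init(uint64_t key) {
    patrol_key = key;
    registry_len = 0;
    atomic_store(&patrol_stop, 0);
    atomic_store(&patrol_detections, 0);
}

/* Allocate size bytes plus a trailing canary and register the object. */
void *patrol_alloc(size_t size) {
    unsigned char *p = malloc(size + CANARY_SIZE);
    if (p == NULL) return NULL;
    uint64_t c = canary_for((uintptr_t)p);
    memcpy(p + size, &c, CANARY_SIZE);
    pthread_mutex_lock(&registry_lock);
    if (registry_len < MAX_OBJECTS)
        registry[registry_len++] = (patrol_obj_t){ p, size };
    pthread_mutex_unlock(&registry_lock);
    return p;
}

/* One patrol pass: how many registered objects have a mismatched canary. */
size_t patrol_scan(void) {
    size_t bad = 0;
    pthread_mutex_lock(&registry_lock);
    for (size_t i = 0; i < registry_len; i++) {
        uint64_t expect = canary_for((uintptr_t)registry[i].base), got;
        memcpy(&got, registry[i].base + registry[i].size, CANARY_SIZE);
        if (got != expect) bad++;
    }
    pthread_mutex_unlock(&registry_lock);
    return bad;
}

/* Monitor thread: scan, sleep, repeat until asked to stop. */
static void *patrol_thread(void *arg) {
    unsigned interval_us = *(unsigned *)arg;
    while (!atomic_load(&patrol_stop)) {
        size_t bad = patrol_scan();
        if (bad) atomic_fetch_add(&patrol_detections, bad);
        usleep(interval_us);
    }
    return NULL;
}

/* Stand-alone demo: start the patrol, overflow one object by exactly the
 * canary width, wait a few intervals, and report what the monitor logged. */
size_t patrol_demo(unsigned interval_us) {
    pthread_t tid;
    patrol_init(0x5eed5eed5eed5eedULL);
    unsigned char *victim = patrol_alloc(16);
    pthread_create(&tid, NULL, patrol_thread, &interval_us);
    memset(victim, 'A', 16 + CANARY_SIZE);   /* 8-byte heap overflow */
    usleep(3 * interval_us);                 /* delay is bounded by the interval */
    atomic_store(&patrol_stop, 1);
    pthread_join(tid, NULL);
    free(victim);
    return atomic_load(&patrol_detections);
}

int main(void) {
    size_t seen = patrol_demo(1000);
    printf("monitor logged %zu corruption event(s)\n", seen);
    return seen ? 0 : 1;
}
```

Two caveats make the abstract's point concrete. First, the overhead on the application thread is one hash and one 8-byte store per allocation; everything else runs on the monitor's core, and raising interval_us lowers that core's load at the cost of a longer window before a clobbered canary is noticed. Second, this toy has exactly the weakness the abstract describes: patrol_key and the registry sit in ordinary process memory, so code that has already hijacked an application thread can read the key, recompute the canary, and repair it before the next pass, or simply rewrite the registry, and the monitor never fires. Closing that window requires the monitor's secret and bookkeeping to be unreadable and unwritable from the application threads, which is the isolation problem the paper addresses; nothing in this example provides it.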



Acknowledgment

The authors would like to thank our shepherd, Vasileios Kemerlis, and the anonymous reviewers for their valuable feedback.

Correspondence to Myoung Jin Nam.



Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Nam, M.J., Nam, W., Choi, J.Y., Akritidis, P. (2017). MemPatrol: Reliable Sideline Integrity Monitoring for High-Performance Systems. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science, vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_3


  • DOI: https://doi.org/10.1007/978-3-319-60876-1_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60875-4

  • Online ISBN: 978-3-319-60876-1

