Nikolai Joukov
Gopalan Sivathanu
Erez Zadok
ABSTRACT
Improper access of data buffers is one of the most common errors in programs written in assembler, C, C++, and several other languages. Existing programs and OSs frequently access the data beyond the allocated buffers or access buffers that were already freed. Such programs and OSs may run for years before their problems can be detected because improper memory accesses frequently result in a silent data corruption. Not surprisingly, most computer worms exploit buffer overflow errors to gain complete control over computer systems. Only after recent worm epidemics, did code developers begin to realize the scale of the problem and the number of potential memory-access violations in existing code.Due to the syntax and flexibility of many programming languages, memory access violation problems cannot be detected at compile time. Tools that verify correctness before every memory access impose unacceptably high overheads. As a result, most of the developed techniques focus on preventing the hijacking of control by hackers and worms due to stack overflows. Consequently, hidden data corruption is given less attention.Memory access violations can be efficiently detected using the hardware support of the paging and virtual memory.Kefence is the general run-time solution we developed that allows to detect and avoid in-kernel overflow, underflow, and stale access problems for internal kernel buffers. Kefence is especially applicable to file system code because file systems operate at a high level of abstraction and require no direct access to the physical memory. At the same time, file systems use a large number of kernel buffers and file system errors are most harmful for users because users' persistent data can be corrupted.
- A. Aranya, C. P. Wright, and E. Zadok. Tracefs: A File System to Trace Them All. In Proceedings of the Third USENIX Conference on File and Storage Technologies (FAST 2004), pages 129--143, San Francisco, CA, March/April 2004. USENIX Association. Google Scholar
Digital Library
- P. J. Braam. The Lustre Storage Architecture. www.lustre.org/documentation.html, October 2002.Google Scholar
- CERT Coordination Center. CERT/CC Overview incident and Vulnerability Trends Technical Report. www.cert.org/present/cert-overview-trends.Google Scholar
- T. Chiueh and F. Hsu. RAD: A Compile-time Solution to Buffer Overflow Attacks. In Proceedings of the 21rst International Conference on Distributed Computing Systems (ICDCS), pages 409--420, Phoenix, AZ, April 2001. Google ScholarDigital Library
- C. Cowan, C. Pu, D. Maier, H. Hintongif, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Qian Zhang. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proceedings of the Seventh USENIX Security Symposium, pages 63--78, San Antonio, TX, January 1998. Google ScholarDigital Library
- Intel. Intel Itanium 2 Processor Reference Manual For Software Development and Optimization. Intel Corporation, 2004.Google Scholar
- J. Katcher. PostMark: A New Filesystem Benchmark. Technical Report TR3022, Network Appliance, 1997. www.netapp.com/tech_library/3022.html.Google Scholar
- BSD Library Functions Manual. libgmalloc(3).Google Scholar
- V. Markstein, J. Cocke, and P. Markstein. Optimization of Range Checking. In Proceedings of the 17th Symposium on Compiler Construction (SIGPLAN'82), pages 114--119, June 1982. Google ScholarDigital Library
- B. Milekic. memguard(9).Google Scholar
- A. Morton. Re: {patch, 2.5} _ _vmalloc allocates spurious page?, October 2002. www.uwsg.iu.edu/hypermail/linux/kernel/0210.1/2532.html.Google Scholar
- J. Navarro, S. Iyer, P. Druschel, and A. Cox. Practical, transparent operating system support for superpages. In Proceedings of the Fifth Symposium on Operating System Design and Implementation (OSDI '02), pages 89--104, Boston, MA, December 2002. USENIX Association. Google ScholarDigital Library
- T. Nguyen and F. Irigoin. Efficient and Effective Array Bound Checking. ACM Transactions on Programming Languages and Systems, 27(3):527--570, May 2005. Google ScholarDigital Library
- W. Oney. Programming the Microsoft Windows Driver Model. Microsoft Press, Redmond, WA, second edition, 2003. Google ScholarDigital Library
- J. S. Pendry, N. Williams, and E. Zadok. Am-utils User Manual, 6.1b3 edition, July 2003. www.am-utils.org.Google Scholar
- B. Perens. efence(3), April 1993.Google Scholar
- H. Shacham, M. Page, B. Pfaff, E. Goh, N. Modadugu, and D. Boneh. On the Effectiveness of Address-Space Randomization. In Proceedings of 11th ACM Conference on Computer and Communications Security (CCS), pages 298--307, October 2004. Google ScholarDigital Library
- D. A. Solomon and M. E. Russinovich. Inside Microsoft Windows 2000. Microsoft Press, Redmond, WA, 2000. Google ScholarDigital Library
- M. Szeredi. Filesystem in Userspace. fuse.sourceforge.net, February 2005.Google Scholar
- E. Zadok and I. Bǎdulescu. A stackable file system interface for Linux. In LinuxExpo Conference Proceedings, pages 141--151, Raleigh, NC, May 1999.Google Scholar
- E. Zadok and J. Nieh. FiST: A Language for Stackable File Systems. In Proceedings of the Annual USENIX Technical Conference, pages 55--70, San Diego, CA, June 2000. USENIX Association. Google ScholarDigital Library
Index Terms
- An electric fence for kernel buffers
Recommendations
Exploring security vulnerabilities by exploiting buffer overflow using the MIPS ISA
SIGCSE '03: Proceedings of the 34th SIGCSE technical symposium on Computer science educationBy exploiting a well known security vulnerability in many C library implementations, it is possible for an unprivileged user to gain unrestricted system privileges. With an understanding of how the process execution stack is allocated and managed during ...
Exploring security vulnerabilities by exploiting buffer overflow using the MIPS ISA
By exploiting a well known security vulnerability in many C library implementations, it is possible for an unprivileged user to gain unrestricted system privileges. With an understanding of how the process execution stack is allocated and managed during ...
The Conquest file system: Better performance through a disk/persistent-RAM hybrid design
Modern file systems assume the use of disk, a system-wide performance bottleneck for over a decade. Current disk caching and RAM file systems either impose high overhead to access memory content or fail to provide mechanisms to achieve data persistence ...
Comments