DOI: 10.1145/1993498.1993541

Cruiser: concurrent heap buffer overflow monitoring using lock-free data structures

Published: 04 June 2011

Abstract

Security enforcement inlined into user threads often delays the protected programs; inlined resource reclamation may interrupt program execution and defer resource release. We propose software cruising, a novel technique that migrates security enforcement and resource reclamation from user threads to a concurrent monitor thread. The technique leverages the increasingly popular multicore and multiprocessor architectures and uses lock-free data structures to achieve non-blocking and efficient synchronization between the monitor and user threads. As a case study, software cruising is applied to the heap buffer overflow problem. Previous mitigation and detection techniques for this problem suffer from high performance overhead, legacy code compatibility, semantics loyalty, or tedious manual program transformation. We present a concurrent heap buffer overflow detector, Cruiser, in which a concurrent thread is added to the user program to monitor heap integrity, and custom lock-free data structures and algorithms are designed to achieve high efficiency and scalability. The experiments show that our approach is practical: it imposes an average of 5% performance overhead on SPEC CPU2006, and the throughput slowdown on Apache is negligible on average.
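The division of labour the abstract describes can be sketched in C11 as follows. This is an added illustration, not Cruiser's code: the tail canary, the fixed-size append-only table and every name in it are assumptions. User threads publish buffers and flag frees using atomics only, while the monitor's pass performs both the integrity check and the deferred reclamation.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SLOTS 1024                                   /* table capacity (assumed) */
static const uint64_t CANARY = 0x5AFEC0DE5AFEC0DEULL; /* constructed marker value */
typedef struct { size_t size; atomic_int dead; } hdr_t; /* precedes user data */
static _Atomic(hdr_t *) slot[SLOTS];                 /* buffers published to the monitor */
static atomic_size_t used;                           /* next unclaimed slot index */
/* User thread: allocate, append a tail canary, publish without taking a lock. */
void *guarded_malloc(size_t n) {
    size_t i = atomic_fetch_add(&used, 1);           /* claim a slot */
    if (i >= SLOTS) return NULL;                     /* demo table never recycles */
    hdr_t *h = malloc(sizeof *h + n + sizeof CANARY);
    if (!h) return NULL;
    h->size = n;
    atomic_init(&h->dead, 0);
    memcpy((char *)(h + 1) + n, &CANARY, sizeof CANARY);
    atomic_store_explicit(&slot[i], h, memory_order_release);
    return h + 1;
}

/* User thread: only flag the buffer; reclamation is deferred to the monitor. */
void guarded_free(void *p) {
    if (p) atomic_store_explicit(&((hdr_t *)p - 1)->dead, 1, memory_order_release);
}

/* Monitor: one pass over the table; returns how many canaries were overwritten. */
size_t cruise_once(void) {
    size_t bad = 0, n = atomic_load(&used);
    for (size_t i = 0; i < n && i < SLOTS; i++) {
        hdr_t *h = atomic_load_explicit(&slot[i], memory_order_acquire);
        if (!h) continue;                            /* unpublished or reclaimed */
        int dead = atomic_load_explicit(&h->dead, memory_order_acquire);
        if (memcmp((char *)(h + 1) + h->size, &CANARY, sizeof CANARY)) bad++;
        if (dead) {                                  /* final check done: reclaim */
            atomic_store_explicit(&slot[i], NULL, memory_order_relaxed);
            free(h);
        }
    }
    return bad;
}

int main(void) {                  /* a real monitor calls cruise_once() in its own thread */
    char *b = guarded_malloc(16);
    if (!b) return 2;
    memset(b, 'A', 17);           /* constructed 1-byte overflow into the canary */
    return cruise_once() == 1 ? 0 : 1;
}
```

Because the monitor is the only thread that calls `free`, it never races with a user thread releasing a buffer it is inspecting, and a freed buffer still gets one last canary check before its memory is returned.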

Published In

PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2011
668 pages
ISBN: 9781450306638
DOI: 10.1145/1993498
  • General Chair: Mary Hall
  • Program Chair: David Padua

ACM SIGPLAN Notices, Volume 46, Issue 6
PLDI '11
June 2011
652 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/1993316
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. buffer overflow
  2. concurrency
  3. lock-free
  4. multicore
  5. non-blocking algorithms
  6. program monitor
  7. software cruising

Qualifiers

  • Research-article

Conference

PLDI '11
Acceptance Rates

Overall Acceptance Rate 406 of 2,067 submissions, 20%

Article Metrics

  • Downloads (Last 12 months): 18
  • Downloads (Last 6 weeks): 1
Reflects downloads up to 20 Feb 2025

Cited By

  • (2023) A Smart Status Based Monitoring Algorithm for the Dynamic Analysis of Memory Safety. ACM Transactions on Software Engineering and Methodology 33:4 (1-47). DOI: 10.1145/3637227. Online publication date: 11-Dec-2023
  • (2023) A Source-Level Instrumentation Framework for the Dynamic Analysis of Memory Safety. IEEE Transactions on Software Engineering 49:4 (2107-2127). DOI: 10.1109/TSE.2022.3210580. Online publication date: 1-Apr-2023
  • (2022) Semi-Synchronized Non-Blocking Concurrent Kernel Cruising. IEEE Transactions on Cloud Computing 10:2 (1428-1444). DOI: 10.1109/TCC.2020.2970183. Online publication date: 1-Apr-2022
  • (2021) Parallel shadow execution to accelerate the debugging of numerical errors. Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (615-626). DOI: 10.1145/3468264.3468585. Online publication date: 20-Aug-2021
  • (2021) Runtime detection of memory errors with smart status. Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis (296-308). DOI: 10.1145/3460319.3464807. Online publication date: 11-Jul-2021
  • (2021) Efficient Buffer Overflow Detection on GPU. IEEE Transactions on Parallel and Distributed Systems 32:5 (1161-1177). DOI: 10.1109/TPDS.2020.3042965. Online publication date: 1-May-2021
  • (2020) Prober. Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering (1116-1128). DOI: 10.1145/3324884.3416533. Online publication date: 21-Dec-2020
  • (2020) BoundWarden: Thread-enforced spatial memory safety through compile-time transformations. Science of Computer Programming (102519). DOI: 10.1016/j.scico.2020.102519. Online publication date: Jul-2020
  • (2019) CSOD: context-sensitive overflow detection. Proceedings of the 2019 IEEE/ACM International Symposium on Code Generation and Optimization (50-60). DOI: 10.5555/3314872.3314881. Online publication date: 16-Feb-2019
  • (2019) Detecting memory errors at runtime with source-level instrumentation. Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis (341-351). DOI: 10.1145/3293882.3330581. Online publication date: 10-Jul-2019
