Write to Library Page Fault Elimination

6.4 Trap Address Conflict

6.4.3 Write to Library Page Fault Elimination

In the current version of 32-bit Beagle2, writes to locations in the dynamic libraries cause segmentation faults. This is because the libraries are located in the lower part of memory, so no common UAB can be found for the stack and the library section. In Figure 21, analyzed in Section 6.3.1, the ‘other’ part of running the WsMp3d web server is around 36%.

A few of these write operations access the global data located before the heap; most of them write to buffers in the libraries. If the technique mentioned above can be applied in the 64-bit environment, the redundant segmentation faults caused by writes to the library section, which account for most of the overhead, can be eliminated.
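To make the constraint concrete, the following is an added example (not code from the thesis or from Beagle2) that models the search for a common trap bit, assuming UAB means an address bit that is clear throughout a section and whose setting moves every reference of that section into an unmapped trap area. The section layouts are constructed, not measured; the 32-bit one places the libraries just below the stack, as the paragraph describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t lo, hi; } region;  /* [lo, hi) of one mapped section */

static bool overlaps_map(const region *map, int n, uint64_t lo, uint64_t hi) {
    for (int i = 0; i < n; i++)
        if (lo < map[i].hi && map[i].lo < hi) return true;
    return false;
}

/* Assumed model of a usable trap bit: every address of section r has bit b clear
 * (so setting it shifts r by 1<<b), the shifted range stays below the user-space
 * limit, and it lands on no mapped section, so a redirected reference always faults. */
static bool bit_usable_for(const region *map, int n, region r, int b, uint64_t limit) {
    uint64_t mask = (uint64_t)1 << b;
    if ((r.lo >> b) != ((r.hi - 1) >> b) || (r.lo & mask)) return false;
    if (r.hi + mask > limit) return false;
    return !overlaps_map(map, n, r.lo + mask, r.hi + mask);
}

/* Highest usable bit for one section, or -1 if none exists. */
int highest_trap_bit(const region *map, int n, region r, int addr_bits, uint64_t limit) {
    for (int b = addr_bits - 1; b >= 0; b--)
        if (bit_usable_for(map, n, r, b, limit)) return b;
    return -1;
}

/* Highest bit usable for both the stack and the library section, or -1. */
int common_trap_bit(const region *map, int n, region stack, region lib,
                    int addr_bits, uint64_t limit) {
    for (int b = addr_bits - 1; b >= 0; b--)
        if (bit_usable_for(map, n, stack, b, limit) && bit_usable_for(map, n, lib, b, limit))
            return b;
    return -1;
}

/* Constructed layouts (text, heap, library, stack); not measured from Beagle2. */
static const region map32[] = { {0x08048000, 0x08100000}, {0x08100000, 0x08200000},
                                {0xb7e00000, 0xb7f40000}, {0xbffd0000, 0xc0000000} };
static const region map64[] = { {0x400000, 0x500000}, {0x600000, 0x700000},
                                {0x7f1a00000000ULL, 0x7f1a00200000ULL},
                                {0x7ffd00000000ULL, 0x7ffd00100000ULL} };

int main(void) {
    printf("32-bit: library alone %d, common with stack %d\n",
           highest_trap_bit(map32, 4, map32[2], 32, 0xc0000000ULL),
           common_trap_bit(map32, 4, map32[3], map32[2], 32, 0xc0000000ULL));
    printf("64-bit: common with stack %d\n",
           common_trap_bit(map64, 4, map64[3], map64[2], 48, 0x800000000000ULL));
    return 0;
}
```

In the 32-bit layout the library section alone has a usable bit (27), but the stack, whose only clear high bit would land in kernel space, has none, so no common bit exists; the 48-bit layout yields bit 31 for both.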

7 Conclusion

We propose a simple and novel method that redirects non-stack memory references to trap areas in order to achieve asynchronous verification of memory modifications. The overhead of our reference redirection is lower than that of other mechanisms, which must perform a table look-up. The overall performance gain is remarkable when objects in the stack region are accessed more often than those in other areas. To reduce the signal-handling overhead of accesses to non-stack areas, a hybrid solution exists that performs active bounds checking with external library functions and bypasses the redundant segmentation faults. In addition, with asynchronous checking, memory leaks of dynamically allocated chunks do not slow the whole process down. This proves that the control-interception detection tool with our optimization applied is suitable for online detection, fuzz testing, or being configured as a monitor that filters successful penetration exploit data.


A Appendix

A.1 Evaluation 1’s Simplified Code

    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        int heapChunkNum = atoi(argv[1]);      /* number of heap chunks to allocate */
        int heapWrite = atoi(argv[2]);         /* number of writes to a heap chunk */
        int localWrite = 10000000 - heapWrite; /* remaining writes go to a stack variable */
        char *heap = malloc(100);              /* the written chunk; its allocation is omitted in the listing */
        volatile char local;                   /* volatile keeps the loop from being optimised away */
        int i;
        for (i = 0; i < heapChunkNum - 1; i++)
            malloc(100);                       /* additional chunks that are never written */
        for (i = 0; i < heapWrite; i++)
            *heap = 'k';
        for (i = 0; i < localWrite; i++)
            local = 'k';
        return 0;
    }

A.2 Evaluation 4: Matrix Multiplication’s Simplified