
Author: Sheu, Yu-Chien (許友謙)
Thesis title: Reducing Bound Checking in AddressSanitizer with Value Range Propagation (透過值域傳遞減少 AddressSanitizer 之邊界檢查)
Advisor: Lee, Jenq-Kuen (李政崑)
Committee members: 黃元欣, 陸思萱, 陳崇凱
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science
Year of publication: 2019
Academic year of graduation: 107 (ROC calendar)
Language: English
Pages: 41
Chinese keywords (translated): buffer overflow, information security, embedded system, AddressSanitizer
Keywords: Buffer Overflow, Security, Embedded System, AddressSanitizer
Abstract (Chinese, translated):

As the number of network-connected devices keeps growing, device security receives more and more attention. According to statistics from the U.S. National Institute of Standards and Technology, buffer overflows account for about one tenth of known vulnerabilities, so buffer overflow is clearly an important problem. A buffer overflow can cause segmentation faults and denial-of-service attacks and, worse, control-flow hijacking that lets an attacker use the computer at will. Over the past decades, much research has gone into protections against buffer overflows. These protections have evolved from early, simple ideas such as embedding the bounds in the pointer itself to hash tables and even shadow memory, yet their performance overhead and memory usage remain high.

The goal of this thesis is to lower the runtime cost of bound-checking protection by reducing the number of bound checks. With the value range propagation system we implemented, memory accesses can be analyzed for legality at compile time, and the checks on accesses already known to be legal are removed, reducing the number of bound checks. In this thesis we describe value range propagation in detail, implement a value range propagation system, and integrate it with AddressSanitizer, the buffer overflow detection tool developed by Google, to eliminate unnecessary bound checks. Experiments show that our value range propagation detects changes to the variables referenced by pointers and beats LLVM's Scalar Evolution analysis pass. AddressSanitizer integrated with value range propagation reduces execution time by 55.7% compared with the original version, and adds only 1.63% execution time compared with the unprotected program.


Abstract (English):

Buffer overflow is a major problem that has plagued people for decades, and even now there is no perfect solution. A buffer overflow can cause a segmentation fault, a denial-of-service attack or, even worse, control-flow hijacking. Buffer errors almost always account for over 10% of the vulnerabilities found. Solutions to buffer overflow have moved from the initial idea of changing the representation of a pointer to using a hash table or even shadow memory, but the overhead is still very high in both execution time and memory space.

This thesis aims to reduce the bound checks for which we already know, through value range propagation, that no buffer overflow can happen. We implement value range propagation, use it to learn the value ranges of variables, and give a detailed description of our implementation. We integrate value range propagation with AddressSanitizer to eliminate the unnecessary bound checks. Our experiments show that our value range propagation implementation beats the Scalar Evolution pass, and that by integrating value range propagation with AddressSanitizer we reduce execution time by 55.7% compared with the original AddressSanitizer, while incurring only 1.63% overhead compared with the unprotected program.

Table of contents:

1 Introduction
2 Background
2.1 Bound Checking Techniques
2.2 LLVM
2.2.1 Static Single Assignment
2.2.2 Memory Static Single Assignment
3 Design and Implementation
3.1 Value Range Propagation
3.1.1 Algorithm
3.1.2 Implementation
3.2 AddressSanitizer
3.2.1 Algorithm
3.2.2 Instrumentation
3.2.3 Summary
3.3 Integrating AddressSanitizer with VRP
4 Experiment Results
4.1 VRP Results
4.2 AddressSanitizer with VRP
5 Conclusion
Bibliography

