Vulnerability-Specific Execution Filtering with Log-Based Architecture Lifeguards

15-740 Computer Architecture

updates
October 25th

We have released the project proposal.

November 20th

We have released the milestone report.

December 4th

We have released the final report.

documents
Project Proposal

We plan to apply Vulnerability-Specific Execution Filtering (VSEF) to Log-Based Architecture (LBA) lifeguards. The principal idea behind VSEF is to focus computer security defenses on specific, known exploits in order to reduce overhead. Prior work demonstrated that, by restricting analysis to only the relevant instructions and data structures, the incurred overhead can be as small as 3%. However, the initial implementation leveraged binary instrumentation systems that slowed down execution by a factor of two or more. We hope to apply the general technique of VSEF to LBA, where instrumentation is hardware accelerated, in order to bring the execution overhead to a negligible level. Our primary goal (75%) is to construct an LBA lifeguard that can leverage a VSEF-generated filter to stop known attacks.

Milestone Report

In line with our originally stated goals, we are on our way to modifying LBA to handle execution filters. The difficulty in setting up the system has pushed us behind schedule in preparing the evaluation and benchmarking. Finally, we are a bit behind on preparing the literature review.

Milestone Report

Instruction-grain dynamic monitoring tools can detect bugs and prevent security violations in executing programs. Traditionally, instructions from the monitoring tool are inserted into the currently executing program using well-established techniques such as binary rewriting, software-based emulation, or binary instrumentation in order to provide timely detection and possibly mitigation. Those techniques not only interrupt and temporarily halt the program execution, but also disrupt the resource allocation of the application (e.g. evicting register values to hold monitoring information). The Log-Based Architecture (LBA) has been proposed as a method to utilize extra hardware resources (i.e. extra processing cores) in order to provide the expensive quality assurance properties of dynamic monitoring tools with only minimal slowdown.

The support and optimizations of LBA can reduce typical monitoring overhead by an order of magnitude or greater. However, the monitoring of non-trivial properties on LBA can still slow application execution by 2-3x. In this work, we apply vulnerability-specific execution filtering to instrument only instructions critical to specific application vulnerabilities and reduce the overall slowdown to less than 25% for typical executions. Additionally, we perform a brief comparison of LBA to the state-of-the-art software-based taint tracking tool, Minemu. Lastly, we discuss the possibilities presented in future work by the minimal overheads imposed by this configuration.
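A toy model of the filtering idea described above, added here as an illustration and not taken from the project's code: a taint-tracking lifeguard consumes a log of instruction records, first unfiltered and then restricted to the program counters that feed a known vulnerable jump. The record layout, operation names, register names, addresses and the backward-slice filter derivation are all constructed assumptions; the handler counts stand in for monitoring work and are not measured overheads.

```python
# Added illustration (constructed toy model, not the project's code).
from typing import NamedTuple

class Rec(NamedTuple):
    pc: int
    op: str   # "input" (taint source), "const", "mov", "jmp" (sink check)
    dst: str
    src: str

# Constructed exploit trace: untrusted input reaches the jump target at pc 0x40.
EXPLOIT_LOG = [
    Rec(0x10, "input", "buf", ""),
    Rec(0x14, "const", "r1", ""),
    Rec(0x18, "mov", "r2", "r1"),
    Rec(0x1C, "mov", "r3", "buf"),
    Rec(0x20, "mov", "r4", "r2"),
    Rec(0x24, "mov", "fp", "r3"),
    Rec(0x28, "const", "r5", ""),
    Rec(0x40, "jmp", "", "fp"),
]
# Constructed benign trace: a different path loads r3 from a constant at pc 0x1A.
BENIGN_LOG = [r if r.pc != 0x1C else Rec(0x1A, "const", "r3", "") for r in EXPLOIT_LOG]

def lifeguard(log, pc_filter=None):
    """Consume the log; return (pc of tainted jump or None, handlers executed)."""
    tainted, handled = set(), 0
    for r in log:
        if pc_filter is not None and r.pc not in pc_filter:
            continue                      # record filtered out: no handler runs
        handled += 1
        if r.op == "input":
            tainted.add(r.dst)
        elif r.op == "const":
            tainted.discard(r.dst)
        elif r.op == "mov":
            (tainted.add if r.src in tainted else tainted.discard)(r.dst)
        elif r.op == "jmp" and r.src in tainted:
            return r.pc, handled          # violation: jump target is tainted
    return None, handled

def derive_filter(log, sink_pc):
    """Backward slice over a known exploit trace: PCs that feed the sink operand."""
    idx = next(i for i, r in enumerate(log) if r.pc == sink_pc)
    wanted, pcs = {log[idx].src}, {sink_pc}
    for r in reversed(log[:idx]):
        if r.dst in wanted:
            pcs.add(r.pc)
            wanted.discard(r.dst)
            if r.op == "mov":
                wanted.add(r.src)
    return pcs
```

On the constructed exploit trace both configurations flag the jump at 0x40, but the filtered lifeguard runs half as many handlers; on the benign trace neither raises a violation.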

downloads
Preliminary Results

At this time we would like to share some preliminary results that show that running LBA with our filter can reduce overhead compared to running LBA without the filter.