Effective and Efficient memory Protection Using Dynamic Tainting

    16 Votes

Illegal memory access(IMA) ia an important class of memory related faults. Currently free area "m", of required size is allocated. Starting address of m can be assigned to a pointer "p". Access to m is legal only if it is referenced by p or a pointer derived from p and access occur during the interval when p is valid. All other accesses are "Illegal Memory Accesses" or IMAs.

Dynamic tainting is a technigue for marking and tracking certain data at run time. They mark two kinds of data, memory in data space and pointers. When m is allocated, it is tainted with t. When p is created with m as referent, p is also tainted with t. When memory is accessed, taint marks is checked. Tainting is done in 3 parts

Tainting - It is used to initialize taint marks

Static Memory Allocation - Upon program entry/ function entry, memory for each variable is identified and each is tainted with a fresh taint mark. Memory area for a variable is identified using starting address and size needed to store the variable

Pointers to Statically Allocated Memory - For scalar Variable "Address – of" or "&" returns starting memory address. When "&" operator is used on a variable, pointer is tainted with same taint mark as that of the memory location. For Statically allocated arrays – Name of the array is pointer to first location, which get tainted

Dynamically Allocated Memory - Occurs as a result of a call to a memory-allocation function. E.g. malloc. To taint, when the function is about to return, the memory allocated is identified as [r,r+size) and taints the region with a fresh taint mark. R-value returned by m/y allocation function. 

Pointers to Dynamically Allocated Memory - Created either directly (as return value of allocation function) or indirectly (from another pointer). When a memory area is tainted as a result of call to a memory allocation function, the return value, i.e the corresponding pointer is also tainted with the same mark. When other pointers are derived from that pointer, the taint mark is propagated to them.

Taint Propagation - Detects how taint marks flow along data as program executes

Propagation of Memory taints - It is not actually propagated. Taint marks are associated with a memory area when it is allocated and removed when deallocated.Pointers remain tainted. If such a pointer is used to access memory, an IMA still detected. Dynamically allocated memory – deallocated and taint mark will be removed by calling a memory deallocation function, e.g.: free. Statically allocated memory- deallocated and taint mark is removed when the function returns (local variable) or when program exits (global variables).

Propagation of Pointer taints - Taint marks associated with pointers propagated to derived pointers. The rules models all possible operations on pointers and associate,for each operation an action that assigns to the result of the operation the correct pointer taint mark.

Checking

For each memory access, taint mark of the pointer and memory is checked. If they are not the same, an IMA is detected 

Attachments:
Download this file (Effective and Efficient memory Protection Using Dynamic Tainting.ppt)Effective and Efficient memory Protection Using Dynamic Tainting.ppt[PPT Presentation]268 Kb