[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
10.5555/1251254.1251275guideproceedingsArticle/Chapter ViewAbstractPublication PagesConference Proceedingsacm-pubtype
Article

Enhancing server availability and security through failure-oblivious computing

Published: 06 December 2004 Publication History

Abstract

We present a new technique, failure-oblivious computing, that enables servers to execute through memory errors without memory corruption. Our safe compiler for C inserts checks that dynamically detect invalid memory accesses. Instead of terminating or throwing an exception, the generated code simply discards invalid writes and manufactures values to return for invalid reads, enabling the server to continue its normal execution path.
We have applied failure-oblivious computing to a set of widely-used servers from the Linux-based open-source computing environment. Our results show that our techniques 1) make these servers invulnerable to known security attacks that exploit memory errors, and 2) enable the servers to continue to operate successfully to service legitimate requests and satisfy the needs of their users even after attacks trigger their memory errors.
We observed several reasons for this successful continued execution. When the memory errors occur in irrelevant computations, failure-oblivious computing enables the server to execute through the memory errors to continue on to execute the relevant computation. Even when the memory errors occur in relevant computations, failure-oblivious computing converts requests that trigger unanticipated and dangerous execution paths into anticipated invalid inputs, which the error-handling logic in the server rejects. Because servers tend to have small error propagation distances (localized errors in the computation for one request tend to have little or no effect on the computations for subsequent requests), redirecting reads that would otherwise cause addressing errors and discarding writes that would otherwise corrupt critical data structures (such as the call stack) localizes the effect of the memory errors, prevents addressing exceptions from terminating the computation, and enables the server to continue on to successfully process subsequent requests. The overall result is a substantial extension of the range of requests that the server can successfully process.

References

[1]
{1} Apache HTTP Server exploit. www.securityfocus.com/bid/8911/discussion/.]]
[2]
{2} CERT/CC. Advisories 2002. www.cert.org/advisories.]]
[3]
{3} CNN Report on Code Red. www.cnn.com/2001/TECH/internet/08/08/code.red.II/.]]
[4]
{4} ELM. www.instinct.org/elm/.]]
[5]
{5} Midnight Commander exploit. www.securityfocus.com/bid/8658/discussion/.]]
[6]
{6} Midnight Commander website. www.ibiblio.org/mc/.]]
[7]
{7} Mutt exploit. www.securiteam.com/unixfocus/5FP0T0U9FU.html.]]
[8]
{8} Mutt website. www.mutt.org.]]
[9]
{9} Netcraft website. http://news.netcraft.com/archives/web server survey.html.]]
[10]
{10} Pine exploit. www.securityfocus.com/bid/6120/discussion.]]
[11]
{11} Pine website. www.washington.edu/pine/.]]
[12]
{12} SecuriTeam website. www.securiteam.com.]]
[13]
{13} Security Focus website. www.securityfocus.com.]]
[14]
{14} Sendmail exploit. www.securityfocus.com/bid/7230/discussion/.]]
[15]
{15} Sendmail website. www.sendmail.org.]]
[16]
{16} Stackshield. www.angelfire.com/sk/stackshield.]]
[17]
{17} T. Austin, S. Breach, and G. Sohi. Efficient detection of all pointer and array access errors. In Proceedings of the ACM SIGPLAN '94 Conference on Programming Language Design and Implementation, June 2004.]]
[18]
{18} R. Bodik, R. Gupta, and V. Sarkar. Eliminating array bounds checks on demand. In ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2002.]]
[19]
{19} W. Bush, J. Pincus, and D. Sielaff. A static analyzer for finding dynamic, programming errors. Software - Practice and Experience, 2000.]]
[20]
{20} G. Candea and A. Fox. Recursive restartability: Turning the reboot sledgehammer into a scalpel. In Proceedings of the 8th Workshop on Hot Topics in Operating Systems (HotOS-VIII), pages 110-115, Schloss Elmau, Germany, May 2001.]]
[21]
{21} S. Card, T. Moran, and A. Newell. The Psychology of Human-Computer Interaction. Lawrence Erlbaum Associates, 1983.]]
[22]
{22} J. Condit, M. Harren, S. McPeak, G. C. Necula, and W. Weimer. CCured in the real world. In Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation, June 2003.]]
[23]
{23} C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proceedings of the 7th USENIX Security Conference, January 1998.]]
[24]
{24} J. Darley and B. Latane. Bystander intervention in emergencies: Diffusion of responsibility. Journal of Personality and Social Psychology, pages 377-383, Aug. 1968.]]
[25]
{25} W. E. Deming. Out of the Crisis. MIT Press, 2000.]]
[26]
{26} B. Demsky and M. Rinard. Automatic Detection and Repair of Errors in Data Structures. In Proceedings of the 18th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, October 2003.]]
[27]
{27} D. Dhurjati, S. Kowshik, V. Adve, and C. Lattner. Memory safety without runtime checks or garbage collection. In Proceedings of the 2003 Workshop on Languages, Compilers, and Tools for Embedded Systems (LCTES'03), June 2003.]]
[28]
{28} N. Dor, M. Rodeh, and M. Sagiv. CSSV: Towards a realistic tool for statically detecting all buffer overflows in C. In Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation, 2003.]]
[29]
{29} D. Engler, M. F. Kaashoek, and J. James O'Toole. Exokernel: An Operating System Architecture for Application-Level Resource Management. In Proceedings of the Fifteenth ACM Symposium on Operating System Principles, Dec. 1995.]]
[30]
{30} J. Gray and A. Reuter. Transaction Processing: Concepts and Techniques. Morgan Kaufmann, 1993.]]
[31]
{31} N. Gupta, L. Jagadeesan, E. Koutsofios, and D. Weiss. Auditdraw: Generating audits the FAST way. In Proceedings of the 3rd IEEE International Symposium on Requirements Engineering, 1997.]]
[32]
{32} R. Gupta. Optimizing array bounds checks using flow analysis. In ACM Letters on Programming Languages and Systems, 2(1-4):135-150, March 1993.]]
[33]
{33} G. Hamilton and P. Kougiouris. The Spring Nucleus: A Microkernel for Objects. In Proceedings of the 1993 Summer Usenix Conference, June 1993.]]
[34]
{34} R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter USENIX Conference, 1992.]]
[35]
{35} G. Haugk, F. Lax, R. Royer, and J. Williams. The 5ESS(TM) switching system: Maintenance capabilities. AT&T Technical Journal, 64(6 part 2):1385-1416, July-August 1985.]]
[36]
{36} T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In USENIX Annual Technical Conference, June 2002.]]
[37]
{37} R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Proceedings of Third International Workshop On Automatic Debugging, May 1997.]]
[38]
{38} S. C. Kendall. Bcc: run-time checking for C programs. In USENIX Summer Conference Proceedings, 1983.]]
[39]
{39} V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure Execution Via Program Shepherding. In Proceedings of 11th USENIX Security Symposium, August 2002.]]
[40]
{40} B. Latane and J. Darley. Group inhibition of bystander intervention in emergencies. Journal of Personality and Social Psychology, pages 215-221, Oct. 1968.]]
[41]
{41} M. Litzkow, M. Livny, and M. Mutka. Condor - A Hunter of Idle Workstations. In Proceedings of the 8th International Conference of Distributed Computing Systems, 1988.]]
[42]
{42} M. Litzkow and M. Solomon. The Evolution of Condor Checkpointing.]]
[43]
{43} M. R. Lyu. Software Fault Tolerance. John Wiley & Sons, 1995.]]
[44]
{44} S. Mourad and D. Andrews. On the reliability of the IBM MVS/XA operating system. IEEE Transactions on Software Engineering, September 1987.]]
[45]
{45} G. C. Necula, S. McPeak, and W. Weimer. CCured: type-safe retrofitting of legacy code. In Symposium on Principles of Programming Languages, 2002.]]
[46]
{46} R. Rashid, D. Julin, D. Orr, R. Sanzi, R. Baron, A. Forin, D. Golub, and M. Jones. Mach: A New Kernel Foundation For UNIX Development. In Proceedings of the 1986 Summer USENIX Conference, July 1986.]]
[47]
{47} M. Rinard. Acceptability-oriented computing. In 2003 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications Companion (OOPSLA '03 Companion) Onwards! Session, Oct. 2003.]]
[48]
{48} M. Rinard, C. Cadar, D. Roy, D. Dumitran, and T. Leu. A dynamic technique for eliminating buffer overflow vulnerabilities (and other memory errors). In Proceedings of the 20th Annual Computer Security Applications Conference, Dec. 2004.]]
[49]
{49} R. Rugina and M. Rinard. Symbolic bounds analysis of pointers, array indices, and accessed memory regions. In Proceedings of the ACM SIGPLAN '00 Conference on Programming Language Design and Implementation, June 2000.]]
[50]
{50} O. Ruwase and M. S. Lam. A Practical Dynamic Buffer Overflow Detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium, February 2004.]]
[51]
{51} M. I. Seltzer and C. Small. Self-monitoring and self-adapting operating systems. In Proceedings of the Sixth workshop on Hot Topics in Operating Systems, 1997.]]
[52]
{52} S. Sidiroglou, G. Giovanidis, and A. Keromytis. Using execution transactions to recover from buffer overflow attacks. Technical Report CUCS-031-04, Columbia University Computer Science Department, September 2004.]]
[53]
{53} M. Swift, B. Bershad, and H. Levy. Improving the reliability of commodity operating systems. In Proceedings of the Nineteenth ACM Symposium on Operating System Principles, Dec. 2003.]]
[54]
{54} D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A First Step towards Automated Detection of Buffer Overrun Vulnerabilities. In Proceedings of the Year 2000 Network and Distributed System Security Symposium, 2000.]]
[55]
{55} R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In Proceedings of the Fourteenth ACM Symposium on Operating System Principles, Dec. 1994.]]
[56]
{56} E. Witchel, J. Cates, and K. Asanovic. Mondriaan memory protection. In Proceedings of the 10th International Conference on Architectural Support for Programming Languages and Operating Systems, Oct. 2002.]]
[57]
{57} H. Xi and F. Pfenning. Eliminating Array Bound Checking Through Dependent Types. In Proceedings of ACM SIGPLAN Conference on Programming Language Design and Implementation, June 1998.]]
[58]
{58} S. H. Yong and S. Horwitz. Protecting C Programs from Attacks via Invalid Pointer Dereferences. In Proceedings of the 9th European software engineering conference held jointly with 10th ACM SIGSOFT international symposium on Foundations of software engineering, 2003.]]
[59]
{59} Y. Zhang, J. Yang, and R. Gupta. Frequent value locality and value-centric data cache design. In Proceedings of the Ninth International Conference on Architectural Support for Programming Languages and Operating Systems, Nov. 2000.]]

Cited By

View all
  • (2024)Loupe: Driving the Development of OS Compatibility LayersProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 110.1145/3617232.3624861(249-267)Online publication date: 27-Apr-2024
  • (2021)Cores that don't countProceedings of the Workshop on Hot Topics in Operating Systems10.1145/3458336.3465297(9-16)Online publication date: 1-Jun-2021
  • (2020)Tailoring programs for static analysis via program transformationProceedings of the ACM/IEEE 42nd International Conference on Software Engineering10.1145/3377811.3380343(824-834)Online publication date: 27-Jun-2020
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Guide Proceedings
OSDI'04: Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation - Volume 6
December 2004
403 pages

Sponsors

  • USENIX Assoc: USENIX Assoc

Publisher

USENIX Association

United States

Publication History

Published: 06 December 2004

Qualifiers

  • Article

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)0
  • Downloads (Last 6 weeks)0
Reflects downloads up to 11 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2024)Loupe: Driving the Development of OS Compatibility LayersProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 110.1145/3617232.3624861(249-267)Online publication date: 27-Apr-2024
  • (2021)Cores that don't countProceedings of the Workshop on Hot Topics in Operating Systems10.1145/3458336.3465297(9-16)Online publication date: 1-Jun-2021
  • (2020)Tailoring programs for static analysis via program transformationProceedings of the ACM/IEEE 42nd International Conference on Software Engineering10.1145/3377811.3380343(824-834)Online publication date: 27-Jun-2020
  • (2019)HOPEProceedings of the 48th International Conference on Parallel Processing10.1145/3337821.3337899(1-11)Online publication date: 5-Aug-2019
  • (2019)Ignis: scaling distribution-oblivious systems with light-touch distributionProceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation10.1145/3314221.3314586(1010-1026)Online publication date: 8-Jun-2019
  • (2018)MaelstromProceedings of the 13th USENIX conference on Operating Systems Design and Implementation10.5555/3291168.3291196(373-389)Online publication date: 8-Oct-2018
  • (2018)Semantic crash bucketingProceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering10.1145/3238147.3238200(612-622)Online publication date: 3-Sep-2018
  • (2018)HYDRAProceedings of the 13th International Conference on Availability, Reliability and Security10.1145/3230833.3230861(1-10)Online publication date: 27-Aug-2018
  • (2018)Sandboxed execution of C and other unsafe languages on the Java virtual machineCompanion Proceedings of the 2nd International Conference on the Art, Science, and Engineering of Programming10.1145/3191697.3213795(227-229)Online publication date: 9-Apr-2018
  • (2018)Automatic Software RepairACM Computing Surveys10.1145/310590651:1(1-24)Online publication date: 23-Jan-2018
  • Show More Cited By

View Options

View options

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media