PartiSan: Fast and Flexible Sanitization via Run-time Partitioning

Code sanitizers are used to automatically detect security vulnerabilities in C/C ++ code that elude static analysis. This requires that the code paths containing the vulnerability are actually executed with sanitization enabled. Under current practice, sanitization is routinely applied when developers perform continuous integration testing and fuzzing of pre-release software. However, sanitization is not commonly enabled in alpha, beta, and final releases of software, with one of the main obstacles being the added run-time overhead. We present PartiSan, a framework that uses run-time partitioning to bring additional flexibility to the use of sanitizers and to speed up sanitizer execution. Our core idea is to probabilistically partition the overall execution time into sanitized slices that incur a run-time overhead, and unsanitized slices running at near-native speed. Uniquely, we never remove sanitizer checks completely, which leaves adversaries with an unpredictable attack surface and increases coverage. Sanitization is traditionally an all or nothing proposition, which makes sanitizers hard to distribute to a heterogeneous crowd of beta-testers whose hardware ranges from low-end to high-end. PartiSan can automatically adjust the amount of sanitization to fit within a performance budget, or turn off sanitization altogether if a host lacks sufficient resources. The flexibility resulting from run-time partitioning means that we can alternate between different types of sanitizers dynamically; today, developers have to pick a single type of sanitizer ahead of time. In other words, PartiSan broadens the applicability of sanitizers in general and increases coverage in existing scenarios.

[1]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[2]  Wenke Lee,et al.  Bunshin: Compositing Security Mechanisms through Diversification , 2017, USENIX Annual Technical Conference.

[3]  Wenke Lee,et al.  Type Casting Verification: Stopping an Emerging Attack Vector , 2015, USENIX Security Symposium.

[4]  Michael Franz,et al.  Venerable Variadic Vulnerabilities Vanquished , 2017, USENIX Security Symposium.

[5]  Per Larsen,et al.  Thwarting Cache Side-Channel Attacks Through Dynamic Software Diversity , 2015, NDSS.

[6]  Wouter Joosen,et al.  PAriCheck: an efficient pointer arithmetic checker for C programs , 2010, ASIACCS '10.

[7]  Niranjan Hasabnis,et al.  Light-weight bounds checking , 2012, CGO '12.

[8]  Konstantin Serebryany,et al.  ThreadSanitizer: data race detection in practice , 2009, WBIA '09.

[9]  Mathias Payer,et al.  HexType: Efficient Detection of Type Confusion Errors for C++ , 2017, CCS.

[10]  Ahmad-Reza Sadeghi,et al.  Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming , 2015, NDSS.

[11]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[12]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[13]  S. Tucker Taft,et al.  Information technology — Programming Languages — Ada , 2001 .

[14]  Erik van der Kouwe,et al.  TypeSan: Practical Type Confusion Detection , 2016, CCS.

[15]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[16]  Per Larsen,et al.  SoK: Sanitizing for Security , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[17]  Miguel Castro,et al.  Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors , 2009, USENIX Security Symposium.

[18]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[19]  Anil Kurmus,et al.  A Tale of Two Kernels: Towards Ending Kernel Hardening Wars with Split Kernel , 2014, CCS.

[20]  Ben Niu,et al.  Per-Input Control-Flow Integrity , 2015, CCS.

[21]  George Candea,et al.  High System-Code Security with Low Overhead , 2015, 2015 IEEE Symposium on Security and Privacy.

[22]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[23]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[24]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[25]  Chung-Kil Hur,et al.  Taming undefined behavior in LLVM , 2017, PLDI.

[26]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[27]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[28]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[29]  Roland H. C. Yap,et al.  Heap bounds protection with low fat pointers , 2016, CC.

[30]  Konstantin Serebryany,et al.  MemorySanitizer: Fast detector of uninitialized memory use in C++ , 2015, 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).