PtrSplit: Supporting General Pointers in Automatic Program Partitioning

Partitioning a security-sensitive application into least-privileged components and putting each into a separate protection domain have long been a goal of security practitioners and researchers. However, a stumbling block to automatically partitioning C/C++ applications is the presence of pointers in these applications. Pointers make calculating data dependence, a key step in program partitioning, difficult and hard to scale; furthermore, C/C++ pointers do not carry bounds information, making it impossible to automatically marshall and unmarshall pointer data when they are sent across the boundary of partitions. In this paper, we propose a set of techniques for supporting general pointers in automatic program partitioning. Our system, called PtrSplit, constructs a Program Dependence Graph (PDG) for tracking data and control dependencies in the input program and employs a parameter-tree approach for representing data of pointer types; this approach is modular and avoids global pointer analysis. Furthermore, it performs selective pointer bounds tracking to enable automatic marshalling/unmarshalling of pointer data, even when there is circularity and arbitrary aliasing. As a result, PtrSplit can automatically generate executable partitions for C applications that contain arbitrary pointers.

[1]  Adam Barth,et al.  The Security Architecture of the Chromium Browser , 2009 .

[2]  Vikram S. Adve,et al.  Making context-sensitive points-to analysis with heap cloning practical for the real world , 2007, PLDI '07.

[3]  William K. Robertson,et al.  Trellis: Privilege Separation for Multi-user Applications Made Easy , 2016, RAID.

[4]  Robert N. M. Watson,et al.  Capsicum: Practical Capabilities for UNIX , 2010, USENIX Security Symposium.

[5]  Andrew C. Myers,et al.  Secure program partitioning , 2002, TOCS.

[6]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[7]  Mathias Payer,et al.  CUP: Comprehensive User-Space Protection for C/C++ , 2017, AsiaCCS.

[8]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[9]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[10]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[11]  Tulika Mitra,et al.  Automated Partitioning of Android Applications for Trusted Execution Environments , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[12]  Joe D. Warren,et al.  The program dependence graph and its use in optimization , 1987, TOPL.

[13]  Roland H. C. Yap,et al.  Stack Bounds Protection with Low Fat Pointers , 2017, NDSS.

[14]  Yutao Liu,et al.  Thwarting Memory Disclosure with Efficient Hypervisor-enforced Intra-domain Isolation , 2015, CCS.

[15]  Donglin Liang,et al.  Slicing objects using system dependence graphs , 1998, Proceedings. International Conference on Software Maintenance (Cat. No. 98CB36272).

[16]  Jun Sun,et al.  Automatically partition software into least privilege components using dynamic data dependency analysis , 2013, 2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[17]  Xin Zheng,et al.  Secure web applications via automatic partitioning , 2007, SOSP.

[18]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[19]  David Brumley,et al.  Privtrans: Automatically Partitioning Programs for Privilege Separation , 2004, USENIX Security Symposium.

[20]  Steve Vandebogart,et al.  Labels and event processes in the Asbestos operating system , 2005, TOCS.

[21]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[22]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[23]  Dinakar Dhurjati,et al.  Secure virtual architecture: a safe execution environment for commodity operating systems , 2007, SOSP.

[24]  Ben Niu,et al.  Modular control-flow integrity , 2014, PLDI.

[25]  Charles Reis,et al.  Isolating web programs in modern browser architectures , 2009, EuroSys '09.

[26]  Anton Burtsev,et al.  Lightweight capability domains: towards decomposing the Linux kernel , 2015, OPSR.

[27]  Roland H. C. Yap,et al.  Heap bounds protection with low fat pointers , 2016, CC.

[28]  Grady Booch,et al.  Essential COM , 1998 .

[29]  Andrew C. Myers,et al.  Using replication and partitioning to build secure distributed systems , 2003, 2003 Symposium on Security and Privacy, 2003..

[30]  Dinakar Dhurjati,et al.  Backwards-compatible array bounds checking for C with very low overhead , 2006, ICSE.

[31]  David M. Eyers,et al.  Glamdring: Automatic Application Partitioning for Intel SGX , 2017, USENIX Annual Technical Conference.

[32]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.