DOI: 10.1145/3133956.3134066 (CCS '17 research article, public access)

PtrSplit: Supporting General Pointers in Automatic Program Partitioning

Published: 30 October 2017

Abstract

    Partitioning a security-sensitive application into least-privileged components and putting each into a separate protection domain has long been a goal of security practitioners and researchers. However, a stumbling block to automatically partitioning C/C++ applications is the presence of pointers in these applications. Pointers make calculating data dependence, a key step in program partitioning, difficult and hard to scale; furthermore, C/C++ pointers do not carry bounds information, making it impossible to automatically marshal and unmarshal pointer data when it is sent across the boundary between partitions. In this paper, we propose a set of techniques for supporting general pointers in automatic program partitioning. Our system, called PtrSplit, constructs a Program Dependence Graph (PDG) for tracking data and control dependencies in the input program and employs a parameter-tree approach for representing data of pointer types; this approach is modular and avoids global pointer analysis. Furthermore, it performs selective pointer bounds tracking to enable automatic marshalling/unmarshalling of pointer data, even in the presence of circularity and arbitrary aliasing. As a result, PtrSplit can automatically generate executable partitions for C applications that contain arbitrary pointers.
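    The two obstacles the abstract names, pointers without bounds and pointer graphs with aliasing or cycles, can be made concrete with a small marshaller. The following is an added illustration written for this page; it is not PtrSplit's code and does not reproduce its parameter trees or its bounds-tracking instrumentation. A side table filled at allocation time stands in for bounds tracking, each `struct node` is serialised once and node pointers travel as stream indices resolved in a second pass, and a pointer with no recorded bounds is refused rather than guessed. The struct layout, the record format and all names (`tracked_malloc`, `bounds_of`, `marshal`, `unmarshal`, the demo functions) are assumptions of the example; the input graph is constructed inline.

```c
/* Added illustration, not PtrSplit's own code: marshalling C pointer data
 * across a partition boundary. Handles (1) pointers whose bounds the type does
 * not give, via a side table filled at allocation time, and (2) aliasing and
 * cycles, by serialising each node once and encoding node pointers as indices.
 * Struct layout, stream format and names are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct node {                 /* hypothetical type crossing the boundary */
    int          id;
    int         *data;        /* heap array whose length the type does not give */
    struct node *next, *peer; /* may alias each other or form a cycle */
};

#define MAX_OBJS 64

/* side table: base address -> byte size, recorded when memory is allocated */
static struct { void *base; size_t size; } bounds[MAX_OBJS];
static int nbounds;

static void *tracked_malloc(size_t n) {
    void *p = calloc(1, n);
    if (p && nbounds < MAX_OBJS) { bounds[nbounds].base = p; bounds[nbounds].size = n; nbounds++; }
    return p;
}
size_t bounds_of(const void *p) {
    for (int i = 0; i < nbounds; i++) if (bounds[i].base == p) return bounds[i].size;
    return 0;                 /* unknown: the pointer cannot be marshalled safely */
}

struct ctx { struct node *seen[MAX_OBJS]; int nseen; uint8_t *buf; size_t len, cap; int err; };

/* object index for a node pointer; first sight appends the node to the worklist */
static int32_t ref_of(struct ctx *c, struct node *n) {
    if (!n) return -1;
    for (int i = 0; i < c->nseen; i++) if (c->seen[i] == n) return i;
    if (c->nseen == MAX_OBJS) { c->err = 1; return -1; }
    c->seen[c->nseen] = n;
    return c->nseen++;
}
static void put(struct ctx *c, const void *p, size_t n) {
    if (n == 0) return;
    if (c->len + n > c->cap) { c->err = 1; return; }
    memcpy(c->buf + c->len, p, n); c->len += n;
}

/* record per node: id(4) dlen(4) data(dlen) next(4) peer(4); returns bytes written or -1 */
long marshal(struct node *root, uint8_t *out, size_t cap) {
    struct ctx c = { .buf = out, .cap = cap };
    ref_of(&c, root);
    for (int i = 0; i < c.nseen && !c.err; i++) {  /* worklist grows as new nodes are referenced */
        struct node *n = c.seen[i];
        int32_t  id   = n->id;
        uint32_t dlen = (uint32_t)bounds_of(n->data);
        if (n->data && dlen == 0) return -1;         /* no recorded bounds: refuse, do not guess */
        int32_t next = ref_of(&c, n->next), peer = ref_of(&c, n->peer);
        put(&c, &id, 4); put(&c, &dlen, 4); put(&c, n->data, dlen); put(&c, &next, 4); put(&c, &peer, 4);
    }
    return c.err ? -1 : (long)c.len;
}

/* rebuilds the graph on the receiving side; NULL on malformed input (error-path frees omitted) */
struct node *unmarshal(const uint8_t *in, size_t len) {
    struct node *objs[MAX_OBJS]; int32_t refs[MAX_OBJS][2]; int n = 0; size_t off = 0;
    while (off < len) {
        int32_t id; uint32_t dlen;
        if (n == MAX_OBJS || len - off < 8) return NULL;
        memcpy(&id, in + off, 4); memcpy(&dlen, in + off + 4, 4); off += 8;
        if (len - off < (size_t)dlen + 8) return NULL; /* length field validated before use */
        struct node *nd = tracked_malloc(sizeof *nd);
        if (!nd) return NULL;
        nd->id = id;
        if (dlen) { nd->data = tracked_malloc(dlen); if (!nd->data) return NULL; memcpy(nd->data, in + off, dlen); }
        off += dlen;
        memcpy(refs[n], in + off, 8); off += 8;
        objs[n++] = nd;
    }
    for (int i = 0; i < n; i++) {                      /* second pass: resolve indices, reject bad ones */
        for (int k = 0; k < 2; k++) if (refs[i][k] < -1 || refs[i][k] >= n) return NULL;
        objs[i]->next = refs[i][0] < 0 ? NULL : objs[refs[i][0]];
        objs[i]->peer = refs[i][1] < 0 ? NULL : objs[refs[i][1]];
    }
    return n ? objs[0] : NULL;
}

/* constructed input: a -> b -> c -> a (cycle), a.peer also c (alias), a and b share
 * one 3-int array. Returns the marshalled byte count when the round trip keeps ids,
 * array bounds, contents, the alias and the cycle, else 0. */
long demo_roundtrip(void) {
    struct node *a = tracked_malloc(sizeof *a), *b = tracked_malloc(sizeof *b), *c = tracked_malloc(sizeof *c);
    int *shared = tracked_malloc(3 * sizeof(int));
    shared[0] = 7; shared[1] = 8; shared[2] = 9;
    a->id = 1; a->data = shared; a->next = b; a->peer = c;
    b->id = 2; b->data = shared; b->next = c;
    c->id = 3; c->next = a;
    uint8_t buf[256];
    long n = marshal(a, buf, sizeof buf);
    struct node *r = n > 0 ? unmarshal(buf, (size_t)n) : NULL;
    if (!r) return 0;
    int ok = r->id == 1 && r->next->id == 2 && r->next->next->id == 3
          && r->next->next->next == r && r->peer == r->next->next
          && bounds_of(r->data) == 3 * sizeof(int) && r->data[2] == 9 && r->next->data[0] == 7
          && r->next->next->data == NULL && r->next->next->peer == NULL;
    return ok ? n : 0;
}

/* a pointer into memory with no recorded bounds must be refused: returns 1 if it is */
int demo_untracked_rejected(void) {
    int stack_array[4] = {1, 2, 3, 4};                 /* never went through tracked_malloc */
    struct node *n = tracked_malloc(sizeof *n);
    n->id = 9; n->data = stack_array;
    uint8_t buf[64];
    return marshal(n, buf, sizeof buf) == -1;
}

int main(void) {
    printf("round trip bytes: %ld, untracked refused: %d\n", demo_roundtrip(), demo_untracked_rejected());
    return 0;
}
```

    The `int *` arrays are copied by value using their recorded size, so two nodes that share one array arrive as two copies; extending the object table to arrays would restore that aliasing in the same way it is restored for nodes. The refusal in `marshal` is the point that matters for a partition boundary: without bounds the sender would have to guess a length, and either leak adjacent memory to the other domain or truncate the data.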




    Published In

    CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
    October 2017
    2682 pages
    ISBN:9781450349468
    DOI:10.1145/3133956
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. automatic program partitioning
    2. bounds tracking
    3. data marshalling

    Conference

    CCS '17

    Acceptance Rates

    CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%



    Citations

    Cited By

    • (2024) FastSGX: A Message-Passing Based Runtime for SGX. Advanced Information Networking and Applications, 74-85. DOI 10.1007/978-3-031-57916-5_7. Online publication date: 9 April 2024.
    • (2023) FreePart: Hardening Data Processing Software via Framework-based Partitioning and Isolation. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4, 169-188. DOI 10.1145/3623278.3624760. Online publication date: 25 March 2023.
    • (2023) Dynamic Library Compartmentalization. Companion Proceedings of the 2023 ACM SIGPLAN International Conference on Systems, Programming, Languages, and Applications: Software for Humanity, 51-52. DOI 10.1145/3618305.3623604. Online publication date: 22 October 2023.
    • (2023) Fat Pointers for Temporal Memory Safety of C. Proceedings of the ACM on Programming Languages 7(OOPSLA1), 316-347. DOI 10.1145/3586038. Online publication date: 6 April 2023.
    • (2023) Capacity: Cryptographically-Enforced In-Process Capabilities for Modern ARM Architectures. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 874-888. DOI 10.1145/3576915.3623079. Online publication date: 15 November 2023.
    • (2023) Harnessing the x86 Intermediate Rings for Intra-Process Isolation. IEEE Transactions on Dependable and Secure Computing 20(4), 3251-3268. DOI 10.1109/TDSC.2022.3192524. Online publication date: 1 July 2023.
    • (2023) Assessing the Impact of Efficiently Protecting Ten Million Stack Objects from Memory Errors Comprehensively. 2023 IEEE Secure Development Conference (SecDev), 67-74. DOI 10.1109/SecDev56634.2023.00021. Online publication date: 18 October 2023.
    • (2023) Friend or Foe Inside? Exploring In-Process Isolation to Maintain Memory Safety for Unsafe Rust. 2023 IEEE Secure Development Conference (SecDev), 54-66. DOI 10.1109/SecDev56634.2023.00020. Online publication date: 18 October 2023.
    • (2023) Practical Program Modularization with Type-Based Dependence Analysis. 2023 IEEE Symposium on Security and Privacy (SP), 1256-1270. DOI 10.1109/SP46215.2023.10179412. Online publication date: May 2023.
    • (2023) SAPPX: Securing COTS Binaries with Automatic Program Partitioning for Intel SGX. 2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE), 148-159. DOI 10.1109/ISSRE59848.2023.00016. Online publication date: 9 October 2023.
