Enhancing Availability and Security Through FailureOblivious Computing Martin

Enhancing Availability and Security Through Failure-Oblivious Computing Martin Rinard, Cristian Cadar, Daniel Dumitran, Daniel Roy, and William Beebee, Jr.

Introduction n Memory errors are a common source of program failures q ML and Java use dynamic checks to eliminate such errors n Assumption: q Invalid memory access unsafe to continue the execution

Failure-Oblivious Computing n Instead of throwing an exception or terminating q q Ignores any memory access errors and continue Read (an out of bounds array element) n q Just read a manufactured value Write (an out of bounds array element) n Discard the value

Wrong Results? n Many programs can continue to run q n As long as errors do not corrupt the program’s address space or data structures Failure-oblivious computing can improve the availability, robustness, and security of such programs

Shouldn’t We Stop at the First Error? n Debugging may not be an option q q n No source code Not enough time Failure-oblivious computing can still provide acceptable service q Better than no service

Servers and Buffer-Overrun Attacks n When a program allocates a fixed-size buffer q q Then fails to check that each input string fits in the buffer A long input string containing executable code can overwrites the stack contents n Can coerce the server into running arbitrary code

Servers and Buffer-Overrun Attacks n Failure-oblivious computing discards the excess characters, preserving the integrity of the stack q q Server detects invalid request and returns an error Converts a dangerous attack into an invalid input

Multiple Items or Outputs n n Many programs (e. g. mail readers) process multiple items Some applications generate multiple outputs q n Some outputs are more important than others Without failure-oblivious computing q Failure to process one can prevent the program to process the rest

Benefits and Drawbacks + Increased resilience q Graceful degradation and continue to operate successfully on most of its inputs + Increased security q Can survive stack overruns + Reduced development costs q Pressured to find and eliminate all disruptive bugs + Reduced administration overhead q Reduce the success rate of attacks

Benefits and Drawbacks + Safer integration q Lowers the risks to use foreign components - May generate unacceptable results q q Inevitable consequence for better resiliency Need to convert unanticipated states into anticipated error states

Scope n Interactive computing environments q q q n Mailers Servers System administration tools Operating systems Document processing systems Mission critical applications q Halting is not an option

Scope n Less appropriate for programs q n No easy way to determine whether the output is correct Safety-critical applications q Safer to terminate the computation

Example n A Mutt procedure q q q n With standard compilers q n Takes an input string Returns an encoded output string Fails to allocate sufficient space Writes succeed, corrupt the address space, and program segfaults With safe-C compilers q Mutt exits before presenting the GUI

Example n With the failure-oblivious compiler q q n The returned string is incorrect Server responds with an error Failure oblivious approach works q Mostly correct programs n With subtle errors

Implementation n Failure oblivious compiler q Generate two kinds of additional code n Checking code q q n Discard erroneous writes Manufactures values for erroneous reads Continuation code q Executes when checking code detects an attempt to perform illegal access

Checking Code n Jones and Kelly’s Scheme q q Track the locations to structs, arrays, variables Each data item is padded with an extra byte n q Initialized to ILLEGAL Check the status of each pointer before dereferencing it

Continuation Code n Write continuation code q n Discards the value Read continuation code q Redirects the read to a preallocated buffer of values n n Iterates through all small integers Increasing the chance to exit loops q n To avoid nontermination Mostly 0 s and 1 s

Continuation Code n Optional logging q n Can be used to track down errors Failure-oblivious computing q Can also reduce the inventive to eliminate errors

Case Studies n Recompiled widely-used open-source programs with known memory errors q q q q Pine (mail user agent) Midnight commander (file manager) Sendmail (mail transfer agent) Mutt (mail user agent) Samba (file server) Ws. Mp 3 (mp 3 server) Apache (http server)

Methodology n Compare each program compiled differently q q q n By a standard C compiler By the CRED safe-C compiler By the failure-oblivious compiler Workloads q Contain inputs that exploit known security vulnerabilities

Pine 4. 44 n Fails to correctly parse certain legal From fields q n n n Possible to execute arbitrary code Standard version: crashed Safe version: terminated with an error message Failure oblivious version: continued to run q Was able to forward the read and forward the message with the problematic From field

Midnight Commander n n Problems with symbolic links in tgz files Standard version: segfaulted Safe version: terminated with an error message Failure-oblivious version: continued to run

Sendmail 8. 11. 6 n n Allows root privilege to execute arbitrary code on the machine running the Sendmail server Standard version: vulnerable to an attack to gain the root shell Safe version: exited with an error message Failure-oblivious version: not vulnerable to the attack

Mutt 1. 4 n n Memory error in the conversion from UTF-8 to UTF-7 string formats Standard version: crashed Safe version: exited with an error message Failure oblivious version: continued to execute q q 6 x slow down Took about 1 second to load 3, 000 messages

Samba 2. 2. 5 n Memory corruption error q n n Standard version: vulnerable to an attack to gain the root shell Safe version: functional until the attack q n A remote user can obtain the root shell The child process exited Failure oblivious version: continued to run q Similar performance compared to the safe version

Ws. Mp 3 0. 0. 5 n n n Memory-error vulnerability Standard version: segfaulted Safe version: crashed the entire server q n Single threaded Failure-oblivious version: survived the attack

Apache 2. 0. 47 n n mod_alias contains a memory-error vulnerability Standard version: child process segfaulted Safe version: child process exited properly Failure-oblivious version: child process redirected the attacking request to a nonexistent URL q The child process stayed alive and processed subsequent requests correctly

Gzip 1. 2. 4 a n Memory error in its file name processing code q n Standard version: segfaulted q n n An attacker can run arbitrary code Remaining files were not processed Safe version: exited at the problematic file Failure-oblivious version: prompted an error message for the problematic files q q Proceeded to process all remaining files 10 x slow down (1. 2 MB/sec)

Discussion n Failure oblivious versions survived all memory-corruption attempts q Work well for this class of applications n n q n One input has a minimal effect on the next input Unless it corrupts the data structures or address space Little performance degradation for interactive programs Safe versions are prone to Do. S attacks q Tend to terminate prematurely

Related Work n Any safe-C compiler can be modified to implement a failure-oblivious compiler q q n Discard writes Manufacture values for unsafe reads Typically < 2 x slow down q q Occasionally 8 x slow down Does not perceptibly degrade the response times of interactive programs n Also I/O-bound programs

Safe Languages n Jave and ML q Modify the exception handling code n n Discard illegal writes Return manufactured values for illegal reads

Traditional Error Recovery n Traditional approaches q q n Reboot Checkpointing Partial system restarts Hardware redundancy Failure-oblivious computing reduces down time and vulnerabilities to persistent errors q Restarting Pine will not solve the problem

Other Approaches n Data structure repair q n Statically detect all buffer-overrun errors q n Failure-oblivious approach is preventive May conservatively reject almost working code Buffer-overrun detection tools q q q Detect overwriting the return address Detect overwriting function pointers Failure-oblivious approach prevents the attack from corrupting the address space

Conclusion n Failure-oblivious computation enhances availability, resilience, and security q Converts dangerous unknown system states to known error cases