Award Abstract # 1223710
TWC: Phase: Small: Software Cruising for System Security

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: THE PENNSYLVANIA STATE UNIVERSITY
Initial Amendment Date: August 30, 2012
Latest Amendment Date: August 30, 2012
Award Number: 1223710
Award Instrument: Standard Grant
Program Manager: Sol Greenspan
sgreensp@nsf.gov  (703)292-7841
CNS  Division Of Computer and Network Systems
CSE  Direct For Computer & Info Scie & Enginr
Start Date: September 1, 2012
End Date: August 31, 2016 (Estimated)
Total Intended Award Amount: $499,745.00
Total Awarded Amount to Date: $499,745.00
Funds Obligated to Date: FY 2012 = $499,745.00
History of Investigator:
  • Dinghao Wu (Principal Investigator)
     dwu@ist.psu.edu
  • Peng Liu (Co-Principal Investigator)
Recipient Sponsored Research Office: Pennsylvania State Univ University Park
 201 OLD MAIN
 UNIVERSITY PARK
 PA  US  16802-1503
(814)865-1372
Sponsor Congressional District: 15
Primary Place of Performance: Pennsylvania State Univ University Park
 313E ISTBuilding
 University Park
 PA  US  16802-7000
Primary Place of Performance
Congressional District:
Unique Entity Identifier (UEI): NPM2J7MSCF61
Parent UEI:
NSF Program(s): Secure &Trustworthy Cyberspace
Primary Program Source: 01001213DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7434, 7923
Program Element Code(s): 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Software bugs and vulnerabilities are primary causes for cyber-security breaches in today's society. Runtime monitoring, a technique to enforce safety and security properties at program execution time, is essential to detect intrusions and keep the system healthy. One of the main obstacles to adopt runtime monitoring techniques in practice is high performance overhead. Inlined security monitoring enforcement often delays and blocks the execution of protected programs. Conventional concurrent runtime monitors have not been able to leverage the multicore architectures for performance due to synchronization issues. If conventional synchronization primitives are used, when the monitor is crashed or blocked due to external events, the protected program will also be blocked even if the monitor is not monitoring. The goal of this proposal is to develop an innovative security monitoring technology, called Software Cruising, to explore multicore architectures for non-blocking concurrent security monitoring using lock-free data structures and algorithms. Software cruising eliminates the blocking effect and achieves efficient and scalable security monitoring. This can result in a game-changing capability in large-scale security monitoring for both cloud-based and traditional computing systems and applications.

The software cruising applications include, but are not limited to, heap buffer integrity checking, kernel memory cruising, data structure and object invariant checking, rootkit detection, and information provenance and flow checking. Three related sets of prototypical toolkits?Cruiser, Kruiser, and iCruiser?will be developed to demonstrate the effectiveness and practicality of large-scale software cruising. Cruiser is for lock-free heap buffer overflow monitoring of user-space programs. Kruiser is for kernel cruising on OS kernel heap buffer overflows and other security vulnerabilities. iCruiser is for user- and kernel-space data structure and object invariant cruising. The proposed research, upon completion, would make large-scale security monitoring more efficient and scalable in the increasingly popular multicore architecture and cloud environment, and thus significantly enhance system security. With the proposed tech transfer effort, applications as well as OS kernels will have better protection with the deployed software cruising technology. Broader impacts will also result from the education, outreach, and dissemination initiatives. Educational resources from this project, including course modules on software cruising and teaching laboratory designs, will be incorporated into online courses and disseminated through a dedicated web site. The project outcomes of this project will be disseminated broadly through publications, software releases, and technology transfer.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

Note:  When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher. Some full text articles may not yet be available without a charge during the embargo (administrative interval).

Some links on this page may take you to non-federal websites. Their policies may differ from this site.

(Showing: 1 - 10 of 22)
D. Tian, X. Xiong, C. Hu, and P. Liu "Defeating Buffer Overflow Attacks via Virtualization" Elsevier Journal on Computers & Electrical Engineering , 2014
Jhi, Yoon-Chan and Jia, Xiaoqi and Wang, Xinren and Zhu, Sencen and Liu, Peng and Wu, Dinghao "Program Characterization Using Runtime Values and Its Application to Software Plagiarism Detection" IEEE Transactions on Software Engineering , v.PP , 2015
Ming, Jiang and Xin, Zhi and Lan, Pengwei and Wu, Dinghao and Liu, Peng and Mao, Bing "Impeding behavior-based malware analysis via replacement attacks to malware specifications" Journal of Computer Virology and Hacking Techniques , 2016 , p.1--15
Ming, Jiang and Xu, Dongpeng and Wu, Dinghao "MalwareHunt: semantics-based malware diffing speedup by normalized basic block memoization" Journal of Computer Virology and Hacking Techniques , 2016 , p.1--12
Ming, Jiang and Zhang, Fangfang and Wu, Dinghao and Liu, Peng and Zhu, Sencun "Deviation-Based Obfuscation-Resilient Program Equivalence Checking With Application to Software Plagiarism Detection" IEEE Transactions on Reliability , 2016
Yoon-Chan Jhi and Xiaoqi Jia and Xinran Wang and Sencun Zhu and Peng Liu and Dinghao Wu "Program Characterization Using Runtime Values and Its Application to Software Plagiarism Detection" IEEE Transactions on Software Engineering , v.41 , 2015 , p.925--943
Wang, Shuai and Wang, Pei and Liu, Xiao and Zhang, Danfeng and Wu, Dinghao "CacheD: Identifying Cache-Based Timing Channels in Production Software" Proceedings of the 26th USENIX Security Symposium , 2017 Citation Details
Jhi, Yoon-Chan and Jia, Xiaoqi and Wang, Xinran and Zhu, Sencun and Liu, Peng and Wu, Dinghao "Program Characterization Using Runtime Values and Its Application to Software Plagiarism Detection" IEEE Transactions on Software Engineering , v.41 , 2015 https://doi.org/10.1109/TSE.2015.2418777 Citation Details
Liu, Xiao and Wang, Shuai and Wang, Pei and Wu, Dinghao "Automatic Grading of Programming Assignments: An Approach Based on Formal Semantics" Proceedings - International Conference on Software Engineering , 2019 Citation Details
Liu, Xiao and Li, Xiaoting and Prajapati, Rupesh and Wu, Dinghao. "DeepFuzz: Automatic Generation of Syntax Valid C Programs for Fuzz Testing" Proceedings of the ... AAAI Conference on Artificial Intelligence , 2019 Citation Details
Xu, Dongpeng and Ming, Jiang and Fu, Yu and Wu, Dinghao. "VMHunt: A Verifiable Approach to Partially-Virtualized Binary Code Simplification" Proceedings of the ACM Conference on Computer and Communications Security , 2018 Citation Details
(Showing: 1 - 10 of 22)

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

This project introduces a novel concurrent software monitoring technology, called Software Cruising. It leverages multicore architectures and utilizes lock-free data structures and algorithms to achieve efficient and scalable security monitoring. Applications include, but are not limited to, heap buffer integrity checking, kernel memory cruising, data structure and object invariant checking, rootkit detection, and information provenance and flow checking. In the software cruising framework, one or more dedicated threads, called cruising threads, are running concurrently with the monitored user or kernel code, to constantly check, or cruise, for security violations. Customized lock-free non-blocking data structures and algorithms are designed to reduce the communication or synchronization overhead between the monitor threads and the application code. We believe the software cruising technology would result in a game-changing capability in security monitoring for the cloud-based and traditional computing and network systems. 

We have developed three prototypical cruising systems: Cruiser, a lock-free concurrent heap buffer overflow monitor in user space; Kruiser, a semi-synchronized non-blocking operating system kernel cruiser; and iCruiser, a monitoring tool for checking data structure integrity under attacks. Our experimental results showed that software cruising can be deployed in practice with modest overhead. In user space, heap buffer overflow cruising incurs only about 5% performance overhead on average for the SPEC CPU2006 benchmark, and the Apache throughput slowdown is only 3% maximum and negligible on average. In kernel space, it is negligible for SPEC, and 3.8% for Apache. Both technologies can be deployed in large scale for cloud data centers and server farms in an automated manner. For data structure integrity checking, new techniques such as secure canary are designed to increase the system security.

We have also developed TaintPipe, a tool that decouples taint analysis using the software cruising technology. Taint analysis has a wide variety of compelling applications in security tasks, from software attack detection to data lifetime analysis, but the high overhead associated with dynamic taint analysis has been severely restricted its application scope. By adopting the idea of software cruising, we parallelize the taint analysis using a pipeline style, which has resulted significant performance improvement (about 2.4 times speedup on execution time) over the existing technology.

The Uroboros tool (Reassembleable Disassembling, Usenix Security 2015) we developed for reverse engineering binary executables (e.g., for applying software cruising to binary code directly, or other security retrofitting on binary code) advocates a new direction on reverse engineering and binary code retrofitting. 

The project has resulted in significant publications in top tier venues including PLDI, NDSS, USENIX Security, ASE, and DSN. We have published more than 30 research papers on this project. In particular, the Cruiser result is published in PLDI, kruiser is published in NDSS, TaintPipe and Uroboros are published in USENIX Security, and StraightTaint in ASE.

We have also open source released the Cruiser and Uroboros prototypes to facilitate further research and dissemination. The source code is available at Cruiser: https://code.google.com/p/cruiser-psu/ and Uroboros: https://github.com/s3team/uroboros.

 


Last Modified: 10/05/2016
Modified by: Dinghao Wu

Images (1 of )

Please report errors in award information by writing to: awardsearch@nsf.gov.

Print this page

Back to Top of page

Top