New aspect-oriented constructs for security hardening concerns

In this paper, we present new pointcuts and primitives to Aspect-Oriented Programming (AOP) languages that are needed for systematic hardening of security concerns. The two proposed pointcuts allow to identify particular join points in a program's control-flow graph (CFG). The first one is the GAFlow, Closest Guaranteed Ancestor, which returns the closest ancestor join point to the pointcuts of interest that is on all their runtime paths. The second one is the GDFlow, Closest Guaranteed Descendant, which returns the closest child join point that can be reached by all paths starting from the pointcut of interest. The two proposed primitives are called ExportParameter and ImportParameter and are used to pass parameters between two pointcuts. They allow to analyze a program's call graph in order to determine how to change function signatures for passing the parameters associated with a given security hardening. We find these pointcuts and primitives to be necessary because they are needed to perform many security hardening practices and, to the best of our knowledge, none of the existing ones can provide their functionalities. Moreover, we show the viability and correctness of the proposed pointcuts and primitives by elaborating and implementing their algorithms and presenting the result of explanatory case studies.     

Analysis of dependencies in advanced transaction models

Transactional dependencies play an important role in coordinating and executing the subtransactions in advanced transaction processing models, such as, nested transactions and workflow transactions. Researchers have formalized the notion of transactional dependencies and have shown how various advanced transaction models can be expressed using different kinds of dependencies. Incorrect specification of dependencies can result in unpredictable behavior of the advanced transaction, which, in turn, can lead to unavailability of resources and information integrity problems. In this work, we focus on how to correctly specify dependencies in an advanced transaction. We enumerate the different kinds of dependencies that may be present in an advanced transaction and classify them into two broad categories: event ordering and event enforcement dependencies. Different event ordering and event enforcement dependencies in an advanced transaction often interact in subtle ways resulting in conflicts and redundancies. We describe the different types of conflicts that can arise due to the presence of multiple dependencies and describe how one can detect such conflicts. An advanced transaction may also contain redundant dependencies—these are dependencies that can be logically derived from other dependencies. We show how such extraneous dependencies can be eliminated to get an equivalent set of dependencies that has the same effect as the original set. Our dependency analysis is done in the context of a generalized advanced transaction model that is capable of expressing different kinds of advanced transactions. Recommended by: Amit Sheth     

上下文敏感的控制流完整性保护的改进方法

面对控制流劫持攻击的威胁,业界使用控制流完整性保护技术来保障进程的执行安全。传统的控制流完整性验证保护机制依赖于动态二进制改写技术,在分析、实施等过程中难度较大,且有可能带来二进制兼容的问题。通过研究近几年提出的上下文敏感的控制流保护技术PathArmor,分析了其检测进程控制流的时机。然后针对PathArmor只在进程做系统调用时才进行检测的机制,提出了改进的方法。该方法依据内核页错误中断处理机制,通过修改用户页面的保护属性主动触发可执行页面的执行错误;接着,修改页错误中断处理过程,钩挂do_page_fault以处理主动触发的执行错误。用户进程代码和数据的完整性得以保证的同时,得到了更多陷入内核接受检查的机会。在Nginx,bzip2,SQLite等典型应用环境下的实验结果表明,改进的方法能够明显增加系统安全分析的粒度,更好地保护程序的控制流。     

Analysis on demand: Instantaneous soundness checking of industrial business process models

We report on a case study on control-flow analysis of business process models. We checked 735 industrial business process models from financial services, telecommunications, and other domains. We investigated these models for soundness (absence of deadlock and lack of synchronization) using three different approaches: the business process verification tool Woflan, the Petri net model checker LoLA, and a recently developed technique based on SESE decomposition. We evaluate the various techniques used by these approaches in terms of their ability of accelerating the check. Our results show that industrial business process models can be checked in a few milliseconds, which enables tight integration of modeling with control-flow analysis. We also briefly compare the diagnostic information delivered by the different approaches and report some first insights from industrial applications.     

系统服务Rootkits隐藏行为分析

用挂钩系统服务来实现进程、文件、注册表、端口等对象的隐藏是最常见的rootkits实现方式.然而大量的检测方法并不能将rootkits和其所隐藏的对象对应起来.本文分析了用户层和内核层系统服务rootkits的隐藏行为,建立了6种模型.在检测出系统服务rootkits的基础上,提出了一种分析其二进制执行代码,匹配模型,找出隐藏对象的方法,实现了一个隐藏行为分析原型.实验结果证明这种隐藏行为分析方法能有效分析出隐藏对象.     

Rewriting executable files to measure program behavior

Inserting instrumentation code in a program is an effective technique for detecting, recording, and measuring many aspects of a program's performance. Instrumentation code can be added at any stage of the compilation process by specially-modified system tools such as a compiler or linker or by new tools from a measurement system. For several reasons, adding instrumentation code after the compilation process—by rewriting the executable file—presents fewer complications and leads to more complete measurements. This paper describes the difficulties in adding code to executable files that arose in developing the profiling and tracing tools qp and qpt. The techniques used by these tools to instrument programs on MIPS and SPARC processors are applicable in other instrumentation systems running on many processors and operating systems. In addition, many difficulties could have been avoided with minor changes to compilers and executable file formats. These changes would simplify this approach to measuring program performance and make it more generally useful.     

一种用于容错处理器的指令复制方法

介绍一种在容错处理器中实现指令复制的方法。处理器的容错机制是通过修改超标量体系结构,利用时间冗余技术实现的。指令复制是容错机制的一种重要功能。详细描述了其实现方法,同时论述了结合指令复制方法对程序控制流的正确性进行检测的问题。     

一种检测程序控制流故障的方法

本文介绍一种在容错处理器中实现控制流故障检测的方法。处理器的容错机制是通过修改超标量体系结构,利用时间冗余技术实现的。处理器支持两个指令流并发执行,本文提出的控制流检测算法是通过比较两个时间冗余的指令流的执行结果实现的,与同类实现方案相比,此方法可以进一步节省硬件资源以及额外的处理器执行时间。     

Linear Approximation of Execution-Time Constraints

This paper defines an algorithm for predicting worst-case and best-case execution times, and determining execution-time constraints of control-flow paths through real-time programs using their partial correctness semantics. The algorithm produces a linear approximation of path traversal conditions, worst-case and best-case execution times and strongest postconditions for timed paths in abstract real-time programs. Also shown are techniques for determining the set of control-flow paths with decidable worst-case and best-case execution times. The approach is based on a weakest liberal precondition semantics and relies on supremum and infimum calculations similar to standard computations from linear programming and Presburger arithmetic. The methodology is applicable to any executable language with a predicate transformer semantics and hence provides a verification basis for both high-level language and assembly code execution-time analysis.