Abstract
Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a high-performance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.
Original language | English |
---|---|
Title of host publication | Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017 |
Editors | Michalis Polychronakis, Michael Meier |
Publisher | Springer Verlag |
Pages | 48-69 |
Number of pages | 22 |
ISBN (Print) | 9783319608754 |
Publication status | Published - 2017 |
Event | 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 - Bonn, Germany Duration: 2017 Jul 6 → 2017 Jul 7 |
Publication series
Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 10327 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Other
Other | 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 |
---|---|
Country/Territory | Germany |
City | Bonn |
Period | 17/7/6 → 17/7/7 |
Bibliographical note
Publisher Copyright: © Springer International Publishing AG 2017.
Keywords
- Buffer overflow attacks
- Concurrency
- Cryptography
- Integrity monitoring
- Isolation
ASJC Scopus subject areas
- Theoretical Computer Science
- General Computer Science