MemPatrol: Reliable sideline integrity monitoring for high-performance systems

Myoung Jin Nam; Wonhong Nam; Jin Young Choi; Periklis Akritidis

doi:10.1007/978-3-319-60876-1_3

MemPatrol: Reliable sideline integrity monitoring for high-performance systems

Myoung Jin Nam, Wonhong Nam, Jin Young Choi, Periklis Akritidis

School of Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a highperformance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.

Original language	English
Title of host publication	Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017
Editors	Michalis Polychronakis, Michael Meier
Publisher	Springer Verlag
Pages	48-69
Number of pages	22
ISBN (Print)	9783319608754
DOIs	https://doi.org/10.1007/978-3-319-60876-1_3
Publication status	Published - 2017
Event	14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 - Bonn, Germany Duration: 2017 Jul 6 → 2017 Jul 7

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10327 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017
Country/Territory	Germany
City	Bonn
Period	17/7/6 → 17/7/7

Keywords

Buffer overflow attacks
Concurrency
Cryptography
Integrity monitoring
Isolation

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-319-60876-1_3

Cite this

Nam, M. J., Nam, W., Choi, J. Y., & Akritidis, P. (2017). MemPatrol: Reliable sideline integrity monitoring for high-performance systems. In M. Polychronakis, & M. Meier (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017 (pp. 48-69). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-60876-1_3

MemPatrol: Reliable sideline integrity monitoring for high-performance systems. / Nam, Myoung Jin; Nam, Wonhong; Choi, Jin Young et al.
Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. ed. / Michalis Polychronakis; Michael Meier. Springer Verlag, 2017. p. 48-69 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Nam, MJ, Nam, W, Choi, JY & Akritidis, P 2017, MemPatrol: Reliable sideline integrity monitoring for high-performance systems. in M Polychronakis & M Meier (eds), Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10327 LNCS, Springer Verlag, pp. 48-69, 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017, Bonn, Germany, 17/7/6. https://doi.org/10.1007/978-3-319-60876-1_3

Nam MJ, Nam W, Choi JY, Akritidis P. MemPatrol: Reliable sideline integrity monitoring for high-performance systems. In Polychronakis M, Meier M, editors, Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. Springer Verlag. 2017. p. 48-69. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-60876-1_3

Nam, Myoung Jin ; Nam, Wonhong ; Choi, Jin Young et al. / MemPatrol : Reliable sideline integrity monitoring for high-performance systems. Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017. editor / Michalis Polychronakis ; Michael Meier. Springer Verlag, 2017. pp. 48-69 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{5077132b1d784b98a84621962a4abea5,

title = "MemPatrol: Reliable sideline integrity monitoring for high-performance systems",

abstract = "Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application{\textquoteright}s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a highperformance passive network monitoring system, demonstrating its low overheads, as well as the operator{\textquoteright}s control of the trade-off between performance degradation and detection delay.",

keywords = "Buffer overflow attacks, Concurrency, Cryptography, Integrity monitoring, Isolation",

author = "Nam, {Myoung Jin} and Wonhong Nam and Choi, {Jin Young} and Periklis Akritidis",

note = "Funding Information: tSuppon for this research was provided by grant ROI-DAII414 from the National Institute on Drug Abuse. Opinions expressed herein are solely those of the authors. The author would like to thank Travis E. Cal for help in the preparation of this manuscript. *Senior Research Scientist, Affiliated Systems Corporation, Houston, TX. Please address correspondence and reprint requests to Isaac D. Montoya, Affiliated Systems Corporation, 31 04 Edloe, Suite 330, Houston, TX 77027; email: imontoya@affiliatedsystems.com Publisher Copyright: {\textcopyright} Springer International Publishing AG 2017.; 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017 ; Conference date: 06-07-2017 Through 07-07-2017",

year = "2017",

doi = "10.1007/978-3-319-60876-1_3",

language = "English",

isbn = "9783319608754",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "48--69",

editor = "Michalis Polychronakis and Michael Meier",

booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017",

}

TY - GEN

T1 - MemPatrol

T2 - 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assess, DIMVA 2017

AU - Nam, Myoung Jin

AU - Nam, Wonhong

AU - Choi, Jin Young

AU - Akritidis, Periklis

N1 - Funding Information: tSuppon for this research was provided by grant ROI-DAII414 from the National Institute on Drug Abuse. Opinions expressed herein are solely those of the authors. The author would like to thank Travis E. Cal for help in the preparation of this manuscript. *Senior Research Scientist, Affiliated Systems Corporation, Houston, TX. Please address correspondence and reprint requests to Isaac D. Montoya, Affiliated Systems Corporation, 31 04 Edloe, Suite 330, Houston, TX 77027; email: imontoya@affiliatedsystems.com Publisher Copyright: © Springer International Publishing AG 2017.

PY - 2017

Y1 - 2017

N2 - Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a highperformance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.

AB - Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a highperformance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.

KW - Buffer overflow attacks

KW - Concurrency

KW - Cryptography

KW - Integrity monitoring

KW - Isolation

UR - http://www.scopus.com/inward/record.url?scp=85022328055&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-60876-1_3

DO - 10.1007/978-3-319-60876-1_3

M3 - Conference contribution

AN - SCOPUS:85022328055

SN - 9783319608754

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 48

EP - 69

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017

A2 - Polychronakis, Michalis

A2 - Meier, Michael

PB - Springer Verlag

Y2 - 6 July 2017 through 7 July 2017

ER -

MemPatrol: Reliable sideline integrity monitoring for high-performance systems

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this