TY - GEN
T1 - MemPatrol
T2 - 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2017
AU - Nam, Myoung Jin
AU - Nam, Wonhong
AU - Choi, Jin Young
AU - Akritidis, Periklis
N1 - Publisher Copyright:
© Springer International Publishing AG 2017.
PY - 2017
Y1 - 2017
N2 - Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a high-performance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.
AB - Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a high-performance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.
KW - Buffer overflow attacks
KW - Concurrency
KW - Cryptography
KW - Integrity monitoring
KW - Isolation
UR - http://www.scopus.com/inward/record.url?scp=85022328055&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-60876-1_3
DO - 10.1007/978-3-319-60876-1_3
M3 - Conference contribution
AN - SCOPUS:85022328055
SN - 9783319608754
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 48
EP - 69
BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017
A2 - Polychronakis, Michalis
A2 - Meier, Michael
PB - Springer Verlag
Y2 - 6 July 2017 through 7 July 2017
ER -