Crispin Cowan

Buffer overflows: attacks and defenses for the vulnerability of the decade

Buffer overflows have been the most common form of security vulnerability for the last ten years. More over, buffer overflow vulnerabilities dominate the area of remote network penetration vulnerabilities, where an anonymous Internet user seeks to gain partial or total control of a host. If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of the most serious security threats would also be eliminated. In this paper, we survey the various types of buffer overflow vulnerabilities and attacks, and survey the various defensive measures that mitigate buffer overflow vulnerabilities, including our own StackGuard method. We then consider which combinations of techniques can eliminate the problem of buffer overflow vulnerabilities, while preserving the functionality and performance of existing systems.

Optimistic incremental specialization: streamlining a commercial operating system

Conventional operating system code is written to deal with all possible system states, and performs considerable interpretati on to determine the current system state before taking action. A consequence of this approach is that kernel calls which perform little ac tual work take a long time to execute. To address this problem, we use specialized operating system code that reduces interpretation for common cases, but still behaves correctly in the fully general c ase. We describe how specialized operating system code can be generated and bound incrementallyas the information on which it depends becomes available. We extend our specialization techniques to include the notion of optimistic incremental specialization : a technique for generating specialized kernel code optimistically for sys tem states that are likely to occur, but not certain. The ideas outlined in this paper allow the conventional kernel design tenet of “optimi zing for the common case” to be extended to the domain of adaptive operating systems. We also show that aggressive use of specialization can produce in-kernel implementations of operating system functionality with performance comparable to user-level implementations. We demonstrate that these ideas are applicable in real-world operating systems by describing a re-implementation of the HP-UX file system. Our specializedread system call reduces the cost of a single byte read by a factor of 3, and an 8 KB read by 26%, while preserving the semantics of the HP-UXread call. By relaxing the semantics of HP-UXread we were able to cut the cost of a single byte read system call by more than an order of magnitude.

A Distributed Real-Time MPEG Video Audio Player

This paper presents the design, implementation and experimental analysis of a distributed, real-time MPEG video and audio player. The player is designed for use across the Internet, a shared environment with variable traffic and with great diversity in network bandwidth and host processing speed. We use a novel toolkit approach to build software feedback mechanisms for client/server synchronization, dynamic Quality-of-Service control, and system adaptiveness. Our experimental results show that the feedback mechanisms are effective, and that the player performs very well in the Internet environment.

Player for adaptive MPEG video streaming over the Internet

This paper describes the design and implementation of a real-time, streaming, Internet video and audio player. The player has a number of advanced features including dynamic adaptation to changes in available bandwidth, latency and latency variation; a multi-dimensional media scaling capability driven by user-specified quality of service (QoS) requirements; and support for complex content comprising multiple synchronized video and audio streams. The player was developed as part of the QUASAR project at Oregon Graduate Institute, is freely available, and serves as a testbed for research in adaptive resource management and QoS control.

Specialization tools and techniques for systematic optimization of system software

Specialization has been recognized as a powerful technique for optimizing operating systems. However, specialization has not been broadly applied beyond the research community because current techniques based on manual specialization, are time-consuming and error-prone. The goal of the work described in this paper is to help operating system tuners perform specialization more easily. We have built a specialization toolkit that assists the major tasks of specializing operating systems. We demonstrate the effectiveness of the toolkit by applying it to three diverse operating system components. We show that using tools to assist specialization enables significant performance optimizations without error-prone manual modifications. Our experience with the toolkit suggests new ways of designing systems that combine high performance and clean structure.

Declarative specialization of object-oriented programs

Designing and implementing generic software components is encouraged by languages such as object-oriented ones and commonly advocated in most application areas. Generic software components have many advantages among which the most important is reusability. However, it comes at a price: genericity often incurs a loss of efficiency.This paper presents an approach aimed at reconciling genericity and efficiency. To do so, we introduce declarations to the Java language to enable a programmer to specify how generic programs should be specialized for a particular usage pattern. Our approach has been implemented as a compiler from our extended language into standard Java.

Adaptive methods for distributed video presentation

This paper describes problems and solutions for delivering real-time, multi-media presentations across the Internet. A key characteristic of presentations of continuous media datatypes, such as digital video and audio, is their need for predictable real-time data delivery. For example, an NTSC quality video presentation requires video frames to be displayed every 1/30th of a second. Variations in this display rate can be observable as stalls or glitches in the video stream and reduce the quality of the presentation [6]. Delivering such presentations across the Internet is di cult because highly variable bandwidth and latency make it di cult to predict the arrival time of network packets containing video or audio data. Our solution is for distributed multi-media systems to adapt dynamically to these changing network conditions. This paper describes the use of software feedback to make multimedia presentations adaptive, and shows how video can be played across an unpredictable network such as the Internet without bene t of resource reservations. The Internets unpredictable latency and bandwidth characteristics arise because di erent links in the network have performance that varies by several orders of magnitude. Hence, the location of a video client relative to its video server in uences the performance characteristics of the connection. Furthermore, even if the capability of the hardware in question can be established, the available bandwidth varies wildly from moment to moment because the Internet is a shared resource: just a few concurrent large data transfers can easily take up most of a connections bandwidth. In this environment, adaptive methods are essential to maintaining video quality.

Fast concurrent dynamic linking for an adaptive operating system

The need for customizable and application-specific operating systems has been recognized for many years. A customizable operating system is one that can adapt to some particular circumstance to gain some functional or performance benefits. Microkernels have attempted to address this problem, but suffer performance degradation due to the cost of inter-process protection barriers. Commercial operating systems that can efficiently adapt themselves to changing circumstances have failed to appear, in part due to the difficulty of providing an interface that is efficient to invoke, provides a protection barrier, and can be dynamically reconfigured. Providing such a safe, efficient, and dynamic interface in a concurrent operating system requires an effective concurrency control mechanism to prevent conflicts between system components proposing to execute specialized components, and those components responsible for dynamically replacing specialized components. We outline our basic approach to specialization of operating systems, and detail our dynamic replacement mechanism and its concurrency control features.

Defcon Capture the Flag: defending vulnerable code from intense attack

Immunix/spl trade/ is a Linux system hardened with several DARPA-funded security technologies to produce a highly survivable server appliance platform. The Immunix technologies include: StackGuard, FormatGuard, RaceGuard, SubDomain, and LSM (Linux Security Modules). Combined, these technologies make it very difficult for an attacker to break into an Immunix server, despite the presence of unpatched vulnerabilities, while also preserving a high degree of compatibility with standard Linux systems. The Defcon Capture-the-Flag (CtF) contest is the largest open security hacking game. The 2002 game was designed to make it particularly difficult for defenders to defend their servers by forcing players to host software known to be vulnerable. Our DISCEX III paper describes our experience playing an Immunix server in this game: we placed second overall, and no one was able to take control of the Immunix server.

Specialization classes: an object framework for specialization

This paper presents an object-oriented framework for specifying specializations in long-running programs such as operating systems. This model is based on the following concepts: Inheritance allows replacement implementations of member functions. We thus use a graph of sub-classes to specify a set of potential specializations of a given facility by replacing generic implementations with specialized implementations. Specializations in long-running programs are temporary, because the particular circumstances that permit the use of a specialized implementation are likely to change eventually. We thus support temporary and even optimistic specializations. Ensuring that it is valid to use a specialized implementation can be more difficult than creating the specialized implementation. We thus use a formal method to specify when a specialization is valid. This lets us automatically detect when specialization circumstances have changed, and also automatically generate specialized implementations using partial evaluation.