Cruiser
Overview
Security enforcement inlined into user threads often delays the protected
programs; inlined resource reclamation may defer resource
release and reuse. We propose software cruising, a novel technique
that migrates security enforcement and resource reclamation from
user threads to a concurrent monitor thread. The technique leverages
multicore and multiprocessor architectures and uses lock-free
data structures to achieve non-blocking and efficient synchronization
between the monitor and user threads.
As a case study, software
cruising is applied to the heap buffer overflow problem. Previous
mitigation and detection techniques for this problem suffer
from high performance overhead, legacy code compatibility, semantics
loyalty, or tedious manual program transformation. We
present a concurrent heap buffer overflow detector, CRUISER, in
which a concurrent thread is added to the user program to monitor
heap integrity and custom lock-free data structures and algorithms
are designed to achieve high efficiency and scalability. The experiments
show that our approach is practical: it imposes an average of
7% performance overhead on SPEC CPU2006, and the throughput
slowdown on Apache is negligible on average.
People
Publications
-
Cruiser: Concurrent Buffer Overflow Monitoring Using Lock-free Data Structures,
by Qiang Zeng, Dinghao Wu, and Peng Liu.
In Proceedings of the 2011 ACM SIGPLAN Conference on Programming
Language Design and Implementation (PLDI 2011), San Jose, CA, USA, June 4–8, 2011.
-
Kruiser: Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer Overflow Monitoring,
by Donghai Tian, Qiang Zeng, Dinghao Wu, Peng Liu, and Changzhen Hu.
In Proceedings of the 19th Network and Distributed System Security Symposium (NDSS 2012),
San Diego, California, February 5–8, 2012.