MemPatrol

Reliable sideline integrity monitoring for high-performance systems

Myoung Jin Nam, Wonhong Nam, Jin Young Choi, Periklis Akritidis

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a high-performance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.
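The sideline design the abstract describes, as an added illustration written for this page (it is not MemPatrol's code, and the page does not spell out the paper's actual mechanism): a monitor pthread sweeps keyed canaries at an operator-chosen interval while the application thread pays no per-access check. The keyed-canary scheme, the mix function, the key value, buffer sizes and the timeout are all assumptions made for the example. Three scenarios show why isolation matters: a plain overflow is caught on the next sweep; a cover-up attempt without the key fails; a cover-up by an attacker who can read the key from memory succeeds, which is exactly the vulnerability window the abstract warns about and which this sketch deliberately leaves open.

```c
/* Sideline canary monitor: illustration written for this page, not MemPatrol's
 * code. A monitor thread sweeps keyed canaries; the app thread pays no inline check. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define MAX_GUARDS 64
#define BUF_LEN    16

struct guarded_buf { char data[BUF_LEN]; uint64_t canary; }; /* canary follows data */

static uint64_t *guards[MAX_GUARDS];   /* canary slots the monitor knows about */
static size_t    nguards;

/* ASSUMPTION: the key sits in ordinary memory, so an attacker in the same
 * address space can read it and forge canaries. Keeping it out of reach is the
 * isolation problem the abstract raises; this sketch does not solve it. */
static uint64_t secret_key = 0x243f6a8885a308d3ULL;

/* Canary bound to a slot address (assumed 64-bit finaliser mix, not the paper's). */
static uint64_t canary_for(const uint64_t *slot) {
    uint64_t x = secret_key ^ (uint64_t)(uintptr_t)slot;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    return x ^ (x >> 33);
}

void guard_reset(void) { nguards = 0; }

int guard_register(struct guarded_buf *b) {
    if (nguards == MAX_GUARDS) return -1;
    b->canary = canary_for(&b->canary);
    guards[nguards++] = &b->canary;
    return 0;
}

/* One monitor pass: number of canaries that no longer match the key. */
int monitor_sweep(void) {
    int bad = 0;
    for (size_t i = 0; i < nguards; i++)
        if (__atomic_load_n(guards[i], __ATOMIC_RELAXED) != canary_for(guards[i])) bad++;
    return bad;
}

/* Attacker: byte-wise overflow of data[] that runs into the canary
 * (volatile keeps the compiler from optimising away the deliberate OOB write). */
static void overflow(struct guarded_buf *b) {
    volatile char *p = b->data;
    for (size_t i = 0; i < sizeof b->data + sizeof b->canary; i++) p[i] = 'A';
}

/* Plain overflow: the next sweep sees the clobbered canary. */
int demo_overflow_detected(void) {
    struct guarded_buf b; guard_reset(); guard_register(&b);
    overflow(&b);
    return monitor_sweep();                        /* 1 */
}

/* Cover-up without the key: writing back a guessed constant does not help. */
int demo_coverup_without_key(void) {
    struct guarded_buf b; guard_reset(); guard_register(&b);
    overflow(&b);
    b.canary = 0x000aff0d000aff0dULL;              /* attacker's guess */
    return monitor_sweep();                        /* still 1 */
}

/* Cover-up with a leaked key: corruption is hidden before the sweep runs.
 * This is the vulnerability window when the monitor's secret is not isolated. */
int demo_coverup_with_key(void) {
    struct guarded_buf b; guard_reset(); guard_register(&b);
    overflow(&b);
    b.canary = canary_for(&b.canary);              /* recomputed from leaked key */
    return monitor_sweep();                        /* 0: monitor is blind */
}

/* ---- the operator's knob: sweep interval vs detection delay ---- */
static _Atomic int stop_flag, detected_flag;
static struct timespec sweep_interval;

static long now_us(void) {
    struct timespec ts; clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000000L + ts.tv_nsec / 1000;
}

static void *monitor_main(void *unused) {
    (void)unused;
    while (!atomic_load(&stop_flag)) {
        if (monitor_sweep() > 0) { atomic_store(&detected_flag, 1); break; }
        nanosleep(&sweep_interval, NULL);         /* idle between sweeps */
    }
    return NULL;
}

/* Start a sideline monitor with the given sweep interval, corrupt a buffer from
 * the application thread, and return the observed detection delay in
 * microseconds (-1 = not detected within the timeout). */
long run_sideline_monitor(long interval_us) {
    struct guarded_buf b; pthread_t tid;
    guard_reset(); guard_register(&b);
    atomic_store(&stop_flag, 0); atomic_store(&detected_flag, 0);
    sweep_interval.tv_sec  = interval_us / 1000000;
    sweep_interval.tv_nsec = (interval_us % 1000000) * 1000;
    if (pthread_create(&tid, NULL, monitor_main, NULL) != 0) return -1;
    long t0 = now_us();
    overflow(&b);
    while (!atomic_load(&detected_flag) && now_us() - t0 < 100 * interval_us + 1000000) { }
    long delay = atomic_load(&detected_flag) ? now_us() - t0 : -1;
    atomic_store(&stop_flag, 1); pthread_join(tid, NULL);
    return delay;
}

int main(void) {
    printf("overflow detected: %d, cover-up w/o key caught: %d, cover-up with key caught: %d\n",
           demo_overflow_detected(), demo_coverup_without_key(), demo_coverup_with_key());
    for (long us = 100; us <= 10000; us *= 10)
        printf("sweep every %5ld us -> detected after %ld us\n", us, run_sideline_monitor(us));
    return 0;
}
```

Build with `cc -O2 -pthread sideline.c`. The last loop makes the trade-off concrete: a longer sweep interval costs the monitor core less and steals fewer cache lines from the application, but bounds detection delay by roughly one interval. What the sketch cannot give is "eventual detection", because `secret_key` is readable by any code in the process; that gap is what the abstract's userspace isolation mechanism is about.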

Original language: English
Title of host publication: Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017
Publisher: Springer Verlag
Pages: 48-69
Number of pages: 22
Volume: 10327 LNCS
ISBN (Print): 9783319608754
DOI: 10.1007/978-3-319-60876-1_3
Publication status: Published - 2017
Event: 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2017 - Bonn, Germany
Duration: 2017 Jul 6 to 2017 Jul 7

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10327 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2017
Country: Germany
City: Bonn
Period: 17/7/6 to 17/7/7

Keywords

  • Buffer overflow attacks
  • Concurrency
  • Cryptography
  • Integrity monitoring
  • Isolation

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Nam, M. J., Nam, W., Choi, J. Y., & Akritidis, P. (2017). MemPatrol: Reliable sideline integrity monitoring for high-performance systems. In Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017 (Vol. 10327 LNCS, pp. 48-69). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10327 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-60876-1_3

@inproceedings{5077132b1d784b98a84621962a4abea5,
title = "MemPatrol: Reliable sideline integrity monitoring for high-performance systems",
abstract = "Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a high-performance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.",
keywords = "Buffer overflow attacks, Concurrency, Cryptography, Integrity monitoring, Isolation",
author = "Nam, {Myoung Jin} and Wonhong Nam and Choi, {Jin Young} and Periklis Akritidis",
year = "2017",
doi = "10.1007/978-3-319-60876-1_3",
language = "English",
isbn = "9783319608754",
volume = "10327 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "48--69",
booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017",

}

TY - GEN

T1 - MemPatrol

T2 - Reliable sideline integrity monitoring for high-performance systems

AU - Nam, Myoung Jin

AU - Nam, Wonhong

AU - Choi, Jin Young

AU - Akritidis, Periklis

PY - 2017

Y1 - 2017

AB - Integrity checking using inline reference monitors to check individual memory accesses in C/C++ programs remains prohibitively expensive for the most performance-critical applications. To address this, we developed MemPatrol, a “sideline” integrity monitor that allows us to minimize the amount of performance degradation at the expense of increased detection delay. Inspired by existing proposals, MemPatrol uses a dedicated monitor thread running in parallel with the other threads of the protected application. Previous proposals, however, either rely on costly isolation mechanisms, or introduce a vulnerability window between the attack and its detection. During this vulnerability window, malicious code can cover up memory corruption, breaking the security guarantee of “eventual detection” that comes with strong isolation. Our key contributions are (i) a novel userspace-based isolation mechanism to address the vulnerability window, and (ii) to successfully reduce the overhead incurred by the application’s threads to a level acceptable for a performance-critical application. We evaluate MemPatrol on a high-performance passive network monitoring system, demonstrating its low overheads, as well as the operator’s control of the trade-off between performance degradation and detection delay.

KW - Buffer overflow attacks

KW - Concurrency

KW - Cryptography

KW - Integrity monitoring

KW - Isolation

UR - http://www.scopus.com/inward/record.url?scp=85022328055&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85022328055&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-60876-1_3

DO - 10.1007/978-3-319-60876-1_3

M3 - Conference contribution

SN - 9783319608754

VL - 10327 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 48

EP - 69

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 14th International Conference, DIMVA 2017, 2017

PB - Springer Verlag

ER -