Article

Enhancing server availability and security through failure-oblivious computing

Authors:

Cristian Cadar,

Daniel Dumitran,

William S. Beebee, Jr.Authors Info & Claims

OSDI'04: Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation - Volume 6

Page 21

Published: 06 December 2004 Publication History

Abstract

We present a new technique, failure-oblivious computing, that enables servers to execute through memory errors without memory corruption. Our safe compiler for C inserts checks that dynamically detect invalid memory accesses. Instead of terminating or throwing an exception, the generated code simply discards invalid writes and manufactures values to return for invalid reads, enabling the server to continue its normal execution path.

We have applied failure-oblivious computing to a set of widely-used servers from the Linux-based open-source computing environment. Our results show that our techniques 1) make these servers invulnerable to known security attacks that exploit memory errors, and 2) enable the servers to continue to operate successfully to service legitimate requests and satisfy the needs of their users even after attacks trigger their memory errors.

We observed several reasons for this successful continued execution. When the memory errors occur in irrelevant computations, failure-oblivious computing enables the server to execute through the memory errors to continue on to execute the relevant computation. Even when the memory errors occur in relevant computations, failure-oblivious computing converts requests that trigger unanticipated and dangerous execution paths into anticipated invalid inputs, which the error-handling logic in the server rejects. Because servers tend to have small error propagation distances (localized errors in the computation for one request tend to have little or no effect on the computations for subsequent requests), redirecting reads that would otherwise cause addressing errors and discarding writes that would otherwise corrupt critical data structures (such as the call stack) localizes the effect of the memory errors, prevents addressing exceptions from terminating the computation, and enables the server to continue on to successfully process subsequent requests. The overall result is a substantial extension of the range of requests that the server can successfully process.

References

[1]

{1} Apache HTTP Server exploit. www.securityfocus.com/bid/8911/discussion/.]]

[2]

{2} CERT/CC. Advisories 2002. www.cert.org/advisories.]]

[3]

{3} CNN Report on Code Red. www.cnn.com/2001/TECH/internet/08/08/code.red.II/.]]

[4]

{4} ELM. www.instinct.org/elm/.]]

[5]

{5} Midnight Commander exploit. www.securityfocus.com/bid/8658/discussion/.]]

[6]

{6} Midnight Commander website. www.ibiblio.org/mc/.]]

[7]

{7} Mutt exploit. www.securiteam.com/unixfocus/5FP0T0U9FU.html.]]

[8]

{8} Mutt website. www.mutt.org.]]

[9]

{9} Netcraft website. http://news.netcraft.com/archives/web server survey.html.]]

[10]

{10} Pine exploit. www.securityfocus.com/bid/6120/discussion.]]

[11]

{11} Pine website. www.washington.edu/pine/.]]

[12]

{12} SecuriTeam website. www.securiteam.com.]]

[13]

{13} Security Focus website. www.securityfocus.com.]]

[14]

{14} Sendmail exploit. www.securityfocus.com/bid/7230/discussion/.]]

[15]

{15} Sendmail website. www.sendmail.org.]]

[16]

{16} Stackshield. www.angelfire.com/sk/stackshield.]]

[17]

{17} T. Austin, S. Breach, and G. Sohi. Efficient detection of all pointer and array access errors. In Proceedings of the ACM SIGPLAN '94 Conference on Programming Language Design and Implementation, June 2004.]]

Digital Library

[18]

{18} R. Bodik, R. Gupta, and V. Sarkar. Eliminating array bounds checks on demand. In ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2002.]]

Digital Library

[19]

{19} W. Bush, J. Pincus, and D. Sielaff. A static analyzer for finding dynamic, programming errors. Software - Practice and Experience, 2000.]]

Digital Library

[20]

{20} G. Candea and A. Fox. Recursive restartability: Turning the reboot sledgehammer into a scalpel. In Proceedings of the 8th Workshop on Hot Topics in Operating Systems (HotOS-VIII), pages 110-115, Schloss Elmau, Germany, May 2001.]]

Digital Library

[21]

{21} S. Card, T. Moran, and A. Newell. The Psychology of Human-Computer Interaction. Lawrence Erlbaum Associates, 1983.]]

Digital Library

[22]

{22} J. Condit, M. Harren, S. McPeak, G. C. Necula, and W. Weimer. CCured in the real world. In Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation, June 2003.]]

Digital Library

[23]

{23} C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proceedings of the 7th USENIX Security Conference, January 1998.]]

Digital Library

[24]

{24} J. Darley and B. Latane. Bystander intervention in emergencies: Diffusion of responsibility. Journal of Personality and Social Psychology, pages 377-383, Aug. 1968.]]

[25]

{25} W. E. Deming. Out of the Crisis. MIT Press, 2000.]]

[26]

{26} B. Demsky and M. Rinard. Automatic Detection and Repair of Errors in Data Structures. In Proceedings of the 18th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, October 2003.]]

Digital Library

[27]

{27} D. Dhurjati, S. Kowshik, V. Adve, and C. Lattner. Memory safety without runtime checks or garbage collection. In Proceedings of the 2003 Workshop on Languages, Compilers, and Tools for Embedded Systems (LCTES'03), June 2003.]]

Digital Library

[28]

{28} N. Dor, M. Rodeh, and M. Sagiv. CSSV: Towards a realistic tool for statically detecting all buffer overflows in C. In Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation, 2003.]]

Digital Library

[29]

{29} D. Engler, M. F. Kaashoek, and J. James O'Toole. Exokernel: An Operating System Architecture for Application-Level Resource Management. In Proceedings of the Fifteenth ACM Symposium on Operating System Principles, Dec. 1995.]]

Digital Library

[30]

{30} J. Gray and A. Reuter. Transaction Processing: Concepts and Techniques. Morgan Kaufmann, 1993.]]

Digital Library

[31]

{31} N. Gupta, L. Jagadeesan, E. Koutsofios, and D. Weiss. Auditdraw: Generating audits the FAST way. In Proceedings of the 3rd IEEE International Symposium on Requirements Engineering, 1997.]]

Digital Library

[32]

{32} R. Gupta. Optimizing array bounds checks using flow analysis. In ACM Letters on Programming Languages and Systems, 2(1-4):135-150, March 1993.]]

Digital Library

[33]

{33} G. Hamilton and P. Kougiouris. The Spring Nucleus: A Microkernel for Objects. In Proceedings of the 1993 Summer Usenix Conference, June 1993.]]

Digital Library

[34]

{34} R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter USENIX Conference, 1992.]]

[35]

{35} G. Haugk, F. Lax, R. Royer, and J. Williams. The 5ESS(TM) switching system: Maintenance capabilities. AT&T Technical Journal, 64(6 part 2):1385-1416, July-August 1985.]]

[36]

{36} T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In USENIX Annual Technical Conference, June 2002.]]

Digital Library

[37]

{37} R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Proceedings of Third International Workshop On Automatic Debugging, May 1997.]]

[38]

{38} S. C. Kendall. Bcc: run-time checking for C programs. In USENIX Summer Conference Proceedings, 1983.]]

[39]

{39} V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure Execution Via Program Shepherding. In Proceedings of 11th USENIX Security Symposium, August 2002.]]

Digital Library

[40]

{40} B. Latane and J. Darley. Group inhibition of bystander intervention in emergencies. Journal of Personality and Social Psychology, pages 215-221, Oct. 1968.]]

[41]

{41} M. Litzkow, M. Livny, and M. Mutka. Condor - A Hunter of Idle Workstations. In Proceedings of the 8th International Conference of Distributed Computing Systems, 1988.]]

[42]

{42} M. Litzkow and M. Solomon. The Evolution of Condor Checkpointing.]]

[43]

{43} M. R. Lyu. Software Fault Tolerance. John Wiley & Sons, 1995.]]

Digital Library

[44]

{44} S. Mourad and D. Andrews. On the reliability of the IBM MVS/XA operating system. IEEE Transactions on Software Engineering, September 1987.]]

Digital Library

[45]

{45} G. C. Necula, S. McPeak, and W. Weimer. CCured: type-safe retrofitting of legacy code. In Symposium on Principles of Programming Languages, 2002.]]

Digital Library

[46]

{46} R. Rashid, D. Julin, D. Orr, R. Sanzi, R. Baron, A. Forin, D. Golub, and M. Jones. Mach: A New Kernel Foundation For UNIX Development. In Proceedings of the 1986 Summer USENIX Conference, July 1986.]]

[47]

{47} M. Rinard. Acceptability-oriented computing. In 2003 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications Companion (OOPSLA '03 Companion) Onwards! Session, Oct. 2003.]]

Digital Library

[48]

{48} M. Rinard, C. Cadar, D. Roy, D. Dumitran, and T. Leu. A dynamic technique for eliminating buffer overflow vulnerabilities (and other memory errors). In Proceedings of the 20th Annual Computer Security Applications Conference, Dec. 2004.]]

Digital Library

[49]

{49} R. Rugina and M. Rinard. Symbolic bounds analysis of pointers, array indices, and accessed memory regions. In Proceedings of the ACM SIGPLAN '00 Conference on Programming Language Design and Implementation, June 2000.]]

Digital Library

[50]

{50} O. Ruwase and M. S. Lam. A Practical Dynamic Buffer Overflow Detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium, February 2004.]]

[51]

{51} M. I. Seltzer and C. Small. Self-monitoring and self-adapting operating systems. In Proceedings of the Sixth workshop on Hot Topics in Operating Systems, 1997.]]

Digital Library

[52]

{52} S. Sidiroglou, G. Giovanidis, and A. Keromytis. Using execution transactions to recover from buffer overflow attacks. Technical Report CUCS-031-04, Columbia University Computer Science Department, September 2004.]]

[53]

{53} M. Swift, B. Bershad, and H. Levy. Improving the reliability of commodity operating systems. In Proceedings of the Nineteenth ACM Symposium on Operating System Principles, Dec. 2003.]]

Digital Library

[54]

{54} D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A First Step towards Automated Detection of Buffer Overrun Vulnerabilities. In Proceedings of the Year 2000 Network and Distributed System Security Symposium, 2000.]]

[55]

{55} R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In Proceedings of the Fourteenth ACM Symposium on Operating System Principles, Dec. 1994.]]

Digital Library

[56]

{56} E. Witchel, J. Cates, and K. Asanovic. Mondriaan memory protection. In Proceedings of the 10th International Conference on Architectural Support for Programming Languages and Operating Systems, Oct. 2002.]]

Digital Library

[57]

{57} H. Xi and F. Pfenning. Eliminating Array Bound Checking Through Dependent Types. In Proceedings of ACM SIGPLAN Conference on Programming Language Design and Implementation, June 1998.]]

Digital Library

[58]

{58} S. H. Yong and S. Horwitz. Protecting C Programs from Attacks via Invalid Pointer Dereferences. In Proceedings of the 9th European software engineering conference held jointly with 10th ACM SIGSOFT international symposium on Foundations of software engineering, 2003.]]

Digital Library

[59]

{59} Y. Zhang, J. Yang, and R. Gupta. Frequent value locality and value-centric data cache design. In Proceedings of the Ninth International Conference on Architectural Support for Programming Languages and Operating Systems, Nov. 2000.]]

Digital Library

Cited By

Lefeuvre HGain GBădoiu VDinca DSchiller VRaiciu CHuici FOlivier PTsafrir DMUSUVATHI MGupta RAbu-Ghazaleh N(2024)Loupe: Driving the Development of OS Compatibility LayersProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 110.1145/3617232.3624861(249-267)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3617232.3624861
Hochschild PTurner PMogul JGovindaraju RRanganathan PCuller DVahdat AAngel SKasikci BKohler E(2021)Cores that don't countProceedings of the Workshop on Hot Topics in Operating Systems10.1145/3458336.3465297(9-16)Online publication date: 1-Jun-2021
https://dl.acm.org/doi/10.1145/3458336.3465297
van Tonder RLe Goues CRothermel GBae D(2020)Tailoring programs for static analysis via program transformationProceedings of the ACM/IEEE 42nd International Conference on Software Engineering10.1145/3377811.3380343(824-834)Online publication date: 27-Jun-2020
https://dl.acm.org/doi/10.1145/3377811.3380343
Show More Cited By

Index Terms

Recommendations

Enhancing Java server availability with JAS

The Java programming language is increasingly used in the implementation of servers with stringent availability, reliability, and performance requirements. Our Java Application Supervisor (JAS) software system is an attachment to a Java runtime ...
A Fast Failure Detection and Failover Scheme for SIP High Availability Networks
PRDC '07: Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing

The SIP proxy server, which is an important building block of a SIP network, can be in a form of a cluster to prevent service unavailability caused by software or hardware failures. The design of a SIP proxy server cluster with a single dispatcher in a ...
Client/Server Computing for Dummies

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

OSDI'04: Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation - Volume 6

December 2004

403 pages

Sponsors

USENIX Assoc: USENIX Assoc

Publisher

USENIX Association

United States

Publication History

Published: 06 December 2004

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

180
Total Citations
View Citations
20
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 25 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Lefeuvre HGain GBădoiu VDinca DSchiller VRaiciu CHuici FOlivier PTsafrir DMUSUVATHI MGupta RAbu-Ghazaleh N(2024)Loupe: Driving the Development of OS Compatibility LayersProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 110.1145/3617232.3624861(249-267)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3617232.3624861
Hochschild PTurner PMogul JGovindaraju RRanganathan PCuller DVahdat AAngel SKasikci BKohler E(2021)Cores that don't countProceedings of the Workshop on Hot Topics in Operating Systems10.1145/3458336.3465297(9-16)Online publication date: 1-Jun-2021
https://dl.acm.org/doi/10.1145/3458336.3465297
van Tonder RLe Goues CRothermel GBae D(2020)Tailoring programs for static analysis via program transformationProceedings of the ACM/IEEE 42nd International Conference on Software Engineering10.1145/3377811.3380343(824-834)Online publication date: 27-Jun-2020
https://dl.acm.org/doi/10.1145/3377811.3380343
Yasugi MMuraoka DHiraishi TUmatani SEmoto K(2019)HOPEProceedings of the 48th International Conference on Parallel Processing10.1145/3337821.3337899(1-11)Online publication date: 5-Aug-2019
https://dl.acm.org/doi/10.1145/3337821.3337899
Vasilakis NKarel BPalkhiwala YSonchack JDeHon ASmith JMcKinley KFisher K(2019)Ignis: scaling distribution-oblivious systems with light-touch distributionProceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation10.1145/3314221.3314586(1010-1026)Online publication date: 8-Jun-2019
https://dl.acm.org/doi/10.1145/3314221.3314586
Veeraraghavan KMeza JMichelson SPanneerselvam SGyori AChou DMargulis SObenshain DPadmanabha SShah ASong YXu TArpaci-Dusseau AVoelker G(2018)MaelstromProceedings of the 13th USENIX conference on Operating Systems Design and Implementation10.5555/3291168.3291196(373-389)Online publication date: 8-Oct-2018
https://dl.acm.org/doi/10.5555/3291168.3291196
van Tonder RKotheimer JLe Goues CHuchard MKästner CFraser G(2018)Semantic crash bucketingProceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering10.1145/3238147.3238200(612-622)Online publication date: 3-Sep-2018
https://dl.acm.org/doi/10.1145/3238147.3238200
Benyo BClark SPaulos APal P(2018)HYDRAProceedings of the 13th International Conference on Availability, Reliability and Security10.1145/3230833.3230861(1-10)Online publication date: 27-Aug-2018
https://dl.acm.org/doi/10.1145/3230833.3230861
Rigger MMarr SSartor J(2018)Sandboxed execution of C and other unsafe languages on the Java virtual machineCompanion Proceedings of the 2nd International Conference on the Art, Science, and Engineering of Programming10.1145/3191697.3213795(227-229)Online publication date: 9-Apr-2018
https://dl.acm.org/doi/10.1145/3191697.3213795
Monperrus M(2018)Automatic Software RepairACM Computing Surveys10.1145/310590651:1(1-24)Online publication date: 23-Jan-2018
https://dl.acm.org/doi/10.1145/3105906
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Table of Contents