A Binary Agent Technology for COTS Software Integrity

Anant Agarwal, Richard Schooler
DARPA, Mar 2002
Agenda

• Objectives & Approach
• Prototype
• Recent Work
• User Experience
• Next Steps
Objectives

• "First-fault" diagnosis of application misbehavior (defects, attacks).
• "Always on": obviates the need to replicate failures.
• Fine-grain execution monitoring.

Focus on:
• Deployed applications - not just the development and QA phases.
• Inside the application - not just externally-visible behavior.
Approach

Approach:
• Run-time execution monitoring.
• Binary instrumentation to inject probes into release-built executables.

Targets & Assumptions:
• Similarity between explicit attacks and accidental faults.
• Assume system-level mechanisms are in place - not guarding against replacement of the entire executable, compromise of the OS, etc.
Prototype Tasks

• Core technology for customizable agent insertion into Windows NT/2000/XP and SPARC/Solaris.
• Anomaly detection and reporting.
• Rapid recovery and problem pinpointing.
Major Components

(Architecture diagram; only the labelled components are recoverable from the slide.)

• Instrumentation Engine: takes Executables and produces Instrumented Executables plus Map Files.
  • Map Files: Block->Address Map.
• Runtime: Service with a platform-dependent interface; produces Snapshot Files.
  • Snapshot Files: Block sequence, User logging, Post-Mortem info.
• Debug Info: Address<->Line Map, Source Module Name.
• Trace Reconstruction: combines Snapshot Files, Map Files and Debug Info into a Trace (XML).
  • Trace (XML): Source Line/Module, Thread, Annotations.
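As an added example (not code from the slides or from the project), the following Python sketches the trace reconstruction step shown in the diagram: a block sequence from a snapshot file is resolved through the Block->Address map and the Address<->Line debug info into an XML trace carrying source line/module, thread and user-logging annotations. All sample inputs, field names and the XML layout are constructed for the illustration; a block id missing from the map file is kept in the trace as "unmapped" rather than dropped, so gaps in the map stay visible to whoever reads the trace.

```python
import bisect
import xml.etree.ElementTree as ET

# Constructed sample inputs (hypothetical values, not from the slides).
# Snapshot file: executed basic-block ids in order, with the thread that ran them.
SNAPSHOT = [(1, 7), (1, 8), (2, 7), (1, 9), (2, 12), (1, 99)]
# Map file: block id -> address of that block in the instrumented executable.
BLOCK_ADDR = {7: 0x401000, 8: 0x401010, 9: 0x401024, 12: 0x402000}
# Debug info: (start address, source module, line), sorted by address; an
# address belongs to the last entry whose start is <= the address.
DEBUG_INFO = [(0x401000, "handler.c", 42), (0x401010, "handler.c", 43),
              (0x401020, "handler.c", 50), (0x402000, "db.c", 17)]
# User-logging records the agent attached to (thread, block).
USER_LOG = {(1, 8): "request parsed"}

def lookup_line(addr, debug_info=DEBUG_INFO):
    """Return (module, line) covering addr, or None if no entry covers it."""
    starts = [entry[0] for entry in debug_info]
    i = bisect.bisect_right(starts, addr) - 1
    return None if i < 0 else (debug_info[i][1], debug_info[i][2])

def reconstruct(snapshot, block_addr, debug_info, user_log):
    """Turn the block sequence into source-level records; unmapped blocks keep module=None."""
    records = []
    for seq, (thread, block) in enumerate(snapshot):
        addr = block_addr.get(block)
        loc = lookup_line(addr, debug_info) if addr is not None else None
        records.append({"seq": seq, "thread": thread, "block": block, "addr": addr,
                        "module": loc[0] if loc else None,
                        "line": loc[1] if loc else None,
                        "note": user_log.get((thread, block))})
    return records

def to_xml(records):
    """Serialise trace records as an XML trace document (constructed layout)."""
    root = ET.Element("trace")
    for r in records:
        ev = ET.SubElement(root, "event", seq=str(r["seq"]), thread=str(r["thread"]))
        ET.SubElement(ev, "block", id=str(r["block"]),
                      addr="unmapped" if r["addr"] is None else hex(r["addr"]))
        if r["module"] is not None:
            ET.SubElement(ev, "source", module=r["module"], line=str(r["line"]))
        if r["note"]:
            ET.SubElement(ev, "annotation").text = r["note"]
    return ET.tostring(root, encoding="unicode")
```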
User Interface

(Screenshot slide; no recoverable text.)

Configuration

(Screenshot slide; no recoverable text.)
Recent Work

• Solaris instrumentation & runtime.
• User deployments.
• Performance measurement.
Solaris Implementation

• New binary platform: SPARC ISA (delay slots, register windows), COFF format, ELF/STAB debug format, Solaris signal interface, TSD, etc.
• Compilers: Forte (SunPro) C/C++ & gcc C.

Some new issues:
• 64-bit support.
• How to hook the runtime (interposition via LD_PRELOAD).
• How to get relocation info (no /fixed:no).
• Balance between using Solaris-specific features and staying generic-Unix-portable.
User Experience

• Complex, multi-component application architecture.
• E.g., pharmaceutical trials ASP: deployed on 100s of servers!

(Diagram; labelled components: HTTP, HTML, IIS, MTS, Custom Service, Database, several DLLs, and a "Handled exception" marker.)
Performance

Typical scenario: business application
• Custom business application logic is instrumented.
• Runs on a stock framework (application server, OS, database, etc.).
• Relevant metrics are end-to-end transaction throughput and latency.

Results:
• Range from imperceptible up to ~10%.
• Matches the "5%" threshold most enterprises quote to go into production deployment.
Next Steps

Distributed application architectures:
• Multiple machines.
• Multiple technologies.

Larger-scale deployment issues:
• Analysis/correlation across many application traces.
• Clusters and server farms.
Combined Trace

(Screenshot slide; no recoverable text.)