This paper presents effective and efficient implementation techniques for DMA buffer overflow elimination on the Cell Broadband Engine™ (Cell/B.E.) processor. In the Cell/B.E. programming model, application developers manually issue DMA commands to transfer data from the system memory to the local memories of the Cell/B.E. cores. Although this allows us to eliminate cache misses or cache invalidation overhead, it requires careful management of the buffer arrays for DMA in the application programs to prevent DMA buffer overflows. To guard against DMA buffer overflows, we introduced safe DMA handling functions for the applications to use. To improve and minimize the performance overhead of buffer overflow prevention, we used three different optimization techniques that take advantage of SIMD operations: branch-hint-based optimizations, jump-table-based optimizations and self-modifying-based optimizations. Our optimized implementation prevents all DMA buffer overflows with minimal performance overhead, only 2.93% average slowdown in comparison to code without the buffer overflow protection.

抄録全体を表示

A buffer overflow attack occurs when a program writes data outside the allocated memory in an attempt to invade a system. Approximately forty percent of all software vulnerabilities over the past several years are attributed to buffer overflow. Taint tracking is a novel technique to prevent buffer overflow. Previous studies on taint tracking ran a victim's program on an emulator to dynamically instrument the code for tracking the propagation of taint data in memory and checking whether malicious code is executed. However, the critical problem of this approach is its heavy performance overhead. Analysis of this overhead shows that 60% of the overhead is from the emulator, and the remaining 40% is from dynamic instrumentation and taint information maintenance. This article proposes a new taint-style system called Embedded TaintTracker to eliminate the overhead in the emulator and dynamic instrumentation by compressing a checking mechanism into the operating system (OS) kernel and moving the instrumentation from runtime to compilation time. Results show that the proposed system outperforms the previous work, TaintCheck, by at least 8 times on throughput degradation, and is about 17.5 times faster than TaintCheck when browsing 1KB web pages.

抄録全体を表示

Anomaly-based worm detection is a complement to existing signature-based worm detectors. It detects unknown worms and fills the gap between when a worm is propagated and when a signature is generated and downloaded to a signature-based worm detector. A major obstacle for its deployment to personal computers (PCs) is its high false positive alarms since a typical PC user lacks the skill to handle exceptions flagged by a detector without much knowledge of computers. In this paper, we exploit the feature of personal computers in which the user interacts with many running programs and the features combining various network characteristics. The model of a program's network behaviors is conditioned on the human interactions with the program. Our scheme automates detection of unknown worms with dramatically reduced false positive alarms while not compromising low false negatives, as proved by our experimental results from an implementation on Windows-based PCs to detect real world worms.

抄録全体を表示

本稿では，セキュリティを語る上で基盤となる「インターネット」の歴史に触れ，脅威の根源となっている「マルウェアの変遷」について説明する．さらに，現在，複雑化する通信/ システムインフラやアプリケーションにより構成されるサイバー空間における脅威を概観する．最後に，概観した脅威に対抗するためのセキュリティ技術の全体像を概観し，将来に向けたセキュリティ技術のあり方，その方向性についても言及する．

抄録全体を表示

インターネットを通じた不正アクセスはここ数年，なぜ顕著に増加しているのか。本稿ではまず攻撃者の手法に関し，歴史をさかのぼってそのトレンド分析を行い，防御技術に課せられた課題と限界について解説する。またセキュリティー対策の今後について，「まず観察して情勢を判断し，意思決定に基づいて行動，その結果を再び観察する」OODA（Observation-Orientation-Decision-Action）サイクルにも着目する。さらには組織と人材の育成において，何が急務とされているのかについて示す。

抄録全体を表示