ABSTRACT
Speck (Speculative Parallel Check) is a system that accelerates powerful security checks on commodity hardware by executing them in parallel on multiple cores. Speck provides an infrastructure that allows sequential invocations of a particular security check to run in parallel without sacrificing the safety of the system. Speck creates parallelism in two ways. First, Speck decouples a security check from an application by continuing the application, using speculative execution, while the security check executes in parallel on another core. Second, Speck creates parallelism between sequential invocations of a security check by running later checks in parallel with earlier ones. Speck provides a process-level replay system to deterministically and efficiently synchronize state between a security check and the original process. We use Speck to parallelize three security checks: sensitive data analysis, on-access virus scanning, and taint propagation. Running on a 4-core and an 8-core computer, Speck improves performance 4x and 7.5x for the sensitive data analysis check, 3.3x and 2.8x for the on-access virus scanning check, and 1.6x and 2x for the taint propagation check.
Recommendations
Parallelizing security checks on commodity hardware
ASPLOS '08
Speck (Speculative Parallel Check) is a system that accelerates powerful security checks on commodity hardware by executing them in parallel on multiple cores. Speck provides an infrastructure that allows sequential invocations of a particular security ...