Results 1 - 10 of 28,617

Table 6.1: Results of running Vulncheck in taint analysis mode

in Automatic Vulnerability Detection Using Static Source Code Analysis
by Alexander Sotirov 2005
Cited by 1

TABLE II ACTIONS PERFORMED BY LITERAL ANALYSIS AND TAINT ANALYSIS FOR SIMPLE ASSIGNMENT NODES DEPENDING ON THE LEFT-HAND VARIABLE.

in Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
by Nenad Jovanovic, Christopher Kruegel, Engin Kirda 2006
Cited by 23

Table 4: Performance slowdown for the SPEC benchmarks with a pointer tainting analysis that filters false positives by clearing tags for select compare and AND instructions. A slowdown of 1.34x implies that the program runs 34% slower with security checks enabled.

in Raksha: A Flexible Information Flow Architecture
by unknown authors
"... In PAGE 11: ... On the other hand, fast software handlers can be useful in the protection against memory corruption attacks, by helping identify potential bounds-check operations and managing the trade-off between false positives and false negatives. Table 4 presents the slowdown experienced by various integer benchmarks from the SPEC2000 suite when software handlers are used to identify input validation cases while running the pointer tainting analysis that provides protection against memory corruption attacks. We attempted to separately filter two validation cases: comparison instructions that constitute bounds checks; and logical AND instructions with a power of two minus one that serve as bounds checks if used before indexing into a power of two sized table.... In PAGE 11: ... We also attempted to filter both validation cases in a combined analysis. For every filter case, the left column in Table 4 shows the slowdown with Raksha when the software filter utilizes the low-overhead security exception. The right column measures the slowdown when the software filter is invoked through a regular OS exception.... In PAGE 11: ... OS traps are the mechanism that previous DIFT architectures would use to invoke further software, had they recognized the need for software intervention to properly handle these corner cases. Table 4 indicates that for programs like gcc and crafty, the overhead of software filtering is quite low for both mechanisms, as they rarely use tagged data in comparisons or logical AND instructions. On the other hand, utilities like twolf and bzip2 generate these cases more frequently.... In PAGE 11: ... While Raksha cannot eliminate all performance issues in all cases, it helps reduce the overhead of avoiding false positives and negatives in strong security policies. Table 4 shows that the overhead for the combined filter is sometimes lower than that with one of the individual filters. This is due to the synergistic nature of the two filters.... In PAGE 11: ... Low-overhead security exceptions allow software to intervene more frequently or perform more work per invocation. For reference, our software filters for the experiments in Table 4 require approximately 100 instructions per invocation. 8.... ..."

Table 2: Experimental results: Bugs is the total number of bugs found; FP the number of false positives. File is the number of files checked; FN the number of functions; LOC the number of lines of code.

in ARCHER: Using Symbolic, Path-sensitive Analysis to Detect Memory Access Errors
by Yichen Xie, Andy Chou, Dawson Engler 2003
"... In PAGE 9: ... We believe they represent a good mix of security sensitive system software being used today. We summarize the analysis results in Table 2. The security errors in Linux are found by intersecting buffer access errors with results from a modified tainting analysis [1]: we flag values that could come from a malicious user and any error involving those values could be a potential security... ..."
Cited by 33

Table 2: Experimental results: Bugs is the total number of bugs found; FP the number of false positives. File is the number of files checked; FN the number of functions; LOC the number of lines of code.

in ARCHER: Using Symbolic, Path-sensitive Analysis to Detect Memory Access Errors
by unknown authors
"... In PAGE 9: ... We believe they represent a good mix of security sensitive system software being used today. We summarize the analysis results in Table 2. The security errors in Linux are found by intersecting buffer access errors with results from a modified tainting analysis [1]: we flag values that could come from a malicious user and any error involving those values could be a potential security... ..."

Table 1. Initial sources of taint values.

in Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis
by Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna 2007
Cited by 6

Table 2: Dependency rules between processes, files and sockets

in Categories and Subject Descriptors
by Ashvin Goel, Kenneth Po, Kamran Farhadi, Zheng Li, Eyal De Lara
"... In PAGE 3: ... Similarly, a process becomes dependent on a file when it reads the file. Table 2 shows the dependency rules between the kernel objects that are considered by the analyzer. These rules are used to taint a dependent object when the source object is tainted.... In PAGE 3: ... Each dependency, which always involves a process, is caused by the type of operations shown in the corresponding row. The last column of Table 2 shows some of the key system call operations that constitute each type of operation. A process to process dependency occurs when a child process is forked, which captures a tainted process hierarchy, and when IPC and signal-based communication occurs between processes.... In PAGE 3: ...3.2 Tainting Algorithm The tainting algorithm derives the set of tainted objects using the audit log, the dependency rules shown in Table 2 and an initial set of tainted objects, known as detection points, that are provided by an intrusion detection system (IDS) or an administrator. Detection points can either be the source of an attack (e.... In PAGE 3: ... The propagation phase starts from the attack start-time and uses the dependency rules to mark objects as tainted. When an operation shown in Table 2 occurs, and the source object is tainted, the taint status propagates to the dependent object. The dependent object is then marked tainted, and the tainting time is recorded.... In PAGE 4: ... In particular, modification operations to a file-system object that occur after the time the object was tainted are marked as tainted operations and are not replayed. This simple redo solution is correct because the dependency rules in Table 2 ensure that legitimate operations do not depend on tainted operations. Unfortunately, replaying all legitimate operations can be a slow process.... In PAGE 4: ... Operations that occur after the attack time are marked tainted and are shown in boxes. Note that the dependency rules in Table 2 ensure that after the first tainted operation, all operations on a tainted name, content or attribute object are marked tainted. Recovery starts with the file-system state at the recovery time.... In PAGE 5: ....1.1 Optimistic Analysis Policies The analyzer described in Section 2.3 uses a conservative taint analysis policy that takes into account all dependency rules listed in Table 2. This policy correctly identifies all tainted kernel objects, but it generates a large number of false dependencies that cause legitimate objects to be marked tainted.... ..."

Table 3.1: Initial tainted sources

in by
by unknown authors 2006

Table 4.1: Tainting policies and operations

in Contents
by Kai Yi Po
Developed at and hosted by The College of Information Sciences and Technology

© 2007-2019 The Pennsylvania State University