SwapoutClustering patch tested

Posted by frag – November 2, 2009

When NetBSD and FreeBSD swap out a page from a process, they look in the process virtual address space to find nearby pages that are also candidates for being swapped out. This greatly increases the chance of swapin IO pulling in related data, reducing the number of disk seeks involved in swap IO (from kernelnewbies.org).
I’ve tested the Swapout Clustering patch here and it seems to improve the overall swapping system.
I wrote a benchmark tool to test the swapping system of Linux and collect results.
The benchmark allocates and locks a high amount of physical memory and measures timings of reads and writes to swapped memory.

Actually the parent process sucks all the memory, locks it (unswappable memory) and other 30 processes allocate their own memory to perform reads and writes on.
Three parameters (amount of memory to lock, number of benchmark processes, amount of memory allocated per process) can be tuned to perform a reasonable benchmark on different systems.

Results have been collected on a virtual machine running in KVM, with 128MB RAM.
The benchmark tool has been launched by locking 110MB of physical memory; 30 processes performed reads and writes on a 10MB memory space.
Build and run with

make swapbench
./swapbench -a 110 -p 30 -l 10

Set a reasonable amount of memory to lock and force the system to swap benchmark processes’ memory in and out.

Results

I run the benchmark many times to collect reliable results on a Kvm virtual machine with 128MB Ram, Intel Core2Duo processor and the kernel versions reported in the table below:

kernel version Avg. read (s) Avg. write (s) Overhead read Overhead write
linux-git 2.6.32-rc5
0.560072201681
0.560865798319
%
%
linux-git-swapoutclustering-patch
0.433929222689
0.43047510084
-23%
-23%

Download

The source code of the benchmark as well as the collected results is available for download.

Filename Description Download
swapbench.c Source code of the benchmark tool (not complete but fully functional) here
bench_swap_cluster.txt Results collected from linux-git here
bench_swap_cluster_patch.txt Results collected from linux-git-cluster-patch here
readstats.py Python utility to compute averages from result files here

BitTorrent “magic tricks”

Posted by frag – July 29, 2009

A recent research paper in the field of P2P technology has been published and considered the “most effective” solution to kill P2P as it is intended nowadays. The research comes indeed with the scary title Proactive Content Poisoning To Prevent Collusive Piracy in P2P File Sharing.
It consists in injecting fake pieces of files to not authorized peers (users who didn’t pay the fee to download) who will never download the complete file, of course (they will download it in infinite time… ok engineers…:) ).
Thing is that the BitTorrent protocol is not affected by this kind of protection since each piece is checked with the SHA1 of the metainfo file (the .torrent file you download from thepiratebay.org…). Moreover all modern BitTorrent clients try to download chunks (parts of a piece for which the SHA1 exists) of the same piece from the same peer. This would prevent a peer to stay anonymous when he will inject a fake chunk. At the first occasion, when the complete piece can be checked, if the checksum fails, that peer is banned from the peerlist.
(Why not informing the tracker with a hey-this-is-a-bad-guy message? I think this can be a protocol extension).

Full paper can be downloaded here.

Another great magic trick of the BitTorrent protocol (although it needs improvements) or just another pompous strategy to prevent filesharing?

Days…

Posted by frag – July 18, 2009

daysCopyright 2009 Francesco Gadaleta

days

Traditional computing for new tasks: an overview of modern Internet browsers

Posted by frag – July 16, 2009

In the last ten years the web has evolved from a set of interconnected static pages to a system of complex, distributed applications and active content. Traditional browsers are no more appropriate tools to handle such contents and many security issues have arisen from the usage of tools designed to handle traditional types of content.
Insufficient studies have been accomplished to surf the new contents of the Internet, referring to dynamic and potentially malicious applications.
Internet browsers have become the most used application for common operations like media streaming, social networking, chatting or bank transactions. The integration with plugins and external applets and the support of real programming languages like Javascript, C# or Java, let traditional browsers grow in terms of complexity and type of achievable operations. Thereby, this high complexity has come with several security issues, allowing potential attackers and malicious web sites to compromise the overall system during the execution of a browser instance.
Monolithic browsers are mainly affected by these issues, since a vulnerability can be exploited to attack the local operating system. There is no isolation mechanism among browser components and an attack coming from one of the running components can affect all the others. A crash of the Javascript engine, for instance, might crash the whole application. A traditional approach in designing web browsers may therefore lead to high severity vulnerabilities. Designing a new generation browser only to achieve the highest performance, underestimating the security issues is not considered a smart choice nowadays.

Because web browsers have become really complex applications, there might be several critical points, potential targets for attackers: the rendering engine, the Javascript interpreter, or any other browser supported language, external plugins, etc.., are all interesting spots to search for vulnerabilities to exploit.
It seems that the current browser war is all focused on cranking out the fastest browser, the one which eats 3D rendering for breakfast or completes the pure Javascript benchmark in 10ms less than its direct competitor.
When it comes to (almost) the only application to surf the web and communicate to people, thinking about security is a must (well, it should be). Whereas an application run locally could be designed to achieve great performances at the expense of security (relatively important for an application that will not connect to anyone and cannot serve requests), the Internet browser cannot be designed with such requirements at all.
The monolithic approach, eg. Mozilla Firefox, Safari, IE, is not suitable to overcome the security issues described above, since it is hard to isolate components with a straightforward design. A vulnerability discovered in the HTML parser or in the Javascript engine, would compromise the whole system. In the monolithic browser each component is executed in the same address space of any other.
The most effective design to solve such issues consists in isolating each component by sandboxing processes and/or creating different processes to execute in different address spaces. The birth of modular browsers characterized by an interesting architecture design to reduce common browser attacks, seems to be the right direction.
A hard technical difficulty is represented by backward compatibility with existent complex web sites. All processes contributing to view the web page and let the user surf interactively need a way to communicate to each other (this is normally provided by Inter Process Communication mechanisms, IPC).
Another quality factor is represented by performance. In a multiprocess browser, IPC comes with a cost. In a realistic scenario, a page composed by HTML code, embedded Javascript and some Flash, needs at least three processes to be rendered.

Google Chrome is currently the most promising solution in terms of security (and performances). Chrome is a browser specifically designed to reduce the security issues that may affect a web browser (eg. remote code execution, exploit of vulnerabilities in the Javascript engine, etc…). Chrome is designed to achieve a clear isolation between a browser kernel and a rendering engine. The former, is considered a trusted code component, is responsible to draw interfaces, save cookies, allow access to network and to the local file system. The rendering engine is the second main component to parse HTML code, interpret Javascript/DOM and execute in a virtual machine, decode images, fill in the screen buffer. All these operations are sandboxed in order to maintain a good level of security also when a vulnerability in one of those components is found and exploited.
Unfortunately, sandbox is an Operating System dependent component. Thus portability is another issue to deal with. For instance, processes in Linux can be sandboxed by AppArmor or other techniques, whereas Mac OS X provides an operating system sandbox which is clearly different from the one provided by Microsoft Windows.
Attempting the direction of Operating System development could be an easy way to avoid the technical problem of portability.
In a modular browser each rendering engine must be executed by a different process. In such an architecture an attack coming from site A wouldn’t have any effect on the process in which the rendering engine of site B is running. How to separate processes is still an open problem and more studies are needed. Separation can be achieved at Tab, web page or address level (Same-Origin policy) or any other well-advised policy.
A tradeoff between backward compatibility and the degree of security to guarantee, need to be taken into account. Although, when it comes to security this is a difficult goal to reach.
Google measures performance and security of its new browser with a method far away to be appropriate. In [1] they report that Chrome mitigates about 70% of critical vulnerabilities other browsers are affected. This is clearly an insufficient metric since there would be the “big one” vulnerability leading to a disaster (if exploited), in the remaining 30%.
Although Google Chrome is considered the most promising architecture in comparison to what the market of browsers is offering nowadays, it is still affected by some limitations, both in the implementation and design.
Limitations in the implementation must be considered solvable in further mature versions of the browser. But limitations in the design should be considered a critical path to work on at once.
A critical problem is represented by plugins that require to be executed in the browser kernel, since they need to access operating system resources directly. In this specific scenario the crash of one plugin would lead to crash the overall system. In case plugins were executed in the rendering engine, creating new instances would lead to compatibility issues for all those plugins that require at most one running instance.
Another implementation issue prevents a sandboxed process from opening network sockets directly. Thus all sockets are opened by the browser kernel, exposing it to potentially exploitable vulnerabilities.

Peacekeeper benchmark results

Some results from Peacekeeper benchmark suite are reported here. Google Chrome is not the fastest browser as they claim. The multiprocess architecture comes with a cost, specially on mashups. Great results only on text parsing.
Google Chrome seems to be highly operating system dependent. The following results have been collected from Peacekeeper benchmarks on Mac OS X and Windows XP.

Mac OSX

Test Safari 4 FF3.5.1 Chrome 3.0.192
Rendering 1220 1772 777
Social Networking 1543 1583 514
Complex Graphics 1021 2576 1454
Data 2920 1910 1398
DOM operations 3302 1073 1482
Text parsing 3031 1172 3332

Windows XP SP2

Test Safari 4 FF3.5.1 Chrome 2.0.172
Rendering 882 1674 889
Social Networking 1030 1433 897
Complex Graphics 1533 2029 2610
Data 2401 1895 1504
DOM operations 2037 835 1094
Text parsing 2047 1141 2413

(the higher the better)

Designing an operating system and running new generation browsers on top of it may help in solving many of the issues described above. The difficulty indeed is to integrate new generation browser designs with traditional operating systems.
The idea of designing a browser tailored operating system (and not the reverse as can be thought) is not new: Tahoma [2] offers a virtualization architecture to isolate web applications and browser instances.
The concepts come from three main assumptions:

  • Web applications should not be trusted, thus contained within appropriate sandboxes to mitigate damages to the operating system.
  • Web browsers should not be trusted since they’ve become more complex and prone to bugs. Thus they should be isolated from the rest of the system.
  • Users should control and manage downloaded web applications possibly having a list of web services to which the local applications could connect.

The architecture offered by Tahoma consists in defining a browser operating system (BOS) and executing special implementations of existent browsers as Netscape or Internet Explorer, on top of it.
The BOS limits the set of web services each application is permitted to connect to, throughout white lists and security policies. Each browser instance is executed within a virtual machine which provides access to hardware resources to share with other running virtual machines.
The isolation guaranteed by a virtualization environment is much stronger than the one provided by a multiprocess architecture. This higher level of security comes with a cost.
I believe that since there are no defined metrics to assess the performances of an application with respect to the level of security its implementation provides, poorer performances should be absolutely acceptable in all those cases where a high degree of security is guaranteed by the method.
Normally, people think about performance as the number of operations perceived by the final user in the time unit. Unfortunately, for an application that guarantees the maximum degree of security this is not a correct metric anymore.
A browser instance running in the Tahoma architecture for the first time requires a huge amount of operations to set a secure environment: a new virtual machine is created on the fly, a guest operating system is booted, browser code and data are installed, a browser instance is finally executed. The architecture is exactly the same proposed by Xen Virtual Machine Monitor, VMM. All applications are executing in virtual machines booted on top of the Virtual Machine Monitor.
The cost of virtualization is usually high. A browser cold start occurs in about 10 seconds (Intel P4 3,0GHz, 1GB RAM, Linux Kernel 2.6.10) against 5 seconds on a native Linux.

When it comes to security it is already hard to find the optimal tradeoff with performance. When it comes to browser security it seems to be even worse, since the Web Browser is the most used application and the way people use computers is definitely being revolutionized.

References

[1] The Security Architecture of the Chromium Browser
Adam Barth, Collin Jackson, Charles Reis, and The Google Chrome Team
Technical Report 2008

[2]A safety-oriented platform for web applications
Richard S. Cox, Steven D. Gribble, Henry M. Levy, Jacob Gorm Hansen

Address Space Layout Randomization: an Overview

Posted by frag – September 18, 2008

Internet and the proliferation of opensource programs that have given source code informations to exploit vulnerabilities of applications, made buffer overflow attacks more common and insidious methods to compromise software security.
Since these attacks require knowledge of the memory layout schema, the basic idea to design a countermeasure is to randomize locations of target memory areas. Address Space Layout Randomization is a method for randomizing the address space layout of a program. An analysis of benefits and drawbacks of the method is provided in order to discuss possible choices to avoid or reduce the risk of attacks.

Download full paper here