The society nowadays relies heavily on digitized information and services. Among others,cyber-security is one of the cornerstones of the digital world. The reality is that everydaynumerous computer systems are compromised, and that sensitive information is leaked,corrupted or forged. It does not only cause massive loss, but also hurts the confidenceof people over digitized information processing, such as electronic commerce, digitalhospitals, and online banking.In order to enhance software security, the status of program execution is usuallychecked and verified, aiming at detecting anomalies and cyber-attacks in their earlystages. Once an intrusion is detected, the service provider needs to diagnose the attackand fix the issue promptly.Although the procedure of monitoring, diagnosing, and fixing is widely adopted whendealing with software failures as well as security incidents, there exist many unresolvedissues in each of the actions. First, security checking and verification interleave withfunctional code, and thus slow down program execution; in reality, security is frequentlysacrificed for the sake of speed. Second, enterprise software is complicated, comprisingmillions of lines of code and a whole stack of intricate components. Once an anomaly isdetected, it is like looking for a noodle in a haystack to diagnose an attack and figure outthe root cause. Third, after a software vulnerability is reported, patch generation by thesoftware company is a lengthy process, which leaves the system vulnerable to attacks fora long time.Our work is devoted to making the procedure of monitoring, diagnosing and fixingmore efficient and intelligent. We thus proposed, built, and evaluated techniques towardsconcurrent monitoring, automated diagnosis, and instant defense generation.First, in order to resolve the tension between security checking and performanceoptimization, we propose a novel concurrent monitoring technology, named softwarecruising, which separates security checking from program functionality computationand runs them on separate processors or cores. It enforces monitoring in a concurrentand non-blocking fashion, and is featured with high efficiency and scalability. Unlikeconventional security techniques, which usually trade effect for efficiency, softwarecruising satisfies both the monitoring effect and efficiency needs.Next, one of the main reasons that diagnosis is time-consuming is the lack of criticalinformation in logs. Among a variety of runtime information, the calling context, i.e., thesequent of functions on the call stack, is especially useful; it provides precise informationabout which components are connected to the anomalies. While some techniques havebeen proposed to track calling context efficiently, they lack a reliable and precise decodingcapability; or they work only under restricted conditions, that is, small programs withoutobject-oriented programming or dynamic component loading. These shortcomings havelimited the application of calling context tracking in practice. We propose an encodingtechnique, named DeltaPath, without those limitations: it provides precise and reliabledecoding, supports large-sized programs, both procedural and objected-oriented ones,and copes with dynamic class/library loading. The technique thus enables calling contexttracking in a wide variety of scenarios.Finally, We present a new form of defense generation for implementing self-shieldingsoftware. Given an instance of exploitation of a software vulnerability, a defense can begenerated (without resorting to the software company) instantly and automatically. Wehave applied the technique to dealing with buffer overrun bugs, such as the Heartbleedvulnerability. Our insight is that, given a buffer overrun bug, the buffers that can beoverrun share the same calling context when they were allocated. Based on the obser-vation, we creatively utilize the calling context encoding technique to characterize anddistinguish heap buffers that can be exploited by attacker, and apply costly enhance-ment precisely to those problematic buffers. We present HeapTherapy, a heap memoryallocator that performs the characterization and installs defenses automatically. Ourexperiments illustrate that by applying HeapTherapy Nginx server becomes immune tothe Heartbleed attack. Moreover, HeapTherapy defeats various other real-world overflowattacks and the slowdown averages only 6% on SPEC CPU2006.By leveraging rich computation resources in multicore architectures as well as tech-niques such as virtualization, software cruising performs non-blocking monitoring withminimal performance penalty. Due to the availability of critical runtime information,diagnosis becomes directed and precise. The instant defense generation represents apromising direction for implementing self-shielding software. The evaluation showsthat software security can be significantly enhanced through concurrent monitoring,intelligent anomaly diagnosis, and instant defense generation.
