Data Watch Presenter Information Jason Puncher and François Tétreault

Slides:



Advertisements
Similar presentations
SE-292: High Performance Computing
Advertisements

ITEC 352 Lecture 27 Memory(4). Review Questions? Cache control –L1/L2  Main memory example –Formulas for hits.
COMP 3221: Microprocessors and Embedded Systems Lectures 27: Virtual Memory - III Lecturer: Hui Wu Session 2, 2005 Modified.
Memory Management and Paging CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.
CS 104 Introduction to Computer Science and Graphics Problems
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Memory Management Chapter 5.
Computer Organization Cs 147 Prof. Lee Azita Keshmiri.
CS 333 Introduction to Operating Systems Class 9 - Memory Management
CS333 Intro to Operating Systems Jonathan Walpole.
IT253: Computer Organization
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.
Paging (continued) & Caching CS-3013 A-term Paging (continued) & Caching CS-3013 Operating Systems A-term 2008 (Slides include materials from Modern.
Lecture Topics: 11/24 Sharing Pages Demand Paging (and alternative) Page Replacement –optimal algorithm –implementable algorithms.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.
Multilevel Caches Microprocessors are getting faster and including a small high speed cache on the same chip.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Memory Management Overview.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Virtual Memory Implementation.
Memory management The main purpose of a computer system is to execute programs. These programs, together with the data they access, must be in main memory.
1 Virtual Memory. 2 Outline Case analysis –Pentium/Linux Memory System –Core i7 Suggested reading: 9.7.
Translation Lookaside Buffer
Lecture 11 Virtual Memory
Displacement (Indexed) Stack
Non Contiguous Memory Allocation
Jonathan Walpole Computer Science Portland State University
Virtual Memory Chapter 7.4.
CE 454 Computer Architecture
Chapter 2 Memory and process management
Segmentation COMP 755.
ECE232: Hardware Organization and Design
CSE 120 Principles of Operating
Virtual Memory User memory model so far:
Today How was the midterm review? Lab4 due today.
Modeling Page Replacement Algorithms
Swapping Segmented paging allows us to have non-contiguous allocations
Memory Hierarchy Virtual Memory, Address Translation
Morgan Kaufmann Publishers
William Stallings Computer Organization and Architecture 8th Edition
CSE 153 Design of Operating Systems Winter 2018
Chapter 8: Main Memory.
CSE 153 Design of Operating Systems Winter 2018
O.S Lecture 13 Virtual Memory.
Module IV Memory Organization.
Main Memory Background Swapping Contiguous Allocation Paging
CS399 New Beginnings Jonathan Walpole.
Modeling Page Replacement Algorithms
Memory Management Overview
Virtual Memory Hardware
Translation Lookaside Buffer
Lecture 3: Main Memory.
Effective and Efficient memory Protection Using Dynamic Tainting
CSE 451: Operating Systems Autumn 2005 Memory Management
Virtual Memory Overcoming main memory size limitation
Contents Memory types & memory hierarchy Virtual memory (VM)
CSE451 Virtual Memory Paging Autumn 2002
CSE 451: Operating Systems Autumn 2003 Lecture 9 Memory Management
Translation Buffers (TLB’s)
CSE 451: Operating Systems Autumn 2003 Lecture 9 Memory Management
Lecture 7: Flexible Address Translation
COMP3221: Microprocessors and Embedded Systems
CSE 153 Design of Operating Systems Winter 2019
Paging and Segmentation
CSE 153 Design of Operating Systems Winter 2019
Virtual Memory Lecture notes from MKP and S. Yalamanchili.
Virtual Memory Use main memory as a “cache” for secondary (disk) storage Managed jointly by CPU hardware and the operating system (OS) Programs share main.
COMP755 Advanced Operating Systems
Virtual Memory and Paging
Chapter 8 & 9 Main Memory and Virtual Memory
Presentation transcript:

Data Watch Presenter Information Jason Puncher and François Tétreault Date Dec 13, 2016

Overview Goal of the techniques discussed in this presentation is to catch invalid memory accesses (read or write) whilst minimizing the impact on both the CPU and memory. “Catching the invalid access in the act.” Keeping in mind the limitations of ours embedded systems: All are PowerPC-based All are 32 bit. File system is either a small flash disk or a tiny ROM RAM and CPU is limited i.e. some targets only have 64 MB of RAM

Problem Summary Software may intentionally or unintentionally access memory (e.g. read or write) that it shouldn’t. NULL pointer dereference, access beyond array scope, or continued access of released memory. Many tools exists to catch these types of accesses. But most catch it after the fact. And even few support latent memory access. Some tools exist that to catch software in the act. Valgrind : This tool simulates every instruction the program executes, adding instrumentation to every memory access, and every value computed.   Though it will catch the access, it means simulating every instruction (plus instrumentation) resulting in significant runtime performance impact (10-50 times slower execution).  Electic Fence: Not so much a tool as a technique which requires rounding the number of bytes allocated to the nearest page size.  This would have a significant memory impact in software which allocates many small blocks on a system with large page sizes.

Overview Data Watch will track all accesses to memory allocated from the heap. It can detect some stack overwrite conditions, memory block "out-of-bounds" access and latent read-write to previously freed memory. Violations such as these often result in abnormal system behaviors that can be very hard to debug because the effects are unpredictable and can manifest in ways completely unrelated to the affected sub-systems or code.

Address Watchpoints (inspiration…) block = allocator(size,…) block == 0xFFFFFFFFA092600 block = add_watchpoint(block, <meta-data>) block == 0x7654FFFFA092600 Inspired by presentation from Peter Goodman, a student from the University of Toronto (in May 2014). Reference material can be found here: https://ahls.dorsal.polymtl.ca/system/files/AHLS%20-%20Address%20Watchpoints-%20Instrument%20Data%2C%20Not%20Code.pdf Taint object addresses so that accesses to "interesting" objects always raise a fault. "Address watchpoints“ Relies on x86-64 48-bit address implementation in which 16 bits are "free" to be changed. <meta-data>

Address Watchpoints (continued…) Application Tainted Memory Exception Real Memory Access to tainted memory will generate and exception. The exception handler would then strip the 16 bit taint from the address line and follow through with the access to physical memory. Problem: How do we taint the address on a 32 bit system? We do so by mapping the physical memory to a virtual memory region not mapped by the hardware MMU. In essence, we are creating a software MMU. However, we are not limited by the page size, or having to align the physical address to a page boundary.

Working with 32-bit applications Virtual Address Space Physical Address Space Carve up a large region of unmapped memory into equal sized blocks. The memory allocator will : allocate both a physical block of memory as well as one of these virtual blocks. update a table mapping the virtual block address to its physical memory. The table will also include the allocation size. return the pointer to the virtual address. The pointer is now tainted. All accesses through this pointer will cause an exception, allowing the tool to sanitize the access. If sane, the tool will map the virtual address back to the phyiscal memory and perform the read/write. Memory Block A Block D Memory Block B Block B Return these addresses Block C Memory Block C Memory Block D Block A

Working with 32-bit applications (continued) Virtual Address Space The limitation to this approach is that the tool can only track allocations whose size is smaller than the virtual block size. For this reason we create multiple regions of varying block sizes. In our system unmapped memory far exceeds the amount of physical memory. As such, with this approach we are able to create enough regions to cover all memory allocations. Block 1 Region 1 Blocks of same size (i.e. 512 bytes) Block n Block 1 Region 2 Blocks of same size (i.e. 4KBytes) Block m

Tool Memory Allocation and Management Link list (prev) Link list (next) Physical addr Allocated size A table is maintained to map the block index back to its physical address. Each entry having : dual link list pointers to easily access both the free list, and allocation list physical address for each block (after allocation) the size of the memory allocation Elements are pulled from the free list using FIFO. It’s a best effort way to ensure recently freed blocks are not re-used immediately. A mapping table is created for each region. Free List [head] 0x2cdf670 Allocated List [head] 0x28df240 0x2bce690 0x2cf29a0 0x22df500 0x24df070 Table for region 1 (for blk of size X) Table for region 2 (for blk of size Y)

Tool Memory Allocation and Management (continued…) In our system it’s possible to carve off a 128/256 MB (aligned) blocks of virtual memory. The starting address of this block is our base. In it we create equal sized regions (the number of which must be a power of 2). We then carve each region into blocks (the size of which must also be a power of 2). This allows us to quickly determine which region we are accessing and which block (within the region) based on the bits in the address. 32 bit Virtual Address Region Number [0-X] Block number [(X+1)- Y] Offset Into Block [(Y+1)-31] BASE Block Index Region Index Table for region 1 (for blk of size X) Table for region 2 (for blk of size Y) 32 bit Physical Address + Offset

Runtime Execution Exception Table text Access to a virtual address generates a Data Access Exception (DSI). Exception handler calculates block index, and offset into block. Block index is used to locate metadata. With it, it can determine if the offset is greater than the allocated size. or if the block is still allocated. optionally, the memory could be pre-filled with a know pattern to see if we have a read before right access. map the block + offset to the physical address Log Error or trap if address is invalid. The exception handler must then emulate the load/store using the physical address. instruction PC Data Access Our Memory Access Validation Code stw xx instruction instruction … Translate Virtual to Physical address Addr. valid? size != 0 offset < size True False Log error or trap Emulate mem access Return from interrupt

Other applications This tool has been expanded to support: Stack linkage scribbler detection Watch specific memory address range Read before Write detection Memory Utilization Tracking Static Memory Overruns

Where to next? Currently working on porting to Linux OS. Add support for ARM processor. Add support for static (data/bss) memory overruns. This would require compile modifications.

Thank You