Olatunji Ruwase* Shimin Chen+ Phillip B. Gibbons+ Todd C. Mowry*

Slides:



Advertisements
Similar presentations
Pay-to-use strong atomicity on conventional hardware Martín Abadi, Tim Harris, Mojtaba Mehrara Microsoft Research.
Advertisements

A Binary Agent Technology for COTS Software Integrity Richard Schooler Anant Agarwal InCert Software.
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Flexible Hardware Acceleration for Instruction-Grain Program Monitoring Joint work with Michael Kozuch 1, Theodoros Strigkos 2, Babak Falsafi 3, Phillip.
Instrumentation of Linux Programs with Pin Robert Cohn & C-K Luk Platform Technology & Architecture Development Enterprise Platform Group Intel Corporation.
Software & Services Group PinPlay: A Framework for Deterministic Replay and Reproducible Analysis of Parallel Programs Harish Patil, Cristiano Pereira,
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
Wish Branches Combining Conditional Branching and Predication for Adaptive Predicated Execution The University of Texas at Austin *Oregon Microarchitecture.
Comprehensive Kernel Instrumentation via Dynamic Binary Translation Peter Feiner, Angela Demke Brown, Ashvin Goel University of Toronto Presenter: Chuong.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
Chrysalis Analysis: Incorporating Synchronization Arcs in Dataflow-Analysis-Based Parallel Monitoring Michelle Goodstein*, Shimin Chen †, Phillip B. Gibbons.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks - F. Qin, C. Wang, Z. Li, H. Kim, Y. Zhou, Y. Wu (UIUC,
Pipeline Enhancements for the Y86 Architecture
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Efficient and Flexible Architectural Support for Dynamic Monitoring YUANYUAN ZHOU, PIN ZHOU, FENG QIN, WEI LIU, & JOSEP TORRELLAS UIUC.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Dynamic Program Security Aaron Roth Ali Sinop Gunhee Kim Hyeontaek Lim.
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Dynamic Tainting for Deployed Java Programs Du Li Advisor: Witawas Srisa-an University of Nebraska-Lincoln 1.
1 Improving Hash Join Performance through Prefetching _________________________________________________By SHIMIN CHEN Intel Research Pittsburgh ANASTASSIA.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Umbra: Efficient and Scalable Memory Shadowing CGO 2010, Toronto, Canada April 26, 2010.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
SCRAP: Architecture for Signature-Based Protection from Code Reuse Attacks Mehmet Kayaalp, Timothy Schmitt, Junaid Nomani, Dmitry Ponomarev and Nael.
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu.
1 Dimension: An Instrumentation Tool for Virtual Execution Environments Jing Yang, Shukang Zhou and Mary Lou Soffa Department of Computer Science University.
Parallelizing Security Checks on Commodity Hardware E.B. Nightingale, D. Peek, P.M. Chen and J. Flinn U Michigan.
Page Overlays An Enhanced Virtual Memory Framework to Enable Fine-grained Memory Management Vivek Seshadri Gennady Pekhimenko, Olatunji Ruwase, Onur Mutlu,
R Enabling Trusted Software Integrity Darko Kirovski Microsoft Research Milenko Drinić Miodrag Potkonjak Computer Science Department University of California,
DOWN TO THE BARE METAL: USING PROCESSOR FEATURES FOR BINARY ANALYSIS Carsten Willems 1, Ralf Hund 1, Andreas Fobian 1, Thorsten Holz 1, Amit Vasudevan.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.
Scalable Support for Multithreaded Applications on Dynamic Binary Instrumentation Systems Kim Hazelwood Greg Lueck Robert Cohn.
On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan December 12,
15-410, S’ Hardware Overview Jan. 19, 2004 Dave Eckhardt Bruce Maggs L04_Hardware “Dude, what were you thinking?”
JIT Instrumentation – A Novel Approach To Dynamically Instrument Operating Systems Marek Olszewski Keir Mierle Adam Czajkowski Angela Demke Brown University.
An Integrated Framework for Dependable and Revivable Architecture Using Multicore Processors Weidong ShiMotorola Labs Hsien-Hsin “Sean” LeeGeorgia Tech.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Binary Concolic Execution for Automatic Exploit Generation Todd Frederick.
Computer Architecture Lab at Evangelos Vlachos, Michelle L. Goodstein, Michael A. Kozuch, Shimin Chen, Phillip B. Gibbons, Babak Falsafi and Todd C. Mowry.
Carnegie Mellon Log Based Dynamic Binary Analysis for Detecting Device Driver Defects Olatunji Ruwase Thesis Proposal Thesis Committee: Todd C. Mowry (Chair)
HARD: Hardware-Assisted lockset- based Race Detection P.Zhou, R.Teodorescu, Y.Zhou. HPCA’07 Shimin Chen LBA Reading Group Presentation.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan November 29,
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew.
1 ROGUE Dynamic Optimization Framework Using Pin Vijay Janapa Reddi PhD. Candidate - Electrical And Computer Engineering University of Colorado at Boulder.
Correct RelocationMarch 20, 2016 Correct Relocation: Do You Trust a Mutated Binary? Drew Bernat
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2010 Paradyn Project Safe and Efficient Instrumentation Andrew Bernat.
Better Performance Through Thread-local Emulation Ali Razeen, Valentin Pistol, Alexander Meijer, and Landon P. Cox Duke University.
Qin Zhao1, Joon Edward Sim2, WengFai Wong1,2 1SingaporeMIT Alliance 2Department of Computer Science National University of Singapore
Remix: On-demand Live Randomization
On-Demand Dynamic Software Analysis
Mingwei Zhang Aravind Prakash Xiaolei Li Zhenkai Liang Heng Yin
Performance Optimizations in Dyninst
EnGarde: Mutually Trusted Inspection of SGX Enclaves
Optimization Code Optimization ©SoftMoore Consulting.
Stamatis Vassiliadis Symposium Sept. 28, 2007 J. E. Smith
A Review of Processor Design Flow
1Intel Research Pittsburgh 2CMU 3EPFL 4UT Austin
Fundamentals of Computer Organisation & Architecture
Hyesoon Kim Onur Mutlu Jared Stark* Yale N. Patt
Parallelizing Dynamic Information Flow Tracking
X86 Assembly Review.
ICS51 Introductory Computer Organization
Dynamic Binary Translators and Instrumenters
TEE-Perf A Profiler for Trusted Execution Environments
Presentation transcript:

Olatunji Ruwase* Shimin Chen+ Phillip B. Gibbons+ Todd C. Mowry* Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools Olatunji Ruwase* Shimin Chen+ Phillip B. Gibbons+ Todd C. Mowry* *School of Computer Science Carnegie Mellon University + Intel Labs Pittsburgh

Bug detection using Lifeguards program Lifeguard Detect errors by monitoring execution of unmodified binary Exploit instruction-grained runtime information Block exploits before software patch [Savage et al. ‘97, Newsome & Song ’05, Nethercote et al. ‘07] Significant program slowdown 10 - 100X using Dynamic Binary Instrumentation(DBI) Valgrind, PIN, DynamoRIO DBI is standard practice Decoupled Lifeguards - 2 -

Why instruction grained Lifeguards are slow program TaintCheck lifeguard mov %eax A add %eax B mov C %eax cmp %ecx, %eax taint(eax) = taint(A) taint(C) = taint (eax) taint(eax) |= taint(B) Decoupled Lifeguards - 3 -

Why instruction grained Lifeguards are slow program TaintCheck lifeguard taint(eax) = taint(A) mov %eax A taint(eax) |= taint(B) add %eax B taint(C) = taint (eax) mov C %eax cmp %ecx, %eax mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) mov reg_taint(%edx) %al Handler for memory-to-register copy instruction Decoupled Lifeguards - 4 -

Why instruction grained Lifeguards are slow mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) mov reg_taint(%edx) %al Swith execution context mov %eax A Switch execution context or reg_taint(%edx) %al add %eax B mov %al reg_taint(%edx) mov C %eax cmp %ecx, %eax mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) mov reg_taint(%edx) %al Switch execution context mov %eax A taint(eax) |= taint(B) add %eax B taint(C) = taint (eax) mov C %eax cmp %ecx, %eax program TaintCheck lifeguard Decoupled Lifeguards - 5 -

Optimizing Lifeguard code on program paths is hard mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) mov reg_taint(%edx) %al Swith execution context mov %eax A Switch execution context or reg_taint(%edx) %al add %eax B mov %al reg_taint(%edx) mov C %eax cmp %ecx, %eax Key obstacle is tight coupling of program & Lifeguard code Opportunity study for lifeguard acceleration showed that optimizing lifeguard code on long program paths (up to 8 branches) will reduce overhead of lifeguard code significantly. Instrumented program path shows tight coupling of program code (thin black lines) and lifeguard code (thick colored lines). Optimization is dy Tight coupling of program & lifeguard code is key obstacle Instrumented program path Decoupled Lifeguards - 6 -

Decoupling Lifeguard execution Unoptimized path handler Instrumented program path Decoupled Lifeguards - 7 -

Lifeguard specific optimizations on program path Compose instruction handlers Program path Say hottest mcf path Unoptimized path handler Decoupled Lifeguards - 8 -

Lifeguard specific optimizations on program path x86 instruction count of TaintCheck handler for mcf path Original Standard path opts Lifeguard path opts 86 81(95%) 47(55%) Compose instruction handlers Program path Say hottest mcf path Unoptimized path handler Optimized path handler Decoupled Lifeguards - 9 -

Outline Dynamic path optimization of Decoupled Lifeguards Decoupling Lifeguards: Challenges and Solutions Using lifeguard domain knowledge for path optimizations Evaluation Conclusions Decoupled Lifeguards - 10 -

Decoupling Lifeguards: Challenges and Solutions Issue 1: When to run Lifeguard code Optimized path handler Program path At end of path where data is available Decoupled Lifeguards - 11 -

Decoupling Lifeguards: Challenges and Solutions Issue 2: How to pass data to Lifeguard Marshall data Buffer Optimized path handler Program path Decoupled Lifeguards - 12 -

Decoupling Lifeguards: Challenges and Solutions Challenge 1: How to handle side exits 1 1 2 3 4 2 3 Optimized path handler 4 Path handler for side exits Program path Decoupled Lifeguards - 13 -

Decoupling Lifeguards: Challenges and Solutions Challenge 2: How to contain errors in the path See paper for details of solution based on: Page protection to prevent data corruption Completing checks at function & system calls and indirect jumps Program path Page protection to prevent data corruption Complete checking before syscalls, indirect jumps, function calls Optimized path handler Decoupled Lifeguards - 14 -

Outline Dynamic path optimization of Decoupled Lifeguards Decoupling Lifeguards: Challenges and Solutions Using lifeguard domain knowledge for path optimizations Evaluation Conclusion Decoupled Lifeguards - 15 -

Lifeguard optimization opportunities Alias analysis to reduce metadata accesses Dead metadata update detection to eliminate instruction handlers taint(esi) = taint(esi) | taint( ) taint(edx) = taint(edi) taint(edi) = taint(esi) taint(edi) = taint(edi) | taint( ) taint(ecx) = taint( ) taint(edi) = taint(edx) | taint(ecx) taint(ebx) = taint( ) … A B mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) mov reg_taint(%edx) %al C 6 instructions to access metadata of program memory address D TaintCheck handler for mcf path Decoupled Lifeguards - 16 -

Alias analysis for metadata accesses program add %esi -0x24[%ebp] mov %edx %edi mov %edi %esi sub %edi -0x24[%ebp] … mov %ecx -0x24[%ebp] lea %edi [%edx,%ecx,1] mov %ebx 0x1c[%ebp] mcf path taint(esi) = taint(esi) | taint(A) taint(edx) = taint(edi) taint(edi) = taint(esi) taint(edi) = taint(edi) | taint(B) taint(ecx) = taint(C) taint(edi) = taint(edx) | taint(ecx) taint(ebx) = taint(D) … Program on right, lifeguard on left TaintCheck handler for mcf path Decoupled Lifeguards - 17 -

Alias analysis for metadata accesses program add %esi -0x24[%ebp] mov %edx %edi mov %edi %esi sub %edi -0x24[%ebp] … mov %ecx -0x24[%ebp] lea %edi [%edx,%ecx,1] mov %ebx 0x1c[%ebp] mcf path taint(esi) = taint(esi) | taint(A) taint(edx) = taint(edi) taint(edi) = taint(esi) taint(edi) = taint(edi) | taint(A) taint(ecx) = taint(A) taint(edi) = taint(edx) | taint(ecx) taint(ebx) = taint(A+64) … Enables metadata access CSE optimization described in paper TaintCheck handler for mcf path Decoupled Lifeguards - 18 -

Eliminating dead instruction handlers taint(esi) = taint(esi) | taint(A) taint(edx) = taint(edi) taint(edi) = taint(esi) taint(edi) = taint(edi) | taint(A) taint(ecx) = taint(A) = taint(edx) | taint(ecx) taint(ebx) = taint(A+64) … Dead taint(edi) updates See paper for details of other optimizations: e.g eliminating loop redundancies taint(edi) TaintCheck handler for mcf path Decoupled Lifeguards - 19 -

Evaluation Lifeguards AddrCheck: unallocated memory access Eraser: concurrency errors MemCheck: AddrCheck + uninitialized read errors TaintCheck: security errors Lifeguard instrumentation platforms DBI (Valgrind ) & Hardware accelerated (LBA) Decoupled lifeguard code on program paths of up to 8 branches Decoupled Lifeguards - 20 -

Lifeguard overhead reduction in Valgrind AddrCheck Standard path optimizations(SPO) SPO + dead handler elimination(DHE) MemCheck Standard path opts yield mixed results Decoupled Lifeguards - 21 -

Lifeguard overhead reduction in Valgrind AddrCheck 24% reduction Standard path optimizations(SPO) SPO + dead handler elimination(DHE) MemCheck Limitations to improvements Instrumentation overhead No metadata access CSE 6% reduction Talk about limitations Decoupled Lifeguards - 22 -

Results with hardware assisted instrumentation (LBA) SPO SPO + DHE SPO + DHE + Metadata access CSE AddrCheck 50% reduction Eraser 53% reduction MemCheck 42% reduction TaintCheck 38% reduction Decoupled Lifeguards - 23 -

Conclusions Decoupling: enables optimization of lifeguard code on program paths Correctness checking at a path granularity Multi-versioned checking code to handle side exits Page protection for containing errors Lifeguard domain knowledge: enable redundancy elimination beyond standard optimizations Better alias analysis Lifeguard-specific dead code & common subexpression elimination Lifeguard overhead reductions Up to 24% on Valgrind Up to 53% on LBA Decoupled Lifeguards - 24 -

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.