Kernel AddressSanitizer

Slides:



Advertisements
Similar presentations
Recitation By yzhuang, sseshadr. Agenda Debugging practices – GDB – Valgrind – Strace Errors and Wrappers – System call return values and wrappers – Uninitialization.
Advertisements

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
Dynamic Memory Allocation I Topics Simple explicit allocators Data structures Mechanisms Policies CS 105 Tour of the Black Holes of Computing.
Dynamic Memory Allocation I Topics Basic representation and alignment (mainly for static memory allocation, main concepts carry over to dynamic memory.
Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.
User-Level Memory Management in Linux Programming
Week 7 - Friday.  What did we talk about last time?  Allocating 2D arrays.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
Traffic Server Debugging using ASAN / TSAN Brian Geffon.
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.
HTML5 GEOLOCATION AND SHAREPOINT GEOLOCATION What is Geolocation? How easy it is to use this service? Can we do something without Javascript?
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Dynamic Memory Allocation Conventional array and other data declarations An incorrect attempt to size memory dynamically Requirement for dynamic allocation.
Chapter 8 – Main Memory (Pgs ). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.
1 Memory Management Basics. 2 Program P Basic Memory Management Concepts Address spaces Physical address space — The address space supported by the hardware.
1 Advanced Memory Management Techniques  static vs. dynamic kernel memory allocation  resource map allocation  power-of-two free list allocation  buddy.
CSCI Rational Purify 1 Rational Purify Overview Michel Izygon - Jim Helm.
CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows
1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
+ Dynamic memory allocation. + Introduction We often face situations in programming where the data is dynamics in nature. Consider a list of customers.
Processes and Virtual Memory
1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.
Sampling Dynamic Dataflow Analyses Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
1 C Basics Monday, August 30, 2010 CS 241. Announcements MP1, a short machine problem, will be released today. Due: Tuesday, Sept. 7 th at 11:59pm via.
By Anand George SourceLens.org Copyright. All rights reserved. Content Owner - Meera R (meera at sourcelens.org)
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
Where Testing Fails …. Problem Areas Stack Overflow Race Conditions Deadlock Timing Reentrancy.
CSE 333 – SECTION 2 Memory Management. Questions, Comments, Concerns Do you have any? Exercises going ok? Lectures make sense? Homework 1 – START EARLY!
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
Linux 2.6 Memory Management Joseph Garvin. Why do we care? Without keeping multiple process in memory at once, we loose all the hard work we just did.
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
CS 140 Lecture Notes: Virtual Memory
Lecture 11 Virtual Memory
Protecting Memory What is there to protect in memory?
Presented by: Daniel Taylor
YAHMD - Yet Another Heap Memory Debugger
Debugging Memory Issues
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Virtual Memory User memory model so far:
Checking Memory Management
CS 140 Lecture Notes: Virtual Memory
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang
CSE 351 Section 10 The END…Almost 3/7/12
Dynamic Memory Allocation
CS 140 Lecture Notes: Virtual Memory
CSC 495/583 Topics of Software Security Format String Bug (2) & Heap
Dynamic Memory A whole heap of fun….
Introduction to Static Analyzer
Virtual Memory: Systems CSCI 380: Operating Systems
CSCI 380: Operating Systems William Killian
Dynamic Memory A whole heap of fun….
Pointer & Memory Allocation Review
CS703 - Advanced Operating Systems
Paging and Segmentation
COP 3330 Object-oriented Programming in C++
Machine-Level Programming II: Basics Comp 21000: Introduction to Computer Organization & Systems Spring 2016 Instructor: John Barr * Modified slides.
CS 140 Lecture Notes: Virtual Memory
Buddy Allocation CS 161: Lecture 5 2/11/19.
Landon Cox January 17, 2018 January 22, 2018
Makefiles, GDB, Valgrind
Sampling Dynamic Dataflow Analyses
Presentation transcript:

Kernel AddressSanitizer A fast memory error detector for Linux kernel Dmitry Vyukov, dvyukov@ Nov 14, 2014, ZeroNights

Address/Thread/MemorySanitizer AddressSanitizer (ASan): use-after-free, use-after-return, out-of-bounds on heap, stack, globals. ThreadSanitizer (TSan): data races, deadlocks, mallocs in signal handlers. MemorySanitizer (MSan): uses of uninitialized memory [Valgrind is sloooooooooooow]

User-space usage Continuous testing of Chromium and server-side codebase. We use "asanified" Chrome as default browser. ClusterFuzz: massive Chromium fuzzing. End-to-end system tests and live traffic serving. Lots of internal fuzzing. Thousands of bugs found. Also found bugs in: Firefox, Opera, vlc, ffmpeg, FreeType, WebRTC, MySQL, PostgreSQL, perl, PHP, clang, gcc, glibc.

Linux Kernel CONFIG_DEBUG_SLAB: does not detect OOB reads, best-effort UAF detection. CONFIG_DEBUG_PAGEALLOC: Detects UAF only when the whole page is unused. CONFIG_KMEMCHECK: Slow.

Kernel AddressSanitizer CONFIG_KASAN: fast and comprehensive solution for UAF and OOB. Based on compiler instrumentation (fast) OOB for both writes and reads OOB for globals and stack Strong UAF detection Prompt detection of bad memory accesses Informative reports

Shadow byte Every aligned 8-byte word of memory has only 9 states: first k bytes (0<=k<=8) are addressable, the rest are not. State of every 8-byte word can be encoded in 1 byte (shadow byte) (Extreme: up to 128 application bytes per 1 shadow byte)

Instrumentation: 8-byte access *ptr = ... char *shadow = AddrToShadow(ptr); if (*shadow) ReportError(ptr);

shadow = (addr>>3) + offset Shadow Memory Mapping shadow = (addr>>3) + offset

Instrumentation Example MOV %RDI, %RAX # copy address SHR $0x3, %RAX # divide by 8 MOV 0xFFFFD90000000000, %RCX # load offset CMPB $0x0, (%RAX, %RCX) # load&test shadow JNE fail # report failure MOVQ $0x1234, (%RDI) # original store

Run-time Support Map shadow memory during bootstrap SLAB/SLUB integration: add redzones poison/unpoison delay reuse (quarantine) Error reporting

Trophies ~20 bugs in upstream kernel ~20 in our internal kernel X bugs found by Samsung and Oracle

Example Report: UAF ERROR: AddressSanitizer: heap-use-after-free on address ffff880064d11924 ffff880064d11924 is located 84 bytes inside of 104-byte region [ffff880064d118d0, ffff880064d11938) Accessed by thread T3916: #1 ffffffff813fbb30 (ext4_mb_release_context+0x70/0xa40) ./fs/ext4/mballoc.c:4269 #2 ffffffff81401888 (ext4_mb_new_blocks+0x888/0x9b0) ./fs/ext4/mballoc.c:4432 #3 ffffffff813f2594 (ext4_ext_map_blocks+0x1404/0x1ba0) ./fs/ext4/extents.c:4213 Freed by thread T14794: #1 ffffffff813f7832 (ext4_mb_pa_callback+0x32/0x40) ./fs/ext4/mballoc.c:3428 #2 inlined rcu_do_batch ./kernel/rcutree.c:1991 #3 inlined invoke_rcu_callbacks ./kernel/rcutree.c:2229 Allocated by thread T1087: #1 ffffffff8190e928 (ext4_mb_new_inode_pa+0xd8/0x752) ./fs/ext4/mballoc.c:3506 #2 ffffffff8140190b (ext4_mb_new_blocks+0x90b/0x9b0) ./fs/ext4/mballoc.c:4417 #3 ffffffff813f2594 (ext4_ext_map_blocks+0x1404/0x1ba0) ./fs/ext4/extents.c:4213. Shadow bytes around the buggy address: ffff880064d11900: fd fd fd fd[fd]fd fd fa fa fa fa fa fa fa fa fa

Example Report: OOB "I guess the following patch might be worth a CVE" AddressSanitizer: heap-buffer-overflow on address ffff8800521e8730 ffff8800521e8730 is located 16 bytes to the left of 512-byte region [ffff8800521e8740, ffff8800521e8940) Accessed by thread T11464: #1 ffffffffa0003b1c (ip6_finish_output2+0x54c/0x840 [ipv6]) #2 ffffffffa00088dc (ip6_fragment+0xe2c/0x1520 [ipv6]) #3 ffffffffa00090f7 (ip6_finish_output+0x127/0x190 [ipv6]) #4 ffffffffa00091e1 (ip6_output+0x81/0x140 [ipv6]) #5 ffffffffa000630c (ip6_local_out+0x4c/0x60 [ipv6]) Allocated by thread T11464: #1 ffffffff817e0201 (__alloc_skb+0x91/0x280) #2 ffffffff817d807a (sock_wmalloc+0x6a/0xe0) #3 ffffffffa0005ea6 (ip6_append_data+0x1906/0x1c20 [ipv6]) #4 ffffffffa0030dd7 (rawv6_sendmsg+0x6a7/0x15c0 [ipv6]) #5 ffffffff818bb498 (inet_sendmsg+0x108/0x160) Shadow bytes around the buggy address: ffff8800521e8700: fa fa fa fa fa fa[fa]fa 00 00 00 00 00 00 00 00 "I guess the following patch might be worth a CVE"

Thanks! http://address-sanitizer.googlecode.com http://github.com/google/kasan Questions? Dmitry Vyukov, Google dvyukov@

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.