Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang

Slides:

Advertisements

Similar presentations

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Advertisements

1 Memory Allocation Professor Jennifer Rexford COS 217.

User-Level Memory Management in Linux Programming

Hastings Purify: Fast Detection of Memory Leaks and Access Errors.

CPSC 388 – Compiler Design and Construction

Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.

Run-Time Storage Organization

C and Data Structures Baojian Hua

WEL COME PRAVEEN M JIGAJINNI PGT (Computer Science) MCA, MSc[IT], MTech[IT], MPhil (Comp. Sci), PGDCA, ADCA, Dc. Sc. & Engg.

. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.

Memory Layout C and Data Structures Baojian Hua

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Prof. amr Goneid, AUC1 CSCE 110 PROGRAMMING FUNDAMENTALS WITH C++ Prof. Amr Goneid AUC Part 10. Pointers & Dynamic Data Structures.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

Computer Security and Penetration Testing

Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.

Pointers review Let a variable aa be defined as ‘int *aa;’, what is stored in aa? Let a variable aa be defined as ‘int ** aa;’ what is stored in aa? Why.

Use of Coverity & Valgrind in Geant4 Gabriele Cosmo.

Replay Compilation: Improving Debuggability of a Just-in Time Complier Presenter: Jun Tao.

Chapter 4 Memory Management Virtual Memory.

University of Washington Today Finished up virtual memory On to memory allocation Lab 3 grades up HW 4 up later today. Lab 5 out (this afternoon): time.

Dynamic Memory Allocation. Domain A subset of the total domain name space. A domain represents a level of the hierarchy in the Domain Name Space, and.

Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.

CSCI Rational Purify 1 Rational Purify Overview Michel Izygon - Jim Helm.

Debugging of # P. Hristov 04/03/2013. Introduction Difficult problem – The behavior is “random” and depends on the “history” – The debugger doesn’t.

1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.

Consider Starting with 160 k of memory do: Starting with 160 k of memory do: Allocate p1 (50 k) Allocate p1 (50 k) Allocate p2 (30 k) Allocate p2 (30 k)

Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.

Improve Embedded System Stability and Performance through Memory Analysis Tools Bill Graham, Product Line Manager Development Tools November 14, 2006.

Memory Management What if pgm mem > main mem ?. Memory Management What if pgm mem > main mem ? Overlays – program controlled.

Code improvement: Coverity static analysis Valgrind dynamic analysis GABRIELE COSMO CERN, EP/SFT.

Memory-Related Perils and Pitfalls in C

CSE 220 – C Programming malloc, calloc, realloc.

Dynamic Allocation in C

Content Coverity Static Analysis Use cases of Coverity Examples

Object Lifetime and Pointers

Data Types In Text: Chapter 6.

Free Transactions with Rio Vista

Processes and threads.

Data Watch Presenter Information Jason Puncher and François Tétreault

YAHMD - Yet Another Heap Memory Debugger

Unusual Data Types CSC-3004 Introduction to Software Development

Debugging Memory Issues

ENEE150 Discussion 07 Section 0101 Adam Wang.

Dynamic Memory Allocation

Storage Management.

Checking Memory Management

Dynamically Allocated Memory

Chapter 9 :: Subroutines and Control Abstraction

High Coverage Detection of Input-Related Security Faults

MEMORY MANAGEMENT & their issues

Chap. 8 :: Subroutines and Control Abstraction

Chap. 8 :: Subroutines and Control Abstraction

Dynamic Memory A whole heap of fun….

Dynamic Memory Allocation

Memory Allocation CS 217.

Free Transactions with Rio Vista

Process Description and Control

Effective and Efficient memory Protection Using Dynamic Tainting

Chien-Chung Shen CIS/UD

CETS: Compiler-Enforced Temporal Safety for C

Dynamic Memory.

Foundations and Definitions

RUN-TIME STORAGE Chuen-Liang Chen Department of Computer Science

Virtual Memory and Paging

Run-time environments

Presentation transcript:

Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang Memory Corruption Detecting Method Using Static Variables and Dynamic Memory Usage Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang {pola0527, ddangddon}@ewhain.net, bjchoi@ewha.ac.kr, gihun.chang@Samsung.com 표지

Agenda Memory Corruption Related Work Our Method Empirical study Static memory corruption detection Dynamic memory corruption detection Our Method Information tagging Real-time memory defect detection Signal hooking Automation Empirical study Conclusion and future work

Memory corruption Memory corruption is a fault in which the content of memory is changed unintentionally during the execution of program. Once memory corruption occurs, the process either malfunctions or the system crashes. Memory corruption is a defect that is difficult to resolve Reason 1: There are often cases where the location of the cause of the memory corruption differs from the location of the actual failure  It is difficult to correlate the cause and effect Reason 2: The symptoms of memory corruption are non-deterministic  The fault is not always reproduced  We propose a method to detect real time memory corruption by using static global variables and dynamic memory usage

Memory defect categories Category Defects Allocation Memory allocation failure Zero-size memory allocation Memory leak Deallocation Null pointer free (Compiler-dependent) Duplicated free Unallocated memory free Allocation/deallocation mismatch Access Null pointer access Freed memory access Unallocated memory access Access defects out of the allocated range that do not conflict with memory space of other variables Access defect out of the allocated range that conflicts with memory space of other variables

<Linux Virtual Memory> Related work Static memory corruption detection Analyze source codes Analyze executable binaries without execution Analyze to detect defects such as a buffer overflow Limitation: This method cannot detect memory corruption in dynamic memory Defect detection accuracy is not very high Dynamic memory corruption detection Collects debugging information by adding tracking code into memory-related function Compilation time Runtime Some popular tools: Purify, Memcheck, AddressSanitizer, … operate in the actual execution environment Highly accurate in the detection of memory corruption Limitation Performance overhead Recompilation or change in the executable binary Text (Code) Data Heap Stack <Linux Virtual Memory>

Information tagging Target System In order to detect memory defects in real-time, there must first be information that can determine the validity of the memory that will be used  shadow memory technique To reduce the overhead from shadow memory, only the static global variables analyzed from the executable binary and dynamically allocated information on the heap memory area are managed through a data structure called ‘information tag’ Executable binary Target System Information Tags Repository Process Dynamic memory usage Static variables

Memory defect detection To monitor memory usage, hooking is used for memory-related functions void free(void *ptr) { if ((tempTag->Flag & 0x01) == 0x01) { s_informtag *tempTag = NULL; // Duplicated free if the information tag's deallocation flag is set if (g_pOrigFree == NULL) { SoMain(); // Information Tagging Module initialization return; } // Update the information tag if(ptr == NULL) { InfoTag_Update((const void*)ptr, 2, (int)(tempTag->Flag |= 0x01)); // Null pointer free InfoTag_Update(ptr, 4, (ADDR_TYPE)__builtin_return_address(0)); … ((void(*)(void*))g_pOrigFree)(ptr); tempTag = InfoTag_Get(ptr); if(tempTag == NULL) { // Unallocated memory free if the information tag does not exist if ((tempTag->Flag & 0x80) == 0x80) { // Unallocated memory free if the information tag's allocation flag is set as static allocation if ((tempTag->Flag & 0x18) > 0) { // Allocation/deallocation mismatch if the information tag's allocation function type flag is set to type new/new[]

Signal hooking Some memory defects may cause system crashes In order to detect defects without losing information when a system crashes, a signal handler that is raised during a crash is hooked Signal related to memory defects SIGSEGV SIGABRT SIGBUS

Execution Binary Analysis Automation Tool ARM-based Linux system Linux kernel 4.9.27 Executable binary analysis module Extracts static global variables to store in information tag repository from the binary file Defect detection module using information tagging Detects defects using information tags each time a memory-related function is called Crash monitoring module Used the signal hooking to hook signal handlers and collect defect detection information without losing data Result output module (Fault Detection) Generates the results on defects that were detected in real-time MCDT Execution Binary Analysis Run - Target Process Fault Detection

Automation Tool

Empirical study ITC benchmark A program that was developed for defects occurring in actual vehicle software Contains a mix of various defects, such as deadlock and typecasting, memory defects Fault TC count Crash occurrence TC_02 Buffer_overrun_dynamic 32 1 TC_29 Memory_leak 18 TC_03 Buffer_underrun_dynamic 39 3 TC_31 Null_pointer 17 15 TC_04 Cmp_funcadr 2 TC_32 Overrun_st 54 TC_11 Deletion_of_data_structure_sentinel TC_33 Ow_memory TC_12 Double_free 12 TC_42 St_overflow 7 TC_16 Free_nondynamic_allocated_memory 16 TC_43 St_underflow TC_17 Free_null_pointer 14 9 TC_44 Underrun_st 13 TC_24 Invalid_memory_access TC_45 Uninit_memory_access TC_25 Littlemem_st 11 4 TC_46 Uninit_pointer TC_28 Memory_allocation_failure

Results - All Detection rate Cause of defects (a) Detected Fault Our tool detected 111 defects out of 311 defects AddressSanitizer: 65 defects Memcheck: 80 defects Cause of defects Our method accurately analyzed the cause of 94 defects (84.69%) AddressSanitizer: 10 defects Memcheck: 43 defects (a) Detected Fault (b) Fault Detection Accuracy

Results – Crash occurrence Detection rate Our tool detected 77 defects out of 84 defects AddressSanitizer: 57 defects Memcheck: 63 defects Cause of defects Our method accurately analyzed the cause of 58 defects (65.71%) AddressSanitizer: 8 defects Memcheck: 34 defects (a) Fault Detection (b) Fault Detection Accuracy

Performance Monitoring overhead Our method had a 6.67% performance overhead AddressSanitizer: 26.7% performance overhead Memcheck: heavyweight method

Conclusion and future work Memory corruption is a remaining problem to be resolved Defects must be detected across all memories used in a process It is important to accurately identify the location of the cause of the defect instead of just the moment when the defect occurred We proposed a method that detects memory corruption by analyzing static global variables and dynamic memory use Future work We will conduct further experimental study to measure the performance of our tool by fault injection We plan to expand the static memory used for defect detection to the entire static memory area