U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene.

Slides:



Advertisements
Similar presentations
DieHard: Memory Error Fault Tolerance in C and C++ Ben Zorn Microsoft Research In collaboration with Emery Berger and Gene Novark, Univ. of Massachusetts.
Advertisements

The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.
Dynamic Memory Management
Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 10: Heap Management CS 540 GMU Spring 2009.
Michael Bond Kathryn McKinley The University of Texas at Austin Presented by Na Meng Most of the slides are from Mike’s original talk. Many thanks go to.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Dynamic Memory Management Emery Berger and Mark Corner.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
1 U NIVERSITY OF M ASSACHUSETTS, A MHERST School of Computer Science P REDATOR : Predictive False Sharing Detection Tongping Liu*, Chen Tian, Ziang Hu,
By Gene Novark, Emery D. Berger and Benjamin G. Zorn Presented by Matthew Kent Exterminator: Automatically Correcting Memory Errors with High Probability.
Ben Livshits Based in part of Stanford class slides from and slides from Ben Zorn’s talk slides.
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
CPSC 388 – Compiler Design and Construction
Memory Safety Through Runtime Analysis Justin Samuel for CSE 504, Spring ‘10 Instructor: Ben Livshits.
By Emery D. Berger and Benjamin G. Zorn Presented by: David Roitman.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science CRAMM: Virtual Memory Support for Garbage-Collected Applications Ting Yang, Emery.
Operating Systems CMPSCI 377 Lecture 11: Memory Management
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.
Tolerating and Correcting Memory Errors in C and C++ Ben Zorn Microsoft Research In collaboration with: Emery Berger and Gene Novark, Umass - Amherst Karthik.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Garbage Collection Without Paging Matthew Hertz, Yi Feng, Emery Berger University.
Fault Tolerant, Efficient, and Secure Runtimes Ben Zorn Research in Software Engineering (RiSE) Microsoft Research In collaboration with: Emery Berger.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Virtualization in Data Centers Prashant Shenoy
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles C/C++ Emery Berger and Mark Corner University of Massachusetts.
Quarantine: A Framework to Mitigate Memory Errors in JNI Applications Du Li , Witawas Srisa-an University of Nebraska-Lincoln.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
Memory Layout C and Data Structures Baojian Hua
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Computer Security and Penetration Testing
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt In ACM CCS’05.
Buffer Overflow Maddikayala, jagadish. CSCI 5931 Web Security Prof. T. Andrew Yang Monday Feb. 23.
DieHard: Probabilistic Memory Safety for Unsafe Languages Emery D. Berger and Benjamin G. Zorn PLDI'06 Presented by Uri Kanonov
Storage Management. The stack and the heap Dynamic storage allocation refers to allocating space for variables at run time Most modern languages support.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Advanced Compilers CMPSCI 710 Spring 2004 Lecture 1 Emery Berger University of Massachusetts,
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science S HERIFF : Precise Detection & Automatic Mitigation of False Sharing Tongping Liu,
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science 1 Automatic Heap Sizing: Taking Real Memory into Account Ting Yang, Emery Berger,
1 Dynamic Memory Allocation –The need –malloc/free –Memory Leaks –Dangling Pointers and Garbage Collection Today’s Material.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Yi Feng & Emery Berger University of Massachusetts Amherst A Locality-Improving.
Author: Gene Novark, Emery D. Berger University of Massachusetts Amherst DieHarder: Securing the Heap ACM CCS’10.
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
Hank Childs, University of Oregon April 15th, 2015 CIS 330: _ _ _ _ ______ _ _____ / / / /___ (_) __ ____ _____ ____/ / / ____/ _/_/ ____/__ __ / / / /
Consider Starting with 160 k of memory do: Starting with 160 k of memory do: Allocate p1 (50 k) Allocate p1 (50 k) Allocate p2 (30 k) Allocate p2 (30 k)
S ECURE P ROGRAMMING 6. B UFFER O VERFLOW (S TRINGS AND I NTEGERS ) P ART 2 Chih Hung Wang Reference: 1. B. Chess and J. West, Secure Programming with.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Improve Embedded System Stability and Performance through Memory Analysis Tools Bill Graham, Product Line Manager Development Tools November 14, 2006.
Fault Tolerant, Efficient, and Secure Runtimes Ben Zorn Research in Software Engineering (RiSE) Microsoft Research In collaboration with: Emery Berger.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
Presented by: Daniel Taylor
YAHMD - Yet Another Heap Memory Debugger
Secure Programming Dr. X
Storage Management.
Reconsidering Custom Memory Allocation
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Memory Allocation CS 217.
Software Security Lesson Introduction
CSC 495/583 Topics of Software Security Format String Bug (2) & Heap
Chien-Chung Shen CIS/UD
Operating System Introduction.
CETS: Compiler-Enforced Temporal Safety for C
Presentation transcript:

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene Novark Emery Berger University of Massachusetts Amherst TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A Ben Zorn Microsoft Research

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Problems with Unsafe Languages C, C++: pervasive apps, but unsafe Numerous opportunities for security vulnerabilities, errors Double/Invalid free Uninitialized reads Dangling pointers Buffer overflows (stack & heap) DieHard: eliminates some, probabilistically avoids others [PLDI 2006] Exterminator: builds on DieHard

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 DieHard Overview Use randomization & (optionally) replication to reduce risk of memory errors Objects randomly spread across heap Different run = different heap Probabilistic memory safety Errors across heaps independent object size = 2 i+4 object size = 2 i … Run 1: “malignant” overflowRun 2: “benign” overflow … [PLDI 2006]

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 DieHard Limitations DieHard: Fine for single error But multiple errors eventually swamp probabilistic protection Not great for large overflows Tolerates errors But doesn’t find them No information for programmer Exterminator: Automatically isolate and fix memory errors

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous char * str = new char[8]; strcpy (str, “goodbye cruel world”);

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous char * str = new char[8]; strcpy (str, “goodbye cruel world”);

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous bad object (too small) char * str = new char[8]; strcpy (str, “goodbye cruel world”);

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous bad object (too small)  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous bad object (too small)  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”); 1. Heap provides no useful information

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”); 2. No way to detect corruption

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Isolating Buffer Overflows Red = possible bad object Green = not bad object Canaries in freed space detect corruption known random valuedead canary = corruption # = object id (allocation time)

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Isolating Buffer Overflows Red = possible bad object Green = not bad object Canaries in freed space detect corruption Run multiple times with “DieFast” allocator 10

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Isolating Buffer Overflows Red = possible bad object Green = not bad object

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same  Isolating Buffer Overflows Red = possible bad object Green = not bad object

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Isolating Buffer Overflows Red = possible bad object Green = not bad object Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same  10

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Isolating Buffer Overflows Red = possible bad object Green = not bad object Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same  10

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same  Isolating Buffer Overflows Red = possible bad object Green = not bad object

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same  ) object 9 overflowed, with high probability Isolating Buffer Overflows Red = possible bad object Green = not bad object

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Buffer Overflow Analysis Example: H = 1,000,000 objects 3 iterations ¼ false positives Iterations exponentially increase precision H = # heap objects K = # iterations

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Isolating Dangling Pointers Dangling pointer error: Live object freed too soon Overwritten by some other object int * v = new int[4]; … delete [] v; // oops … char * str = new char[16]; strcpy (str, “die, pointer”); v[3] = 12; … use of v[0]

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Isolating Dangling Pointers Unlike buffer overflow: dangling pointer ) same corruption in all k = 3 ) false negatives ¼

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Correcting Allocator Generate runtime patches to correct errors Track object call sites in allocator Prevent overflows: pad overflowed objects malloc(8)  malloc(8 + δ ) Prevent dangling pointers: defer frees free(ptr)  delay δ mallocs; free(ptr) 1  1

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator Architecture Three main pieces: DieHard-based allocator (DieFast) Reveals bugs Error isolator Finds bugs across multiple heaps w.h.p. Correcting allocator Fixes bugs Multiple modes suitable for testing (debugging) or deployment

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator Modes Iterative Run multiple times Same inputs Debugging Replicated Run simultaneously Deployable w/limitations Can fix errors on-the-fly Cumulative Different inputs, nondeterminism Deployable; see paper for details seed vote broadcast input output DieFast replica 1 seed DieFast replica 2 seed Error isolator correcting allocator DieFast replica 3 runtime patches

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator Runtime Overhead 25%

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Empirical Results: Real Faults Squid heap overflow Crashes glibc and BDW collector 3 iterations to fix ) 6 byte pad Prevents overflow for all subsequent executions

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Mozilla buffer overflow Debug scenario: repeated load of PoC: 23 runs to fix overflow Deployed scenario: different browsing sessions: 34 runs to fix 2 Empirical Results: Real Faults 31 12

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator Conclusion Exterminator: automatic error correction w.h.p. Randomization  bugs have different effects Statistical analysis combines information from multiple runs to isolate error Correcting allocator eliminates bugs at runtime

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007

allocation space bitmap 1 object size 2 inUse miniheaps DieHard, heap layout Bitmap-based, segregated size classes Bit represents one object of given size i.e., one bit = 2 i+3 bytes, etc. malloc() : randomly probe bitmap for free space free(): just reset bit

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator Extensions single miniheap allocation bitmap heap object id (serial number) 32 dealloc time DieHard Exterminator dealloc site D6D6 D9D9 alloc site A4A4 A8A8 A3A3

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.