U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger.

Slides:



Advertisements
Similar presentations
DieHard: Memory Error Fault Tolerance in C and C++ Ben Zorn Microsoft Research In collaboration with Emery Berger and Gene Novark, Univ. of Massachusetts.
Advertisements

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Deadlock Emery Berger and Mark Corner University of Massachusetts.
SEMINAR ON FILE SLACK AND DISK SLACK
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Dynamic Memory Management Emery Berger and Mark Corner.
U NIVERSITY OF M ASSACHUSETTS – Department of Computer Science Emery Berger Scalable Memory Management for Multithreaded Applications CMPSCI 691P Fall.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene.
CSc 352 Freeing Dynamically Allocated Memory Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
1 U NIVERSITY OF M ASSACHUSETTS, A MHERST School of Computer Science P REDATOR : Predictive False Sharing Detection Tongping Liu*, Chen Tian, Ziang Hu,
By Gene Novark, Emery D. Berger and Benjamin G. Zorn Presented by Matthew Kent Exterminator: Automatically Correcting Memory Errors with High Probability.
Ben Livshits Based in part of Stanford class slides from and slides from Ben Zorn’s talk slides.
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.
Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 Heap Management.
A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.
CPSC 388 – Compiler Design and Construction
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
By Emery D. Berger and Benjamin G. Zorn Presented by: David Roitman.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science CRAMM: Virtual Memory Support for Garbage-Collected Applications Ting Yang, Emery.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.
More on protocol implementation Packet parsing Memory management Data structures for lookup.
Tolerating and Correcting Memory Errors in C and C++ Ben Zorn Microsoft Research In collaboration with: Emery Berger and Gene Novark, Umass - Amherst Karthik.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Garbage Collection Without Paging Matthew Hertz, Yi Feng, Emery Berger University.
PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
1 CSE 303 Lecture 11 Heap memory allocation ( malloc, free ) reading: Programming in C Ch. 11, 17 slides created by Marty Stepp
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles C/C++ Emery Berger and Mark Corner University of Massachusetts.
Quarantine: A Framework to Mitigate Memory Errors in JNI Applications Du Li , Witawas Srisa-an University of Nebraska-Lincoln.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.
Debugging Print And Imaging Drivers. Print driver team philosophy on driver quality There are tools to detect violations Wrongful development assumptions.
Address Space Layout Permutation
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Computer Security and Penetration Testing
Presentation of Failure- Oblivious Computing vs. Rx OS Seminar, winter 2005 by Lauge Wullf and Jacob Munk-Stander January 4 th, 2006.
Eraser: A Dynamic Data Race Detector for Multithreaded Programs STEFAN SAVAGE, MICHAEL BURROWS, GREG NELSON, PATRICK SOBALVARRO, and THOMAS ANDERSON Ethan.
Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.
DieHard: Probabilistic Memory Safety for Unsafe Languages Emery D. Berger and Benjamin G. Zorn PLDI'06 Presented by Uri Kanonov
Pointers OVERVIEW.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science 1 Automatic Heap Sizing: Taking Real Memory into Account Ting Yang, Emery Berger,
Dynamic Memory Allocation. Domain A subset of the total domain name space. A domain represents a level of the hierarchy in the Domain Name Space, and.
CSCI Rational Purify 1 Rational Purify Overview Michel Izygon - Jim Helm.
CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Yi Feng & Emery Berger University of Massachusetts Amherst A Locality-Improving.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
Author: Gene Novark, Emery D. Berger University of Massachusetts Amherst DieHarder: Securing the Heap ACM CCS’10.
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
Processes and Virtual Memory
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
CSc 352 Debugging Tools Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Fault Tolerant, Efficient, and Secure Runtimes Ben Zorn Research in Software Engineering (RiSE) Microsoft Research In collaboration with: Emery Berger.
Memory-Related Perils and Pitfalls in C
YAHMD - Yet Another Heap Memory Debugger
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang
Software Security Lesson Introduction
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
CSC 495/583 Topics of Software Security Format String Bug (2) & Heap
CSc 352 Debugging Tools Saumya Debray Dept. of Computer Science
The future of Software Security Dr. Si Chen
CETS: Compiler-Enforced Temporal Safety for C
Presentation transcript:

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger UMass Amherst Ben Zorn Microsoft Research

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Debugging Memory Errors Billions of lines of deployed C/C++ code Apps contain memory errors Heap overflows Dangling pointers Notoriously hard to debug Must reproduce bug, pinpoint cause Average 28 days from discovery of remotely exploitable memory error and patch [Symantec 2006]

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Coping with memory errors Unsound, may detect errors Windows, GNU libc, Rx Sound, always finds dynamic errors CCured, CRED, SAFECode Requires source modification Valgrind, Purify Order of magnitude slowdown Probabilistically avoid errors DieHard [Berger 2006] Exterminator: automatically isolate and fix detected errors

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 DieHard Overview Fully-randomized memory manager Bitmap-based with random probing Increases odds of benign memory errors Different heap layouts across runs Replication Run multiple replicas simultaneously, vote on results Increases reliability (hides bugs) by using more space

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 DieHard Heap Layout Bitmap-based, segregated size classes Bit represents one object of given size i.e., one bit = 2 i+3 bytes, etc. malloc(): randomly probe bitmap for free space free(): just reset bit size = 2 i+3 2 i+4 allocation bitmap heap

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator Extensions size = 2 i+3 2 i+4 allocation bitmap heap object id (serial number) 32 dealloc time DieHard Exterminator dealloc site D6D6 D9D9 alloc site A4A4 A8A8 A3A3

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 The Exterminator System seed vote broadcast input output DieFast replica 1 seed DieFast replica 2 seed Error isolator correcting allocator DieFast replica 3 runtime patches On failure, create heap images (core dump) Isolator analyzes images, creates runtime patch Correcting allocator corrects isolated errors: pad allocations extend object lifetimes

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator Isolation Algorithm Identify “discrepancies” Compare valid object data Find equivalent objects (same ID) with different contents Find corrupted canaries (free space) Check for possible buffer overflows Check for dangling pointer error

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Comparing Object Data Lots of valid reasons for data to differ Pointers (random target locations) File descriptors Non-transparent use of pointers e.g. Red-Black tree keyed on pointer value Etc. Exterminator identifies and ignores: Values which differ across all replicas Valid pointers referring to same target ID

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Error Isolation: Buffer Overflows Replica 1: “malignant” overflow Replica 2 & 3: “benign” overflows 1.Identify corrupt object 2.Search for source 3.Compare data at same  (  = 1: No object ) 555 ( vs. & ) (  = 2: candidate!) ( vs. & Match! )

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Error Isolation: Dangling Pointer Freed, Canary value Dangled ptr ? Assume dangling pointer Extend lifetime of object Corrupted canary values for object 5 Same object, same corruption Buffer overflow? Source object would be at same  in all replicas Unlikely,

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Error Isolation: Dangling ptr read What if the program doesn’t write to the dangled pointer? DieFast overwrites freed objects Canaries produce invalid reads, crashes How to identify prematurely freed objects? Common case 1: read something that was a pointer, dereference it Common case 2: read numeric value, error propagates through computation No information: previous contents destroyed!

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Error Isolation: Dangling ptr read Solution: Write canaries randomly (half the time) Equivalent to extending object lifetime (until overwritten) : overwritten with canaries: data intact Legal free: OK Illegal free: (later read + deref ptr) OK CRASH!

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Error Isolation: Dangling ptr read Correct frees uncorrelated with crash For each object i, compute estimator: P > 0.5: dangling pointer error Create patch when confidence reaches threshold

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Runtime Patches Overflow patches Allocation callsite Overflow amount Dangling pointer patches Allocation & Deallocation callsites Lifetime extension

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Correcting Allocator Extended DieHard allocator Reads runtime patches Stores pad table & deferral table On free: Check for life extension for current object Place ptr, time on deferral priority queue On allocation: Check for overflow fix for current callsite Check deferral queue for pending frees

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Results Analytical results Empirical results Runtime overhead Error detection Injected faults Real application (Squid)

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Analytic results summary Buffer overflows False negative & positive rate decrease exponentially with # of replicas Dangling pointers Write: exponentially low false +/- rate Read-only: Confidence threshold controls false positive rate, # replicas needed to identify culprit

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Empirical Results: Runtime

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Empirical Results: Overflows

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Empirical Results: Dang. Ptrs.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Empirical Results: Squid Squid web cache heap overflow Remotely exploitable Crashes glibc and BDW collector DieFast detects error immediately Corrupted canary past overflowed object Exterminator’s isolator generates an object pad of 6 bytes, fixing the overflow

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Conclusion Randomization + Replication = Information Randomization  bugs have different effects Exterminator exploits different effects across heaps to isolate cause Low overhead Automatically fix bugs in deployed programs Breaks crash-debug-patch cycle Create 0-day patches for 0-day bugs

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.