Accelerating Dynamic Software Analyses Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan December 1,

Slides:

Advertisements

Similar presentations

Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Advertisements

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Difference Engine: Harnessing Memory Redundancy in Virtual Machines by Diwaker Gupta et al. presented by Jonathan Berkhahn.

Recording Inter-Thread Data Dependencies for Deterministic Replay Tarun GoyalKevin WaughArvind Gopalakrishnan.

KMemvisor: Flexible System Wide Memory Mirroring in Virtual Environments Bin Wang Zhengwei Qi Haibing Guan Haoliang Dong Wei Sun Shanghai Key Laboratory.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

Yuanyuan ZhouUIUC-CS Architectural Support for Software Bug Detection Yuanyuan (YY) Zhou and Josep Torrellas University of Illinois at Urbana-Champaign.

Network Implementation for Xen and KVM Class project for E : Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Rapid Identification of Architectural Bottlenecks via Precise Event Counting John Demme, Simha Sethumadhavan Columbia University

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.

Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Parallelizing Security Checks on Commodity Hardware E.B. Nightingale, D. Peek, P.M. Chen and J. Flinn U Michigan.

Virtualization: Not Just For Servers Hollis Blanchard PowerPC kernel hacker.

Hadi Salimi Distributed Systems Lab, School of Computer Engineering, Iran University of Science and Technology, Fall 2010 Performance.

R Enabling Trusted Software Integrity Darko Kirovski Microsoft Research Milenko Drinić Miodrag Potkonjak Computer Science Department University of California,

CS533 Concepts of Operating Systems Jonathan Walpole.

Parallelizing Security Checks on Commodity Hardware Ed Nightingale Dan Peek, Peter Chen Jason Flinn Microsoft Research University of Michigan.

A Case for Unlimited Watchpoints Joseph L. Greathouse †, Hongyi Xin*, Yixin Luo †‡, Todd Austin † † University of Michigan ‡ Shanghai Jiao Tong University.

Stamping out worms and other Internet pests Miguel Castro Microsoft Research.

Chapter 10 System Monitoring Issues Performance Benchmarks NT Server Services Users and Server Access Information Task Manager for Applications Ram and.

Performance Comparison Xen vs. KVM vs. Native –Benchmarks: SPEC CPU2006, SPEC JBB 2005, SPEC WEB, TPC –Case studies Design instrumentations for figure.

02/09/2010 Industrial Project Course (234313) Virtualization-aware database engine Final Presentation Industrial Project Course (234313) Virtualization-aware.

Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.

On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan December 12,

Highly Scalable Distributed Dataflow Analysis Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan Chelsea LeBlancTodd.

Operating Systems Security

An Integrated Framework for Dependable and Revivable Architecture Using Multicore Processors Weidong ShiMotorola Labs Hsien-Hsin “Sean” LeeGeorgia Tech.

Adaptive GPU Cache Bypassing Yingying Tian *, Sooraj Puthoor†, Joseph L. Greathouse†, Bradford M. Beckmann†, Daniel A. Jiménez * Texas A&M University *,

Hardware Mechanisms for Distributed Dynamic Software Analysis Joseph L. Greathouse Advisor: Prof. Todd Austin May 10, 2012.

Full and Para Virtualization

Testudo: Heavyweight Security Analysis via Statistical Sampling Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan Ilya.

Hardware Support for On-Demand Software Analysis Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan December 8, 2011.

Sampling Dynamic Dataflow Analyses Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia.

HARD: Hardware-Assisted lockset- based Race Detection P.Zhou, R.Teodorescu, Y.Zhou. HPCA’07 Shimin Chen LBA Reading Group Presentation.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois

On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan November 29,

The Potential of Sampling for Dynamic Analysis Joseph L. GreathouseTodd Austin Advanced Computer Architecture Laboratory University of Michigan PLAS, San.

Demand-Driven Software Race Detection using Hardware Performance Counters Joseph L. Greathouse †, Zhiqiang Ma ‡, Matthew I. Frank ‡ Ramesh Peri ‡, Todd.

Architectural Features of Transactional Memory Designs for an Operating System Chris Rossbach, Hany Ramadan, Don Porter Advanced Computer Architecture.

*Pentium is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries Performance Monitoring.

Better Performance Through Thread-local Emulation Ali Razeen, Valentin Pistol, Alexander Meijer, and Landon P. Cox Duke University.

LASER: Light, Accurate Sharing dEtection and Repair Liang Luo, Akshitha Sriraman, Brooke Fugate, Shiliang Hu, Chris J Newburn, Gilles Pokam, Joseph Devietti.

Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.

On-Demand Dynamic Software Analysis

Presented by Mike Marty

Olatunji Ruwase* Shimin Chen+ Phillip B. Gibbons+ Todd C. Mowry*

Secure Software Development: Theory and Practice

MobiSys 2017 Symbolic Execution of Android Framework with Applications to Vulnerability Discovery and Exploit Generation Qiang Zeng joint work with Lannan.

runtime verification Brief Overview Grigore Rosu

Hardware Mechanisms for Distributed Dynamic Software Analysis

Introduction to Operating Systems

OS Virtualization.

High Coverage Detection of Input-Related Security Faults

By Dunlap, King, Cinar, Basrai, Chen

Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.

On-Demand Dynamic Software Analysis

Co-designed Virtual Machines for Reliable Computer Systems

Landon Cox January 17, 2018 January 22, 2018

Sampling Dynamic Dataflow Analyses

Presentation transcript:

Accelerating Dynamic Software Analyses Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan December 1, 2011

NIST: SW errors cost U.S. ~$60 billion/year as of 2002 FBI CCS: Security Issues $67 billion/year as of 2005  >⅓ from viruses, network intrusion, etc. Software Errors Abound 2 Cataloged Software Vulnerabilities

Example of a Modern Bug 3 Thread 2 mylen=large Thread 1 mylen=small ptr ∅ Nov OpenSSL Security Flaw if(ptr == NULL) { len=thread_local->mylen; ptr=malloc(len); memcpy(ptr, data, len); }

Example of a Modern Bug 4 if(ptr==NULL) memcpy(ptr, data2, len2) ptr LEAKED TIME Thread 2 mylen=large Thread 1 mylen=small ∅ len2=thread_local->mylen; ptr=malloc(len2); len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1)

Dynamic Software Analysis Analyze the program as it runs + System state, find errors on any executed path – LARGE runtime overheads, only test one path 5 Developer Instrumented Program In-House Test Machine(s) LONG run time Analysis Results Analysis Instrumentation Program

Taint Analysis (e.g.TaintCheck) Dynamic Bounds Checking Data Race Detection (e.g. Inspector XE) Memory Checking (e.g. MemCheck) Runtime Overheads: How Large? x 10-80x 5-50x 2-300x Symbolic Execution x

Outline Problem Statement Background Information  Demand-Driven Dynamic Dataflow Analysis Proposed Solutions  Demand-Driven Data Race Detection  Sampling to Cap Maximum Overheads 7

Dynamic Dataflow Analysis Associate meta-data with program values Propagate/Clear meta-data while executing Check meta-data for safety & correctness Forms dataflows of meta/shadow information 8

a += y z = y * 75 y = x * 1024 w = x + 42 Check w Example: Taint Analysis 9 validate(x) x = read_input() Clear a += y z = y * 75 y = x * 1024 x = read_input() Propagate Associate Input Check a Check z Data Meta-data

Demand-Driven Dataflow Analysis 10 Only Analyze Shadowed Data Native Application Native Application Instrumented Application Instrumented Application Instrumented Application Meta-Data Detection Non- Shadowed Data Shadowed Data No meta-data

Finding Meta-Data 11 No additional overhead when no meta-data  Needs hardware support Take a fault when touching shadowed data Solution: Virtual Memory Watchpoints V→P FAULT

Results by Ho et al. lmbench Best Case Results: Results when everything is tainted: 12

Outline Problem Statement Background Information  Demand-Driven Dynamic Dataflow Analysis Proposed Solutions  Demand-Driven Data Race Detection  Sampling to Cap Maximum Overheads 13

Software Data Race Detection Add checks around every memory access Find inter-thread sharing events Synchronization between write-shared accesses?  No? Data race. 14

Thread 2 mylen=large Thread 1 mylen=small if(ptr==NULL) len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1) len2=thread_local->mylen; ptr=malloc(len2); memcpy(ptr, data2, len2) Example of Data Race Detection 15 ptr write-shared? Interleaved Synchronization? TIME

SW Race Detection is Slow 16 PhoenixPARSEC

Inter-thread Sharing is What’s Important “ Data races... are failures in programs that access and update shared data in critical sections” – Netzer & Miller, if(ptr==NULL) len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1) len2=thread_local->mylen; ptr=malloc(len2); memcpy(ptr, data2, len2) Thread-local data NO SHARING Shared data NO INTER-THREAD SHARING EVENTS TIME

Very Little Inter-Thread Sharing 18 PhoenixPARSEC

Use Demand-Driven Analysis! 19 Multi-threaded Application Multi-threaded Application Software Race Detector Local Access Inter-thread sharing Inter-thread Sharing Monitor

Finding Inter-thread Sharing Virtual Memory Watchpoints? –~100% of accesses cause page faults Granularity Gap Per-process not per-thread 20 FAULT Inter-Thread Sharing

Hardware Sharing Detector Hardware Performance Counters Intel’s HITM event: W→R Data Sharing 21 S S M M S S I I HITM Pipeline Cache Perf. Ctrs FAULT Core 1Core PEBS Armed Debug Store EFLAGS EIP RegVals MemInfo Precise Fault

Potential Accuracy & Perf. Problems Limitations of Performance Counters  HITM only finds W→R Data Sharing  Hardware prefetcher events aren’t counted Limitations of Cache Events  SMT sharing can’t be counted  Cache eviction causes missed events  False sharing, etc… PEBS events still go through the kernel 22

Demand-Driven Analysis on Real HW 23 Execute Instruction SW Race Detection Enable Analysis Disable Analysis HITM Interrupt? HITM Interrupt? Sharing Recently? Analysis Enabled? NO YES

Performance Increases 24 PhoenixPARSEC 51x

Demand-Driven Analysis Accuracy 25 1/1 2/4 3/3 4/4 3/3 4/4 2/4 4/4 2/4 Accuracy vs. Continuous Analysis: 97%

Outline Problem Statement Background Information  Demand-Driven Dynamic Dataflow Analysis Proposed Solutions  Demand-Driven Data Race Detection  Sampling to Cap Maximum Overheads 26

Reducing Overheads Further: Sampling 27 Lower overheads by skipping some analyses Complete Analysis No Analysis No Analysis

Sampling Allows Distribution 28 Developer Beta TestersEnd Users Many users testing at little overhead see more errors than one user at high overhead.

a += y z = y * 75 y = x * 1024 w = x + 42 Cannot Naïvely Sample Code 29 Validate(x) x = read_input() a += y y = x * 1024 False Positive False Negative w = x + 42 validate(x) x = read_input() Skip Instr. Input Check w Check z Skip Instr. Check a

Sampling must be aware of meta-data Remove meta-data from skipped dataflows  Prevents false positives Solution: Sample Data, not Code 30

a += y z = y * 75 y = x * 1024 w = x + 42 Dataflow Sampling Example 31 validate(x) x = read_input() a += y y = x * 1024 False Negative x = read_input() Skip Dataflow Input Check w Check z Skip Dataflow Check a

Dataflow Sampling 32 Remove dataflows if execution is too slow Sampling Analysis Tool Instrumented Application Instrumented Application Native Application Instrumented Application Instrumented Application Meta-Data Detection Meta-data Clear meta-data OH Threshold

Prototype Setup Taint analysis sampling system  Network packets untrusted Xen-based demand analysis  Whole-system analysis with modified QEMU Overhead Manager (OHM) is user-controlled 33 Xen Hypervisor OS and Applications App … Linux Shadow Page Table Admin VM Taint Analysis QEMU Net Stack OHM

Benchmarks Performance – Network Throughput  Example: ssh_receive Accuracy of Sampling Analysis  Real-world Security Exploits 34 NameError Description ApacheStack overflow in Apache Tomcat JK Connector EggdropStack overflow in Eggdrop IRC bot LynxStack overflow in Lynx web browser ProFTPDHeap smashing attack on ProFTPD Server SquidHeap smashing attack on Squid proxy server

ssh_receive Performance of Dataflow Sampling 35 Throughput with no analysis

Accuracy with Background Tasks ssh_receive running in background 36

BACKUP SLIDES 37

Performance Difference 38 PhoenixPARSEC

Width Test 39