Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using SMGCPA for the Detection of Memory Safety Bugs in the Linux Kernel Anton Vasilyev.

Published by镀崩 依尔觉罗 Modified over 7 years ago

Similar presentations

Presentation on theme: "Using SMGCPA for the Detection of Memory Safety Bugs in the Linux Kernel Anton Vasilyev."— Presentation transcript:

1 Using SMGCPA for the Detection of Memory Safety Bugs in the Linux Kernel
Anton Vasilyev

2 Classification of memory errors
Read / Write Overflow Over-read Dangling pointer Null pointer dereference Uninitialized variables Memory management Memory leak Double free Invalid free Use after free

3 SMG terminology Symbolic Memory Graphs — representation of memory state Objects Regions Lists (SLS и DLS) Symbolic values Points-to edges Has-value edges Labeling functions

4 Operations on SMGs Data Reinterpretation Read Reinterpretation
Write Reinterpretation Merging sequences of Objects to lists Materialisation of Lists Join of SMGs Checking Equality and Inequality of values

5 Write Reinterpretation
void main() { void *array; long b = 2; long c = 3; array = calloc(1, 16); memcpy(&array[4], &b, 4); memcpy(&array[5], &c, 4); }

6 Write Reinterpretation
void main() { void *array; long b = 2; long c = 3; array = calloc(1, 16); memcpy(&array[4], &b, 4); memcpy(&array[5], &c, 4); }

7 Write Reinterpretation
void main() { void *array; long b = 2; long c = 3; array = calloc(1, 16); memcpy(&array[4], &b, 4); memcpy(&array[5], &c, 4); }

8 Write Reinterpretation
void main() { void *array; long b = 2; long c = 3; array = calloc(1, 16); memcpy(&array[4], &b, 4); memcpy(&array[5], &c, 4); }

9 Write Reinterpretation
void main() { void *array; long b = 2; long c = 3; array = calloc(1, 16); memcpy(&array[4], &b, 4); memcpy(&array[5], &c, 4); }

10 Write Reinterpretation
void main() { void *array; long b = 2; long c = 3; array = calloc(1, 16); memcpy(&array[4], &b, 4); memcpy(&array[5], &c, 4); }

11 Overflow int main() { 0: int *array;
1: array = malloc(5 * sizeof(int)); 2: array[5] = 2; free(array); return 0; }

12 Overflow int main() { 0: int *array;
1: array = malloc(5 * sizeof(int)); 2: array[5] = 2; free(array); return 0; }

13 Overflow int main() { 0: int *array;
1: array = malloc(5 * sizeof(int)); 2: array[5] = 2; free(array); return 0; } Error State

14 Double free int main() { 0: int *array, *bad;
1: array = malloc(5 * sizeof(int)); 2: bad = array; 3: free(array); 4: free(bad); return 0; }

15 Double free int main() { 0: int *array, *bad;
1: array = malloc(5 * sizeof(int)); 2: bad = array; 3: free(array); 4: free(bad); return 0; }

16 Double free int main() { 0: int *array, *bad;
1: array = malloc(5 * sizeof(int)); 2: bad = array; 3: free(array); 4: free(bad); return 0; }

17 Double free int main() { 0: int *array, *bad;
1: array = malloc(5 * sizeof(int)); 2: bad = array; 3: free(array); 4: free(bad); return 0; }

18 Double free int main() { 0: int *array, *bad;
1: array = malloc(5 * sizeof(int)); 2: bad = array; 3: free(array); 4: free(bad); return 0; }

19 Double free int main() { 0: int *array, *bad;
1: array = malloc(5 * sizeof(int)); 2: bad = array; 3: free(array); 4: free(bad); return 0; } Error State

20 Merging Sequences of Objects

21 Join SMGs

22 Linux kernel problems Can`t be checked as whole

23 Linux kernel problems Can`t be checked as whole
Require special environment

24 Linux kernel problems Can`t be checked as whole
Require special environment Incomplete sources

25 Linux kernel problems Can`t be checked as whole
Require special environment Incomplete sources Incomplete variables initialization

26 Memory on demand Allows to have simple model of kernel internals
Doesn't report memory leak errors with marked memory Allows dereference uninitialized pointers

27 Memory on demand struct Recursive { struct Recursive *p; };
void foo() { struct Recursive *a; struct Recursive *b; a = ext_allocation(); b = a.p; free(b.p); } void main() { foo();

28 Memory on demand struct Recursive { struct Recursive *p; };
void foo() { struct Recursive *a; struct Recursive *b; a = ext_allocation(); b = a.p; free(b.p); } void main() { foo();

29 Memory on demand struct Recursive { struct Recursive *p; };
void foo() { struct Recursive *a; struct Recursive *b; a = ext_allocation(); b = a.p; free(b.p); } void main() { foo();

30 Memory on demand struct Recursive { struct Recursive *p; };
void foo() { struct Recursive *a; struct Recursive *b; a = ext_allocation(); b = a.p; free(b.p); } void main() { foo();

31 Visualization issues

32 Visualization issues

33 Verification results True positive unsafe False positive unsafe 62 527
Environment SMG 387 137

34 Verification results 11 patches to Linux kernel 7 patches are prepared
12 found errors were fixed

35 Kernel verification Unsafes Safes Unknows Reference level 580 1168
3101 SMG state copy modification 610 1184 3055

36 Further work Improve stop operator performance Symbolic part of SMG
Additional abstraction algorithm for arrays

Download ppt "Using SMGCPA for the Detection of Memory Safety Bugs in the Linux Kernel Anton Vasilyev."

Similar presentations

Linked Lists.

Linked Lists.
Linked Lists CSE 2451 Matt Boggus. Dynamic memory reminder Allocate memory during run-time malloc() and calloc() – return a void pointer to memory or.

Linked Lists CSE 2451 Matt Boggus. Dynamic memory reminder Allocate memory during run-time malloc() and calloc() – return a void pointer to memory or.
David Notkin Autumn 2009 CSE303 Lecture 13 This space for rent.

David Notkin Autumn 2009 CSE303 Lecture 13 This space for rent.
Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.

Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Growing Arrays in C By: Victoria Tielebein CS 265- Spring 2011.

Growing Arrays in C By: Victoria Tielebein CS 265- Spring 2011.
Discussion: Week 3/26. Structs: Used to hold associated data together Used to group together different types of variables under the same name struct Telephone{

Discussion: Week 3/26. Structs: Used to hold associated data together Used to group together different types of variables under the same name struct Telephone{
Introduction to C Programming in Unix Environment - II Abed Asi Extended System Programming Laboratory (ESPL) CS BGU Fall 2014/2015 Some slides.

Introduction to C Programming in Unix Environment - II Abed Asi Extended System Programming Laboratory (ESPL) CS BGU Fall 2014/2015 Some slides.
1 1 Lecture 4 Structure – Array, Records and Alignment Memory- How to allocate memory to speed up operation Structure – Array, Records and Alignment Memory-

1 1 Lecture 4 Structure – Array, Records and Alignment Memory- How to allocate memory to speed up operation Structure – Array, Records and Alignment Memory-
Memory Arrangement Memory is arrange in a sequence of addressable units (usually bytes) –sizeof( ) return the number of units it takes to store a type.

Memory Arrangement Memory is arrange in a sequence of addressable units (usually bytes) –sizeof( ) return the number of units it takes to store a type.
C and Data Structures Baojian Hua

C and Data Structures Baojian Hua
1 CSE 303 Lecture 11 Heap memory allocation ( malloc, free ) reading: Programming in C Ch. 11, 17 slides created by Marty Stepp

1 CSE 303 Lecture 11 Heap memory allocation ( malloc, free ) reading: Programming in C Ch. 11, 17 slides created by Marty Stepp
C Slides and captured lecture (video and sound) are available at: www.cim.mcgill.ca/~jer/C/

C Slides and captured lecture (video and sound) are available at:
University of Washington Memory Allocation III The Hardware/Software Interface CSE351 Winter 2013.

University of Washington Memory Allocation III The Hardware/Software Interface CSE351 Winter 2013.
Week 9 Part 2 Kyle Dewey. Overview Announcement More with structs and memory Assertions Exam #2 Course review.

Week 9 Part 2 Kyle Dewey. Overview Announcement More with structs and memory Assertions Exam #2 Course review.
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Natalia Yastrebova 02.08.2010. What is Coverity? Each developer should answer to some very simple, yet difficult to answer questions: How do I find new.

Natalia Yastrebova What is Coverity? Each developer should answer to some very simple, yet difficult to answer questions: How do I find new.
17. ADVANCED USES OF POINTERS. Dynamic Storage Allocation Many programs require dynamic storage allocation: the ability to allocate storage as needed.

17. ADVANCED USES OF POINTERS. Dynamic Storage Allocation Many programs require dynamic storage allocation: the ability to allocate storage as needed.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Week 9 Part 1 Kyle Dewey. Overview Dynamic allocation continued Heap versus stack Memory-related bugs Exam #2.

Week 9 Part 1 Kyle Dewey. Overview Dynamic allocation continued Heap versus stack Memory-related bugs Exam #2.

Similar presentations

Ads by Google