1
Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools
Olatunji Ruwase*, Shimin Chen+, Phillip B. Gibbons+, Todd C. Mowry*
* School of Computer Science, Carnegie Mellon University
+ Intel Labs Pittsburgh
2
Bug detection using Lifeguards
Figure: program monitored by the Lifeguard
Lifeguard: detects errors by monitoring the execution of an unmodified binary
- Exploits instruction-grained runtime information
- Blocks exploits before a software patch is available [Savage et al. '97, Newsome & Song '05, Nethercote et al. '07]
Significant program slowdown (X) when using Dynamic Binary Instrumentation (DBI): Valgrind, PIN, DynamoRIO
- DBI is standard practice
Decoupled Lifeguards - 2 -
3
Why instruction grained Lifeguards are slow
Program on the left, TaintCheck lifeguard handlers on the right (operand order: destination first):
    program               TaintCheck lifeguard
    mov %eax A            taint(eax) = taint(A)
    add %eax B            taint(eax) |= taint(B)
    mov C %eax            taint(C) = taint(eax)
    cmp %ecx, %eax
4
Why instruction grained Lifeguards are slow
    program               TaintCheck lifeguard
    mov %eax A            taint(eax) = taint(A)
    add %eax B            taint(eax) |= taint(B)
    mov C %eax            taint(C) = taint(eax)
    cmp %ecx, %eax
Handler for the memory-to-register copy instruction (mov %eax A): a two-level lookup of the shadow byte for the address in %eax, stored into the register's taint slot
    mov %ecx %eax
    shr %ecx $16
    mov %ecx level1_index(,%ecx,4)
    and %eax 0xffff
    shr %eax $2
    mov %eax (%eax,%ecx,1)
    mov reg_taint(%edx) %al
5
Why instruction grained Lifeguards are slow
Instrumented execution: program instructions interleaved with lifeguard handler code
    mov %ecx %eax                     # handler for mov %eax A: metadata lookup
    shr %ecx $16
    mov %ecx level1_index(,%ecx,4)
    and %eax 0xffff
    shr %eax $2
    mov %eax (%eax,%ecx,1)
    mov reg_taint(%edx) %al
    Switch execution context
    mov %eax A                        # program
    Switch execution context
    or reg_taint(%edx) %al            # handler for add %eax B: taint(eax) |= taint(B)
    add %eax B                        # program
    mov %al reg_taint(%edx)           # handler for mov C %eax: taint(C) = taint(eax)
    mov C %eax                        # program
    cmp %ecx, %eax                    # program
6
Optimizing Lifeguard code on program paths is hard
Instrumented program path: the interleaved listing of the previous slide (handler code for mov %eax A, then the execution-context switches and the program instructions mov %eax A, add %eax B, mov C %eax, cmp %ecx, %eax with their handlers)
Tight coupling of program & lifeguard code is the key obstacle
Speaker notes: An opportunity study for lifeguard acceleration showed that optimizing lifeguard code on long program paths (up to 8 branches) will reduce the overhead of lifeguard code significantly. The instrumented program path shows the tight coupling of program code (thin black lines) and lifeguard code (thick colored lines). Optimization is dy
7
Decoupling Lifeguard execution
Figure labels: Instrumented program path; Unoptimized path handler
8
Lifeguard specific optimizations on program path
Compose the instruction handlers of a program path into one (unoptimized) path handler
Figure labels: Program path; Unoptimized path handler
Speaker notes: Say hottest mcf path
9
Lifeguard specific optimizations on program path
Compose the instruction handlers of a program path, then optimize the resulting path handler
Figure labels: Program path; Unoptimized path handler; Optimized path handler
x86 instruction count of the TaintCheck handler for the mcf path:
    Original                  86
    Standard path opts        81 (95%)
    Lifeguard path opts       47 (55%)
Speaker notes: Say hottest mcf path
10
Outline
- Dynamic path optimization of Decoupled Lifeguards
- Decoupling Lifeguards: Challenges and Solutions
- Using lifeguard domain knowledge for path optimizations
- Evaluation
- Conclusions
11
Decoupling Lifeguards: Challenges and Solutions
Issue 1: When to run Lifeguard code
- At the end of the path, where the data is available
Figure labels: Program path; Optimized path handler
12
Decoupling Lifeguards: Challenges and Solutions
Issue 2: How to pass data to the Lifeguard
- Marshal the data into a buffer that the path handler reads
Figure labels: Program path; Buffer; Optimized path handler
13
Decoupling Lifeguards: Challenges and Solutions
Challenge 1: How to handle side exits
Figure: a program path of blocks 1, 2, 3, 4 with side exits after blocks 1, 2 and 3; the optimized path handler covers the whole path, and separate path handlers cover the side exits
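The coupled-versus-decoupled execution described on slides 3 to 5 and 11 to 13, as an added example in C that is not part of the paper or the slides: a two-level shadow memory with the same index arithmetic as the slide's 6-instruction handler, the three TaintCheck handlers run once per instruction (coupled), and the same checks run once from a marshalled buffer at the end of the path or at a side exit (decoupled). The addresses, the taint values, the `path_buffer` layout and the treatment of a side exit as an executed-instruction prefix are assumptions of this example, not the paper's design.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not the paper's code). A word-granular two-level shadow memory
 * matching the slide's 6-instruction TaintCheck lookup:
 *   ecx = eax >> 16; ecx = level1_index[ecx]; eax = (eax & 0xffff) >> 2; al = ecx[eax]
 * Assumptions: 32-bit addresses, one taint byte per 4-byte word, second-level
 * chunks allocated on first write (an absent chunk reads as untainted). */
#define L1_ENTRIES (1u << 16)
#define L2_ENTRIES (1u << 14)
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

static uint8_t *level1_index[L1_ENTRIES];
static uint8_t reg_taint[8];
static int metadata_lookups;               /* how often the two-level walk ran */

static uint8_t *shadow_slot(uint32_t addr, int create)
{
    uint8_t **chunk = &level1_index[addr >> 16];
    metadata_lookups++;
    if (*chunk == NULL) {
        if (!create) return NULL;
        *chunk = calloc(L2_ENTRIES, 1);
        if (*chunk == NULL) abort();
    }
    return *chunk + ((addr & 0xffff) >> 2);
}
static uint8_t mem_taint(uint32_t addr) { uint8_t *s = shadow_slot(addr, 0); return s ? *s : 0; }
static void set_mem_taint(uint32_t addr, uint8_t t) { *shadow_slot(addr, 1) = t; }

/* Coupled execution (slides 3-5): a handler runs after every program
 * instruction, paying the lookup and an execution-context switch each time. */
static uint8_t run_coupled(uint32_t A, uint32_t B, uint32_t C)
{
    reg_taint[EAX] = mem_taint(A);        /* handler for  mov %eax A */
    reg_taint[EAX] |= mem_taint(B);       /* handler for  add %eax B */
    set_mem_taint(C, reg_taint[EAX]);     /* handler for  mov C %eax */
    return mem_taint(C);
}

/* Decoupled execution (slides 11-13): the program path only marshals operand
 * addresses into a buffer and the composed path handler runs once at the end
 * of the path. A side exit is recorded as the number of instructions that
 * executed, and the handler checks exactly that prefix (a simplification of
 * the slide's separate handler versions per side exit). */
struct path_buffer { uint32_t addr[3]; int executed; };

static void path_handler(const struct path_buffer *b)
{
    if (b->executed >= 1) reg_taint[EAX] = mem_taint(b->addr[0]);
    if (b->executed >= 2) reg_taint[EAX] |= mem_taint(b->addr[1]);
    if (b->executed >= 3) set_mem_taint(b->addr[2], reg_taint[EAX]);
}

static uint8_t run_decoupled(uint32_t A, uint32_t B, uint32_t C, int executed)
{
    struct path_buffer b = { { A, B, C }, executed };
    path_handler(&b);
    return mem_taint(C);
}

/* Constructed scenario: A holds tainted input, B and C are clean. */
static const uint32_t ADDR_A = 0x08049000u, ADDR_B = 0x08049100u, ADDR_C = 0xbffff000u;

static void setup(void)
{
    memset(reg_taint, 0, sizeof reg_taint);
    set_mem_taint(ADDR_A, 1);
    set_mem_taint(ADDR_B, 0);
    set_mem_taint(ADDR_C, 0);
    metadata_lookups = 0;
}
static uint8_t coupled_result(void) { setup(); return run_coupled(ADDR_A, ADDR_B, ADDR_C); }
static uint8_t decoupled_result(int executed) { setup(); return run_decoupled(ADDR_A, ADDR_B, ADDR_C, executed); }
static int lookup_count(void) { return metadata_lookups; }

int main(void)
{
    uint8_t c = coupled_result();
    printf("coupled: taint(C) = %u after %d metadata lookups\n", c, lookup_count());
    printf("decoupled, whole path: taint(C) = %u\n", decoupled_result(3));
    printf("decoupled, side exit after 2 instructions: taint(C) = %u\n", decoupled_result(2));
    return 0;
}
```

Both variants propagate the taint of A to C when the whole path executes, and the side-exit case leaves C clean because the store was never reached. The lookup counter makes the cost model of the slides visible: in the coupled version every handler performs its own two-level walk, whereas in the decoupled handler all walks sit in one function, which is what makes the common-subexpression elimination of the later slides possible.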
14
Decoupling Lifeguards: Challenges and Solutions
Challenge 2: How to contain errors in the path
See paper for details of the solution, based on:
- Page protection to prevent data corruption
- Completing checks before system calls, indirect jumps and function calls
Figure labels: Program path; Optimized path handler; Page protection to prevent data corruption; Complete checking before syscalls, indirect jumps, function calls
15
Outline
- Dynamic path optimization of Decoupled Lifeguards
- Decoupling Lifeguards: Challenges and Solutions
- Using lifeguard domain knowledge for path optimizations
- Evaluation
- Conclusion
16
Lifeguard optimization opportunities
- Alias analysis to reduce metadata accesses
- Dead metadata update detection to eliminate instruction handlers
TaintCheck handler for the mcf path (memory operands A, B, C, D):
    taint(esi) = taint(esi) | taint(A)
    taint(edx) = taint(edi)
    taint(edi) = taint(esi)
    taint(edi) = taint(edi) | taint(B)
    taint(ecx) = taint(C)
    taint(edi) = taint(edx) | taint(ecx)
    taint(ebx) = taint(D)
    …
Each access to the metadata of a program memory address costs 6 instructions:
    mov %ecx %eax
    shr %ecx $16
    mov %ecx level1_index(,%ecx,4)
    and %eax 0xffff
    shr %eax $2
    mov %eax (%eax,%ecx,1)
    mov reg_taint(%edx) %al
17
Alias analysis for metadata accesses
mcf path (program) on the left, TaintCheck handler for the mcf path on the right:
    program                      TaintCheck lifeguard
    add %esi x24[%ebp]           taint(esi) = taint(esi) | taint(A)
    mov %edx %edi                taint(edx) = taint(edi)
    mov %edi %esi                taint(edi) = taint(esi)
    sub %edi x24[%ebp]           taint(edi) = taint(edi) | taint(B)
    …                            …
    mov %ecx x24[%ebp]           taint(ecx) = taint(C)
    lea %edi [%edx,%ecx,1]       taint(edi) = taint(edx) | taint(ecx)
    mov %ebx 0x1c[%ebp]          taint(ebx) = taint(D)
Speaker notes: Program on the left, lifeguard on the right
18
Alias analysis for metadata accesses
After alias analysis (%ebp is not written on the path, so the x24[%ebp] operands are the same address A):
    program                      TaintCheck lifeguard
    add %esi x24[%ebp]           taint(esi) = taint(esi) | taint(A)
    mov %edx %edi                taint(edx) = taint(edi)
    mov %edi %esi                taint(edi) = taint(esi)
    sub %edi x24[%ebp]           taint(edi) = taint(edi) | taint(A)
    …                            …
    mov %ecx x24[%ebp]           taint(ecx) = taint(A)
    lea %edi [%edx,%ecx,1]       taint(edi) = taint(edx) | taint(ecx)
    mov %ebx 0x1c[%ebp]          taint(ebx) = taint(A+64)
Enables the metadata access CSE optimization described in the paper
19
Eliminating dead instruction handlers
TaintCheck handler for the mcf path after alias analysis:
    taint(esi) = taint(esi) | taint(A)
    taint(edx) = taint(edi)
    taint(edi) = taint(esi)                # dead taint(edi) update
    taint(edi) = taint(edi) | taint(A)     # dead taint(edi) update
    taint(ecx) = taint(A)
    taint(edi) = taint(edx) | taint(ecx)
    taint(ebx) = taint(A+64)
    …
Dead taint(edi) updates: both are overwritten by taint(edi) = taint(edx) | taint(ecx) before any handler reads them
See paper for details of other optimizations, e.g. eliminating loop redundancies
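The alias analysis of slides 17 and 18 and the dead metadata update elimination of slide 19, as an added C example that is not the paper's implementation: the mcf path handler is represented as taint-update statements, memory operands are resolved to one symbolic address for as long as their base register is unwritten, and a backward liveness pass over register taint removes the two dead taint(edi) updates. The register numbering, the `stmt` representation, the choice to treat every register as live at path exit, and the symbolic address ids (addr0, addr1 rather than the slide's A and A+64) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not the paper's code). A TaintCheck path handler modelled as
 * statements  taint(dst) = taint(src0) [| taint(src1)]  whose operands are
 * registers or [base + disp] memory, as in the x86 instruction each mirrors. */
enum kind { NONE = 0, REG, MEM };
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, NREGS };
struct opnd { enum kind k; int reg; int32_t disp; };   /* for MEM, reg is the base */
struct stmt { struct opnd dst, src[2]; int addr_id[2]; int dead; };

static struct opnd R(int r)           { struct opnd o = { REG, r, 0 };    return o; }
static struct opnd M(int base, int d) { struct opnd o = { MEM, base, d }; return o; }
static struct opnd NO(void)           { struct opnd o = { NONE, 0, 0 };   return o; }

/* Alias analysis, forward over the path: (base, disp) names one symbolic address
 * (recorded in addr_id) until the program writes the base register. Returns the
 * number of distinct addresses, i.e. shadow-address walks left after CSE. */
static int alias_analysis(struct stmt *p, int n)
{
    struct { int base; int32_t disp; int id; } tab[64];
    int ntab = 0, next_id = 0;
    for (int i = 0; i < n; i++) {
        for (int s = 0; s < 2; s++) {
            const struct opnd *o = &p[i].src[s];
            int id = -1;
            p[i].addr_id[s] = -1;
            if (o->k != MEM) continue;
            for (int t = 0; t < ntab && id < 0; t++)
                if (tab[t].base == o->reg && tab[t].disp == o->disp) id = tab[t].id;
            if (id < 0) {
                id = next_id++;
                if (ntab < 64) { tab[ntab].base = o->reg; tab[ntab].disp = o->disp; tab[ntab++].id = id; }
            }
            p[i].addr_id[s] = id;
        }
        if (p[i].dst.k != REG) continue;
        for (int t = 0; t < ntab; )   /* register written: drop the entries based on it */
            if (tab[t].base == p[i].dst.reg) tab[t] = tab[--ntab]; else t++;
    }
    return next_id;
}

/* Dead metadata update elimination: one backward liveness pass over register taint.
 * Conservative choices: every register is live at path exit (the successor is
 * unknown), memory taint updates are never removed, and a MEM source reads the
 * taint of the address, not of its base register, so it adds no liveness. */
static int dead_update_elimination(struct stmt *p, int n)
{
    unsigned live = (1u << NREGS) - 1;
    int removed = 0;
    for (int i = n - 1; i >= 0; i--) {
        p[i].dead = 0;
        if (p[i].dst.k == REG) {
            if (!(live & (1u << p[i].dst.reg))) { p[i].dead = 1; removed++; continue; }
            live &= ~(1u << p[i].dst.reg);
        }
        for (int s = 0; s < 2; s++)
            if (p[i].src[s].k == REG) live |= 1u << p[i].src[s].reg;
    }
    return removed;
}

/* The mcf path of slide 17, transcribed from its x86 instructions (the slide
 * writes the displacements as x24[%ebp] and 0x1c[%ebp]). */
static int build_mcf_path(struct stmt *p)
{
    int n = 0;
#define S(d, a, b) do { p[n].dst = d; p[n].src[0] = a; p[n].src[1] = b; n++; } while (0)
    S(R(ESI), R(ESI), M(EBP, 0x24));   /* add %esi x24[%ebp]     */
    S(R(EDX), R(EDI), NO());           /* mov %edx %edi          */
    S(R(EDI), R(ESI), NO());           /* mov %edi %esi          */
    S(R(EDI), R(EDI), M(EBP, 0x24));   /* sub %edi x24[%ebp]     */
    S(R(ECX), M(EBP, 0x24), NO());     /* mov %ecx x24[%ebp]     */
    S(R(EDI), R(EDX), R(ECX));         /* lea %edi [%edx,%ecx,1] */
    S(R(EBX), M(EBP, 0x1c), NO());     /* mov %ebx 0x1c[%ebp]    */
#undef S
    return n;
}

struct result { int remaining, distinct_addrs; unsigned dead_mask; };
static struct result optimize_mcf(void)
{
    struct stmt mcf[16];
    struct result r = { 0, 0, 0 };
    int n = build_mcf_path(mcf);
    r.distinct_addrs = alias_analysis(mcf, n);
    r.remaining = n - dead_update_elimination(mcf, n);
    for (int i = 0; i < n; i++) if (mcf[i].dead) r.dead_mask |= 1u << i;   /* bit i = statement i removed */
    return r;
}

int main(void)
{
    struct result r = optimize_mcf();
    printf("%d of 7 updates remain, %d distinct metadata addresses, dead mask 0x%x\n", r.remaining, r.distinct_addrs, r.dead_mask);
    return 0;
}
```

On the slide's path the analysis finds two distinct addresses (the three x24[%ebp] accesses share one shadow-address walk) and marks statements 2 and 3, the two taint(edi) updates, as dead, leaving five of the seven updates. The single backward pass removes both because once the later update is dead it contributes no liveness to the earlier one.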
20
Evaluation
Lifeguards:
- AddrCheck: unallocated memory access
- Eraser: concurrency errors
- MemCheck: AddrCheck + uninitialized read errors
- TaintCheck: security errors
Lifeguard instrumentation platforms: DBI (Valgrind) and hardware accelerated (LBA)
Decoupled lifeguard code on program paths of up to 8 branches
21
Lifeguard overhead reduction in Valgrind
Chart: AddrCheck and MemCheck overhead reduction under Standard path optimizations (SPO) and SPO + dead handler elimination (DHE)
Standard path opts yield mixed results
22
Lifeguard overhead reduction in Valgrind
Chart: AddrCheck 24% reduction, MemCheck 6% reduction (series: Standard path optimizations (SPO), SPO + dead handler elimination (DHE))
Limitations to improvements:
- Instrumentation overhead
- No metadata access CSE
Speaker notes: Talk about limitations
23
Results with hardware assisted instrumentation (LBA)
Chart series: SPO; SPO + DHE; SPO + DHE + metadata access CSE
    AddrCheck     50% reduction
    Eraser        53% reduction
    MemCheck      42% reduction
    TaintCheck    38% reduction
24
Conclusions
Decoupling enables optimization of lifeguard code on program paths:
- Correctness checking at path granularity
- Multi-versioned checking code to handle side exits
- Page protection for containing errors
Lifeguard domain knowledge enables redundancy elimination beyond standard optimizations:
- Better alias analysis
- Lifeguard-specific dead code and common subexpression elimination
Lifeguard overhead reductions:
- Up to 24% on Valgrind
- Up to 53% on LBA