Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang

Published byΑδώνια Χρηστόπουλος Modified over 5 years ago

Similar presentations

Presentation on theme: "Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang"— Presentation transcript:

1 Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang
Memory Corruption Detecting Method Using Static Variables and Dynamic Memory Usage Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang {pola0527, 표지

2 Agenda Memory Corruption Related Work Our Method Empirical study
Static memory corruption detection Dynamic memory corruption detection Our Method Information tagging Real-time memory defect detection Signal hooking Automation Empirical study Conclusion and future work

3 Memory corruption Memory corruption is a fault in which the content of memory is changed unintentionally during the execution of program. Once memory corruption occurs, the process either malfunctions or the system crashes. Memory corruption is a defect that is difficult to resolve Reason 1: There are often cases where the location of the cause of the memory corruption differs from the location of the actual failure  It is difficult to correlate the cause and effect Reason 2: The symptoms of memory corruption are non-deterministic  The fault is not always reproduced  We propose a method to detect real time memory corruption by using static global variables and dynamic memory usage

4 Memory defect categories
Category Defects Allocation Memory allocation failure Zero-size memory allocation Memory leak Deallocation Null pointer free (Compiler-dependent) Duplicated free Unallocated memory free Allocation/deallocation mismatch Access Null pointer access Freed memory access Unallocated memory access Access defects out of the allocated range that do not conflict with memory space of other variables Access defect out of the allocated range that conflicts with memory space of other variables

5 <Linux Virtual Memory>
Related work Static memory corruption detection Analyze source codes Analyze executable binaries without execution Analyze to detect defects such as a buffer overflow Limitation: This method cannot detect memory corruption in dynamic memory Defect detection accuracy is not very high Dynamic memory corruption detection Collects debugging information by adding tracking code into memory-related function Compilation time Runtime Some popular tools: Purify, Memcheck, AddressSanitizer, … operate in the actual execution environment Highly accurate in the detection of memory corruption Limitation Performance overhead Recompilation or change in the executable binary Text (Code) Data Heap Stack <Linux Virtual Memory>

6 Information tagging Target System
In order to detect memory defects in real-time, there must first be information that can determine the validity of the memory that will be used  shadow memory technique To reduce the overhead from shadow memory, only the static global variables analyzed from the executable binary and dynamically allocated information on the heap memory area are managed through a data structure called ‘information tag’ Executable binary Target System Information Tags Repository Process Dynamic memory usage Static variables

7 Memory defect detection
To monitor memory usage, hooking is used for memory-related functions void free(void *ptr) { if ((tempTag->Flag & 0x01) == 0x01) { s_informtag *tempTag = NULL; // Duplicated free if the information tag's deallocation flag is set if (g_pOrigFree == NULL) { SoMain(); // Information Tagging Module initialization return; } // Update the information tag if(ptr == NULL) { InfoTag_Update((const void*)ptr, 2, (int)(tempTag->Flag |= 0x01)); // Null pointer free InfoTag_Update(ptr, 4, (ADDR_TYPE)__builtin_return_address(0)); ((void(*)(void*))g_pOrigFree)(ptr); tempTag = InfoTag_Get(ptr); if(tempTag == NULL) { // Unallocated memory free if the information tag does not exist if ((tempTag->Flag & 0x80) == 0x80) { // Unallocated memory free if the information tag's allocation flag is set as static allocation if ((tempTag->Flag & 0x18) > 0) { // Allocation/deallocation mismatch if the information tag's allocation function type flag is set to type new/new[]

8 Signal hooking Some memory defects may cause system crashes
In order to detect defects without losing information when a system crashes, a signal handler that is raised during a crash is hooked Signal related to memory defects SIGSEGV SIGABRT SIGBUS

9 Execution Binary Analysis
Automation Tool ARM-based Linux system Linux kernel Executable binary analysis module Extracts static global variables to store in information tag repository from the binary file Defect detection module using information tagging Detects defects using information tags each time a memory-related function is called Crash monitoring module Used the signal hooking to hook signal handlers and collect defect detection information without losing data Result output module (Fault Detection) Generates the results on defects that were detected in real-time MCDT Execution Binary Analysis Run - Target Process Fault Detection

10 Automation Tool

11 Empirical study ITC benchmark
A program that was developed for defects occurring in actual vehicle software Contains a mix of various defects, such as deadlock and typecasting, memory defects Fault TC count Crash occurrence TC_02 Buffer_overrun_dynamic 32 1 TC_29 Memory_leak 18 TC_03 Buffer_underrun_dynamic 39 3 TC_31 Null_pointer 17 15 TC_04 Cmp_funcadr 2 TC_32 Overrun_st 54 TC_11 Deletion_of_data_structure_sentinel TC_33 Ow_memory TC_12 Double_free 12 TC_42 St_overflow 7 TC_16 Free_nondynamic_allocated_memory 16 TC_43 St_underflow TC_17 Free_null_pointer 14 9 TC_44 Underrun_st 13 TC_24 Invalid_memory_access TC_45 Uninit_memory_access TC_25 Littlemem_st 11 4 TC_46 Uninit_pointer TC_28 Memory_allocation_failure

12 Results - All Detection rate Cause of defects (a) Detected Fault
Our tool detected 111 defects out of 311 defects AddressSanitizer: 65 defects Memcheck: 80 defects Cause of defects Our method accurately analyzed the cause of 94 defects (84.69%) AddressSanitizer: 10 defects Memcheck: 43 defects (a) Detected Fault (b) Fault Detection Accuracy

13 Results – Crash occurrence
Detection rate Our tool detected 77 defects out of 84 defects AddressSanitizer: 57 defects Memcheck: 63 defects Cause of defects Our method accurately analyzed the cause of 58 defects (65.71%) AddressSanitizer: 8 defects Memcheck: 34 defects (a) Fault Detection (b) Fault Detection Accuracy

14 Performance Monitoring overhead
Our method had a 6.67% performance overhead AddressSanitizer: 26.7% performance overhead Memcheck: heavyweight method

15 Conclusion and future work
Memory corruption is a remaining problem to be resolved Defects must be detected across all memories used in a process It is important to accurately identify the location of the cause of the defect instead of just the moment when the defect occurred We proposed a method that detects memory corruption by analyzing static global variables and dynamic memory use Future work We will conduct further experimental study to measure the performance of our tool by fault injection We plan to expand the static memory used for defect detection to the entire static memory area

Download ppt "Jihyun Park, Changsun Park, Byoungju Choi, Gihun Chang"

Similar presentations

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
1 Memory Allocation Professor Jennifer Rexford COS 217.

1 Memory Allocation Professor Jennifer Rexford COS 217.
User-Level Memory Management in Linux Programming

User-Level Memory Management in Linux Programming
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.

Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
CPSC 388 – Compiler Design and Construction

CPSC 388 – Compiler Design and Construction
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.

Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
Run-Time Storage Organization

Run-Time Storage Organization
C and Data Structures Baojian Hua

C and Data Structures Baojian Hua
WEL COME PRAVEEN M JIGAJINNI PGT (Computer Science) MCA, MSc[IT], MTech[IT], MPhil (Comp. Sci), PGDCA, ADCA, Dc. Sc. & Engg.

WEL COME PRAVEEN M JIGAJINNI PGT (Computer Science) MCA, MSc[IT], MTech[IT], MPhil (Comp. Sci), PGDCA, ADCA, Dc. Sc. & Engg.
. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.

. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.
Memory Layout C and Data Structures Baojian Hua

Memory Layout C and Data Structures Baojian Hua
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Prof. amr Goneid, AUC1 CSCE 110 PROGRAMMING FUNDAMENTALS WITH C++ Prof. Amr Goneid AUC Part 10. Pointers & Dynamic Data Structures.

Prof. amr Goneid, AUC1 CSCE 110 PROGRAMMING FUNDAMENTALS WITH C++ Prof. Amr Goneid AUC Part 10. Pointers & Dynamic Data Structures.
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
15-740/18-740 Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.

Computer Science and Software Engineering University of Wisconsin - Platteville 2. Pointer Yan Shi CS/SE2630 Lecture Notes.
Pointers review Let a variable aa be defined as ‘int *aa;’, what is stored in aa? Let a variable aa be defined as ‘int ** aa;’ what is stored in aa? Why.

Pointers review Let a variable aa be defined as ‘int *aa;’, what is stored in aa? Let a variable aa be defined as ‘int ** aa;’ what is stored in aa? Why.

Similar presentations

Ads by Google