Presentation is loading. Please wait.

Presentation is loading. Please wait.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene.

Published byLesley Hampton Modified over 9 years ago

Similar presentations

Presentation on theme: "U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene."— Presentation transcript:

1 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene Novark Emery Berger University of Massachusetts Amherst TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A Ben Zorn Microsoft Research

2 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Problems with Unsafe Languages C, C++: pervasive apps, but unsafe Numerous opportunities for security vulnerabilities, errors Double/Invalid free Uninitialized reads Dangling pointers Buffer overflows (stack & heap) DieHard: eliminates some, probabilistically avoids others [PLDI 2006] Exterminator: builds on DieHard

3 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 DieHard Overview Use randomization & (optionally) replication to reduce risk of memory errors Objects randomly spread across heap Different run = different heap Probabilistic memory safety Errors across heaps independent object size = 2 i+4 object size = 2 i+3 1163254 … Run 1: “malignant” overflowRun 2: “benign” overflow 2345316 … [PLDI 2006]

4 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 DieHard Limitations DieHard: Fine for single error But multiple errors eventually swamp probabilistic protection Not great for large overflows Tolerates errors But doesn’t find them No information for programmer Exterminator: Automatically isolate and fix memory errors

5 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous char * str = new char[8]; strcpy (str, “goodbye cruel world”);

6 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous char * str = new char[8]; strcpy (str, “goodbye cruel world”);

7 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous bad object (too small) char * str = new char[8]; strcpy (str, “goodbye cruel world”);

8 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous bad object (too small)  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

9 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous bad object (too small)  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

10 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

11 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

12 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

13 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”);

14 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”); 1. Heap provides no useful information

15 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Diagnosing Buffer Overflows Canonical buffer overflow: Allocate object – too small Write past end ) nukes object  bytes forward Not necessarily contiguous  bytes past end char * str = new char[8]; strcpy (str, “goodbye cruel world”); 2. No way to detect corruption

16 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Isolating Buffer Overflows 8102934517 Red = possible bad object Green = not bad object Canaries in freed space detect corruption known random valuedead canary = corruption # = object id (allocation time)

17 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Isolating Buffer Overflows 82934517 Red = possible bad object Green = not bad object Canaries in freed space detect corruption Run multiple times with “DieFast” allocator 10

18 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Canaries in freed space detect corruption Run multiple times with “DieFast” allocator 8102934517 Isolating Buffer Overflows Red = possible bad object Green = not bad object 18753291064

19 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same  8102934517 Isolating Buffer Overflows Red = possible bad object Green = not bad object 18753291064

20 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 8102 9 4517 Isolating Buffer Overflows Red = possible bad object Green = not bad object 187532 9 64 3 Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same  10

21 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 810 2 934517 Isolating Buffer Overflows Red = possible bad object Green = not bad object 18753 2 964 Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same  10

22 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same  8 10 2 934517 Isolating Buffer Overflows Red = possible bad object Green = not bad object 18753 10 6492

23 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same  ) object 9 overflowed, with high probability Isolating Buffer Overflows 8102934517 Red = possible bad object Green = not bad object 18753291064 496 3 85721

24 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Buffer Overflow Analysis Example: H = 1,000,000 objects 3 iterations ¼ false positives Iterations exponentially increase precision H = # heap objects K = # iterations 8102934517 496 3 85721 1875329 64

25 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Isolating Dangling Pointers Dangling pointer error: Live object freed too soon Overwritten by some other object int * v = new int[4]; … delete [] v; // oops … char * str = new char[16]; strcpy (str, “die, pointer”); v[3] = 12; … use of v[0]

26 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Isolating Dangling Pointers Unlike buffer overflow: dangling pointer ) same corruption in all k = 3 ) false negatives ¼ 1123645101127981753211126 4 891046 3 125721 4 1089

27 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Correcting Allocator Generate runtime patches to correct errors Track object call sites in allocator Prevent overflows: pad overflowed objects malloc(8)  malloc(8 + δ ) Prevent dangling pointers: defer frees free(ptr)  delay δ mallocs; free(ptr) 1  1

28 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator Architecture Three main pieces: DieHard-based allocator (DieFast) Reveals bugs Error isolator Finds bugs across multiple heaps w.h.p. Correcting allocator Fixes bugs Multiple modes suitable for testing (debugging) or deployment

29 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator Modes Iterative Run multiple times Same inputs Debugging Replicated Run simultaneously Deployable w/limitations Can fix errors on-the-fly Cumulative Different inputs, nondeterminism Deployable; see paper for details seed vote broadcast input output DieFast replica 1 seed DieFast replica 2 seed Error isolator correcting allocator DieFast replica 3 runtime patches

30 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator Runtime Overhead 25%

31 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Empirical Results: Real Faults Squid heap overflow Crashes glibc 2.8.0 and BDW collector 3 iterations to fix ) 6 byte pad Prevents overflow for all subsequent executions

32 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Mozilla 1.7.3 buffer overflow Debug scenario: repeated load of PoC: 23 runs to fix overflow Deployed scenario: different browsing sessions: 34 runs to fix 2 Empirical Results: Real Faults 31 12

33 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator Conclusion Exterminator: automatic error correction w.h.p. Randomization  bugs have different effects Statistical analysis combines information from multiple runs to isolate error Correcting allocator eliminates bugs at runtime http://www.cs.umass.edu/~gnovark/

34 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007

35 436521 8 16 allocation space bitmap 1 object size 2 inUse 4 1 6 1 miniheaps DieHard, heap layout Bitmap-based, segregated size classes Bit represents one object of given size i.e., one bit = 2 i+3 bytes, etc. malloc() : randomly probe bitmap for free space free(): just reset bit

36 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator Extensions 00000001 single miniheap allocation bitmap heap 2 1 3 object id (serial number) 32 dealloc time DieHard Exterminator dealloc site D6D6 D9D9 alloc site A4A4 A8A8 A3A3

Download ppt "U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene."

Similar presentations

DieHard: Memory Error Fault Tolerance in C and C++ Ben Zorn Microsoft Research In collaboration with Emery Berger and Gene Novark, Univ. of Massachusetts.

DieHard: Memory Error Fault Tolerance in C and C++ Ben Zorn Microsoft Research In collaboration with Emery Berger and Gene Novark, Univ. of Massachusetts.
The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.

The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.
Dynamic Memory Management

Dynamic Memory Management
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 10: Heap Management CS 540 GMU Spring 2009.

Lecture 10: Heap Management CS 540 GMU Spring 2009.
Michael Bond Kathryn McKinley The University of Texas at Austin Presented by Na Meng Most of the slides are from Mike’s original talk. Many thanks go to.

Michael Bond Kathryn McKinley The University of Texas at Austin Presented by Na Meng Most of the slides are from Mike’s original talk. Many thanks go to.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Dynamic Memory Management Emery Berger and Mark Corner.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Dynamic Memory Management Emery Berger and Mark Corner.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
1 U NIVERSITY OF M ASSACHUSETTS, A MHERST School of Computer Science P REDATOR : Predictive False Sharing Detection Tongping Liu*, Chen Tian, Ziang Hu,

1 U NIVERSITY OF M ASSACHUSETTS, A MHERST School of Computer Science P REDATOR : Predictive False Sharing Detection Tongping Liu*, Chen Tian, Ziang Hu,
By Gene Novark, Emery D. Berger and Benjamin G. Zorn Presented by Matthew Kent Exterminator: Automatically Correcting Memory Errors with High Probability.

By Gene Novark, Emery D. Berger and Benjamin G. Zorn Presented by Matthew Kent Exterminator: Automatically Correcting Memory Errors with High Probability.
Ben Livshits Based in part of Stanford class slides from and slides from Ben Zorn’s talk slides.

Ben Livshits Based in part of Stanford class slides from and slides from Ben Zorn’s talk slides.
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.

Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
CPSC 388 – Compiler Design and Construction

CPSC 388 – Compiler Design and Construction
Memory Safety Through Runtime Analysis Justin Samuel for CSE 504, Spring ‘10 Instructor: Ben Livshits.

Memory Safety Through Runtime Analysis Justin Samuel for CSE 504, Spring ‘10 Instructor: Ben Livshits.
By Emery D. Berger and Benjamin G. Zorn Presented by: David Roitman.

By Emery D. Berger and Benjamin G. Zorn Presented by: David Roitman.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science CRAMM: Virtual Memory Support for Garbage-Collected Applications Ting Yang, Emery.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science CRAMM: Virtual Memory Support for Garbage-Collected Applications Ting Yang, Emery.
Operating Systems CMPSCI 377 Lecture 11: Memory Management

Operating Systems CMPSCI 377 Lecture 11: Memory Management
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.
Tolerating and Correcting Memory Errors in C and C++ Ben Zorn Microsoft Research In collaboration with: Emery Berger and Gene Novark, Umass - Amherst Karthik.

Tolerating and Correcting Memory Errors in C and C++ Ben Zorn Microsoft Research In collaboration with: Emery Berger and Gene Novark, Umass - Amherst Karthik.

Similar presentations

Ads by Google