Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rémi Douence, Thomas Fritz Nicolas Loriant, Jean-Marc Menaud Marc Ségura-Devillechaise, Mario Südholt OBASCO group EMN/INRIA An expressive aspect language.

Published byMelinda Walsh Modified over 9 years ago

Similar presentations

Presentation on theme: "Rémi Douence, Thomas Fritz Nicolas Loriant, Jean-Marc Menaud Marc Ségura-Devillechaise, Mario Südholt OBASCO group EMN/INRIA An expressive aspect language."— Presentation transcript:

1 Rémi Douence, Thomas Fritz Nicolas Loriant, Jean-Marc Menaud Marc Ségura-Devillechaise, Mario Südholt OBASCO group EMN/INRIA An expressive aspect language for system applications with Arachne

2 2 Outline Why another aspect system? How to program with Arachne? How does Arachne work? How fast are Arachne aspects?

3 3 Aspects for adapting legacy applications ● Adaptation and evolution usually mismatch with the original program architecture legacy C applications ● Difficult to anticipate adaptation and evolution ● How to adapt, evolve an application? Highly available server, waste of money/resources ● Can AOP help?

4 4 Three concerns from the squid web cache Switching network protocols uses UDP instead of TCP when safe to improve performance Buffer overflows programming error where data written in an array (ie buffer) exceeds the array size often exploited by hackers (Slammer, Code Red,...) crosscutting: all squid source files use buffers Prefetching predict the page that the user will access and download before the user asks for it

5 5 Motivations for a new aspect system in the imperative world of C-written applications: sequence of events in the execution of the base program Weaving: needs to be dynamic can not be anticipated should not suspend the base program execution Efficiency adaptation often occurs for performance reasons

6 6 Outline Why another aspect system? How to program with Arachne? How does Arachne work? How fast are Arachne aspects?

7 7 Sequence instances Buggy base program: char* two = malloc(2); gets(two);/*fills one with input typed by the user*/ free(two); char* one = malloc(1); gets(one);/*fills two with input typed by the user*/ free(one); Sample naive gets implementation (standard C library): char* gets(char* buffer) { int i=0; do { buffer[i]=getchar(); i++;} while(buffer[i]!='\n'); buffer[i-1]='\0'; return buffer; }

8 8 The problem: relating events Execution trace when user types “A” create two, a one character long buffer [ two=malloc(2) ] call gets, buffer now alias two [ gets(two) ] set i to 0 [ int i=0; ] read A [ getchar() ] put A in two at index 0 [ buffer[i]=... ] Ok set i to 1 [ i++ ] compare with \n [ buffer[i]!='\n' ] put O in two at index 1 [ buffer[i]=... ] Ok

9 9 Sequence instances Execution trace when user types “A” then “OP” create two a 2 characters buffer [ two=malloc(2) address 0x800] call gets, buffer now alias two [ gets(two) ]... put A in two at index 0 [ buffer[i]=... ],... put \n in two at index 1 [ buffer[i]=... ],... replace \n by \0 in two at index 1 [ buffer[i-1]='\0' ],... destroy two a 2 characters buffer [ free(two) ] create one a 1 characters buffer [ one=malloc(1) address 0x800] call gets, buffer now alias one [ gets(one) ]... put O in one at index 0 [ buffer[i]=... ],... put P in one at index 1 [ buffer[i]=... ],...

10 10 A solution: aspect detecting overflow seq( call(void* malloc(size_t))&& args(size) && return(buffer); /*possibly other events in between*/ write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* /*possibly other events in between*/ call(void free(void*))&& args(array) && if(buffer==array)); );

11 11 Advice definition (around semantic) seq( call(void* malloc(size_t))&& args(size) && return(buffer); write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* call(void free(void*))&& args(array) && if(buffer==array)); );

12 12 Defining the steps of the sequence A step has the form pointcut [ then advice] opt ; [ * ] opt with * the pointcut can match 0 or n times A step has a pointcut defined with: ● call : direct function calls ● cflowstar, cflow : sequence of nested function calls ● readGlobal, writeGlobal : global variable accesses ● read, write : memory accesses Each step can retain some information about its joinpoint: args, return, size... if can be used to test against this information Possible to write sequence less aspect

13 13 Relating events through time: start seq( call(void* malloc(size_t))&& args(size) && return(buffer); write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* call(void free(void*))&& args(array) && if(buffer==array)); );

14 14 Relating events through time: step 2 seq( call(void* malloc(size_t))&& args(size) && return(buffer); write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* call(void free(void*))&& args(array) && if(buffer==array)); );

15 15 Relating events through time: end seq( call(void* malloc(size_t))&& args(size) && return(buffer); write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* call(void free(void*))&& args(array) && if(buffer==array)); );

16 16 Relating events through data seq( call(void* malloc(size_t))&& args(size) && return(buffer); write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* call(void free(void*))&& args(array) && if(buffer==array)); );

17 17 Outline Why another aspect system? How to program with Arachne? How does Arachne work? How fast are Arachne aspects?

18 18 The Arachne aspect system: core features Weaver for x86/Linux/C application Internally rewrites binary code Weaving and deweaving are fully dynamic Weaving and deweaving are directed by the end user No need to “prepare” the base program Compatible with threaded applications

19 19 Weaving process Arachne rewriting thread code analysis binary code rewriting aspect activation Weaving request compiled aspect loading Arachne injection Base program process

20 20 Outline Why another aspect system? How to program with Arachne? How does Arachne work? How fast are Arachne aspects?

21 21 Evaluation on real application: method Goal compare the overhead of using Arachne to editing/recompiling the source code to adapt an application Method Add prefetching to squid by editing/recompiling its source code weaving Arachne aspect Use a well known benchmark (polygraph) Report the performance variations between versions

22 22 Benchmark 1 Benchmark 2 Results

23 23 Conclusion Practice suggested need for aspect constructs relating events need for dynamic weaving The Arachne aspect system: language to adapt applications call, variable accesses, cflow, sequences towards a formal semantic weaver for adapting applications dynamic enforcement of continuous service support of legacy C programs without preparation of the base program

24 www.emn.fr/x-info/arachne Questions?

25 25 Why another aspect language? Single buffer overflow ● Useful to correct a known published bug ● Pointcut based on the name of the vulnerable buffer ● Action checks the access ● Solution = µDyner ● state of the art aspect language ● a dynamic weaver Any buffer overflow ● Useful when you do not trust the base program program under hacker attacks… ● Pointcuts based on a sequence of events ● Buffer creation ● Then access to the buffer ● Action checks the access Solution = ?

26 26 The problem: buffer overflow Buggy base program: char* in = malloc(1); gets(in);/*fills in with input typed by the user*/ free(in); Sample naive gets implementation (standard C library): char* gets(char* buffer) { int i=0; do { buffer[i]=getchar(); i++; } while(buffer[i]!='\n'); buffer[i-1]='\0'; return buffer; }

27 27 The problem: relating events Execution trace when user types “AOP” create in, a one character long buffer [ in=malloc(1) ] call gets, buffer now alias in [ gets(in) ] set i to 0 [ int i=0; ] read A [ getchar() ] put A in in at index 0 [ buffer[i]=... ] Ok set i to 1 [ i++ ] compare with \n [ buffer[i]!='\n' ] put O in in at index 1 [ buffer[i]=... ] Bug

28 28 Number of matching instances 1253 4 5 10 200.6 Cycles 293.2 Cycles 380.8 Cycles466.3 Cycles seq 577 Cycles Ratio readGlobal Size of variable (bits) 8 128643216 1000 2000 3000 2466 Cycles2487 Cycles 2762 Cycles 3363 Cycles 4990 Cycles Ratio cflow 28 Cycles 228 Cycles 327 Cycles 424 Cycles522 Cycles 12534 10 20 30 Number of imbricated calls Ratio Arachne language constructs versus the speed of their C equivalent

29 29 Goal compare the speed of Arachne with C Method ratio= Base program void f() { return; } int main(int argc, char**argv){ startTimer(); f(); /*joinpoint*/ endTimer(); } Aspect call(void f())then f(); Arachne language constructs versus the speed of their C equivalents runtime with the aspect runtime without aspect

30 30 Results Ratio Pointcut

31 31 Mapping protocols

32 32 Another aspect example seq( call(int socket(…)) && args(…) && return(fd) then socket(…); call(int connect(int,…)) && args(fd1,…) && if(fd1 == fd) then returnZero(); ( call(size_t read(int,…)) && args(fd2…) && if(fd2 == fd) then recvfrom(fd,…); || call(size_t write(int,…)) && args(fd3…) && if(fd3 == fd) then sendTo(fd,…);) (*) call(int close(int)) && args(fd4) && if(fd4 == fd) )

33 33 Arachne architecture

34 34 Implementation model shadow: rewriting site replaced by a x86 instruction execution flow jump Binary code of the compiled base program and/or advices Residue (dynamic tests) Entry hook save registersReturn hook Restore registers instruction(s) Relocated tailored updating registers Base program process Hooks generated at weaving time Legacy base binary code Aspect DLL generated at aspect compile time

35 35 The future Continue the exploration of efficient language constructs to relate events together Extend Arachne to C++ in progress, already using an application to medical imaging to the linux kernel

Download ppt "Rémi Douence, Thomas Fritz Nicolas Loriant, Jean-Marc Menaud Marc Ségura-Devillechaise, Mario Südholt OBASCO group EMN/INRIA An expressive aspect language."

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
1 JAC : Aspect Oriented Programming in Java An article review by Yuval Nir and Limor Lahiani.

1 JAC : Aspect Oriented Programming in Java An article review by Yuval Nir and Limor Lahiani.
Constructing Component-Based Extension Interfaces in Legacy Systems Code Gilles Muller École des Mines de Nantes Julia Lawall DIKU, University of Copenhagen.

Constructing Component-Based Extension Interfaces in Legacy Systems Code Gilles Muller École des Mines de Nantes Julia Lawall DIKU, University of Copenhagen.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
CS 536 Spring 20011 Run-time organization Lecture 19.

CS 536 Spring Run-time organization Lecture 19.
Memory Management 2010.

Memory Management 2010.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Run-time Environment and Program Organization

Run-time Environment and Program Organization
1. 2 FUNCTION INLINE FUNCTION DIFFERENCE BETWEEN FUNCTION AND INLINE FUNCTION CONCLUSION 3.

1. 2 FUNCTION INLINE FUNCTION DIFFERENCE BETWEEN FUNCTION AND INLINE FUNCTION CONCLUSION 3.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
Software security patches Audit, deployment and hot update Nicolas Loriant, Marc Ségura-Devillechaise, Jean-Marc Menaud, Obasco Group EMN/INRIA Workshop.

Software security patches Audit, deployment and hot update Nicolas Loriant, Marc Ségura-Devillechaise, Jean-Marc Menaud, Obasco Group EMN/INRIA Workshop.

Similar presentations

Ads by Google