How to Shadow Every Byte of Memory Used by a Program. Cho, Ho-Gi, OS Lab. 2007. 11. 1.


1 Title slide: How to Shadow Every Byte of Memory Used by a Program. Cho, Ho-Gi, OS Lab. 2007. 11. 1. The slides present the paper of that title by Nicholas Nethercote and Julian Seward (VEE 2007), cited on every slide as [NeSe07h].

2 Thesis
• Existing dynamic binary analysis tools rely on powerful shadow memory techniques, yet how to implement them has never been examined in detail. This paper therefore describes the shadow memory implementation of Memcheck, the memory error detector that ships with Valgrind, and shows experimentally that it is more efficient and more robust than those of existing tools.

3 What is Shadow Memory?
• It lets a tool remember something about the history of every memory location and/or value in memory
• DBA tools using shadow memory
 – Memcheck, TaintCheck, Eraser, Hobbes, Annelid, Redux, pinSEL, ...
• Hard to implement well
 – Speed: large amounts of extra state, and every client load and store also costs shadow memory operations
 – Robustness: must be portable, must not perturb the client's original memory, and must be compact, i.e. keep the memory history it needs (allocation, definedness, ...) without spending shadow memory on address space the client does not use

4 Memcheck
• A memory error detector designed for C and C++ programs
• Maintains three kinds of metadata about the running client
 – A bits, one per byte: 0 = unaddressable byte, 1 = addressable byte
 – V bits, one per bit: 0 = defined bit, 1 = undefined bit
 – Heap blocks: a record of every live and freed block, used to detect bad or repeated frees of heap blocks and memory leaks

5 Shadow Memory Data Structures
[Figure: the primary map (PM) has one entry per 64 KB chunk of the 32-bit client address space (labels 0 KB, 64 KB, 128 KB, 192 KB, ..., 3904 KB, 3968 KB, 4032 KB). Each PM entry points to a secondary map: SM 1 and SM 2 are ordinary SMs, while every chunk the client has not touched shares one distinguished secondary map (DSM). Inside an SM each client byte is shadowed by its eight V bits and one A bit, drawn as VVVVVVVVA.]

6 Loads, Stores and Range
[Figure: a 32-bit address is split in two. The high bits index the PM to find the SM (get_SM); the low 16 bits index inside that SM to find the byte's A bit (get_abit) and its eight V bits (get_vbits8).]
• Range-setting operations put a whole address range into one of three states
 – NOACCESS: unaddressable
 – UNDEFINED: addressable and fully undefined
 – DEFINED: addressable and fully defined

7 Problems of a Simple Implementation
• Do not shadow the shadows
 – Shadow memory is the tool's own data, not the client's, and must not itself be shadowed
 – If SMs are all n KB in size and are guaranteed to be n KB-aligned, there is no overlapping
 – Keep them far away from the client's original data
• Possible corruption of shadow memory by the client
 – Keep shadow memory far away from the client's original data
 – Wild client writes land on memory the DSM marks unaddressable, so they are warned about instead of silently corrupting the shadow
[Figure: SM X (a 72 KB SM, which covers 64 KB of address space, since each client byte needs 9 shadow bits) alongside Y (4 KB of client data).]

8 A Better Implementation
[Figure: the same PM layout (0 KB, 64 KB, 128 KB, 192 KB, ..., 3904 KB, 3968 KB, 4032 KB), but SM 1 and SM 2 now hold a 2-bit VA state per client byte instead of 9 bits, and the single DSM becomes three distinguished SMs: all Defined (D D D D ...), all Undefined (U U U U ...) and all noAccess (A A A A ...). A byte whose state is PARTDEFINED keeps its full V bits in a secondary V-bits table implemented as an AVL tree: if (va == PARTDEFINED) the full V bits are looked up there.]
• M1: Faster loads and stores
• M2: Faster range-setting
• M3: Faster stack pointer updates
• M4: Compressed V bits: each byte's A bit and 8 V bits collapse into one of four 2-bit VA states, DEFINED, UNDEFINED, NOACCESS and PARTDEFINED
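
The three slides above describe the two-level PM/SM layout, the distinguished SMs, chunk-granular range setting (M2) and the 2-bit VA states with a secondary V-bits table for PARTDEFINED bytes (M4). The C program below is an added example written for this page, not code from Valgrind, Memcheck or the paper: it models that scheme for a simulated 32-bit client address space, in which addresses are plain integers rather than real memory. The function names (shadow_init, get_va, store_vbits8, load_vbits8, set_range, sm_allocated), the copy-on-write handling of distinguished SMs, and the fixed-size open-addressed hash used for the secondary V-bits table are assumptions of this example; Memcheck uses an AVL tree for that table and its own naming.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* 2-bit VA state per client byte (M4); values chosen so dsm[state] is that state's distinguished SM. */
enum { VA_NOACCESS = 0, VA_UNDEFINED = 1, VA_DEFINED = 2, VA_PARTDEFINED = 3 };

#define SM_BITS    16u
#define SM_BYTES   (1u << SM_BITS)            /* one SM covers 64 KB of client memory */
#define PM_ENTRIES (1u << (32u - SM_BITS))    /* 65536 primary-map entries for a 32-bit space */
#define SVT_SIZE   4096u                      /* fixed size: an assumption of this example */

typedef struct { uint8_t vabits[SM_BYTES / 4]; } SecMap;   /* 2 bits per client byte: 16 KB */

static SecMap  *pm[PM_ENTRIES];   /* primary map: one SM pointer per 64 KB chunk */
static SecMap   dsm[3];           /* distinguished SMs: all NOACCESS / all UNDEFINED / all DEFINED */
static unsigned n_sm_alloc;       /* real (copied) SMs currently allocated */
/* Secondary V-bits table for the rare PARTDEFINED bytes (the paper: an AVL tree; here: an
 * open-addressed hash, an assumption). Entries are never deleted; a byte's VA state decides
 * whether its entry is consulted, so stale entries are harmless. */
static struct { uint32_t addr; uint8_t vbits, used; } svt[SVT_SIZE];

static int is_dsm(const SecMap *sm) { return sm >= dsm && sm < dsm + 3; }

void shadow_init(void) {
    memset(dsm[VA_NOACCESS].vabits,  0x00, sizeof dsm[0].vabits);   /* 00 00 00 00 */
    memset(dsm[VA_UNDEFINED].vabits, 0x55, sizeof dsm[0].vabits);   /* 01 01 01 01 */
    memset(dsm[VA_DEFINED].vabits,   0xAA, sizeof dsm[0].vabits);   /* 10 10 10 10 */
    for (uint32_t i = 0; i < PM_ENTRIES; i++) {
        if (pm[i] && !is_dsm(pm[i])) free(pm[i]);
        pm[i] = &dsm[VA_NOACCESS];            /* nothing is addressable until mapped */
    }
    memset(svt, 0, sizeof svt);
    n_sm_alloc = 0;
}

unsigned get_va(uint32_t addr) {   /* get_SM from the high 16 bits, then the byte's 2 bits */
    uint32_t idx = addr & (SM_BYTES - 1);
    return (pm[addr >> SM_BITS]->vabits[idx >> 2] >> ((idx & 3) * 2)) & 3u;
}

/* Copy-on-write: a chunk backed by a distinguished SM gets a private SM the first time a byte in
 * it changes state. SMs live in the tool's heap, outside client-addressable memory, so shadows
 * are never themselves shadowed and a wild client write cannot silently land in them. */
static void set_va(uint32_t addr, unsigned va) {
    SecMap **slot = &pm[addr >> SM_BITS];
    if (is_dsm(*slot)) {
        SecMap *copy = malloc(sizeof *copy);
        if (!copy) abort();
        *slot = memcpy(copy, *slot, sizeof *copy);
        n_sm_alloc++;
    }
    uint8_t *p = &(*slot)->vabits[(addr & (SM_BYTES - 1)) >> 2];
    unsigned shift = (addr & 3) * 2;
    *p = (uint8_t)((*p & ~(3u << shift)) | (va << shift));
}

static unsigned svt_slot(uint32_t addr) {   /* entry for addr, or the free slot it would take */
    unsigned i = (unsigned)(addr * 2654435761u) % SVT_SIZE, probes = 0;
    while (svt[i].used && svt[i].addr != addr) {
        if (++probes == SVT_SIZE) abort();    /* table full; a real tool would grow it */
        i = (i + 1) % SVT_SIZE;
    }
    return i;
}

/* Store one byte's V bits (bit = 1: undefined). Returns -1 for an unaddressable byte: an invalid write. */
int store_vbits8(uint32_t addr, uint8_t vbits) {
    if (get_va(addr) == VA_NOACCESS) return -1;
    if (vbits == 0x00)      set_va(addr, VA_DEFINED);
    else if (vbits == 0xFF) set_va(addr, VA_UNDEFINED);
    else {                                            /* partially defined: keep all 8 bits aside */
        unsigned i = svt_slot(addr);
        svt[i].used = 1; svt[i].addr = addr; svt[i].vbits = vbits;
        set_va(addr, VA_PARTDEFINED);
    }
    return 0;
}

/* Load one byte's V bits. An unaddressable byte reads as all-undefined and returns -1: an invalid read. */
int load_vbits8(uint32_t addr, uint8_t *vbits) {
    switch (get_va(addr)) {
    case VA_DEFINED:     *vbits = 0x00; return 0;
    case VA_UNDEFINED:   *vbits = 0xFF; return 0;
    case VA_PARTDEFINED: *vbits = svt[svt_slot(addr)].vbits; return 0;
    default:             *vbits = 0xFF; return -1;
    }
}

/* Range-setting (M2): a whole 64 KB-aligned chunk inside the range is handled by pointing its PM
 * entry at the distinguished SM for va, touching no shadow bytes; only the partial chunks at
 * either end are set byte by byte. va must be NOACCESS, UNDEFINED or DEFINED. */
void set_range(uint32_t addr, uint32_t len, unsigned va) {
    uint64_t a = addr, end = (uint64_t)addr + len;
    while (a < end) {
        uint64_t chunk_end = (a | (SM_BYTES - 1)) + 1;
        if ((a & (SM_BYTES - 1)) == 0 && chunk_end <= end) {
            SecMap **slot = &pm[a >> SM_BITS];
            if (!is_dsm(*slot)) { free(*slot); n_sm_alloc--; }
            *slot = &dsm[va];
            a = chunk_end;
        } else {
            for (; a < chunk_end && a < end; a++) set_va((uint32_t)a, va);
        }
    }
}
unsigned sm_allocated(void) { return n_sm_alloc; }
```

In these terms the appendix program's ba = malloc(10) at a simulated address 0x1000 is set_range(0x1000, 10, VA_UNDEFINED); it copies exactly one SM, because only the partial chunk is touched. A store of a half-initialised byte, store_vbits8(0x1001, 0x0F), makes that single byte PARTDEFINED and puts only it in the secondary table; a later fully defined store takes it out of the PARTDEFINED state again without touching the table. free(ba) is set_range(0x1000, 10, VA_NOACCESS), after which store_vbits8 returns -1, the event Memcheck reports as "Invalid write ... inside a block of size 10 free'd" in the appendix. Setting an aligned 128 KB range to DEFINED allocates nothing: the two PM entries simply point at the all-DEFINED distinguished SM, which is why range-setting stays cheap even for large mappings.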

9 Evaluation
• Robustness
 – Cite its number of users
 – The range of software and systems it has been used on
• Experiment
 – CPU: 2.4 GHz Intel Core 2 Duo (32-bit mode)
 – RAM: 1 GB
 – OS: SUSE Linux 10.2 (kernel 2.6.18.2)
 – Valgrind: pre-3.2.0 version
 – Benchmark: SPEC CPU2000 (SPEC: Standard Performance Evaluation Corporation)

10 Performance of six Memcheck variants (M0 to M5) and Nulgrind (NL)

11 Related Work
• Hobbes, TaintTrace, LIFT and Eraser
 – half-and-half [NeSe07a]: the address space is split into a User Space half and a Shadow Space half
• Purify
 – A bit table that holds a two-bit state code for each byte in the heap, stack, data and bss sections
• VisualThreads, pinSEL and DRD
 – Two-level table
[Figure: the half-and-half layout, User Space on one side and Shadow Space on the other.]

12 Future Work
• 64-bit address spaces and multi-processor machines need to be addressed
• Shadow memory tools could still be improved
• New tools that use shadow memory in new ways could be created

13 Contributions
• First detailed description of Memcheck's shadow memory, and of any robust shadow memory implementation
 – Earlier publications discussed Memcheck in general but left out its shadow memory
 – These details make the difference between a toy and a real-world tool
• First experimental evaluation of shadow memory
• Novel shadow memory optimizations
 – Faster, smaller

14 Appendix: a test program with five memory errors, numbered (1) to (5); the Memcheck output on the next two slides is labelled with the same numbers

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        int p, t;            /* p is never initialised; t is only set inside the if */
        char *nf, *ba;
        if (p == 5) {        /* (1) uninitialised variable used in a condition */
            t = p + 1;
        }
        printf("%d is not initialized\n", p);   /* (2) use of an uninitialised variable */
        ba = (char *)malloc(sizeof(char) * 10);
        free(ba);
        nf = (char *)malloc(sizeof(char) * 10);
        ba[0] = '1';         /* (3) write to a freed block */
        nf[10] = '1';        /* (4) write one byte past the end of a 10-byte block */
        exit(t);             /* (5) uninitialised value passed to a system call */
    }

15 Appendix: Memcheck output for the program on the previous slide, errors (1) to (3)

    ==12493== Conditional jump or move depends on uninitialised value(s)        (1)
    ==12493==    at 0x80483F9: main (in /home/hogi/a.out)
    ==12493== Use of uninitialised value of size 4                               (2)
    …
    ==12493== Conditional jump or move depends on uninitialised value(s)
    ==12493==    by 0x6004C2: printf (in /lib/libc-2.5.so)
    ==12493==    by 0x8048416: main (in /home/hogi/a.out)
    ==12493== Invalid write of size 1                                             (3)
    ==12493==    at 0x8048443: main (in /home/hogi/a.out)
    ==12493==  Address 0x401A028 is 0 bytes inside a block of size 10 free'd
    ==12493==    at 0x4004FDA: free (vg_replace_malloc.c:233)
    ==12493==    by 0x8048430: main (in /home/hogi/a.out)

16 Appendix: Memcheck output, errors (4) and (5), and run time

    ==12493== Invalid write of size 1                                             (4)
    ==12493==    at 0x804844C: main (in /home/hogi/a.out)
    ==12493==  Address 0x401A072 is 0 bytes after a block of size 10 alloc'd
    ==12493==    at 0x40053C0: malloc (vg_replace_malloc.c:149)
    ==12493==    by 0x804843C: main (in /home/hogi/a.out)
    ==12493== Syscall param exit_group(exit_code) contains uninitialised byte(s)  (5)
    ==12493==    at 0x649E84: _Exit (in /lib/libc-2.5.so)
    ==12493==    by 0x8048460: main (in /home/hogi/a.out)
    --12493-- REDIR: 0x629540 (memset) redirected to 0x4006540 (memset)

Run time of the same program, native (labelled "Real" on the slide) and under Valgrind:

                      real      user      sys
    Native (Real)     1.004s    0.000s    0.001s
    Valgrind          1.478s    0.448s    0.027s

