SlideShare una empresa de Scribd logo

Exterminator: Automatically Correcting Memory Errors with High Probability

Emery Berger
Emery Berger

Exterminator automatically corrects heap-based memory errors without programmer intervention. It exploits randomization and replication (or multiple users) to pinpoint errors with high precision. From this information, Exterminator derives runtime patches that fix these errors in current and subsequent executions.

EducaciónTecnología
1 de 36
Descargar para leer sin conexión
Exterminator: Automatically Correcting Memory Errors with High Probability Gene Novark Emery Berger University of Massachusetts Amherst Ben Zorn Microsoft Research UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Problems with Unsafe Languages C, C++: pervasive apps, but unsafe  Numerous opportunities for security  vulnerabilities, errors Double/Invalid free  Uninitialized reads  Dangling pointers  Buffer overflows (stack & heap)  DieHard: eliminates some, probabilistically  avoids others [PLDI 2006] Exterminator: builds on DieHard  UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
DieHard Overview [PLDI 2006] Use randomization & (optionally)  replication to reduce risk of memory errors Objects randomly spread across heap  Different run = different heap  Probabilistic memory safety  Errors across heaps independent  object size = 2i+3 object size = 2i+4 … 24 5 3 1 63 Run 1: “malignant” overflow Run 2: “benign” overflow … 1 6 3 2 54 1 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
DieHard Limitations DieHard:  Fine for single error  But multiple errors eventually swamp probabilistic  protection Not great for large overflows  Tolerates errors  But doesn’t find them  No information for programmer  Exterminator:  Automatically isolate and fix memory errors UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bad object (too small) UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end bad object (too small) UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end bad object (too small) UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end 1. Heap provides no useful information UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end 2. No way to detect corruption UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Isolating Buffer Overflows Canaries in freed space detect corruption  known random value dead canary = corruption Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object # = object id (allocation time) UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object 1 8 7 5 3 10 2 9 6 4 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Key insight: Overflow must be at same  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object 1 8 7 5 3 10 2 9 6 4 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Key insight: Overflow must be at same  Red = Green = possible not 8 10 2 3 4 5 1 7 9 bad bad object object 1 8 7 5 3 2 9 6 4 10 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Key insight: Overflow must be at same  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object 1 8 7 5 3 10 2 9 6 4 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Key insight: Overflow must be at same  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object 1 8 7 5 3 10 2 9 6 4 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Key insight: Overflow must be at same  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object 1 8 7 5 3 10 2 9 6 4 3 4 9 6 8 2 5 7 1 ) object 9 overflowed, with high probability UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Buffer Overflow Analysis 8 10 2 9 3 4 5 1 7 1 8 7 5 3 10 2 9 6 4 3 4 9 6 8 2 5 7 1 H = # heap objects K = # iterations Example: H = 1,000,000 objects  3 iterations ¼ 1;000;000 false positives 1 Iterations exponentially increase precision  UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Isolating Dangling Pointers Dangling pointer error:  Live object freed too soon  Overwritten by some other object  int * v = new int[4]; … delete [] v; // oops … char * str = new char[16]; strcpy (str, “die, pointer”); v[3] = 12; … use of v[0] UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Isolating Dangling Pointers Unlike buffer overflow:  dangling pointer ) same corruption in all  8 11 2 9 3 6 4 5 10 1 12 7 4 1 8 7 5 3 12 2 9 11 6 10 4 3 4 10 6 8 2 12 5 7 1 9 µ ¶k¡1 1 P(identical over°ow) · H ¡1 2 1 k = 3 ) false negatives ¼  1;000;000 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Correcting Allocator Generate runtime patches to correct errors  Track object call sites in allocator  Prevent overflows: pad overflowed objects  malloc(8 + δ) malloc(8) 1 1 Prevent dangling pointers: defer frees  delay δ mallocs; free(ptr) free(ptr) UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Exterminator Architecture Three main pieces:  DieHard-based allocator (DieFast)  Reveals bugs  Error isolator  Finds bugs across multiple heaps w.h.p.  Correcting allocator  Fixes bugs  Multiple modes suitable for testing  (debugging) or deployment UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Exterminator Modes Iterative Error isolator runtime  patches Run multiple times  correcting allocator Same inputs  seed DieFast replica1 Debugging  correcting allocator input output Replicated seed DieFast replica2  vote broadcast correcting allocator Run simultaneously  seed DieFast replica3 Deployable w/limitations  Can fix errors on-the-fly  Cumulative  Different inputs, nondeterminism  Deployable; see paper for details  UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Exterminator Runtime Overhead 25% UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Empirical Results: Real Faults Squid heap overflow  Crashes glibc 2.8.0 and BDW collector  3 iterations to fix ) 6 byte pad  Prevents overflow for all subsequent executions  UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Empirical Results: Real Faults Mozilla 1.7.3 buffer overflow  Debug scenario:  repeated load of PoC: 23 runs to fix overflow  1 2 3 Deployed scenario:  different browsing sessions: 34 runs to fix  1 2 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Exterminator Conclusion Exterminator: automatic error correction w.h.p.  Randomization bugs have different effects  Statistical analysis combines information from  multiple runs to isolate error Correcting allocator eliminates bugs at runtime  http://www.cs.umass.edu/~gnovark/ UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
DieHard, heap layout object size allocation space 1 2 4 3 6 5 inUse 8 6 inUse inUse 4 2 bitmap 1 inUse 16 miniheaps 1 inUse 1 Bitmap-based, segregated size classes  Bit represents one object of given size  i.e., one bit = 2i+3 bytes, etc.  malloc(): randomly probe bitmap for free space  free(): just reset bit  UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
Exterminator Extensions single miniheap 00000001 allocation bitmap heap DieHard Exterminator 2 1 3 object id (serial number) alloc site A4 A8 A3 D9 D6 dealloc site dealloc time 3 2 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007

Recomendados

Operating Systems - Garbage Collection
Operating Systems - Garbage CollectionOperating Systems - Garbage Collection
Operating Systems - Garbage Collection
Emery Berger
 
Operating Systems - Dynamic Memory Management
Operating Systems - Dynamic Memory ManagementOperating Systems - Dynamic Memory Management
Operating Systems - Dynamic Memory Management
Emery Berger
 
Operating Systems - Architecture
Operating Systems - ArchitectureOperating Systems - Architecture
Operating Systems - Architecture
Emery Berger
 
Operating Systems - Intro to C++
Operating Systems - Intro to C++Operating Systems - Intro to C++
Operating Systems - Intro to C++
Emery Berger
 
Operating Systems - Introduction
Operating Systems - IntroductionOperating Systems - Introduction
Operating Systems - Introduction
Emery Berger
 
Global Pico Projector Market Forecast & Opportunities, 2019
Global Pico Projector Market Forecast & Opportunities, 2019Global Pico Projector Market Forecast & Opportunities, 2019
Global Pico Projector Market Forecast & Opportunities, 2019
TechSci Research
 
Air borne intelligence
Air borne intelligenceAir borne intelligence
Air borne intelligence
Sujan Gunda
 
Presnetation on Skinput technology
Presnetation on Skinput technologyPresnetation on Skinput technology
Presnetation on Skinput technology
Aravind Kumar Devulapelly
 

Recomendados

Operating Systems - Garbage Collection
Operating Systems - Garbage CollectionOperating Systems - Garbage Collection
Operating Systems - Garbage Collection
Emery Berger
 
Operating Systems - Dynamic Memory Management
Operating Systems - Dynamic Memory ManagementOperating Systems - Dynamic Memory Management
Operating Systems - Dynamic Memory Management
Emery Berger
 
Operating Systems - Architecture
Operating Systems - ArchitectureOperating Systems - Architecture
Operating Systems - Architecture
Emery Berger
 
Operating Systems - Intro to C++
Operating Systems - Intro to C++Operating Systems - Intro to C++
Operating Systems - Intro to C++
Emery Berger
 
Operating Systems - Introduction
Operating Systems - IntroductionOperating Systems - Introduction
Operating Systems - Introduction
Emery Berger
 
Global Pico Projector Market Forecast & Opportunities, 2019
Global Pico Projector Market Forecast & Opportunities, 2019Global Pico Projector Market Forecast & Opportunities, 2019
Global Pico Projector Market Forecast & Opportunities, 2019
TechSci Research
 
Air borne intelligence
Air borne intelligenceAir borne intelligence
Air borne intelligence
Sujan Gunda
 
Presnetation on Skinput technology
Presnetation on Skinput technologyPresnetation on Skinput technology
Presnetation on Skinput technology
Aravind Kumar Devulapelly
 
Tripwire
TripwireTripwire
Tripwire
Dhananjay Aloorkar
 
TRIP WIRE
TRIP WIRETRIP WIRE
TRIP WIRE
praveen369
 
Optical Burst Switching
Optical Burst SwitchingOptical Burst Switching
Optical Burst Switching
JYoTHiSH o.s
 
Blue jacking mercy
Blue jacking mercyBlue jacking mercy
Blue jacking mercy
Mercy Amirthakani
 
Sky x technology
Sky x technologySky x technology
Sky x technology
Tapesh Chalisgaonkar
 
Mind reading computer
Mind reading computerMind reading computer
Mind reading computer
Radhika Pratapwar
 
Wi vi ppt
Wi vi pptWi vi ppt
Wi vi ppt
snehalpapa
 
Daknet Technology
Daknet TechnologyDaknet Technology
Daknet Technology
Aranta Chatterjee
 
3d password by suresh
3d password by suresh3d password by suresh
3d password by suresh
suresh5c2
 
seminar on invisible eye
seminar on invisible eyeseminar on invisible eye
seminar on invisible eye
Vashishth Narayan Kumar
 
E ball technology ppt b
E ball technology ppt bE ball technology ppt b
E ball technology ppt b
Vikas Reddy
 
Robotic Surgery PPT
Robotic Surgery PPTRobotic Surgery PPT
Robotic Surgery PPT
Sai Charan
 
5G TECHNOLOGY
5G TECHNOLOGY5G TECHNOLOGY
5G TECHNOLOGY
SAIKRISHNA KOPPURAVURI
 
Augmented Reality using Microsoft Hololens
Augmented Reality using Microsoft HololensAugmented Reality using Microsoft Hololens
Augmented Reality using Microsoft Hololens
Kishan Kumar
 
Blue brain project ppt
Blue brain project pptBlue brain project ppt
Blue brain project ppt
Lishita Shah
 
Blue Eyes ppt
Blue Eyes pptBlue Eyes ppt
Blue Eyes ppt
deepu427
 
Rain technology
Rain technologyRain technology
Rain technology
Yamuna Devi
 
Wi Vi technology
Wi Vi technology Wi Vi technology
Wi Vi technology
Liju Thomas
 
Swarm Intelligence - An Introduction
Swarm Intelligence - An IntroductionSwarm Intelligence - An Introduction
Swarm Intelligence - An Introduction
Rohit Bhat
 
Brain Chip Technology
Brain Chip TechnologyBrain Chip Technology
Brain Chip Technology
anitha pillai
 
Doppio: Breaking the Browser Language Barrier
Doppio: Breaking the Browser Language BarrierDoppio: Breaking the Browser Language Barrier
Doppio: Breaking the Browser Language Barrier
Emery Berger
 
Dthreads: Efficient Deterministic Multithreading
Dthreads: Efficient Deterministic MultithreadingDthreads: Efficient Deterministic Multithreading
Dthreads: Efficient Deterministic Multithreading
Emery Berger
 

Más contenido relacionado

Destacado

E ball technology ppt b
E ball technology ppt bE ball technology ppt b
E ball technology ppt b
Vikas Reddy
 
Robotic Surgery PPT
Robotic Surgery PPTRobotic Surgery PPT
Robotic Surgery PPT
Sai Charan
 
Blue brain project ppt
Blue brain project pptBlue brain project ppt
Blue brain project ppt
Lishita Shah
 
Blue Eyes ppt
Blue Eyes pptBlue Eyes ppt
Blue Eyes ppt
deepu427
 
Wi Vi technology
Wi Vi technology Wi Vi technology
Wi Vi technology
Liju Thomas
 

Destacado (20)

Tripwire
TripwireTripwire
Tripwire
 
TRIP WIRE
TRIP WIRETRIP WIRE
TRIP WIRE
 
Optical Burst Switching
Optical Burst SwitchingOptical Burst Switching
Optical Burst Switching
 
Blue jacking mercy
Blue jacking mercyBlue jacking mercy
Blue jacking mercy
 
Sky x technology
Sky x technologySky x technology
Sky x technology
 
Mind reading computer
Mind reading computerMind reading computer
Mind reading computer
 
Wi vi ppt
Wi vi pptWi vi ppt
Wi vi ppt
 
Daknet Technology
Daknet TechnologyDaknet Technology
Daknet Technology
 
3d password by suresh
3d password by suresh3d password by suresh
3d password by suresh
 
seminar on invisible eye
seminar on invisible eyeseminar on invisible eye
seminar on invisible eye
 
E ball technology ppt b
E ball technology ppt bE ball technology ppt b
E ball technology ppt b
 
Robotic Surgery PPT
Robotic Surgery PPTRobotic Surgery PPT
Robotic Surgery PPT
 
5G TECHNOLOGY
5G TECHNOLOGY5G TECHNOLOGY
5G TECHNOLOGY
 
Augmented Reality using Microsoft Hololens
Augmented Reality using Microsoft HololensAugmented Reality using Microsoft Hololens
Augmented Reality using Microsoft Hololens
 
Blue brain project ppt
Blue brain project pptBlue brain project ppt
Blue brain project ppt
 
Blue Eyes ppt
Blue Eyes pptBlue Eyes ppt
Blue Eyes ppt
 
Rain technology
Rain technologyRain technology
Rain technology
 
Wi Vi technology
Wi Vi technology Wi Vi technology
Wi Vi technology
 
Swarm Intelligence - An Introduction
Swarm Intelligence - An IntroductionSwarm Intelligence - An Introduction
Swarm Intelligence - An Introduction
 
Brain Chip Technology
Brain Chip TechnologyBrain Chip Technology
Brain Chip Technology
 

Más de Emery Berger

Doppio: Breaking the Browser Language Barrier
Doppio: Breaking the Browser Language BarrierDoppio: Breaking the Browser Language Barrier
Doppio: Breaking the Browser Language Barrier
Emery Berger
 
Dthreads: Efficient Deterministic Multithreading
Dthreads: Efficient Deterministic MultithreadingDthreads: Efficient Deterministic Multithreading
Dthreads: Efficient Deterministic Multithreading
Emery Berger
 
Programming with People
Programming with PeopleProgramming with People
Programming with People
Emery Berger
 
Stabilizer: Statistically Sound Performance Evaluation
Stabilizer: Statistically Sound Performance EvaluationStabilizer: Statistically Sound Performance Evaluation
Stabilizer: Statistically Sound Performance Evaluation
Emery Berger
 
DieHarder (CCS 2010, WOOT 2011)
DieHarder (CCS 2010, WOOT 2011)DieHarder (CCS 2010, WOOT 2011)
DieHarder (CCS 2010, WOOT 2011)
Emery Berger
 
Operating Systems - Advanced File Systems
Operating Systems - Advanced File SystemsOperating Systems - Advanced File Systems
Operating Systems - Advanced File Systems
Emery Berger
 
Operating Systems - Queuing Systems
Operating Systems - Queuing SystemsOperating Systems - Queuing Systems
Operating Systems - Queuing Systems
Emery Berger
 
Operating Systems - Distributed Parallel Computing
Operating Systems - Distributed Parallel ComputingOperating Systems - Distributed Parallel Computing
Operating Systems - Distributed Parallel Computing
Emery Berger
 
Operating Systems - Concurrency
Operating Systems - ConcurrencyOperating Systems - Concurrency
Operating Systems - Concurrency
Emery Berger
 
Operating Systems - Advanced Synchronization
Operating Systems - Advanced SynchronizationOperating Systems - Advanced Synchronization
Operating Systems - Advanced Synchronization
Emery Berger
 

Más de Emery Berger (20)

Doppio: Breaking the Browser Language Barrier
Doppio: Breaking the Browser Language BarrierDoppio: Breaking the Browser Language Barrier
Doppio: Breaking the Browser Language Barrier
 
Dthreads: Efficient Deterministic Multithreading
Dthreads: Efficient Deterministic MultithreadingDthreads: Efficient Deterministic Multithreading
Dthreads: Efficient Deterministic Multithreading
 
Programming with People
Programming with PeopleProgramming with People
Programming with People
 
Stabilizer: Statistically Sound Performance Evaluation
Stabilizer: Statistically Sound Performance EvaluationStabilizer: Statistically Sound Performance Evaluation
Stabilizer: Statistically Sound Performance Evaluation
 
DieHarder (CCS 2010, WOOT 2011)
DieHarder (CCS 2010, WOOT 2011)DieHarder (CCS 2010, WOOT 2011)
DieHarder (CCS 2010, WOOT 2011)
 
Operating Systems - Advanced File Systems
Operating Systems - Advanced File SystemsOperating Systems - Advanced File Systems
Operating Systems - Advanced File Systems
 
Operating Systems - File Systems
Operating Systems - File SystemsOperating Systems - File Systems
Operating Systems - File Systems
 
Operating Systems - Networks
Operating Systems - NetworksOperating Systems - Networks
Operating Systems - Networks
 
Operating Systems - Queuing Systems
Operating Systems - Queuing SystemsOperating Systems - Queuing Systems
Operating Systems - Queuing Systems
 
Operating Systems - Distributed Parallel Computing
Operating Systems - Distributed Parallel ComputingOperating Systems - Distributed Parallel Computing
Operating Systems - Distributed Parallel Computing
 
Operating Systems - Concurrency
Operating Systems - ConcurrencyOperating Systems - Concurrency
Operating Systems - Concurrency
 
Operating Systems - Advanced Synchronization
Operating Systems - Advanced SynchronizationOperating Systems - Advanced Synchronization
Operating Systems - Advanced Synchronization
 
Operating Systems - Synchronization
Operating Systems - SynchronizationOperating Systems - Synchronization
Operating Systems - Synchronization
 
Processes and Threads
Processes and ThreadsProcesses and Threads
Processes and Threads
 
Virtual Memory and Paging
Virtual Memory and PagingVirtual Memory and Paging
Virtual Memory and Paging
 
Operating Systems - Virtual Memory
Operating Systems - Virtual MemoryOperating Systems - Virtual Memory
Operating Systems - Virtual Memory
 
MC2: High-Performance Garbage Collection for Memory-Constrained Environments
MC2: High-Performance Garbage Collection for Memory-Constrained EnvironmentsMC2: High-Performance Garbage Collection for Memory-Constrained Environments
MC2: High-Performance Garbage Collection for Memory-Constrained Environments
 
Vam: A Locality-Improving Dynamic Memory Allocator
Vam: A Locality-Improving Dynamic Memory AllocatorVam: A Locality-Improving Dynamic Memory Allocator
Vam: A Locality-Improving Dynamic Memory Allocator
 
Quantifying the Performance of Garbage Collection vs. Explicit Memory Management
Quantifying the Performance of Garbage Collection vs. Explicit Memory ManagementQuantifying the Performance of Garbage Collection vs. Explicit Memory Management
Quantifying the Performance of Garbage Collection vs. Explicit Memory Management
 
Garbage Collection without Paging
Garbage Collection without PagingGarbage Collection without Paging
Garbage Collection without Paging
 

Último

9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
discovermytutordmt
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 

Último (20)

fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 

Exterminator: Automatically Correcting Memory Errors with High Probability

  • 1. Exterminator: Automatically Correcting Memory Errors with High Probability Gene Novark Emery Berger University of Massachusetts Amherst Ben Zorn Microsoft Research UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 2. Problems with Unsafe Languages C, C++: pervasive apps, but unsafe  Numerous opportunities for security  vulnerabilities, errors Double/Invalid free  Uninitialized reads  Dangling pointers  Buffer overflows (stack & heap)  DieHard: eliminates some, probabilistically  avoids others [PLDI 2006] Exterminator: builds on DieHard  UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 3. DieHard Overview [PLDI 2006] Use randomization & (optionally)  replication to reduce risk of memory errors Objects randomly spread across heap  Different run = different heap  Probabilistic memory safety  Errors across heaps independent  object size = 2i+3 object size = 2i+4 … 24 5 3 1 63 Run 1: “malignant” overflow Run 2: “benign” overflow … 1 6 3 2 54 1 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 4. DieHard Limitations DieHard:  Fine for single error  But multiple errors eventually swamp probabilistic  protection Not great for large overflows  Tolerates errors  But doesn’t find them  No information for programmer  Exterminator:  Automatically isolate and fix memory errors UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 5. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 6. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 7. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bad object (too small) UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 8. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end bad object (too small) UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 9. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end bad object (too small) UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 10. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 11. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 12. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 13. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 14. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end 1. Heap provides no useful information UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 15. Diagnosing Buffer Overflows Canonical buffer overflow:  Allocate object – too small  Write past end ) nukes object bytes forward  Not necessarily contiguous  char * str = new char[8]; strcpy (str, “goodbye cruel world”); bytes past end 2. No way to detect corruption UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 16. Isolating Buffer Overflows Canaries in freed space detect corruption  known random value dead canary = corruption Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object # = object id (allocation time) UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 17. Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 18. Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object 1 8 7 5 3 10 2 9 6 4 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 19. Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Key insight: Overflow must be at same  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object 1 8 7 5 3 10 2 9 6 4 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 20. Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Key insight: Overflow must be at same  Red = Green = possible not 8 10 2 3 4 5 1 7 9 bad bad object object 1 8 7 5 3 2 9 6 4 10 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 21. Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Key insight: Overflow must be at same  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object 1 8 7 5 3 10 2 9 6 4 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 22. Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Key insight: Overflow must be at same  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object 1 8 7 5 3 10 2 9 6 4 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 23. Isolating Buffer Overflows Canaries in freed space detect corruption  Run multiple times with “DieFast” allocator  Key insight: Overflow must be at same  Red = Green = possible not 8 10 2 9 3 4 5 1 7 bad bad object object 1 8 7 5 3 10 2 9 6 4 3 4 9 6 8 2 5 7 1 ) object 9 overflowed, with high probability UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 24. Buffer Overflow Analysis 8 10 2 9 3 4 5 1 7 1 8 7 5 3 10 2 9 6 4 3 4 9 6 8 2 5 7 1 H = # heap objects K = # iterations Example: H = 1,000,000 objects  3 iterations ¼ 1;000;000 false positives 1 Iterations exponentially increase precision  UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 25. Isolating Dangling Pointers Dangling pointer error:  Live object freed too soon  Overwritten by some other object  int * v = new int[4]; … delete [] v; // oops … char * str = new char[16]; strcpy (str, “die, pointer”); v[3] = 12; … use of v[0] UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 26. Isolating Dangling Pointers Unlike buffer overflow:  dangling pointer ) same corruption in all  8 11 2 9 3 6 4 5 10 1 12 7 4 1 8 7 5 3 12 2 9 11 6 10 4 3 4 10 6 8 2 12 5 7 1 9 µ ¶k¡1 1 P(identical over°ow) · H ¡1 2 1 k = 3 ) false negatives ¼  1;000;000 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 27. Correcting Allocator Generate runtime patches to correct errors  Track object call sites in allocator  Prevent overflows: pad overflowed objects  malloc(8 + δ) malloc(8) 1 1 Prevent dangling pointers: defer frees  delay δ mallocs; free(ptr) free(ptr) UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 28. Exterminator Architecture Three main pieces:  DieHard-based allocator (DieFast)  Reveals bugs  Error isolator  Finds bugs across multiple heaps w.h.p.  Correcting allocator  Fixes bugs  Multiple modes suitable for testing  (debugging) or deployment UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 29. Exterminator Modes Iterative Error isolator runtime  patches Run multiple times  correcting allocator Same inputs  seed DieFast replica1 Debugging  correcting allocator input output Replicated seed DieFast replica2  vote broadcast correcting allocator Run simultaneously  seed DieFast replica3 Deployable w/limitations  Can fix errors on-the-fly  Cumulative  Different inputs, nondeterminism  Deployable; see paper for details  UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 30. Exterminator Runtime Overhead 25% UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 31. Empirical Results: Real Faults Squid heap overflow  Crashes glibc 2.8.0 and BDW collector  3 iterations to fix ) 6 byte pad  Prevents overflow for all subsequent executions  UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 32. Empirical Results: Real Faults Mozilla 1.7.3 buffer overflow  Debug scenario:  repeated load of PoC: 23 runs to fix overflow  1 2 3 Deployed scenario:  different browsing sessions: 34 runs to fix  1 2 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 33. Exterminator Conclusion Exterminator: automatic error correction w.h.p.  Randomization bugs have different effects  Statistical analysis combines information from  multiple runs to isolate error Correcting allocator eliminates bugs at runtime  http://www.cs.umass.edu/~gnovark/ UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 34. UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 35. DieHard, heap layout object size allocation space 1 2 4 3 6 5 inUse 8 6 inUse inUse 4 2 bitmap 1 inUse 16 miniheaps 1 inUse 1 Bitmap-based, segregated size classes  Bit represents one object of given size  i.e., one bit = 2i+3 bytes, etc.  malloc(): randomly probe bitmap for free space  free(): just reset bit  UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007
  • 36. Exterminator Extensions single miniheap 00000001 allocation bitmap heap DieHard Exterminator 2 1 3 object id (serial number) alloc site A4 A8 A3 D9 D6 dealloc site dealloc time 3 2 UNIVERSITY OF MASSACHUSETTS AMHERST • Department of Computer Science • 2007