
Mario Hewardt, Senior Development Lead, Microsoft Corporation; Daniel Pravat, Senior Development Lead, Microsoft Corporation …and we approve this message.



6 Source: Coverity White Paper


12 Daniel Pravat


19 [Diagram: Thread 0 and Thread 1 acquiring cs_DB1 and cs_DB2]
No progress = Deadlock
Acquisition order is reversed
The length of the acquisition sequences may be different
A,B,C = OK   B,C = OK   A,B = OK   A,C = OK
B,C,A = Deadlock
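Slide 19's rule can be checked mechanically: record every "acquired b while still holding a" pair as an edge in a lock-order graph and look for a cycle. The C program below is an example added here, not code from the presentation; lock names are single letters A..H and the sequences are constructed inputs. It reproduces the slide's verdicts: A,B,C together with B,C, A,B and A,C is consistent, while adding B,C,A creates the A→B→A reversal that can deadlock.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8   /* lock names are single letters 'A'..'H' (constructed example) */

/* order[a][b] != 0 means some thread acquired lock b while still holding lock a. */
static int order[MAX_LOCKS][MAX_LOCKS];

/* Record one thread's acquisition sequence, e.g. "ABC" for A, then B, then C.
 * Returns 0, or -1 if a lock name is outside 'A'..'H'. */
int record_sequence(const char *seq)
{
    size_t n = strlen(seq);
    for (size_t i = 0; i < n; i++)
        if (seq[i] < 'A' || seq[i] >= 'A' + MAX_LOCKS)
            return -1;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            order[seq[i] - 'A'][seq[j] - 'A'] = 1;
    return 0;
}

/* Depth-first search; an edge back to a node still on the DFS path is a cycle. */
static int has_cycle_from(int node, int *state)
{
    state[node] = 1;                       /* 1 = on the current DFS path */
    for (int next = 0; next < MAX_LOCKS; next++) {
        if (!order[node][next])
            continue;
        if (state[next] == 1)
            return 1;                      /* lock order reversed somewhere */
        if (state[next] == 0 && has_cycle_from(next, state))
            return 1;
    }
    state[node] = 2;                       /* 2 = fully explored */
    return 0;
}

/* Returns 1 if the recorded orders admit a deadlock, 0 otherwise. */
int can_deadlock(void)
{
    int state[MAX_LOCKS] = {0};
    for (int i = 0; i < MAX_LOCKS; i++)
        if (state[i] == 0 && has_cycle_from(i, state))
            return 1;
    return 0;
}

/* Check a whole set of per-thread sequences starting from an empty graph.
 * Returns 1 (deadlock possible), 0 (consistent ordering) or -1 (bad input). */
int sequences_deadlock(const char *const *seqs, int count)
{
    memset(order, 0, sizeof order);
    for (int i = 0; i < count; i++)
        if (record_sequence(seqs[i]) != 0)
            return -1;
    return can_deadlock();
}

int main(void)
{
    const char *ok[]  = {"ABC", "BC", "AB", "AC"};   /* the slide's OK cases */
    const char *bad[] = {"ABC", "BCA"};               /* adds the reversed order */
    printf("A,B,C + B,C + A,B + A,C: %s\n",
           sequences_deadlock(ok, 4) ? "deadlock possible" : "OK");
    printf("A,B,C + B,C,A: %s\n",
           sequences_deadlock(bad, 2) ? "deadlock possible" : "OK");
    return 0;
}
```

The same graph is what a lock-order checker builds at run time from real acquisitions; the cycle, not the sequence length, is what matters, which is why B,C alone is fine and B,C,A next to A,B,C is not.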


21 [Diagram: test systems, remote client and smart client; symbols and sources]

22 Daniel Pravat

23 DisplayError calls Sleep; the return address is saved
Sleep calls SleepEx; the return address is saved
…
The return address is changed to X; execution starts at X
There is another thread smashing the stack
How to catch this async operation?
What are the implications of this bug?
Can the execution be controlled?
Can this execution be prevented? Welcome NX bit


26 Daniel Pravat

27 Build a new version
Extract public symbols
Index symbols
Publish symbols
Use symbols


32 Build a new version
Extract the source file list
Store the information required to retrieve the file from SC
Publish symbols
Use the symbols


34 C:\>pdbstr -r -p:%_NT386TREE%\sym.pri\retail\exe\03sample.pdb -s:srcsrv
SRCSRV: ini
VERSION=1
INDEXVERSION=2
VERCTRL=Visual Source Safe
DATETIME=Mon Jan 8 00:04:
SRCSRV: variables
SSDIR=C:\AWD\VSS
SRCSRVENV=SSDIR=%AWD%
VSSTRGDIR=%targ%\%var2%\%fnbksl%(%var3%)\%var4%
VSS_EXTRACT_CMD=ss.exe get -GL"%vsstrgdir%" -GF- -I-Y -W "$/%var3%" -V"%var4%"
VSS_EXTRACT_TARGET=%targ%\%var2%\%fnbksl%(%var3%)\%var4%\%fnfile%(%var1%)
AWD=C:\AWD\VSS
SRCSRVTRG=%VSS_extract_target%
SRCSRVCMD=%VSS_extract_cmd%
SRCSRV: source files
c:\awd\chapter3\spydbg.cpp*AWD*chapter3/spydbg.cpp*VERSION1
SRCSRV: end


45 [Diagram: user-mode CreateEvent(…) calls crossing the WIN32 API into the kernel; EPROCESS, Object Header with Ref Count and Obj Count, Event and Mutant objects]

46 HANDLE hFile = CreateFile(pWorkerData->pszFileName,
                          FILE_READ_DATA,
                          FILE_SHARE_READ,
                          NULL,
                          OPEN_EXISTING,
                          FILE_ATTRIBUTE_NORMAL,
                          NULL);
   if (hFile == INVALID_HANDLE_VALUE)
       return;            // open failed: nothing was allocated, nothing to close
   // Use file handle
   CloseHandle(hFile);    // every successful CreateFile needs a matching CloseHandle


48 [Flowchart: Leak? → Type of resource → Initial analysis → Use tools → Avoidance strategy → Done; No]

49 Mario Hewardt


53 [Diagram: Application → Heap Manager (Default Process Heap, C Runtime Heaps, Other Heaps) → Virtual Memory Manager]

54 BYTE* pMem = (BYTE*)HeapAlloc(GetProcessHeap(), 0, 100);
   if (pMem == NULL)
       return;            // allocation failed: nothing to free
   // Use memory
   HeapFree(GetProcessHeap(), 0, pMem);   // pair every HeapAlloc with HeapFree on the same heap


56 Mario Hewardt


63 [Diagram: Web client → Web front-end → Middle tier → Database back-end]


67 0:000> !token 7bc -n
TS Session ID: 0
User: S (User: XP-SP2\TestAdmin)
Groups:
 00 S (Group: XP-SP2\None)
    Attributes - Mandatory Default Enabled
 01 S (Well Known Group: localhost\Everyone)
    Attributes - Mandatory Default Enabled
 02 S (Alias: BUILTIN\Administrators)
    Attributes - Mandatory Default Enabled Owner
 03 S (Alias: BUILTIN\Users)
    Attributes - Mandatory Default Enabled
 04 S (Well Known Group: NT AUTHORITY\INTERACTIVE)
    Attributes - Mandatory Default Enabled
 05 S (Well Known Group: NT AUTHORITY\Authenticated Users)
    Attributes - Mandatory Default Enabled
 06 S (no name mapped)
    Attributes - Mandatory Default Enabled LogonId
 07 S (Well Known Group: localhost\LOCAL)
    Attributes - Mandatory Default Enabled
Primary Group: S (Group: XP-SP2\None)
Privs:
 00 0x SeChangeNotifyPrivilege   Attributes - Enabled Default
 01 0x SeSecurityPrivilege       Attributes
    0x SeTakeOwnershipPrivilege  Attributes
    0x e SeCreateGlobalPrivilege Attributes - Enabled Default
 19 0x d SeImpersonatePrivilege  Attributes - Enabled Default
Auth ID: 0:1c3a8
Impersonation Level: Identification
TokenType: Impersonation


69 0:000> !acl ac
ACL is:
ACL is: ->AclRevision: 0x2
ACL is: ->Sbz1 : 0x0
ACL is: ->AclSize : 0x1c
ACL is: ->AceCount : 0x1
ACL is: ->Sbz2 : 0x0
ACL is: ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
ACL is: ->Ace[0]: ->AceFlags: 0x0
ACL is: ->Ace[0]: ->AceSize: 0x14
ACL is: ->Ace[0]: ->Mask : 0x
ACL is: ->Ace[0]: ->SID: S-1-1-0

70 kd> !sd
->Revision: 0x1
->Sbz1 : 0x0
->Control : 0x8004
   SE_DACL_PRESENT
   SE_SELF_RELATIVE
->Owner : S
->Group : S
->Dacl :
->Dacl : ->AclRevision: 0x2
->Dacl : ->Sbz1 : 0x0
->Dacl : ->AclSize : 0x1c
->Dacl : ->AceCount : 0x1
->Dacl : ->Sbz2 : 0x0
->Dacl : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE
->Dacl : ->Ace[0]: ->AceFlags: 0x0
->Dacl : ->Ace[0]: ->AceSize: 0x14
->Dacl : ->Ace[0]: ->Mask : 0x
->Dacl : ->Ace[0]: ->SID: S
->Sacl : is NULL
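The !acl output on slide 69 and the DACL portion of the !sd output on slide 70 walk the same self-relative layout: an ACL header (AclRevision, Sbz1, AclSize, AceCount, Sbz2) followed by ACEs (AceType, AceFlags, AceSize, Mask, SID). The C program below is an example added here, not code from the presentation or a debugger extension; it parses that layout from a constructed byte buffer that reproduces the slide's values (AclSize 0x1c, one ACCESS_ALLOWED_ACE of AceSize 0x14 for SID S-1-1-0, Everyone). The access mask 0x001F01FF is a constructed sample, since the slides do not show the mask. The parser checks AclSize and AceSize against the buffer before trusting them, which is the check any code reading security descriptors out of raw memory needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACCESS_ALLOWED_ACE_TYPE 0x00   /* value as in winnt.h */
#define MAX_PARSED_ACES 4

typedef struct {
    uint8_t  ace_type;
    uint8_t  ace_flags;
    uint16_t ace_size;
    uint32_t mask;
    char     sid[64];      /* SID rendered as "S-R-I-S1-..." */
} parsed_ace;

typedef struct {
    uint8_t    revision;
    uint16_t   acl_size;
    uint16_t   ace_count;
    parsed_ace ace[MAX_PARSED_ACES];
} parsed_acl;

/* Constructed sample matching the slide: ACL header + one ACCESS_ALLOWED_ACE for S-1-1-0. */
const uint8_t sample_acl[] = {
    0x02, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x00,   /* AclRevision 2, Sbz1, AclSize 0x1c, AceCount 1, Sbz2 */
    0x00, 0x00, 0x14, 0x00,                           /* AceType 0 (allowed), AceFlags 0, AceSize 0x14 */
    0xFF, 0x01, 0x1F, 0x00,                           /* Mask 0x001F01FF (constructed sample value) */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,   /* SID: revision 1, 1 sub-authority, authority 1 */
    0x00, 0x00, 0x00, 0x00                            /* sub-authority 0  => S-1-1-0 (Everyone) */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Render a binary SID as text. Returns bytes consumed, or 0 if it does not fit in avail. */
size_t format_sid(const uint8_t *p, size_t avail, char *out, size_t outlen)
{
    if (avail < 8)
        return 0;
    uint8_t rev = p[0], count = p[1];
    size_t need = 8 + (size_t)count * 4;
    if (count > 15 || avail < need)        /* SIDs carry at most 15 sub-authorities */
        return 0;
    uint64_t auth = 0;                     /* 48-bit identifier authority, big-endian */
    for (int i = 2; i < 8; i++)
        auth = (auth << 8) | p[i];
    int n = snprintf(out, outlen, "S-%u-%llu", rev, (unsigned long long)auth);
    for (unsigned i = 0; i < count; i++) {
        if (n < 0 || (size_t)n >= outlen)
            return 0;
        n += snprintf(out + n, outlen - (size_t)n, "-%u", rd32(p + 8 + 4 * i));
    }
    return (n < 0 || (size_t)n >= outlen) ? 0 : need;
}

/* Parse a self-relative ACL. Returns 0 on success, a negative code on malformed input. */
int parse_acl(const uint8_t *buf, size_t len, parsed_acl *acl)
{
    if (len < 8)
        return -1;
    memset(acl, 0, sizeof *acl);
    acl->revision  = buf[0];
    acl->acl_size  = rd16(buf + 2);
    acl->ace_count = rd16(buf + 4);
    if (acl->acl_size > len || acl->ace_count > MAX_PARSED_ACES)
        return -2;                         /* AclSize must lie inside the buffer we hold */
    size_t off = 8;
    for (unsigned i = 0; i < acl->ace_count; i++) {
        if (off + 4 > acl->acl_size)
            return -3;                     /* ACE header would run past AclSize */
        parsed_ace *a = &acl->ace[i];
        a->ace_type  = buf[off];
        a->ace_flags = buf[off + 1];
        a->ace_size  = rd16(buf + off + 2);
        if (a->ace_size < 8 || off + a->ace_size > acl->acl_size)
            return -4;                     /* AceSize must cover header+mask and stay inside the ACL */
        if (a->ace_type == ACCESS_ALLOWED_ACE_TYPE) {
            a->mask = rd32(buf + off + 4);
            if (format_sid(buf + off + 8, a->ace_size - 8u, a->sid, sizeof a->sid) == 0)
                return -5;                 /* SID does not fit inside the ACE */
        }
        off += a->ace_size;
    }
    return 0;
}

int main(void)
{
    parsed_acl acl;
    if (parse_acl(sample_acl, sizeof sample_acl, &acl) != 0)
        return 1;
    printf("AclRevision 0x%x AclSize 0x%x AceCount %u\n", acl.revision, acl.acl_size, acl.ace_count);
    printf("Ace[0]: type 0x%x size 0x%x mask 0x%08x SID %s\n",
           acl.ace[0].ace_type, acl.ace[0].ace_size, acl.ace[0].mask, acl.ace[0].sid);
    return 0;
}
```

Running it prints the same header and ACE fields the debugger shows on the slide; feeding it a truncated buffer makes parse_acl fail on the AclSize check instead of reading past the end.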


72 Daniel Pravat

73 void MTAClientCall()
{
    COSERVERINFO si = {0};          // server name and auth info filled in by the caller (elided on the slide)
    MULTI_QI mqi = {0};
    mqi.pIID = &IID_ICalculator;    // interface requested at activation (IID name assumed from ICalculator)
    // ...
    if (SUCCEEDED(CoCreateInstanceEx(CLSID_Calculator, NULL,
                                     CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
                                     &si, 1, &mqi))
        && SUCCEEDED(mqi.hr))       // per-interface result must be checked as well
    {
        ICalculator* pCalculator = (ICalculator*)mqi.pItf;
        __int32 result = 0;
        wprintf(L"Calling SumSlow...");
        pCalculator->SumSlow(1, 2, &result);
        pCalculator->Release();
        wprintf(L"done\n");
    }
}

74 [Diagram: DCOM activation: Remote client → RPCSS (SCM) on the host OS → DCOM launch of the DCOM server; DCOM client]

75 Daniel Pravat


83 [Diagram: Application → Heap Manager (Default Process Heap, C Runtime Heaps, Other Heaps) → Virtual Memory Manager]

84 [Diagram: Look-aside table: fixed-size entries up to 1024 bytes, unused slots]

85 [Diagram: Variable-size free lists up to 1016 bytes, unused slots; segment list]


87 [Diagram: heap segment: Busy Block, Free Block, Uncommitted range]


89 [Diagram: heap block layout]
Pre-allocation metadata: Current Size, Previous Size, Seg Index, Flags, Unused, Tag Index
User accessible part
Post-allocation metadata
Debug heap block: Pre-allocation metadata, Suffix Bytes, Fill Area (debug), Heap Extra, Post-allocation metadata, User accessible part

90 [Diagram: three heap blocks: Allocation Size: 32, Allocation Size: 16, Allocation Size: 64]


92 Mario Hewardt


100 [Diagram: Windows Error Reporting flow: Process Crash → Dr. Watson → Crash data over HTTPS → Windows Error Reporting Service → Fault response over HTTPS; Error Sent; ISV queries fault data]

101 Mario Hewardt


105 Daniel Pravat


109 static void Main()
{
    // ... hostAddress, userName and password are set up earlier (elided on the slide)
    int operationCount = 0;
    for (; ; )
    {
        operationCount++;
        HostInfo hi = HostInfo.GetDefault(hostAddress, userName, password);
        IWSManSession session = GetSession(hi);
        string response = session.Get("wmicimv2/Win32_OperatingSystem", 0);
        Console.Write("\rNumber of calls: " + operationCount);
    }
    // ...
}

110 static Dictionary<string, IWSManSession> sessionCache =
    new Dictionary<string, IWSManSession>();

public static IWSManSession GetSession(HostInfo hi)
{
    IWSManSession session = null;
    // Get a cached session; create and cache one on a miss
    string key = hi.GetKey();
    if (!sessionCache.TryGetValue(key, out session))
    {
        session = CreateSession(hi);
        sessionCache[key] = session;
    }
    return session;
}

111 Daniel Pravat


118 © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
