Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant."— Presentation transcript:

1 SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant Kowshik, Vikram Adve

2 SAFECode Weakly Typed Languages (C/C++) Weak semantic guarantees –Undetected array bounds errors, dangling pointer errors, type cast errors, uninitialized pointers, etc.  Memory safety violations  Any static analysis is suspect Widely Ignored

3 SAFECode Static Analysis Tools Memory errors invalidate core analyses Yes or No property Software Tools (e.g. ESP, BLAST) C program Normal Compiler Alias analysis, Call graph, Type information Core Analyses ≈

4 SAFECode Why not use safe languages? Large body of legacy applications in C/C++ Porting is not easy –Automatic memory management or GC –Wrappers for library calls because of metadata on pointers Java, C#, safe dialects of C (e.g. CCured, Cyclone)

5 SAFECode Our Solution: SAFECode Not a safe language : tolerates errors Completely automatic, no wrappers, no GC Works for nearly all C programs Low overhead (less than 30% in our expts) Provides sound analysis platform –Sound operational semantics for C based on core analyses Masks dangling pointer, array bounds errors Ensures memory safety (defined later)

6 SAFECode SAFECode as Analysis Platform C program Normal Compiler Alias analysis, Call graph, Type information SAFECode C program with checks property Yes or No Software Verification e.g. ESP, BLAST SAFECode enforces core analyses, memory safety Core Analyses ≈

7 SAFECode Outline Motivation & Overview Background Approach Formalization Evaluation Summary

8 SAFECode Background - Alias Analysis P = malloc(2 * sizeof(int)); P[i] = …. struct BigT *Q = (Struct BigT *)P; TU S,A P Q field TK : Type Known, TU : Type Unknown struct List* head = makeList(20); struct List (TK) H next val head A static summary of memory objects and their connectivity Restriction: flow-insensitive, unification based Q->field8 = …

9 SAFECode Background - Automatic Pool Allocation (APA) [LattnerAdve:PLDI05] Each node instance uses separate pool Pool is destroyed if not accessible Pool 1Pool 2 List H next val head Partitions heap into pools based on alias analysis List H next val x y

10 SAFECode Outline Motivation & Overview Background Approach Formalization Evaluation Summary

11 SAFECode SAFECode Approach : Enforce Core Analyses Alias analysis Call graph –Run-time checks on indirect calls Type information –Subset of alias analysis

12 SAFECode Enforcing Alias Analysis Check if tmp points to corresponding node Normal allocators –Memory objects are scattered in the heap –Each check at run-time is extremely expensive struct List (TK) H next val tmp

13 SAFECode Insight 1 – Use Automatic Pool Allocation (APA) Each node instance uses separate pool Pool is destroyed if not accessible Pool 1Pool 2 List H next val head Partitions heap into pools based on alias analysis List H next val x y

14 SAFECode The Pool Bounds Check Pool is a list of pages (2^k) Pool maintains a hash table of the start addresses of the pages Poolcheck on a pointer p –Mask lower k bits of p, see if it is in the hash table –Alignment check for TK pools Poolcheck : involves hash lookups

15 SAFECode Insight 2 : Mostly static checking for TK pools 3 sufficient properties Type Known Pools Typed accessesfree Correct alignment free No pool bounds violations Pool bounds checks Type Unknown Pools Pool bounds checks on all operations Solution –Type homogeneity, do not release memory from pool ( Insight 3 ) Release memory from pool when pool is inaccessible (Insight 4)

16 SAFECode poolinit (ρ, int) PP { int* ρ x,y; int*ρ’ z; x = malloc(4); y = x; free(x); y = malloc(4); Formalization as a Type System Soundness theorem ensures core analyses are never invalidated Int xy ρ poolinit( ρ’, int) PP’ { poolinit (ρ, int) PP { int* ρ x,y; int*ρ’ z; x = poolalloc(PP, 1); //allocate one element y = x; //type checks poolfree(PP,x) y = poolalloc(PP,1); // malloc semantics different } ρ’ρ’ Int z

17 SAFECode Static Analysis Using SAFECode Flow-sensitive analysis –Only change is in malloc semantics Flow insensitive analyses –don’t require any changes e.g., ESP, BLAST Sound Analyses for C are now possible

18 SAFECode Evaluation (Run-time Overhead) Olden, Ptrdist, 3 system daemons [Full list in the paper] No source changes necessary Compared with CCured on Olden [See paper] ProgramSAFECode ratio bh1.03 bisort1.00 em3d1.27 treeadd0.99 tsp0.99 Yacr21.30 Ks1.12 anagram1.23 ftpd1.00 fingerd1.03 ghttpd1.07 1.0 ≡ no pool allocation + no SAFECode passes

19 SAFECode Related Work Modified C Pure C SolutionPerformance Error detection/ prevention Sound analysis Memory Management Purify, Valgrind Several 100xSome- - SafeC5xSome- - Jones-Kelley5-6xSome- - SFIOver 2xFew- - YongOver 2xSome- - SAFECodeUpto 1.30SomeYes - CCuredUpto 1.87AllYes GC Cyclone1x-2xAllYes Regions +GC

20 SAFECode Two errors we don’t detect Detecting array bounds overflow – A low overhead backwards-compatible solution [ICSE 2006] Detecting dangling pointer dereference –Efficient detection for some kinds of programs [DSN 2006]

21 SAFECode Conclusion Sound operational semantics for C + core analyses Guarantee alias analysis with low over head  We guarantee memory safety without detecting some errors - Control flow integrity - Data access integrity (type information) - Analysis integrity http://safecode.cs.uiuc.edu

22 SAFECode

Download ppt "SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant."

Similar presentations

Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
Automatic Pool Allocation: Compile-Time Control Over Complete Pointer-Based Data Structures Vikram Adve University of Illinois at Urbana-Champaign Joint.

Automatic Pool Allocation: Compile-Time Control Over Complete Pointer-Based Data Structures Vikram Adve University of Illinois at Urbana-Champaign Joint.
SAFECode Memory Safety Without Runtime Checks or Garbage Collection By Dinakar Dhurjati Joint work with Sumant Kowshik, Vikram Adve and Chris Lattner University.

SAFECode Memory Safety Without Runtime Checks or Garbage Collection By Dinakar Dhurjati Joint work with Sumant Kowshik, Vikram Adve and Chris Lattner University.
1 Day 03 Introduction to C. 2 Memory layout and addresses 5 10 12.5 9. 8 r s int x = 5, y = 10; float f = 12.5, g = 9.8; char c = ‘r’, d = ‘s’; 430043044308431243164317.

1 Day 03 Introduction to C. 2 Memory layout and addresses r s int x = 5, y = 10; float f = 12.5, g = 9.8; char c = ‘r’, d = ‘s’;
Korey Breshears. Overview  What are automated security tools?  Why do we need them?  What types of tools are there?  What problems do these tools.

Korey Breshears. Overview  What are automated security tools?  Why do we need them?  What types of tools are there?  What problems do these tools.
By Emery D. Berger and Benjamin G. Zorn Presented by: David Roitman.

By Emery D. Berger and Benjamin G. Zorn Presented by: David Roitman.
Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.

Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.
“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.

“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.
Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.

Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.

1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.
Run-Time Error Handling Wes Weimer, George Necula.

Run-Time Error Handling Wes Weimer, George Necula.
Chapter 3.7 Memory and I/O Systems. 2 Memory Management Only applies to languages with explicit memory management (C or C++) Memory problems are one of.

Chapter 3.7 Memory and I/O Systems. 2 Memory Management Only applies to languages with explicit memory management (C or C++) Memory problems are one of.

Similar presentations

Ads by Google