Presentation is loading. Please wait.

Presentation is loading. Please wait.

Checking Memory Safety with BLAST Dirk Beyer, et al. FASE 2005 KAIST CS750b 2006 Fall Seonggun Kim.

Published byDaniella Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "Checking Memory Safety with BLAST Dirk Beyer, et al. FASE 2005 KAIST CS750b 2006 Fall Seonggun Kim."— Presentation transcript:

1 Checking Memory Safety with BLAST Dirk Beyer, et al. FASE 2005 KAIST CS750b 2006 Fall Seonggun Kim

2 2 Outline Memory Safety Two-step Approach –CCured: a type-based memory safety analyzer –BLAST: a temporal safety property checker CCured Conclusion –An improvement in the memory safety analysis

3 3 Memory Safety Essential for security systems –Invalid memory access can… Cause a process to crash Produce incorrect results –Buffer overflows are the basis of many attacks Memory bugs –Dereferencing null-pointer –Dereferencing outside of object bounds –Freeing non-pointers –Using freed memory

4 4 C and Memory Safety C is designed and used for efficiency –Allows many ‘unsafe’ operations E.g., casting to arbitrary types –Sacrifices safety for efficiency A solution: Run-time checking int array[10]; … if ( (array+i >= array+10) || (array+i < array)) { exit(EXIT_FAILURE); } val = array[i]; Inserted code

5 5 Run-time Overhead Run-time checking causes slow-down –Time spent executing inserted code –E.g., IBM Rational® Purify: 10x slow-down But, in many C programs, –Most pointers are used safely –Only small portions are responsible for unsafe behavior Static analysis can eliminate many run-time checking

6 6 Checking Memory Safety with BLAST BLAST can guarantee a pointer is safely used –by checking if the location labeled __BLAST_ERROR is reachable –If __BLAST_ERROR is not reachable, we can eliminate the corresponding checking code OBJ *p = malloc(sizeof(OBJ)); … if (p == NULL) { __BLAST_ERROR: ; } val = p->value;

7 7 Disadvantage of BLAST Expensive (takes long time) –Path sensitive –Generates an execution trace Overkill for some checks Not good for large programs Solution –Combine BLAST with more efficient tool: CCured

8 8 Combining BLAST and CCured CCured –Efficient –More runtime checks BLAST –Expensive –More powerful –Feedback Together –Efficient –Fewer runtime checks –Feedback CCured BLAST program codechecking code

9 9 CCured The CCured System CCured Translator Compile & Execute C Program Instrumented C Program Halt: Memory Safety Violation Success

10 10 A Little More about CCured A type-based memory safety analyzer for C Classifies the pointers according to usage –Type-inference –SAFE, SEQ, WILD –Transform normal pointers to “fat-pointers” Annotates with run-time checks –SAFE: Null-check –SEQ: check array bound –WILD: check non-pointer and bounds and non-null

11 11 A Little More about CCured Classifies the pointers according to usage casting arith. on pointer –SAFE:NONO –SEQ:NOYES –WILD:YESYES (roughly) Annotates with run-time checks –SAFE: null-check –SEQ: array bound check (implicit null-check) –WILD: null-check + bound check + non-pointer check Remove redundant checks by naïve optimizer

12 12 SAFE Pointer Invariants and Representation T * SAFE –Prototypical example: FILE *fp = fopen(filename, “r”); –Can be 0 or a pointer to storage containing a T –All aliases agree on the type of the referenced storage –Must do null-check before dereference –Inexpensive to store and to use (just null-check) p statically typed home area T x: assert(x.p != null);

13 13 SEQ Pointer Invariants and Representation T * SEQ –Can be 0 –Can be involved in pointer arithmetic: val = array++; –Null check and bounds check before use –Carries the bounds of a home area consisting of a sequence of T ’ s –All SAFE or SEQ aliases agree on the type of the referenced area basepend statically typed home area TT … T … assert(x.b <= x.p); assert(x.p <= x.e – sizeof(T)); x:

14 14 WILD Pointer Invariants and Representation T * WILD –Can be a non-pointer (any primitive) –Carries the bounds of a dynamic home area –Has only WILD pointer aliases –Must do a non-pointer and a bounds check –Must maintain the tags when writing (1 bit per word) dynamically typed home areaendtag bits basep indicates which words contain base assert(x.b != null); assert(x.b <= x.p); assert(x.p <= len(x.b) – sizeof(T’)); if (typeof(*(x.p)) is *WILD) assert(tag(x.b, x.p+1) == 1);

15 15 Example 1: OBJ* f (int **a) { 2: int **x; 3: int **y = a + 10; 4: for (x = a; x < y; x++) 5: *x = *y; 6: return (OBJ*) *y; 7: } 1: OBJ *WILD f (int *WILD *SEQ a) { 2: int *WILD *SEQ x; 3: int *WILD *SAFE y = a + 10; 4: for (x = a; x < y; x++) 5: *x = *y; 6: return (OBJ *WILD) *y; 7: }

16 16 Example (cont) 1: OBJ *WILD f (int *WILD *SEQ a) { 2: int *WILD *SEQ x; 3: int *WILD *SAFE y = a + 10; 4: for (x = a; x < y; x++) 5: *x = *y; 6: return (OBJ *WILD) *y; 7: } 1 : OBJ *WILD f (int *WILD *SEQ a) { 2 : int *WILD *SEQ x; 3 : int *WILD *SAFE y = a + 10; 4 : for (x = a; x < y; x++) 5’: __CHECK_SEQ(x); 5”; __CHECK_SAFE(y); 5 : *x = *y; 6 : return (OBJ *WILD) *y; 7 : }

17 17 Experimental Results of CCured LOC%Safe%Seq%WildCCured RatioPurify Ratio compress1590871201.2528 go2931596402.0151 ijpeg31371361622.1530 li776193601.8650 bh2053801801.5394 bisort707901001.0342 em3d557851502.447 ks97392801.4731 health72593700.9425

18 18 CCured + BLAST Null-pointer dereferencing 1.Annotate a program using CCured __CHECK_NULL(p); 2.Replace the call to __CHECK_NULL to __BLAST_CHECK_NULL void __BLAST_CHECK_NULL(void *p) { if (!p) { __BLAST_ERROR: ; } } 3.Check if __BLAST_ERROR : is reachable

19 19 Experimental Results Timeout: 200s

20 20 Conclusion and Discussion An improvement in the memory safety analysis –Scalability and precision Pros –A kind of coarse-grained refinement –C.E. can be used for debugging Cons –Only handles null-pointer check Pointers can be regarded as Boolean variables State explosion for array bound checking?

21 21 References http://www.inf.ethz.ch/personal/daniekro/classe s/se-sem/ss2005/slides/geissbuehler.ppthttp://www.inf.ethz.ch/personal/daniekro/classe s/se-sem/ss2005/slides/geissbuehler.ppt http://nenya.ms.mff.cuni.cz/teaching/seminars/2 006-04-11-Adamek-Blast.pdfhttp://nenya.ms.mff.cuni.cz/teaching/seminars/2 006-04-11-Adamek-Blast.pdf http://osq.cs.berkeley.edu/retreat02/Weimer- CCured.ppthttp://osq.cs.berkeley.edu/retreat02/Weimer- CCured.ppt http://chess.eecs.berkeley.edu/publications/talks /02/neculaResOverview.ppthttp://chess.eecs.berkeley.edu/publications/talks /02/neculaResOverview.ppt

Download ppt "Checking Memory Safety with BLAST Dirk Beyer, et al. FASE 2005 KAIST CS750b 2006 Fall Seonggun Kim."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
CHECKING MEMORY SAFETY AND TEST GENERATION USING B LAST By: Pashootan Vaezipoor Computing Science Dept of Simon Fraser University.

CHECKING MEMORY SAFETY AND TEST GENERATION USING B LAST By: Pashootan Vaezipoor Computing Science Dept of Simon Fraser University.
Linked Lists CSE 2451 Matt Boggus. Dynamic memory reminder Allocate memory during run-time malloc() and calloc() – return a void pointer to memory or.

Linked Lists CSE 2451 Matt Boggus. Dynamic memory reminder Allocate memory during run-time malloc() and calloc() – return a void pointer to memory or.
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
Fortran Jordan Martin Steven Devine. Background Developed by IBM in the 1950s Designed for use in scientific and engineering fields Originally written.

Fortran Jordan Martin Steven Devine. Background Developed by IBM in the 1950s Designed for use in scientific and engineering fields Originally written.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Rational XL C/C++ Compiler Development © 2007 IBM Corporation Identifying Aliasing Violations in Source Code A Points-to Analysis Approach Ettore Tiotto,

Rational XL C/C++ Compiler Development © 2007 IBM Corporation Identifying Aliasing Violations in Source Code A Points-to Analysis Approach Ettore Tiotto,
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
Malloc Recitation Section K (Kevin Su) November 5 th, 2012.

Malloc Recitation Section K (Kevin Su) November 5 th, 2012.
Chapter Four Data Types Pratt 2 Data Objects A run-time grouping of one or more pieces of data in a virtual machine a container for data it can be –system.

Chapter Four Data Types Pratt 2 Data Objects A run-time grouping of one or more pieces of data in a virtual machine a container for data it can be –system.
SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.

SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.

Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.
Strength Through Typing: A more powerful dependently-typed assembly language Matt Harren George Necula OSQ 2004.

Strength Through Typing: A more powerful dependently-typed assembly language Matt Harren George Necula OSQ 2004.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
1 Efficient Memory Safety for TinyOS 2.1 Yang Chen Nathan Cooprider Will Archer Eric Eide David Gay † John Regehr University of Utah School of Computing.

1 Efficient Memory Safety for TinyOS 2.1 Yang Chen Nathan Cooprider Will Archer Eric Eide David Gay † John Regehr University of Utah School of Computing.

Similar presentations

Ads by Google