
Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior Xi Wang, Nickolai Zeldovich, M. Frans Kaashoek, Armando Solar-Lezama MIT.


1 Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior
Xi Wang, Nickolai Zeldovich, M. Frans Kaashoek, Armando Solar-Lezama (MIT CSAIL)
24th ACM SOSP (November 2013), Best Paper

2 OUTLINE
Introduction
Model for Unstable Code
Design & Implementation
Evaluation
2013/11/26, A Seminar at Advanced Defense Lab

3 INTRODUCTION
The specifications of C-family languages designate certain code fragments as having undefined behavior, giving compilers the freedom to generate whatever instructions they like for them. Aiming at systems programming, the specifications choose to trust programmers and assume that their code will never invoke undefined behavior.

4 UNDEFINED BEHAVIOR IN C
Notation used in the examples: p, q, p': n-bit pointers; x, y: n-bit integers; a: array.

5 COMPILER OPTIMIZATION
One way in which compilers exploit undefined behavior is to optimize a program under the assumption that the program NEVER invokes undefined behavior. Consequence: the original program and the optimized program may no longer behave the same. We call such code optimization-unstable code, or just unstable code for short.

6 UNSTABLE CODE EXAMPLE
Vulnerability Note VU#162289 (US-CERT) [link]
The wraparound check on the pointer is dropped: the compiler concludes that, in a well-defined program, the check is always false.

7 UNSTABLE CODE EXAMPLE (cont.)
CVE-2009-1897 [link], Linux kernel 2.6.30 [LXR link]
The programmer put the NULL check at an improper position (after a dereference of the same pointer). Compiled without optimization the code may still work, but the compiler infers from the dereference that the pointer is non-NULL and concludes the check is always false.
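The two patterns on these slides, reduced to a minimal form and each placed beside a stable rewrite. This is an added example, not code from the slides, the paper, or the original CERT or kernel sources; the struct names, function names and the 16-byte buffer are this example's own constructions. The unstable variants are shown only to be read; the demo helpers run the stable ones.

```c
/* Added example: the two unstable-code patterns in minimal form, each
 * beside a stable rewrite.  Not code from the slides, the paper, or the
 * original CERT/kernel sources; struct and function names are this
 * example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pattern 1 (the VU#162289 shape): a length guard written with pointer
 * arithmetic.  In a well-defined program buf + len never wraps around,
 * so a compiler assuming well-definedness may treat `buf + len < buf`
 * as always false and drop the second check. */
bool len_ok_unstable(const char *buf, const char *buf_end, size_t len)
{
    if (buf + len >= buf_end)      /* too long (itself UB if out of range) */
        return false;
    if (buf + len < buf)           /* wraparound guard: unstable */
        return false;
    return true;
}

/* Stable rewrite: compare sizes, not pointers.  buf_end - buf is defined
 * for two pointers into the same object, and the size_t comparison
 * cannot invoke undefined behavior, so nothing here can be assumed away. */
bool len_ok_stable(const char *buf, const char *buf_end, size_t len)
{
    size_t avail = (size_t)(buf_end - buf);
    return len < avail;
}

/* Pattern 2 (the CVE-2009-1897 shape): NULL check after dereference. */
struct demo_sock { int refcount; };
struct demo_tun  { struct demo_sock *sk; };

/* Unstable: the load tun->sk precedes the test, so the compiler may infer
 * tun != NULL and remove the `if (!tun)` branch entirely. */
int poll_unstable(struct demo_tun *tun)
{
    struct demo_sock *sk = tun->sk;
    if (!tun)
        return -1;                 /* check: unstable */
    return sk->refcount;
}

/* Stable: test the pointer before any use of it. */
int poll_stable(struct demo_tun *tun)
{
    if (!tun)
        return -1;
    return tun->sk->refcount;
}

/* Constructed inputs for exercising the stable versions. */
static char demo_buf[16];

bool demo_len_ok(size_t len)
{
    return len_ok_stable(demo_buf, demo_buf + sizeof demo_buf, len);
}

int demo_poll(bool pass_null)
{
    static struct demo_sock s = { 7 };
    static struct demo_tun t = { &s };
    return poll_stable(pass_null ? NULL : &t);
}

int main(void)
{
    printf("len 15 ok: %d, len 16 ok: %d, len SIZE_MAX ok: %d\n",
           demo_len_ok(15), demo_len_ok(16), demo_len_ok(SIZE_MAX));
    printf("poll(valid) = %d, poll(NULL) = %d\n",
           demo_poll(false), demo_poll(true));
    /* poll_unstable(NULL) is deliberately never called: it is undefined. */
    return 0;
}
```

Compile the file once at -O0 and once at -O2 and compare the generated code for the two unstable functions: the stable versions compile identically at both levels, which is the property the slides call optimization-safe.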

8 Is this the programmers' fault?
Poor understanding of unstable code is a major obstacle to reasoning about system behavior. However, these bugs are quite subtle, and understanding them requires detailed knowledge of the language specification.

9 Is this the compilers' fault?
A story: GCC bug #30475 (2007/01/15) [link]
A GCC user: “This will create MAJOR SECURITY ISSUES in ALL MANNER OF CODE. I don't care if your language lawyers tell you gcc is right.... FIX THIS! NOW!”
A GCC developer: “I am not joking, the C standard explicitly says signed integer overflow is undefined behavior.... GCC is not going to change.”

10 UNSTABLE CODE TEST
The default optimization level for a release build is -O2, so behavior observed in an unoptimized debug build need not match the shipped binary.

11 MODEL FOR UNSTABLE CODE

12 APPROACH FOR IDENTIFYING UNSTABLE CODE
Stack does this using a two-phase scheme:
1. Run the optimizer O without taking advantage of undefined behavior, which resembles optimizations under C* (C with every operation defined).
2. Run the optimizer O again, this time taking advantage of undefined behavior, which resembles the (more aggressive) optimizations under C.
Code that the second phase eliminates or simplifies but the first phase does not is unstable.

13 WELL-DEFINED PROGRAM ASSUMPTION

14 ELIMINATING UNREACHABLE CODE

15 SIMPLIFYING UNNECESSARY COMPUTATION

16 SIMPLIFICATION ORACLE
Boolean oracle: proposes true and false in turn for a boolean expression, enumerating its possible values.
Algebra oracle: proposes to eliminate common terms on both sides of a comparison if one side is a subexpression of the other, e.g. x + y < x becomes y < 0.
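A brute-force miniature of the model on slides 12 to 16: the well-defined program assumption Delta (inputs on which a statement would invoke undefined behavior are excluded), the elimination query (a branch body is unreachable if its reachability condition conjoined with Delta is unsatisfiable), the simplification query (an oracle's proposal replaces an expression if the two agree on every input admitted by Delta), and the two-phase scheme that flags a check as unstable when only the second phase removes it. This is an added example, not the slides' or Stack's own code: Stack works on LLVM IR and asks the Boolector SMT solver, whereas here the "solver" is exhaustive enumeration of 8-bit two's-complement inputs, the only undefined behavior modelled is signed overflow of +, and the expression node names and sample checks are this example's own.

```python
"""Added example: a brute-force miniature of Stack's elimination and
simplification queries.  Not the slides' or Stack's code: Stack works on
LLVM IR with the Boolector solver; here the "solver" is exhaustive
enumeration over 8-bit two's-complement inputs, the only undefined
behavior modelled is signed overflow of '+', and the expression node
names are this example's own.
"""
from itertools import product

BITS = 8
INT_MIN = -(1 << (BITS - 1))
INT_MAX = (1 << (BITS - 1)) - 1
VARS = ("x", "y")

# Expression nodes: ('var', name) | ('const', k) | ('add', a, b) | ('lt', a, b)
X = ("var", "x")
Y = ("var", "y")


def wrap(v):
    """Two's-complement wraparound to BITS bits: the C* (hardware) result."""
    v &= (1 << BITS) - 1
    return v - (1 << BITS) if v > INT_MAX else v


def evaluate(expr, env):
    """Evaluate expr under wraparound semantics.

    Returns (value, ub); ub is True when evaluating expr invokes undefined
    behavior under C semantics, i.e. some '+' overflows.  The value is
    what C* (wraparound) would compute.
    """
    tag = expr[0]
    if tag == "var":
        return env[expr[1]], False
    if tag == "const":
        return expr[1], False
    a, ub_a = evaluate(expr[1], env)
    b, ub_b = evaluate(expr[2], env)
    if tag == "add":
        exact = a + b
        overflow = not INT_MIN <= exact <= INT_MAX
        return wrap(exact), ub_a or ub_b or overflow
    if tag == "lt":
        return int(a < b), ub_a or ub_b
    raise ValueError(f"unknown node {tag!r}")


def inputs():
    """Every assignment of 8-bit values to the variables (2^16 of them)."""
    for vals in product(range(INT_MIN, INT_MAX + 1), repeat=len(VARS)):
        yield dict(zip(VARS, vals))


def branch_eliminable(cond, assume_well_defined):
    """Elimination query for `if (cond) body;` where the check itself is
    always reached, so body's reachability condition R(x) is cond(x).

    With assume_well_defined the query is conjoined with Delta: inputs on
    which evaluating cond invokes UB are discarded, because a well-defined
    program never produces them.  body is eliminable iff R(x) and Delta is
    unsatisfiable, i.e. no surviving input takes the branch.
    """
    for env in inputs():
        taken, ub = evaluate(cond, env)
        if assume_well_defined and ub:
            continue
        if taken:
            return False
    return True


def replaceable(expr, proposal, assume_well_defined):
    """Simplification query: for all x, R(x) and Delta imply
    expr(x) == proposal(x)?  Here R is true (expr is always reached) and
    Delta is applied as in branch_eliminable.  The proposal comes from an
    oracle: the algebra oracle proposing `y < 0` for `x + y < x`, or the
    boolean oracle proposing the constants 0 and 1.
    """
    for env in inputs():
        value, ub = evaluate(expr, env)
        if assume_well_defined and ub:
            continue
        if value != evaluate(proposal, env)[0]:
            return False
    return True


def classify_check(cond):
    """Stack's two-phase scheme applied to one branch condition.

    Phase 1 runs the elimination query without the UB assumption (as an
    optimizer under C* would); phase 2 runs it with the assumption (as
    one under C may).  A check that survives phase 1 but is eliminated
    in phase 2 is unstable.
    """
    if branch_eliminable(cond, assume_well_defined=False):
        return "dead"        # unreachable even under C*: not unstable
    if branch_eliminable(cond, assume_well_defined=True):
        return "unstable"    # only the UB assumption makes it unreachable
    return "stable"


if __name__ == "__main__":
    overflow_check = ("lt", ("add", X, ("const", 100)), X)       # x + 100 < x
    print("x + 100 < x :", classify_check(overflow_check))        # unstable
    print("x < 0       :", classify_check(("lt", X, ("const", 0))))  # stable
    print("x < x       :", classify_check(("lt", X, X)))          # dead
    # Algebra oracle: x + y < x  ->  y < 0, valid only under Delta.
    xy_check = ("lt", ("add", X, Y), X)
    y_neg = ("lt", Y, ("const", 0))
    print("simplify with Delta   :", replaceable(xy_check, y_neg, True))   # True
    print("simplify without Delta:", replaceable(xy_check, y_neg, False))  # False
```

Each query scans all 65,536 inputs, which is what the Boolector solver replaces in Stack; the point of the miniature is that the same check (`x + 100 < x`, the shape from GCC bug #30475) is not eliminable under C* but becomes eliminable once Delta is assumed, which is exactly the difference the two-phase scheme reports.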

17 LIMITATION
It is possible to exploit the well-defined program assumption in forms other than the elimination and simplification captured by this model.

18 DESIGN & IMPLEMENTATION
Implemented with LLVM + the Boolector solver

19 COMPILER FRONTEND
To reduce false warnings, Stack tracks the origin of each IR instruction and ignores code generated by the compiler frontend rather than written by the programmer, at the cost of missing possible bugs.

20 UB CONDITION INSERTION
For each instruction that can invoke undefined behavior, Stack inserts a special function call into the IR at that instruction, void bug_on(bool expr), where expr is the instruction's UB condition.

21 SOLVER-BASED ALGORITHM
To implement these algorithms, Stack consults the Boolector solver to decide the satisfiability of the elimination and simplification queries. Computing them precisely is practically infeasible for large programs, so Stack computes approximate queries by limiting the computation to a single function, with the reachability conditions computed by Tu and Padua's algorithm.

22 EVALUATION
New bugs found: 160 (July 2012 to March 2013)

23 ANALYSIS OF BUG REPORTS
Non-optimization bugs
Urgent optimization bugs
Time bombs
Redundant code (false alarm)

24 ANALYSIS OF BUG REPORTS (cont.)
Non-optimization bugs. Example: PostgreSQL [link]
Time bomb!!

25 PRECISION
Kerberos: 11 warnings; developers accepted every patch; false warning rate 0/11.
Postgres: Stack produced 68 warnings:
9 patches accepted
29 patches in discussion (developers blamed compilers)
26 time bombs
4 false warnings

26 PERFORMANCE
64-bit Ubuntu (Linux)
Intel Core i7-980, 3.3 GHz
24 GB memory
Solver timeout: 5 s

27 PREVALENCE OF UNSTABLE CODE
All packages in the Debian Wheezy archive: 17,432
Containing C/C++ code: 8,575
Containing unstable code: 3,471 (40% of the C/C++ packages)
About 150 CPU-days to analyze

28 PREVALENCE OF UNSTABLE CODE (cont.)

29 COMPLETENESS
It is difficult to know precisely how much unstable code Stack would miss in general, so we analyze what kind of unstable code Stack misses on a total of ten tests from real systems. Result: Stack detects 7 of the 10.

30 Q & A

