Presentation is loading. Please wait.

Presentation is loading. Please wait.

Memory Management III: Perils and pitfalls Oct 14, 1999

Published byRudolph Stephens Modified over 5 years ago

Similar presentations

Presentation on theme: "Memory Management III: Perils and pitfalls Oct 14, 1999"— Presentation transcript:

1 Memory Management III: Perils and pitfalls Oct 14, 1999
“The course that gives CMU its Zip!” Memory Management III: Perils and pitfalls Oct 14, 1999 Topics Memory-related bugs Debugging versions of malloc Binary translation class16.ppt

2 C operators Operators Associativity
() [] -> left to right ! ~ * & (type) sizeof right to left * / % left to right left to right << >> left to right < <= > >= left to right == != left to right & left to right ^ left to right | left to right && left to right || left to right ?: right to left = += -= *= /= %= &= ^= != <<= >>= right to left , left to right Note: Unary +, -, and * have higher precedence than binary forms

3 C pointer declarations
int *p p is a pointer to int int *p[13] p is an array[13] of pointer to int int *(p[13]) p is an array[13] of pointer to int int **p p is a pointer to a pointer to an int int (*p)[13] p is a pointer to an array[13] of int int *f() f is a function returning a pointer to int int (*f)() f is a pointer to a function returning int int (*(*f())[13])() f is a function returning ptr to an array[13] of pointers to functions returning int int (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints

4 Memory-related bugs Dereferencing bad pointers
Reading uninitialized memory Overwriting memory Referencing nonexistent variables Freeing blocks multiple times Referencing freed blocks Failing to free blocks

5 Dereferencing bad pointers
The classic scanf bug scanf(“%d”, val);

6 Reading uninitialized memory
Assuming that heap data is initialized to zero /* return y = Ax */ int *matvec(int **A, int *x) { int *y = malloc(N*sizeof(int)); int i, j; for (i=0; i<N; i++) for (j=0; j<N; j++) y[i] += A[i][j]*x[j]; return y; }

7 Allocating the wrong sized object
Overwriting memory Allocating the wrong sized object int **p; p = malloc(N*sizeof(int)); for (i=0; i<N; i++) { p[i] = malloc(M*sizeof(int)); }

8 Overwriting memory Off-by-one int **p; p = malloc(N*sizeof(int *));
for (i=0; i<=N; i++) { p[i] = malloc(M*sizeof(int)); }

9 Overwriting memory Off-by-one redux int i=0, done=0; int s[4];
while (!done) { if (i > 3) done = 1; else s[++i] = 10; }

10 Forgetting that strings end with ‘/0’
Overwriting memory Forgetting that strings end with ‘/0’ char t[7]; char s[8] = “ ”; strcpy(t, s);

11 Not checking the max string size
Overwriting memory Not checking the max string size char s[8]; int i; gets(s); /* reads “ ” from stdin */ Basis for classic buffer overflow attacks 1988 Internet worm modern attacks on Web servers

12 Buffer overflow attacks
Description of hole: Servers that use C library routines such as gets() that don’t check input sizes when they write into buffers on the stack. local variables Stack frame for proc a proc a() { b(); # call procedure b } return addr 64 bytes for buffer proc b() { char buffer[64]; # alloc 64 bytes on stack gets(buffer); # read STDIN line into stack buf } Stack frame for proc b return addr

13 Buffer overflow attacks
Vulnerability stems from possibility of the gets() routine overwriting the return address for b. overwrite stack frame with machine code instruction that execs a shell a bogus return address to that instruction local variables proc a() { b(); # call procedure b } # b should return here, instead it # returns to an address inside of buffer return addr exec(“/bin/sh”) proc b() { char buffer[64]; # alloc 64 bytes on stack gets(buffer); # read STDIN line to stack buffer } stack region overwritten by call to gets() in b attacker’s return addr

14 Buffer overflow attacks on servers
Example attack: classic buffer overflow attack Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: finger To attack fingerd, send a binary string that puts a program to execute a shell on the stack followed by a new return address to that stack location, padded with enough bytes so that it overwrites the real return address. finger “binary program padding new return address” After the finger server reads the argument from the client, the client has a direct TCP connection to a root shell running on the server! STDIN and STDOUT on the server are bound to an open TCP socket Bottom line: client can now execute any command on the server.

15 Famous buffer overflow attack: The 1988 Internet Worm
Worm: an independent program that replicates itself across the host machines on a network. November 1988: Thousands of Sun and DEC machines on the Internet are attacked by a “worm” written by Cornell grad student Robert Morris. Because of a bug in the worm, it replicated itself multiple times on many of the Internet hosts, causing them to crash. had the effect of a denial of service attack Resulted (after a similar attack weeks later) in the formation of CERT (Computer Emergency Response Team) and increased awareness of security.

16 Referencing a pointer instead of the object it points to
Overwriting memory Referencing a pointer instead of the object it points to int *BinheapDelete(int **binheap, int *size) { int *packet; packet = binheap[0]; binheap[0] = binheap[*size - 1]; *size--; Heapify(binheap, *size, 0); return(packet); }

17 Misunderstanding pointer arithmetic
Overwriting memory Misunderstanding pointer arithmetic int *search(int *p, int val) { while (*p && *p != val) p += sizeof(int); return p; }

18 Referencing nonexistent variables
Forgetting that local variables disappear when a function returns int *foo () { int val; return &val; }

19 Freeing blocks multiple times
Nasty! x = malloc(N*sizeof(int)); <manipulate x> free(x); y = malloc(M*sizeof(int)); <manipulate y>

20 Referencing freed blocks
Evil! x = malloc(N*sizeof(int)); <manipulate x> free(x); ... y = malloc(M*sizeof(int)); for (i=0; i<M; i++) y[i] = x[i]++;

21 Failing to free blocks (memory leaks)
slow, long-term killer! foo() { int *x = malloc(N*sizeof(int)); ... return; }

22 Failing to free blocks (memory leaks)
Freeing only part of a data structure struct list { int val; struct list *next; }; foo() { struct list *head = malloc(sizeof(struct list)); head->val = 0; head->next = NULL; <create and manipulate the rest of the list> ... free(head); return; }

23 Dealing with memory bugs
Conventional debugger (gdb) good for finding bad pointer dereferences hard to detect the other memory bugs Debugging malloc (CSRI UToronto malloc) wrapper around conventional malloc detects memory bugs at malloc and free boundaries memory overwrites that corrupt heap structures some instances of freeing blocks multiple times memory leaks Cannot detect all memory bugs overwrites into the middle of allocated blocks freeing block twice that has been reallocated in the interim referencing freed blocks

24 Dealing with memory bugs (cont.)
Binary translator (Atom, Purify) powerful debugging and analysis technique rewrites text section of executable object file can detect all errors as debugging malloc can also check each individual reference at runtime bad pointers overwriting referencing outside of allocated block Garbage collection (Boehm-Weiser Conservative GC) let the system free blocks instead of the programmer does not guarantee that all garbage is collected -- an integer might look like a pointer to the collector, and the memory it points to will not be freed.

25 Debugging malloc mymalloc.h:
#define malloc(size) mymalloc(size, __FILE__, __LINE__) #define free(p) myfree(p, __FILE__, __LINE__) Application program: ifdef DEBUG #include <mymalloc.h> #endif main() { ... p = malloc(128); free(p); q = malloc(32); }

26 Debugging malloc (cont.)
Debugging malloc library: void *mymalloc(int size, char *file, int line) { <prologue code> p = malloc(...); <epilogue code> return q; } void myfree(void *p, char *file, int line) { free(p);

27 Debugging malloc (cont.)
block size block ID file name (of allocation) line number (of allocation) header checksum (of previous fields) ptr to next allocated block ptr to prev allocated block guard bytes Block requested by application application block guard bytes footer

28 Debugging malloc (cont.)
mymalloc(size): p = malloc(size + sizeof(header) + sizeof(footer)); add p to list of allocated blocks initialize application block to 0xdeadbeef return pointer to application block myfree(p): already free (line # = 0xfefefefefefefefe)? checksum OK? guard bytes OK? free(p - sizeof(hdr)); line # = 0xfefefefefefefefe;

29 Binary translator Converts an executable object file to an instrumented executable object file. hello.c main() { printf(“hello, world\n”); } analysis file (ptrace.anal.c) original executable ELF object file (hello) instrumented executable ELF object file (hello.ptrace) binary translator (e.g. Atom) gcc instrumentation file (ptrace.inst.c)

30 Atom example (procedure call tracing)
Instrumentation file (ptrace.inst.c): #include <stdio.h> #include <cmplrs/atom.inst.h> Instrument() { Proc *proc; AddCallProto(“ProcTrace(char*)”); for (proc = GetFirstProc(); proc != NULL; proc = GetNextProc(proc)) AddCallProc(proc, ProcBefore, ”ProcTrace”, ProcName(proc)); } Analysis file (ptrace.anal.c): #include <stdio.h> void ProcTrace(char *name) { printf(“%s\n”, name); }

31 Instrumenting “hello,world”
% cc -non_shared hello.c -o hello.rr % atom hello.rr ptrace.inst.c ptrace.anal.c -o hello.ptrace % hello.ptrace __start __init_libc __tis_init __libc_locks_init calloc malloc __sbrk _errno __getpagesize __tis_mutex_lock _unlocked_sbrk __tis_mutex_unblock memset main printf _doprnt __getmbcurmax memcpy __fwrite_unlocked _wrtchk _findbuf __geterrno __isatty __ioctl _cerror __seterrno memcpy __tis_mutex_unblock exit __ldr_atexit __fini_libc _cleanup __tis_mutex_trylock __fclose_unlocked __fflush_unlocked __close_nc __close __fflush_unlocked _xflsbuf __write_nc __write hello, world __close_nc __close __tis_mutex_trylock __fclose_unlocked

32 Tools built with Atom iprof - instruction profiling
liprof - instruction profiling at basic block level syscall - syscall trace and performance analyzer memsys - memory system simulator io - io performance summary gprof - call graph execution time profile 3rd - memory checker and leak finder (like Purify) pixie - basic block profiling

33 Atom on Linux Other tools like Atom for IA32 machines
Etch: Univ. of Wash (commercial product for NT) DynInst: Maryland (limited run-time instrumentation) Eel: Wisconsin (licensed code base) Would you like to develop a tool like Atom for the Linux community? potentially high impact and high visibility Issues: parsing IA32 machine code difficult, but examples exist (I.e, Eel) In the r/o .text section, what’s code and what’s data? research problem Incremental relocation tricky, but straightforward conceptually

Download ppt "Memory Management III: Perils and pitfalls Oct 14, 1999"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Carnegie Mellon 1 Dynamic Memory Allocation: Basic Concepts 15-213: Introduction to Computer Systems 17 th Lecture, Oct. 21, 2010 Instructors: Randy Bryant.

Carnegie Mellon 1 Dynamic Memory Allocation: Basic Concepts : Introduction to Computer Systems 17 th Lecture, Oct. 21, 2010 Instructors: Randy Bryant.
Instructors: Seth Copen Goldstein, Franz Franchetti, Greg Kesden

Instructors: Seth Copen Goldstein, Franz Franchetti, Greg Kesden
Some topics in Memory Management

Some topics in Memory Management
1 Dynamic Memory Allocation: Advanced Concepts Andrew Case Slides adapted from Jinyang Li, Randy Bryant and Dave O’Hallaron Joke of the day: Why did the.

1 Dynamic Memory Allocation: Advanced Concepts Andrew Case Slides adapted from Jinyang Li, Randy Bryant and Dave O’Hallaron Joke of the day: Why did the.
Mark and Sweep Algorithm Reference Counting Memory Related PitFalls

Mark and Sweep Algorithm Reference Counting Memory Related PitFalls
Carnegie Mellon 1 Dynamic Memory Allocation: Advanced Concepts 15-213: Introduction to Computer Systems 18 th Lecture, Oct. 26, 2010 Instructors: Randy.

Carnegie Mellon 1 Dynamic Memory Allocation: Advanced Concepts : Introduction to Computer Systems 18 th Lecture, Oct. 26, 2010 Instructors: Randy.
CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.

CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.
Dynamic Memory Allocation II Nov 7, 2002 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Memory-related perils and pitfalls.

Dynamic Memory Allocation II Nov 7, 2002 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Memory-related perils and pitfalls.
Memory Arrangement Memory is arrange in a sequence of addressable units (usually bytes) –sizeof( ) return the number of units it takes to store a type.

Memory Arrangement Memory is arrange in a sequence of addressable units (usually bytes) –sizeof( ) return the number of units it takes to store a type.
– 1 – Dynamic Memory Allocation – beyond the stack and globals Stack Easy to allocate (decrement esp) Easy to deallocate (increment esp) Automatic allocation.

– 1 – Dynamic Memory Allocation – beyond the stack and globals Stack Easy to allocate (decrement esp) Easy to deallocate (increment esp) Automatic allocation.
Dynamic Memory Allocation I May 21, 2008 Topics Simple explicit allocators Data structures Mechanisms Policies.

Dynamic Memory Allocation I May 21, 2008 Topics Simple explicit allocators Data structures Mechanisms Policies.
Pointers and Memory Allocation – part 2 -L. Grewe.

Pointers and Memory Allocation – part 2 -L. Grewe.
Dynamic Memory Allocation II November 7, 2007 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Review of pointers Memory-related.

Dynamic Memory Allocation II November 7, 2007 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Review of pointers Memory-related.
Dynamic Memory Allocation II March 27, 2008 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Review of pointers Memory-related.

Dynamic Memory Allocation II March 27, 2008 Topics Explicit doubly-linked free lists Segregated free lists Garbage collection Review of pointers Memory-related.
Pointers Applications

Pointers Applications
University of Washington Memory Allocation III The Hardware/Software Interface CSE351 Winter 2013.

University of Washington Memory Allocation III The Hardware/Software Interface CSE351 Winter 2013.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Similar presentations

Ads by Google