Presentation is loading. Please wait.

Presentation is loading. Please wait.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery."— Presentation transcript:

1 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery Berger University of Massachusetts Amherst Ben Zorn Microsoft Research

2 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Problems with Unsafe Languages C, C++: pervasive apps, but langs. memory unsafe Numerous opportunities for security vulnerabilities, errors Double free Invalid free Uninitialized reads Dangling pointers Buffer overflows (stack & heap)

3 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Current Approaches Unsound, may work or abort Windows, GNU libc, etc., Rx [Zhou] Unsound, will definitely continue Failure oblivious [Rinard] Sound, definitely aborts (fail-safe) CCured [Necula], CRED [Ruwase & Lam], SAFECode [Dhurjati, Kowshik & Adve] Requires C source, programmer intervention 30% to 20X slowdowns Good for debugging, less for deployment

4 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Probabilistic Memory Safety Fully-randomized memory manager Increases odds of benign memory errors Ensures different heaps across users Replication Run multiple replicas simultaneously, vote on results Detects crashing & non-crashing errors Trades space for increased reliability DieHard: correct execution in face of errors with high probability

5 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Soundness for “Erroneous” Programs Normally: memory errors ) ? … Consider infinite-heap allocator: All new s fresh; ignore delete No dangling pointers, invalid frees, double frees Every object infinitely large No buffer overflows, data overwrites Transparent to correct program “Erroneous” programs sound

6 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Approximating Infinite Heaps Infinite ) M-heaps: probabilistic soundness Pad allocations & defer deallocations  Simple –No protection from larger overflows –pad = 8 bytes, overflow = 9 bytes… –Deterministic: overflow crashes everyone Better: randomize heap  Probabilistic protection against errors  Independent across heaps  Efficient implementation…

7 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Implementation Choices Conventional, freelist-based heaps Hard to randomize, protect from errors Double frees, heap corruption What about bitmaps? [Wilson90] –Catastrophic fragmentation Each small object likely to occupy one page obj pages

8 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Randomized Heap Layout Bitmap-based, segregated size classes Bit represents one object of given size i.e., one bit = 2 i+3 bytes, etc. Prevents fragmentation 00000001101010 size = 2 i+3 2 i+4 2 i+5 metadata heap

9 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Randomized Allocation malloc(8) : compute size class = ceil(log 2 sz) – 3 randomly probe bitmap for zero-bit (free) Fast: runtime O(1) M=2 ) E[# of probes] · 2 00000001101010 size = 2 i+3 2 i+4 2 i+5 metadata heap

10 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 malloc(8) : compute size class = ceil(log 2 sz) – 3 randomly probe bitmap for zero-bit (free) Fast: runtime O(1) M=2 ) E[# of probes] · 2 00010001101010 size = 2 i+3 2 i+4 2 i+5 metadata heap Randomized Allocation

11 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 free(ptr) : Ensure object valid – aligned to right address Ensure allocated – bit set Resets bit Prevents invalid frees, double frees 00010001101010 size = 2 i+3 2 i+4 2 i+5 metadata heap Randomized Deallocation

12 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Randomized Deallocation free(ptr) : Ensure object valid – aligned to right address Ensure allocated – bit set Resets bit Prevents invalid frees, double frees 00010001101010 size = 2 i+3 2 i+4 2 i+5 metadata heap

13 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 free(ptr) : Ensure object valid – aligned to right address Ensure allocated – bit set Resets bit Prevents invalid frees, double frees 00000001101010 size = 2 i+3 2 i+4 2 i+5 metadata heap Randomized Deallocation

14 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Randomized Heaps & Reliability 2345316 object size = 2 i+4 object size = 2 i+3 … 1163254 … My Mozilla: “malignant” overflow Your Mozilla: “benign” overflow Objects randomly spread across heap Different run = different heap Errors across heaps independent

15 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 DieHard software architecture “Output equivalent” – kill failed replicas broadcast vote input output execute replicas replica 3 seed 3 replica 1 seed 1 replica 2 seed 2 Each replica has different allocator

16 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Results Analytical results (pictures!) Buffer overflows Dangling pointer errors Uninitialized reads Empirical results Runtime overhead Error avoidance Injected faults & actual applications

17 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Analytical Results: Buffer Overflows Model overflow as write of live data Heap half full (max occupancy)

18 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Analytical Results: Buffer Overflows Model overflow as write of live data Heap half full (max occupancy)

19 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Analytical Results: Buffer Overflows Model overflow as write of live data Heap half full (max occupancy)

20 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Analytical Results: Buffer Overflows Replicas: Increase odds of avoiding overflow in at least one replica replicas

21 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Analytical Results: Buffer Overflows Replicas: Increase odds of avoiding overflow in at least one replica replicas

22 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Analytical Results: Buffer Overflows Replicas: Increase odds of avoiding overflow in at least one replica replicas P(Overflow in all replicas) = (1/2) 3 = 1/8 P(No overflow in ¸ 1 replica) = 1-(1/2) 3 = 7/8

23 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Analytical Results: Buffer Overflows F = free space H = heap size N = # objects worth of overflow k = replicas Overflow one object

24 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Empirical Results: Runtime

25 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Empirical Results: Runtime

26 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Empirical Results: Error Avoidance Injected faults: Dangling pointers (@50%, 10 allocations) glibc: crashes; DieHard: 9/10 correct Overflows (@1%, 4 bytes over) – glibc: crashes 9/10, inf loop; DieHard: 10/10 correct Real faults: Avoids Squid web cache overflow Crashes BDW & glibc Avoids dangling pointer error in Mozilla DoS in glibc & Windows

27 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 Conclusion Randomization + replicas = probabilistic memory safety Improves over today (0%) Useful point between absolute soundness (fail-stop) and unsound Trades hardware resources (RAM,CPU) for reliability Hardware trends Larger memories, multi-core CPUs Follows in footsteps of ECC memory, RAID

28 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 DieHard software http://www.cs.umass.edu/~emery/diehard Linux, Solaris (stand-alone & replicated) Windows (stand-alone only)

Download ppt "U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery."

Similar presentations

DieHard: Memory Error Fault Tolerance in C and C++ Ben Zorn Microsoft Research In collaboration with Emery Berger and Gene Novark, Univ. of Massachusetts.

DieHard: Memory Error Fault Tolerance in C and C++ Ben Zorn Microsoft Research In collaboration with Emery Berger and Gene Novark, Univ. of Massachusetts.
Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.

Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
U NIVERSITY OF M ASSACHUSETTS, A MHERST – Department of Computer Science The Implementation of the Cilk-5 Multithreaded Language (Frigo, Leiserson, and.

U NIVERSITY OF M ASSACHUSETTS, A MHERST – Department of Computer Science The Implementation of the Cilk-5 Multithreaded Language (Frigo, Leiserson, and.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Dynamic Memory Management Emery Berger and Mark Corner.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Dynamic Memory Management Emery Berger and Mark Corner.
U NIVERSITY OF M ASSACHUSETTS – Department of Computer Science Emery Berger Scalable Memory Management for Multithreaded Applications CMPSCI 691P Fall.

U NIVERSITY OF M ASSACHUSETTS – Department of Computer Science Emery Berger Scalable Memory Management for Multithreaded Applications CMPSCI 691P Fall.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.
Critical Software Security Through Replication and Virtualization A Research Proposal Dennis Edwards Sharon Simmons Arangamanikkannan Manickam.

Critical Software Security Through Replication and Virtualization A Research Proposal Dennis Edwards Sharon Simmons Arangamanikkannan Manickam.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.
1 U NIVERSITY OF M ASSACHUSETTS, A MHERST School of Computer Science P REDATOR : Predictive False Sharing Detection Tongping Liu*, Chen Tian, Ziang Hu,

1 U NIVERSITY OF M ASSACHUSETTS, A MHERST School of Computer Science P REDATOR : Predictive False Sharing Detection Tongping Liu*, Chen Tian, Ziang Hu,
By Gene Novark, Emery D. Berger and Benjamin G. Zorn Presented by Matthew Kent Exterminator: Automatically Correcting Memory Errors with High Probability.

By Gene Novark, Emery D. Berger and Benjamin G. Zorn Presented by Matthew Kent Exterminator: Automatically Correcting Memory Errors with High Probability.
Ben Livshits Based in part of Stanford class slides from and slides from Ben Zorn’s talk slides.

Ben Livshits Based in part of Stanford class slides from and slides from Ben Zorn’s talk slides.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,

Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 Heap Management.

Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 Heap Management.
A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.

A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.
SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.

SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.

Similar presentations

Ads by Google