Presentation is loading. Please wait.

Presentation is loading. Please wait.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger.

Published byEzra Anderson Modified over 8 years ago

Similar presentations

Presentation on theme: "U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger."— Presentation transcript:

1 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger UMass Amherst Ben Zorn Microsoft Research

2 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Debugging Memory Errors Billions of lines of deployed C/C++ code Apps contain memory errors Heap overflows Dangling pointers Notoriously hard to debug Must reproduce bug, pinpoint cause Average 28 days from discovery of remotely exploitable memory error and patch [Symantec 2006]

3 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Coping with memory errors Unsound, may detect errors Windows, GNU libc, Rx Sound, always finds dynamic errors CCured, CRED, SAFECode Requires source modification Valgrind, Purify Order of magnitude slowdown Probabilistically avoid errors DieHard [Berger 2006] Exterminator: automatically isolate and fix detected errors

4 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 DieHard Overview Fully-randomized memory manager Bitmap-based with random probing Increases odds of benign memory errors Different heap layouts across runs Replication Run multiple replicas simultaneously, vote on results Increases reliability (hides bugs) by using more space

5 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 DieHard Heap Layout Bitmap-based, segregated size classes Bit represents one object of given size i.e., one bit = 2 i+3 bytes, etc. malloc(): randomly probe bitmap for free space free(): just reset bit 000000011010 size = 2 i+3 2 i+4 allocation bitmap heap

6 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator Extensions 000000011010 size = 2 i+3 2 i+4 allocation bitmap heap 2 1 3 object id (serial number) 32 dealloc time DieHard Exterminator dealloc site D6D6 D9D9 alloc site A4A4 A8A8 A3A3

7 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 The Exterminator System seed vote broadcast input output DieFast replica 1 seed DieFast replica 2 seed Error isolator correcting allocator DieFast replica 3 runtime patches On failure, create heap images (core dump) Isolator analyzes images, creates runtime patch Correcting allocator corrects isolated errors: pad allocations extend object lifetimes

8 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator Isolation Algorithm Identify “discrepancies” Compare valid object data Find equivalent objects (same ID) with different contents Find corrupted canaries (free space) Check for possible buffer overflows Check for dangling pointer error

9 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Comparing Object Data Lots of valid reasons for data to differ Pointers (random target locations) File descriptors Non-transparent use of pointers e.g. Red-Black tree keyed on pointer value Etc. Exterminator identifies and ignores: Values which differ across all replicas Valid pointers referring to same target ID

10 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Error Isolation: Buffer Overflows 245316 Replica 1: “malignant” overflow 163254 Replica 2 & 3: “benign” overflows 1.Identify corrupt object 2.Search for source 3.Compare data at same  163254 (  = 1: No object ) 555 ( vs. & ) (  = 2: candidate!) 2 22 2 5 ( vs. & Match! )

11 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Error Isolation: Dangling Pointer 245316 163254 5 5 Freed, Canary value Dangled ptr ? Assume dangling pointer Extend lifetime of object Corrupted canary values for object 5 Same object, same corruption Buffer overflow? Source object would be at same  in all replicas Unlikely,

12 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Error Isolation: Dangling ptr read What if the program doesn’t write to the dangled pointer? DieFast overwrites freed objects Canaries produce invalid reads, crashes How to identify prematurely freed objects? Common case 1: read something that was a pointer, dereference it Common case 2: read numeric value, error propagates through computation No information: previous contents destroyed!

13 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Error Isolation: Dangling ptr read Solution: Write canaries randomly (half the time) Equivalent to extending object lifetime (until overwritten) : overwritten with canaries: data intact Legal free: OK Illegal free: (later read + deref ptr) OK CRASH!

14 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Error Isolation: Dangling ptr read Correct frees uncorrelated with crash For each object i, compute estimator: P > 0.5: dangling pointer error Create patch when confidence reaches threshold

15 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Runtime Patches Overflow patches Allocation callsite Overflow amount Dangling pointer patches Allocation & Deallocation callsites Lifetime extension

16 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Correcting Allocator Extended DieHard allocator Reads runtime patches Stores pad table & deferral table On free: Check for life extension for current object Place ptr, time on deferral priority queue On allocation: Check for overflow fix for current callsite Check deferral queue for pending frees

17 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Results Analytical results Empirical results Runtime overhead Error detection Injected faults Real application (Squid)

18 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Analytic results summary Buffer overflows False negative & positive rate decrease exponentially with # of replicas Dangling pointers Write: exponentially low false +/- rate Read-only: Confidence threshold controls false positive rate, # replicas needed to identify culprit

19 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Empirical Results: Runtime

20 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Empirical Results: Overflows

21 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Empirical Results: Dang. Ptrs.

22 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Empirical Results: Squid Squid web cache heap overflow Remotely exploitable Crashes glibc 2.8.0 and BDW collector DieFast detects error immediately Corrupted canary past overflowed object Exterminator’s isolator generates an object pad of 6 bytes, fixing the overflow

23 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Conclusion Randomization + Replication = Information Randomization  bugs have different effects Exterminator exploits different effects across heaps to isolate cause Low overhead Automatically fix bugs in deployed programs Breaks crash-debug-patch cycle Create 0-day patches for 0-day bugs

24 U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Questions? http://www.cs.umass.edu/~gnovark/ http://www.cs.umass.edu/~gnovark

Download ppt "U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger."

Similar presentations

DieHard: Memory Error Fault Tolerance in C and C++ Ben Zorn Microsoft Research In collaboration with Emery Berger and Gene Novark, Univ. of Massachusetts.

DieHard: Memory Error Fault Tolerance in C and C++ Ben Zorn Microsoft Research In collaboration with Emery Berger and Gene Novark, Univ. of Massachusetts.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Deadlock Emery Berger and Mark Corner University of Massachusetts.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Deadlock Emery Berger and Mark Corner University of Massachusetts.
SEMINAR ON FILE SLACK AND DISK SLACK

SEMINAR ON FILE SLACK AND DISK SLACK
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Dynamic Memory Management Emery Berger and Mark Corner.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Dynamic Memory Management Emery Berger and Mark Corner.
U NIVERSITY OF M ASSACHUSETTS – Department of Computer Science Emery Berger Scalable Memory Management for Multithreaded Applications CMPSCI 691P Fall.

U NIVERSITY OF M ASSACHUSETTS – Department of Computer Science Emery Berger Scalable Memory Management for Multithreaded Applications CMPSCI 691P Fall.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene.
CSc 352 Freeing Dynamically Allocated Memory Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Freeing Dynamically Allocated Memory Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
1 U NIVERSITY OF M ASSACHUSETTS, A MHERST School of Computer Science P REDATOR : Predictive False Sharing Detection Tongping Liu*, Chen Tian, Ziang Hu,

1 U NIVERSITY OF M ASSACHUSETTS, A MHERST School of Computer Science P REDATOR : Predictive False Sharing Detection Tongping Liu*, Chen Tian, Ziang Hu,
By Gene Novark, Emery D. Berger and Benjamin G. Zorn Presented by Matthew Kent Exterminator: Automatically Correcting Memory Errors with High Probability.

By Gene Novark, Emery D. Berger and Benjamin G. Zorn Presented by Matthew Kent Exterminator: Automatically Correcting Memory Errors with High Probability.
Ben Livshits Based in part of Stanford class slides from and slides from Ben Zorn’s talk slides.

Ben Livshits Based in part of Stanford class slides from and slides from Ben Zorn’s talk slides.
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.

Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.
Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 Heap Management.

Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 Heap Management.
A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.

A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.
CPSC 388 – Compiler Design and Construction

CPSC 388 – Compiler Design and Construction
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
By Emery D. Berger and Benjamin G. Zorn Presented by: David Roitman.

By Emery D. Berger and Benjamin G. Zorn Presented by: David Roitman.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Advanced Compilers CMPSCI 710.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science CRAMM: Virtual Memory Support for Garbage-Collected Applications Ting Yang, Emery.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science CRAMM: Virtual Memory Support for Garbage-Collected Applications Ting Yang, Emery.

Similar presentations

Ads by Google