Presentation is loading. Please wait.

Presentation is loading. Please wait.

SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques Feng Zhou, Jeremy Condit, Zachary Anderson, Ilya Bagrak, Rob Ennals, Matthew.

Published byPaula Snow Modified over 8 years ago

Similar presentations

Presentation on theme: "SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques Feng Zhou, Jeremy Condit, Zachary Anderson, Ilya Bagrak, Rob Ennals, Matthew."— Presentation transcript:

1 SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques Feng Zhou, Jeremy Condit, Zachary Anderson, Ilya Bagrak, Rob Ennals, Matthew Harren, George Necula, Eric Brewer CS Division, UC Berkeley and Intel Research Berkeley http://ivy.cs.berkeley.edu/safedrive/

2 2 The Problem OSes and applications often run loadable extensions –e.g. Linux kernel, Apache, Firefox –Run in the same protection domain Extensions are often buggier than hosts –Device drivers cause a large percentage of Windows crashes –Xbox hacked due to memory bugs in games SafeDrive detects and recovers from type-safety and memory-safety errors in Linux device drivers

3 3 Approaches Separate hardware protection domains: Nooks [Swift et al], L4 [LeVasseur et al], Xen [Fraser et al] –Relatively high overhead due to cross-domain calls, system specific Binary instrumentation: SFI [Wahbe et al, Small/Seltzer] –High overhead, coarse-grained Static analysis + software guards: XFI [Erlingsson et al] –Control flow safety What can be done at the C language level? –Add fined-grained type-safety, to extensions only –A way to recover from failures

4 4 A Language-Based Approach to Extension Safety Light annotations in extension code and host API –Buffer bounds, non-null pointers, nullterm strings, tagged unions Deputy src-to-src compiler emits safety checks when necessary Key: compatible extension-host binary interface Runtime tracks resource usage and restores system invariants at fail time Annot. Source Deputy C w/ checks GCC Kernel Address Space Driver Module SafeDrive Runtime & Recovery Linux Kernel

5 5 Deputy: Motivation struct { unsigned int len; int * data; } x; for (i=0;i<x.len;i++) { … x.data[i] … } Common C code How to check memory safety? C pointers do not express extent of buffers (unlike Java)

6 6 Previous Approach: Fat Pointers Used in CCured and Cyclone Compiler inserts extra bounds variables Changes memory layout Cannot be applied modularly struct { unsigned int len; int * data; int * data_b; int * data_e; } x; for (i = 0; i < x.len; i++) { if (x.data+i<x.data_b) abort(); if (x.data+i>=x.data_e) abort(); … x.data[i] … }

7 7 Deputy Bounds Annotations struct { unsigned int len; int * count(len) data; } x; for(i = 0; i < x.len; i++) { if (i =x.len) abort(); … x.data[i] … } Annotations use existing bounds info in programs, or constants Compiler emits runtime checks No memory layout change  Can be applied to one extension a time Many checks can be optimized away

8 8 Deputy Features Bounds: safe,count(n), bound(lo,hi) –Default: safe Other annotations –Null terminated string/buffer –Tagged unions –Open arrays –Checks for printf() arguments Automatic bounds variables for local variables  reduced annotation burden

9 9 Deputy Guarantees Deputy guarantees type-safety if, –Programmer correctly annotates globals and function parameters used by the extension –Deallocation does not create dangling pointers –Trusted casts are correct –External modules / trusted code establish and preserve Deputy annotations

10 10 Failure Handling Everything runs inside the same protection domain After Deputy check failure: could just halt More useful: clean-up extension and let host continue Assumption: restarts should fix most transient failures Annot. Driver Deputy C w/ checks GCC Kernel Address Space Driver Module SafeDrive Runtime & Recovery Linux Kernel

11 11 Update Tracking and Restarts Free resources and undo state changes done by driver Kernel API functions “wrapped” to do update tracking –Compensations: spin_lock(l) vs. spin_unlock(l) After failure, undo updates in LIFO order Then restart driver Annot. Driver Deputy C w/ checks GCC Kernel Address Space Driver Module Wrappers Linux Kernel Update Tracking Recovery

12 12 Return Gracefully from Failure Invariants: No driver code is executed after failure Kernel: foo() { } Driver: bar2() { } Driver: bar1() { } Err code

13 13 Return Gracefully from Failure Invariants: No driver code is executed after failure No kernel function is forced to return early Kernel: foo1() { } Driver: bar2() { } Driver: bar1() { } Kernel: foo2() { } lock() unlock()

14 14 Discussion Compared to Nooks –Significantly less interception  Much simpler overall –Deputy does fine-grained per-allocation checks  No separate heap/stack –No help from virtual memory hardware –Works for user-level applications and safe languages Compared to C++/Java exceptions –Compensation does not contain any code from driver –Only restores host state, not extension state

15 15 Implementation Deputy compiler: 20K lines of OCaml Kernel patch to 2.6.15.5: 1K lines Kernel headers patch: 1.9K lines Patch for 6 drivers in 4 categories –Network: e1000, tg3 –USB: usb-storage –Sound: intel8x0, emu10k1 –Video: nvidia

16 16 Evaluation: Recovery Rate Inject random errors with compile-time injection: 5 errors from one of 7 categories each time –Faults chosen following empirical studies [Sullivan & Chillarege 91], [Christmansson & Chillarege 96] –Scan overrun, loop fault, corrupt parameter, off-by-one, flipped condition, missing call, missing assignment Load buggy e1000 driver w/ and w/o SafeDrive Exercise by downloading a 89MB file, verifying it and unloading the driver Then rerun with original driver

17 17 Recovery Rate Results SafeDrive off44 crashes21 failures75 passes SafeDrive on Static error1003 Runtime error3425 No problem detected 01967 Recovery successes44 (100%)2 (100%)8 (100%) 140 runs, 20 per fault category SafeDrive is effective at detecting and recovering from crashing problems, and can detect some statically.

18 18 Annotation Burden 1%-4% of lines with Deputy annotations Recovery wrappers can be automatically generated

19 19 Annotations Break-down Lines Changed BoundsStringsTagged Unions Trusted Code All 6 drivers 1544379832390 Kernel headers 18661872608140 Common reasons for trusted casts and trusted code –Polymorphic private data, e.g. netdev->priv –Small number of cases where buffer bounds are not available –Code manipulating pointer values directly, e.g. PTR_ERR(x)

20 20 Performance e1000 TCP recv e1000 UDP recv e1000 TCP send e1000 UDP send tg3 TCP recv tg3 TCP send usb-storage untar emu10k aplay intel8x0 aplay nvidia xinit Nooks (Linux 2.4): e1000 TCP recv: 46% (vs. 4%), e1000 TCP send: 111% (vs. 12%)

21 21 Conclusion SafeDrive does fine-grained memory safety checking for extensions with low overhead and few code changes A recovery scheme for in-process extensions via restarts It is feasible to get much of the safety guarantee in type- safe languages in extensions without abandoning existing systems in C Language technology makes extension isolation easier http://ivy.cs.berkeley.edu/safedrive http://deputy.cs.berkeley.edu

22 22

23 23 How do you change bounds/tags struct { unsigned int len; int * count(len) data; } x; x.data = NULL; if (x.data!=NULL && (A len)) abort x.len = A; if (B<sizeof(int)*x.len) abort x.data = malloc(B); 1 2 3

24 24 Related Work Improving memory safety of C –Safe C-like language: Cyclone [Morrisett et al] –Hybrid checking (non-modular): CCured [Necula et al] –Type qualifiers for static checking: CQual [Foster et al, Johnson/Wagner], Sparse [Torvalds] Improving OS/extension reliability –Hardware protection: Nooks [Swift et al], L4 [LeVasseur et al], Xen [Fraser et al] –Binary instrumentation: SFI [Wahbe et al, Small/Seltzer], XFI [Erlingsson] –Using Cyclone: OKE [Bos/Samwel] –Static validation of API usage: SLAM [Ball et al] –Writing OS with safe language: Singularity [Patel et al]

25 25 More Deputy Features Checking types of arguments in printf -like functions Bounds for open arrays Special support for memset(), memcpy() Trusted casts for programmer to override the type system

26 26 Recovery Rate Results SafeDriveCrashesMal- functions Innocuous Errors Works Off4421n/a75 On0198113 140 runs, 20 per fault category SafeDrive prevented all 44 crashes with 100% recovery rate –5 of 7 categories caused crashes –All caused by memory-safety errors

27 27 Recovery Rate Results (2) DetectionCrashesMal-functionInnocuousTotal Static100313 (24%) Dynamic342547 (76%) Total442854 24% problems are detected statically, including 10 crashes –e.g. wrong constant size for memcpy(), deref of uninitialized ptr

28 28 –Wrappers are currently hand-written –No session restoration for failed drivers

Download ppt "SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques Feng Zhou, Jeremy Condit, Zachary Anderson, Ilya Bagrak, Rob Ennals, Matthew."

Similar presentations

Nooks: Safe Device Drivers with Lightweight Kernel Protection Domains Mike Swift, Steve Martin Hank Levy, Susan Eggers, Brian Bershad University of Washington.

Nooks: Safe Device Drivers with Lightweight Kernel Protection Domains Mike Swift, Steve Martin Hank Levy, Susan Eggers, Brian Bershad University of Washington.
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
1 Memory Allocation Professor Jennifer Rexford COS 217.

1 Memory Allocation Professor Jennifer Rexford COS 217.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.

CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.

George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.

Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
Nooks: an architecture for safe device drivers Mike Swift, The Wild and Crazy Guy, Hank Levy and Susan Eggers.

Nooks: an architecture for safe device drivers Mike Swift, The Wild and Crazy Guy, Hank Levy and Susan Eggers.
Capriccio: Scalable Threads for Internet Services Rob von Behren, Jeremy Condit, Feng Zhou, Geroge Necula and Eric Brewer University of California at Berkeley.

Capriccio: Scalable Threads for Internet Services Rob von Behren, Jeremy Condit, Feng Zhou, Geroge Necula and Eric Brewer University of California at Berkeley.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.

Similar presentations

Ads by Google