diehard probabilistic memory safety for unsafe
play

DieHard: Probabilistic Memory Safety for Unsafe Programming - PowerPoint PPT Presentation

Oct 17, 2023 •249 likes •609 views

DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery Berger Ben Zorn University of Massachusetts Microsoft Research Amherst Presented by: Brian Norris PLDI 2006 PLDI 2006 Frivolity Happy Leap Day! PLDI 2006

  1. DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery Berger Ben Zorn University of Massachusetts Microsoft Research Amherst Presented by: Brian Norris PLDI 2006 PLDI 2006

  2. Frivolity  Happy Leap Day! PLDI 2006 PLDI 2006

  3. Frivolity  Happy Leap Day!  die-hard  (adj.) strongly or fanatically determined or devoted PLDI 2006 PLDI 2006

  4. Frivolity  Happy Leap Day!  die-hard  (adj.) strongly or fanatically determined or devoted PLDI 2006 PLDI 2006

  5. Frivolity  Happy Leap Day!  die-hard  (adj.) strongly or fanatically determined or devoted PLDI 2006 PLDI 2006

  6. Problems with Unsafe Languages  C, C++: pervasive apps, but memory unsafe  Numerous opportunities for security vulnerabilities, errors  Double free  Invalid free  Uninitialized reads  Dangling pointers  Buffer overflows (stack & heap ) PLDI 2006 PLDI 2006

  7. Current Approaches  Unsound, may work or abort  Windows, GNU libc, etc., Rx  Unsound, will definitely continue  Failure oblivious (Rinard) **  Sound, definitely aborts (fail-safe)  CCured , CRED , SAFECode  Requires C source, programmer intervention  30% to 20X slowdowns  Good for debugging , less for deployment PLDI 2006 PLDI 2006

  8. DieHard  Sound execution (with high probability)  Fully-randomized memory manager  Increases odds of benign memory errors  Ensures different heaps across users  Replication  Run multiple replicas simultaneously, vote on results  Detects crashing & non-crashing errors  Trades space (and CPU?) for increased reliability PLDI 2006 PLDI 2006

  9. Soundness for “Erroneous” Programs  Consider infinite-heap allocator:  All new s fresh ; ignore delete  No dangling pointers, invalid frees, double frees  Every object infinitely large  No buffer overflows, data overwrites  Transparent to correct program  “Erroneous” programs sound PLDI 2006 PLDI 2006

  10. Approximating Infinite Heaps  Infinite ) M-heaps: probabilistic soundness  Option 1: Pad allocations & defer deallocations + Simple – No protection from larger overflows – pad = 8 bytes, overflow = 9 bytes… – Deterministic : overflow crashes everyone  Better: randomize heap + Probabilistic protection against errors + Independent across heaps ? Efficient implementation… PLDI 2006 PLDI 2006

  11. Randomized Heap Layout 00000001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap  Bitmap-based, segregated size classes  Bit represents one object of given size  i.e., one bit = 2 i+3 bytes, etc.  Prevents fragmentation PLDI 2006 PLDI 2006

  12. Randomized Allocation 00000001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap malloc(sz):  compute size class = ceil(log 2 sz) – 3  randomly probe bitmap for zero-bit (free)  Fast: runtime O(1)  M=2 ) E[# of probes] · 2 PLDI 2006 PLDI 2006

  13. Randomized Allocation 00010001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap malloc(sz):  compute size class = ceil(log 2 sz) – 3  randomly probe bitmap for zero-bit (free)  Fast: runtime O(1)  M=2 ) E[# of probes] · 2 PLDI 2006 PLDI 2006

  14. Randomized Deallocation 00010001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap free(ptr):  Ensure object valid (aligned)  Check bitmap  Reset bit  Prevents invalid frees, double frees PLDI 2006 PLDI 2006

  15. Randomized Deallocation 00010001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap free(ptr):  Ensure object valid (aligned)  Check bitmap  Reset bit  Prevents invalid frees, double frees PLDI 2006 PLDI 2006

  16. Randomized Deallocation 00000001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap free(ptr):  Ensure object valid (aligned)  Check bitmap  Reset bit  Prevents invalid frees, double frees PLDI 2006 PLDI 2006

  17. Randomized Heaps & Reliability object size = 2 i+3 object size = 2 i+4 … 2 4 5 3 1 6 3  Objects randomly spread across heap  Different run = different heap  Errors across heaps independent PLDI 2006 PLDI 2006

  18. Randomized Heaps & Reliability object size = 2 i+3 object size = 2 i+4 … 2 4 5 3 1 6 3  Objects randomly spread across heap  Different run = different heap  Errors across heaps independent … 1 6 3 2 5 4 1 PLDI 2006 PLDI 2006

  19. Randomized Heaps & Reliability object size = 2 i+3 object size = 2 i+4 … 2 4 5 3 1 6 3 My Mozilla: “malignant” overflow  Objects randomly spread across heap  Different run = different heap  Errors across heaps independent … 1 6 3 2 5 4 1 PLDI 2006 PLDI 2006

  20. Randomized Heaps & Reliability object size = 2 i+3 object size = 2 i+4 … 2 4 5 3 1 6 3 My Mozilla: “malignant” overflow  Objects randomly spread across heap  Different run = different heap  Errors across heaps independent Your Mozilla: “benign” overflow … 1 6 3 2 5 4 1 PLDI 2006 PLDI 2006

  21. DieHard software architecture replica 1 seed 1 input output replica 2 seed 2 vote broadcast replica 3 seed 3 execute replicas  Each replica has different allocator  “Output equivalent” – kill failed replicas PLDI 2006 PLDI 2006

  22. Results  Analytical results  Buffer overflows  Dangling pointer errors  Uninitialized reads  Empirical results  Runtime overhead  Error avoidance  Injected faults & actual applications PLDI 2006 PLDI 2006

  23. Analytical Results: Buffer Overflows  Model overflow as write of live data  Heap half full (max occupancy) PLDI 2006 PLDI 2006

  24. Analytical Results: Buffer Overflows  Model overflow as write of live data  Heap half full (max occupancy) PLDI 2006 PLDI 2006

  25. Analytical Results: Buffer Overflows  Model overflow as write of live data  Heap half full (max occupancy) PLDI 2006 PLDI 2006

  26. Analytical Results: Buffer Overflows  Replicas: Increase odds of avoiding overflow in at least one replica replicas PLDI 2006 PLDI 2006

  27. Analytical Results: Buffer Overflows  Replicas: Increase odds of avoiding overflow in at least one replica replicas PLDI 2006 PLDI 2006

  28. Analytical Results: Buffer Overflows  Replicas: Increase odds of avoiding overflow in at least one replica replicas  P(Overflow in all replicas) = (1/2) 3 = 1/8  P(No overflow in ¸ 1 replica) = 1-(1/2) 3 = 7/8 PLDI 2006 PLDI 2006

  29. Analytical Results: Buffer Overflows F = free space  H = heap size  N = # objects  worth of overflow k = replicas  Overflow one object  PLDI 2006 PLDI 2006

  30. Empirical Results: Runtime PLDI 2006 PLDI 2006

  31. Empirical Results: Runtime PLDI 2006 PLDI 2006

  32. Empirical Results: Error Avoidance  Injected faults:  Dangling pointers (@50%, 10 allocations)  glibc : crashes ; DieHard : 9/10 correct  Overflows (@1%, 4 bytes over)  glibc : crashes 9/10, inf loop ; DieHard : 10/10 correct  Real faults:  Avoids Squid web cache overflow  Crashes BDW & glibc  Avoids dangling pointer error in Mozilla  DoS in glibc & Windows PLDI 2006 PLDI 2006

  33. Conclusion  Randomization + replicas = probabilistic memory safety  Useful point between absolute soundness (fail-stop) and unsound  Trades hardware resources (RAM, CPU) for reliability  Hardware trends  Larger memories, multi-core CPUs  Follows in footsteps of ECC memory, RAID PLDI 2006 PLDI 2006

  34. Major Weakness  Excessive memory, CPU usage  Fallacy: we can forfeit extra memory and CPU resources because they are becoming cheaper  For production use (seriously?)  Inconsistent comparisons PLDI 2006 PLDI 2006

  35. Related Work  Unsound, will definitely continue  Failure oblivious (Rinald) [30, 32] **  Introduced idea of “boundless memory blocks”  Same benefits with less memory?  DieHarder PLDI 2006 PLDI 2006

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Our Design Leadership process began with finding a need. What is Personal Safety? Who feels

Our Design Leadership process began with finding a need. What is Personal Safety? Who feels

Our Design Leadership process began with finding a need. What is Personal Safety? Who feels safe/unsafe in public? How do we understand their story Irene Kuo Brainstorms Why do people feel unsafe? Too Broad General Safety Too Broad Safety

620 views • 12 slides
The business case of unsafe The business case of unsafe care care 16 billion injections a

The business case of unsafe The business case of unsafe care care 16 billion injections a

Health care causes harm to patients Better knowledge for safer care GCC Conference on Patient Safety 6-8 April 2009 Research for Patient Safety Itziar Larizgoitia Head Research & knowledge Management Patient Safety WHO The business case

318 views • 4 slides
Diditwithbuckets: NumberTheory: 3gal.&5gal. DieHard 3gal.&9gal.

Diditwithbuckets: NumberTheory: 3gal.&5gal. DieHard 3gal.&9gal.

GeneralizedDieHard MathematicsforComputerScience MIT 6.042J/18.062J Diditwithbuckets: NumberTheory: 3gal.&5gal. DieHard 3gal.&9gal. Uniquefactorization Nowagal.&bgal.? AlbertRMeyer March5,2012

425 views • 3 slides
Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust! Memory Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy

556 views • 53 slides
Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors Is memory safety relevant? Yes!

827 views • 47 slides
Unsafe & safe road way design Unsafe & safe road way design for urban roads for

Unsafe & safe road way design Unsafe & safe road way design for urban roads for

PIARC International Road Safety Safety Seminar Seminar PIARC International Road Beijing 18 20 20 October October 2005 2005 Beijing 18 Unsafe & safe road way design Unsafe & safe road way design for urban roads for

1.02k views • 34 slides
Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

r e l i p e m v o i t c c Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler perspective. Kostya Serebryany , Evgenii Stepanov, Vlad Tsyrklevich (Google) Oct 2018 1 Agenda ARM v8.5

504 views • 29 slides
Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated? Where does memory live? What kinds of pointers does Rust have? Memory management goal: Allocate memory when you need it, and free it when

614 views • 24 slides
Safety Culture at Catalysis Engineering Goal We are good at the formal aspects of safety

Safety Culture at Catalysis Engineering Goal We are good at the formal aspects of safety

Safety Culture at Catalysis Engineering Goal We are good at the formal aspects of safety (safety test, SAS, gas team, etc.) But do we have a safety culture? - Detect and remediate unsafe situations? - Talk to our colleagues when they work

515 views • 4 slides
Born in the surf. Raised in the mountains OUR STORY A diehard skier and surfer, Shawn Biega

Born in the surf. Raised in the mountains OUR STORY A diehard skier and surfer, Shawn Biega

Born in the surf. Raised in the mountains OUR STORY A diehard skier and surfer, Shawn Biega spent endless hours in the sun. As an outdoor athlete, he understood the need for sun protection that could withstand salt water, high altitudes and

918 views • 25 slides
WELCOME! Why are you in this room right now? What: Internet Safety and Review of Behavior

WELCOME! Why are you in this room right now? What: Internet Safety and Review of Behavior

WELCOME! Why are you in this room right now? What: Internet Safety and Review of Behavior Expectations Why: Weve had some instances of unsafe practices within our student body and we care about your safety. How: Provide you

422 views • 19 slides
Probabilistic cellular automata with memory two Ir` ene Marcovici Joint work with J er ome

Probabilistic cellular automata with memory two Ir` ene Marcovici Joint work with J er ome

Probabilistic cellular automata with memory two Ir` ene Marcovici Joint work with J er ome Casse (NYU Shanghai) Institut Elie Cartan de Lorraine, Univ. de Lorraine, Nancy ALEA in Europe Workshop Vienna, October 13, 2017 Ir` ene

1.34k views • 62 slides
On the Memory Consumption of Probabilistic Pushdown Automata Tom Brzdil 1 Javier Esparza 2

On the Memory Consumption of Probabilistic Pushdown Automata Tom Brzdil 1 Javier Esparza 2

On the Memory Consumption of Probabilistic Pushdown Automata Tom Brzdil 1 Javier Esparza 2 Stefan Kiefer 3 1 Masaryk University, Brno (Czech Republic) 2 TU Mnchen (Germany) 3 University of Oxford (UK) FSTTCS (Kanpur, India), 15 December,

743 views • 40 slides
Product Safety Consumer Products Controlling the safety of non-food products beyond 2015

Product Safety Consumer Products Controlling the safety of non-food products beyond 2015

Product Safety Consumer Products Controlling the safety of non-food products beyond 2015 Northamptonshire County Council Trading Standards Service Toni Eldridge 01604 362447 tseldridge@northamptonshire.gov.uk Issues unsafe

334 views • 12 slides
Improving Farm Tap Safety Goal: Improved Safety BHEs goal from the proposal is to improve farm

Improving Farm Tap Safety Goal: Improved Safety BHEs goal from the proposal is to improve farm

Improving Farm Tap Safety Goal: Improved Safety BHEs goal from the proposal is to improve farm tap safety (from Northern Natural Gas pipe to premise) Test fuel lines for leaks and material compliance Replace unsafe lines Install

248 views • 9 slides
Approximate Spectral Clustering via Randomized Sketching Christos Boutsidis Yahoo! Labs, New

Approximate Spectral Clustering via Randomized Sketching Christos Boutsidis Yahoo! Labs, New

Approximate Spectral Clustering via Randomized Sketching Christos Boutsidis Yahoo! Labs, New York Joint work with Alex Gittens (Ebay), Anju Kambadur (IBM) The big picture: sketch and solve Tradeoff : Speed (depends on the size of A)

378 views • 22 slides
Directed Automated Randomized Testing (DART) Motivation Verifica(on is really

Directed Automated Randomized Testing (DART) Motivation Verifica(on is really

Directed Automated Randomized Testing (DART) Motivation Verifica(on is really hard Unit tes(ng is also hard and rarely done properly Have to check all corner

186 views • 16 slides
Controversies and Unresolved Issues in the Design of Randomized Controlled Trials Testing

Controversies and Unresolved Issues in the Design of Randomized Controlled Trials Testing

Controversies and Unresolved Issues in the Design of Randomized Controlled Trials Testing Clinical/Behavioral Public Health Interventions Part II: Rejecting Universal Adjustment for Multiple Testing in Public Health RCTs of Clinical/Behavioral

338 views • 23 slides
Demystifying Biostatistical Concepts for Embedded Pragmatic Clinical Trials June 19, 2020

Demystifying Biostatistical Concepts for Embedded Pragmatic Clinical Trials June 19, 2020

Living Textbook Grand Rounds Series Demystifying Biostatistical Concepts for Embedded Pragmatic Clinical Trials June 19, 2020 Elizabeth L. Turner, PhD, Duke University Patrick J. Heagerty, PhD, University of Washington David M. Murray, PhD,

797 views • 69 slides
Randomized sparse Kaczmarz methods Dirk Lorenz, joint with Frank Schpfer, Feb 9, 2018 Inverse

Randomized sparse Kaczmarz methods Dirk Lorenz, joint with Frank Schpfer, Feb 9, 2018 Inverse

Randomized sparse Kaczmarz methods Dirk Lorenz, joint with Frank Schpfer, Feb 9, 2018 Inverse Problems and Machine Learning, Caltech 2018 The Kaczmarz method Randomization Sparsity Split feasibility problems Convergence rates Feb 9, 2018

912 views • 68 slides
On the Resiliency of Randomized Routing Against Multiple Edge

On the Resiliency of Randomized Routing Against Multiple Edge

On the Resiliency of Randomized Routing Against Multiple Edge Failures Slobodan Mitrovi (EPFL) Joint work with M. Chiesa, A. Gurtov, A. Mdry, I.

861 views • 57 slides
Introduction to Randomized Algorithms: QuickSort Lecture 2 January 17, 2019 Chandra (UIUC)

Introduction to Randomized Algorithms: QuickSort Lecture 2 January 17, 2019 Chandra (UIUC)

CS 498ABD: Algorithms for Big Data, Spring 2019 Introduction to Randomized Algorithms: QuickSort Lecture 2 January 17, 2019 Chandra (UIUC) CS498ABD 1 Spring 2019 1 / 51 Outline Our goal Basics of randomization probability space,

1.51k views • 113 slides
Introducing Random Search H YP ERPARAMETER TUN IN G IN P YTH ON Alex Scriven Data Scientist

Introducing Random Search H YP ERPARAMETER TUN IN G IN P YTH ON Alex Scriven Data Scientist

Introducing Random Search H YP ERPARAMETER TUN IN G IN P YTH ON Alex Scriven Data Scientist What you already know Very similar to grid search: Dene an estimator, which hyperparameters to tune and the range of values for each

482 views • 27 slides

More recommend