Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing - PowerPoint PPT Presentation



  1. Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing
     Wookhyun Han, Byunggil Joe, Byoungyoung Lee*, Chengyu Song†, Insik Shin
     KAIST, *Purdue, †UCR

  2. Memory error
     • Examples: glibc getaddrinfo (stack-based buffer overflow), Heartbleed, Shellshock
     • Information leakage – Heartbleed
     • Privilege escalation – Shellshock
     • Remote code execution – Shellshock, glibc, Conficker

  3. Memory error detection
     • Pointer-based [SoftBound+CETS, Intel MPX]
       – Hardware support (cannot detect temporal memory errors)
       – Challenges to support complex applications
     • Redzone-based [AddressSanitizer (ASan)]
       – Compatible with complex applications
       – Most popular in practice
         → Google Chrome, Mozilla Firefox, Linux Kernel
         → American Fuzzy Lop (AFL), ClusterFuzz, OSS-Fuzz

  4. Redzone-based memory error detection
     • Buffer overflow (spatial memory errors)
     • Shadow memory: a bitmap to validate all addresses; check before access
     • Redzone: inaccessible region between objects
     [Figure: ptrX advances from objX into the redzone that follows it; the shadow memory marks objX accessible and the redzone inaccessible, so the access is reported as an error]

  5. Redzone-based memory error detection
     • Use-after-free (temporal memory errors)
     • free(ptrX): the region is invalidated and quarantined, but not actually deallocated
     • Hold the region until the quarantine zone is full (FIFO)
     • Then the region is actually deallocated, and can be allocated to a new object (ptrY = malloc())
     [Figure: on free(ptrX), objX goes from accessible to quarantined (inaccessible in shadow memory); once it leaves the quarantine, the same region is handed to objY]

  6. Limitations of redzone-based approach
     1. What if a pointer accesses beyond the redzone?
        ptrX skips over objX's redzone and lands in objY → spatial memory error, cannot detect!
     2. What if a dangling pointer accesses after another object is allocated in the region?
        ptrX still points to freed objX, whose region objZ now occupies → temporal memory error, cannot detect!
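As an added illustration of slides 4 to 6 (example code written for this page, not from the MEDS authors or from ASan itself): a byte-granular C model of redzone-based checking with a FIFO quarantine. The heap size, shadow bytes, redzone width and quarantine depth are constructed, scaled-down stand-ins, and "addresses" are indices into a simulated heap, so nothing touches real memory out of bounds. The four scenario functions reproduce both limitations: a pointer that steps past the redzone into objY is not caught, and a dangling pointer is caught only until objX is evicted from the quarantine and its bytes are reused.

```c
/* Added example, not code from the MEDS slides or from ASan: a byte-granular
 * model of redzone-based detection with a FIFO quarantine. Addresses are
 * indices into a simulated heap; all sizes are constructed stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 1024
#define REDZONE 16             /* poisoned bytes placed after every object */
#define QUARANTINE_SLOTS 2     /* freed regions held before their memory is reused */

typedef struct { size_t addr, size; } region_t;

static unsigned char shadow[HEAP_SIZE];   /* one shadow byte per heap byte: 1 accessible, 0 poisoned */
static size_t heap_top;                   /* bump pointer for fresh allocations */
static region_t quarantine[QUARANTINE_SLOTS];
static size_t q_head, q_count;            /* FIFO ring over the quarantine slots */
static region_t reusable;                 /* the one region that has left quarantine (size 0 = none) */

static void sim_reset(void) {
    memset(shadow, 0, sizeof shadow);
    heap_top = q_head = q_count = 0;
    reusable = (region_t){0, 0};
}

/* Returns the simulated address of a new object, or (size_t)-1 when the heap is exhausted. */
static size_t sim_malloc(size_t n) {
    if (reusable.size >= n) {              /* a region evicted from quarantine is recycled first */
        size_t a = reusable.addr;
        reusable.size = 0;
        memset(shadow + a, 1, n);
        return a;
    }
    if (heap_top + n + REDZONE > HEAP_SIZE) return (size_t)-1;
    size_t a = heap_top;
    memset(shadow + a, 1, n);              /* object bytes: accessible */
    memset(shadow + a + n, 0, REDZONE);    /* trailing redzone: poisoned */
    heap_top += n + REDZONE;
    return a;
}

static void sim_free(size_t addr, size_t size) {
    memset(shadow + addr, 0, size);        /* invalidate, but do not hand the bytes out yet */
    if (q_count == QUARANTINE_SLOTS) {     /* FIFO full: the oldest region becomes reusable */
        reusable = quarantine[q_head];
        q_head = (q_head + 1) % QUARANTINE_SLOTS;
        q_count--;
    }
    quarantine[(q_head + q_count) % QUARANTINE_SLOTS] = (region_t){addr, size};
    q_count++;
}

/* The check the compiler inserts before every load and store. */
static bool access_allowed(size_t addr) {
    return addr < HEAP_SIZE && shadow[addr] == 1;
}

/* Limitation 1: a spatial error is caught only while the stray pointer is inside the redzone. */
static bool spatial_in_redzone_caught(void) {
    sim_reset();
    size_t x = sim_malloc(16);
    (void)sim_malloc(16);                  /* objY, placed right after objX's redzone */
    return !access_allowed(x + 16);        /* first byte past objX lies in the redzone */
}
static bool spatial_beyond_redzone_caught(void) {
    sim_reset();
    size_t x = sim_malloc(16);
    (void)sim_malloc(16);                  /* objY starts at x + 16 + REDZONE */
    return !access_allowed(x + 16 + REDZONE); /* lands in objY: allowed, so undetected */
}

/* Limitation 2: a dangling pointer is caught while objX sits in quarantine, not after reuse. */
static bool temporal_in_quarantine_caught(void) {
    sim_reset();
    size_t x = sim_malloc(16);
    sim_free(x, 16);
    return !access_allowed(x);
}
static bool temporal_after_reuse_caught(void) {
    sim_reset();
    size_t x = sim_malloc(16);
    sim_free(x, 16);
    for (int i = 0; i < QUARANTINE_SLOTS; i++) {   /* enough later frees evict objX from the FIFO */
        size_t t = sim_malloc(16);
        sim_free(t, 16);
    }
    size_t z = sim_malloc(16);             /* objZ now occupies objX's bytes */
    return z != x || !access_allowed(x);   /* same address, accessible: undetected */
}

int main(void) {
    printf("spatial, inside redzone:  %s\n", spatial_in_redzone_caught() ? "caught" : "missed");
    printf("spatial, beyond redzone:  %s\n", spatial_beyond_redzone_caught() ? "caught" : "missed");
    printf("temporal, in quarantine:  %s\n", temporal_in_quarantine_caught() ? "caught" : "missed");
    printf("temporal, after reuse:    %s\n", temporal_after_reuse_caught() ? "caught" : "missed");
    return 0;
}
```

Each scenario resets the model, so the functions can be run in any order; widening REDZONE or QUARANTINE_SLOTS pushes the two misses further out, which is exactly the trade-off against physical memory that the Motivation slide raises.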

  7. Motivation
     • To enhance detectability of redzone-based memory error detection
       – P1. Large gap to detect spatial memory errors
       – P2. Large quarantine zone to detect temporal memory errors
     → Huge physical memory required
     [Figure: P1 places a large gap after obj1; P2 keeps obj1 in quarantine while obj2 is allocated elsewhere]

  8. MEDS overview
     • Enhances detectability of redzone-based memory error detection
     • Idea: fully utilize the 64-bit virtual address space to support
       – P1. Large gap to detect spatial errors
       – P2. Large quarantine zone to detect temporal errors
     • Approach: minimize physical memory use
       – Page aliasing allocator and page protection
       – Hierarchical memory error detection

  9. Page aliasing (P1)
     • Maps multiple virtual pages to a single physical page
     • The redzone itself does not occupy physical memory
     [Figure: in virtual memory obj1, obj2, obj3 and obj4 each sit on their own page surrounded by redzone; in physical memory all four share a single page (legend: Allocated, Redzone, Page aliasing, A memory page)]

  10. Page protection (P1)
     • Redzone-only pages are unmapped
     • They do not occupy shadow memory and physical memory
     [Figure: virtual pages holding only redzone are shown as unmapped pages; only the pages carrying obj1 to obj4 are aliased onto physical memory (legend: Allocated, Redzone, Page aliasing, Unmapped page, A memory page)]

  11. Page aliasing & Page protection (P2)
     • Reuse physical memory immediately, while not reusing virtual addresses
     [Figure: obj1 is quarantined: its virtual page becomes an unmapped page and stays that way, while the physical memory it occupied is given to the newly allocated objX]

  12. Hierarchical memory error detection
     • Many different ways to represent redzones → further optimizing physical memory use
       #1. Shadow memory is invalid
       #2. Virtual page is unmapped
       #3. Shadow memory is unmapped
     [Figure: ptr pointing into a redzone, annotated with the three representations]
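As an added illustration of slides 9 to 12 (example code written for this page, not MEDS's own allocator): a page-granular C model of page aliasing, page protection and the three redzone representations. The page numbers, the 4 MB gap, the shadow-pool size, the one-page object limit and the order in which the three layers are consulted are this model's assumptions. Its scenario functions show that eight small objects spread over thousands of virtual pages cost one physical page, that a freed object's physical page is reused at once while its virtual page stays unmapped, and which layer rejects an access at obj+100, at obj+PAGE, and through a dangling pointer, both for instrumented code and for an access that bypasses the instrumentation.

```c
/* Added example, not MEDS's own code: a page-granular model of the allocator
 * the slides describe. Virtual and physical pages are integers, shadow memory
 * is a small pool of pages, and all sizes are constructed stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE 4096
#define GAP_PAGES 1024     /* 4 MB of redzone after every object, the MEDS setting on the evaluation slide */
#define MAX_VPAGES 16384   /* 64 MB of modeled virtual address space */
#define SHADOW_POOL 16     /* shadow pages that exist at all; every other shadow page is unmapped */
#define MAX_PHYS 64        /* the model assumes fewer physical pages than this are ever needed */

static int vmap[MAX_VPAGES], vshadow[MAX_VPAGES];    /* physical page / shadow page of a virtual page, -1 = unmapped */
static unsigned char shadow_pool[SHADOW_POOL][PAGE]; /* shadow bytes: 1 = accessible, 0 = poisoned */
static int shadow_free[SHADOW_POOL], shadow_free_n;  /* shadow pages not currently in use */
static int phys_refs[MAX_PHYS], phys_free[MAX_PHYS], phys_free_n, phys_total;
static size_t next_vpage, pack_off;                  /* virtual pages are handed out once and never reused */
static int pack_page = -1;                           /* physical page currently packed with small objects */
static bool last_phys_reused;                        /* set by dangling_probe() */

static void meds_reset(void) {
    memset(vmap, -1, sizeof vmap); memset(vshadow, -1, sizeof vshadow);
    memset(phys_refs, 0, sizeof phys_refs);
    for (int i = 0; i < SHADOW_POOL; i++) shadow_free[i] = i;
    shadow_free_n = SHADOW_POOL; phys_free_n = phys_total = 0;
    next_vpage = 1; pack_page = -1; pack_off = 0;    /* address 0 doubles as the failure value */
}

/* Returns a virtual address, or 0 on failure. Each object (at most one page here)
 * gets its own virtual page aliased onto a physical page shared with other small
 * objects (P1 page aliasing), followed by GAP_PAGES never-mapped pages (P1 page protection). */
static size_t meds_malloc(size_t n) {
    if (n == 0 || n > PAGE || next_vpage + 1 + GAP_PAGES > MAX_VPAGES || !shadow_free_n) return 0;
    if (pack_page < 0 || pack_off + n > PAGE) {      /* P2: a freed physical page is reused immediately */
        pack_page = phys_free_n ? phys_free[--phys_free_n] : phys_total++;
        pack_off = 0;
    }
    size_t vp = next_vpage;
    next_vpage += 1 + GAP_PAGES;
    vmap[vp] = pack_page;
    phys_refs[pack_page]++;
    int sp = shadow_free[--shadow_free_n];
    vshadow[vp] = sp;
    memset(shadow_pool[sp], 0, PAGE);                /* the rest of the page is in-page redzone */
    memset(shadow_pool[sp] + pack_off, 1, n);
    size_t addr = vp * PAGE + pack_off;
    pack_off += (n + 15) & ~(size_t)15;              /* 16-byte slots */
    return addr;
}

/* Unmaps the object's virtual page for good and releases its shadow page; the
 * physical page becomes reusable once no other object aliases it. */
static void meds_free(size_t addr) {
    size_t vp = addr / PAGE;
    if (vp >= MAX_VPAGES || vmap[vp] < 0) return;
    int pp = vmap[vp];
    vmap[vp] = -1;
    shadow_free[shadow_free_n++] = vshadow[vp];
    vshadow[vp] = -1;
    if (--phys_refs[pp] == 0) {
        phys_free[phys_free_n++] = pp;
        if (pp == pack_page) pack_page = -1;
    }
}

enum level { ACCESS_OK = 0, SHADOW_INVALID = 1, VPAGE_UNMAPPED = 2, SHADOW_UNMAPPED = 3 };

/* Which layer rejects an access. Instrumented code loads the shadow byte first, so an
 * unmapped shadow page faults (#3) before a poisoned byte is seen (#1); an access that
 * bypasses the instrumentation still faults on an unmapped virtual page (#2). */
static enum level meds_check(size_t addr, bool instrumented) {
    size_t vp = addr / PAGE, off = addr % PAGE;
    if (vp >= MAX_VPAGES) return VPAGE_UNMAPPED;
    if (instrumented) {
        if (vshadow[vp] < 0) return SHADOW_UNMAPPED;
        if (!shadow_pool[vshadow[vp]][off]) return SHADOW_INVALID;
    }
    return vmap[vp] < 0 ? VPAGE_UNMAPPED : ACCESS_OK;
}

/* Allocates count 100-byte objects and returns the physical pages they cost. */
static int pages_used(int count) {
    meds_reset();
    for (int i = 0; i < count; i++) meds_malloc(100);
    return phys_total;
}
static size_t vpages_spanned(void) { return next_vpage - 1; }   /* virtual span after pages_used() */

/* ptr = obj + delta for a fresh 100-byte object. */
static enum level probe(size_t delta, bool instrumented) {
    meds_reset();
    return meds_check(meds_malloc(100) + delta, instrumented);
}

/* free(objX), allocate objZ, then dereference the dangling objX pointer. */
static enum level dangling_probe(bool instrumented) {
    meds_reset();
    size_t x = meds_malloc(PAGE);
    int px = vmap[x / PAGE];
    meds_free(x);
    size_t z = meds_malloc(PAGE);
    last_phys_reused = z != x && vmap[z / PAGE] == px && phys_total == 1;
    return meds_check(x, instrumented);
}

int main(void) {
    int phys = pages_used(8);
    printf("8 objects: %d physical page(s) across %zu virtual pages\n", phys, vpages_spanned());
    printf("obj+100: level %d, obj+PAGE: level %d\n", probe(100, true), probe(PAGE, true));
    printf("dangling: level %d, physical page reused: %d\n", dangling_probe(true), last_phys_reused);
    return 0;
}
```

Note what the uninstrumented probe at obj+100 returns: the in-page redzone is backed by physical bytes belonging to another aliased object, so representation #1 is only as good as the instrumentation, whereas the 4 MB gap (#2, #3) and a freed page (#2) are enforced by the page tables for any access.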

  13. Evaluation
     • Configuration
         Configuration   ASan           MEDS    Improvement
         Redzone         8-1024 bytes   4 MB    16,384x
         Quarantine      128 MB         80 TB   65,536x
     • ASan cannot use the MEDS configuration (lack of memory)
     • Compatibility
     • Performance: 2 times slowdown
     • Detection (fuzz testing): 68% more detection

  14. Compatibility
     • Unit tests from real-world applications
       – Test cases in Chrome, Firefox, Nginx: all passed
     • Memory error unit tests
       – ASan unit tests: all passed
       – NIST Juliet test suites: all passed except random access tests → ASan: 35% vs. MEDS: 98%

  15. Micro-scale performance overhead
     • TLB misses
       – 5 times more than ASan (more virtual pages with page aliasing)
     • Number of system calls
       – mmap(), munmap(), and mremap()
       – 32 times more than ASan (page aliasing and page protection)
     • Memory footprint
       – 218% more than baseline
       – 68% more than ASan (much larger redzone and quarantine)

  16. End-to-end performance overhead
     • 108% compared to baseline, 86% to ASan
     [Chart: run time of Baseline, ASan and MEDS on Chrome, Firefox, Apache, Nginx (y axis 0 to 4); one application is annotated "41% to baseline, 22% to ASan", another "243% to baseline, 211% to ASan", the latter explained by a large number of small objects on the stack]

  17. Detection (fuzz testing)
     • Run AFL (8 cores, 6 hours)
     • Despite the performance overhead, explores 68.3% more unique crashes than ASan
     • MEDS finds more unique crashes in the initial phase, but is saturated in the end
     [Chart: unique crashes relative to ASan (y axis 0 to 4)]

  18. Detection (fuzz testing)
     • Number of unique crashes with time spent (metacam)
     [Chart: found crashes (y axis 0 to 70) against time spent in hours (x axis 1 to 8) for ASan and MEDS; MEDS is marked as saturated]
