practical memory safety with
play

Practical Memory Safety with REST KANAD SINHA & SIMHA - PowerPoint PPT Presentation

Feb 11, 2023 •338 likes •827 views

Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors Is memory safety relevant? Yes!

  1. Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY

  2. Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors

  3. Is memory safety relevant? Yes!

  4. Practical memory safety Presenting… Random Embedded Security Tokens or REST Core H/W primitive: Insert known 64B random value ( token ) in program and detect accesses to them.

  5. Practical memory safety Presenting… Random Embedded Security Tokens or REST Core H/W primitive: Insert known 64B random value ( token ) in program and detect accesses to them. char *buf = malloc(BUF_LEN); buf for (i=0; i<out_of_bounds; i++) buf = 0; Other allocs Heap

  6. Practical memory safety Presenting… Random Embedded Security Tokens or REST Core H/W primitive: Insert known 64B random value ( token ) in program and detect accesses to them. Token char *buf = malloc(BUF_LEN); buf for (i=0; i<out_of_bounds; i++) Token buf = 0; Other allocs Heap

  7. Practical memory safety Presenting… Random Embedded Security Tokens or REST Core H/W primitive: Insert known 64B random value ( token ) in program and detect accesses to them. • Trivial hardware implementation • Software framework based on AddressSanitizer • Provides heap safety for legacy binaries

  8. Background: Spatial Memory Safety Xander’s House Yana’s House Zoey’s House

  9. Background: Spatial Memory Safety char *ptr buf = malloc(BUF_LEN); ptr buf … buf ptr buf [in_bounds] = X; … ptr buf [out_of_bounds] = Y;

  10. Background: Spatial Memory Safety char *ptr buf = malloc(BUF_LEN); ptr buf … buf ptr buf [in_bounds] = X; … ptr buf [out_of_bounds] = Y;

  11. Background: Spatial Memory Safety char *ptr buf = malloc(BUF_LEN); ptr buf … buf ptr buf [in_bounds] = X; … ptr buf [out_of_bounds] = Y;

  12. Background: Temporal Memory Safety Xander moves out, Will moves in Xander’s House Yana’s House Zoey’s House

  13. Background: Temporal Memory Safety Xander moves out, Will moves in Will’s House Yana’s House Zoey’s House

  14. Background: Temporal Memory Safety char *ptr buf = malloc(BUF_LEN); ptr buf ptr buf [in_bounds] = X; buf … free(ptr buf ); ptr buf [in_bounds] = Y;

  15. Background: Temporal Memory Safety char *ptr buf = malloc(BUF_LEN); ptr buf ptr buf [in_bounds] = X; … free(ptr buf ); ptr buf [in_bounds] = Y;

  16. Previous H/W Solutions Mainly categorizable into 2 types.

  17. Previous H/W Solutions Mainly categorizable into 2 types. • Whitelisting: Pointer based + Good coverage + Temporal safety (for some) ptr buf - Performance overhead buf - Implementation overhead - Imprecise

  18. Previous H/W Solutions Mainly categorizable into 2 types. • Whitelisting: Pointer based + Good coverage + Temporal safety (for some) ptr - Performance overhead buf - Implementation overhead - Imprecise • Blacklisting: Location based + Fast - Weaker coverage (has false negatives) - Implementation overhead - No temporal protection

  19. Previous H/W Solutions Tag-based buf Buf *ptr buf Metadata is_valid(ptr buf )?

  20. REST : Primitive Overview Content-based blacklisting Token *ptr buf buf Buf is(*ptr buf == token)? Token REST primitive has trivial complexity, overhead

  21. REST : Spatial Memory Safety Xander’s House Yana’s House Zoey’s House

  22. REST : Temporal Memory Safety Will gets new house Yana’s House Zoey’s House

  23. REST Software

  24. Heap Safety Heap • Allocate and bookend region, malloc to program buf 24

  25. Heap Safety Heap • Allocate and bookend region, malloc to program • REST ’ize at free • Do not reallocate region until heap sufficiently consumed 25

  26. Heap Safety Heap • Allocate and bookend region, malloc to Spatial Protection program • REST ’ize at free • Do not reallocate region until heap sufficiently consumed 26

  27. Heap Safety Heap • Allocate and bookend region, malloc to program • REST’ize at free • Do not reallocate region until heap Temporal Protection sufficiently consumed Can be enabled for legacy binaries 27

  28. Stack Safety void foo() { buf char buf[64]; … return; } foo ‘s frame Previous frame 28

  29. Stack Safety void foo() { rz1 char rz1[64]; char buf[64]; buf char rz2[64]; arm(rz1); rz2 arm(rz2); … disarm(rz1); foo ‘s frame disarm(rz2); Previous return; frame } 29

  30. Stack Safety void foo() { rz1 char rz1[64]; char rz1[64]; char buf[64]; char buf[64]; buf char rz2[64]; char rz2[64]; arm(rz1); rz2 arm(rz2); … disarm(rz1); foo ‘s frame disarm(rz2); Previous return; frame } 30

  31. Stack Safety void foo() { rz1 char rz1[64]; char buf[64]; buf char rz2[64]; arm : Set token arm(rz1); rz2 arm rz1; arm(rz2); arm rz2; … disarm(rz1); foo ‘s frame disarm(rz2); Previous return; frame } 31

  32. Stack Safety void foo() { rz1 char rz1[64]; char buf[64]; buf char rz2[64]; arm(rz1); rz2 arm(rz2); … disarm rz1; disarm(rz1); foo ‘s frame disarm : Unset token disarm rz2; disarm(rz2); Previous return; frame } 32

  33. Stack Safety void foo() { rz1 char rz1[64]; char buf[64]; buf char rz2[64]; arm(rz1); rz2 arm(rz2); … disarm(rz1); foo ‘s frame disarm(rz2); Previous return; frame } Requires recompilation with REST plugin 33

  34. REST Hardware

  35. Naïve Design Every store involves an extra load  Complicated and expensive load/store X Memory Token L1-D Value = Core

  36. Cache Modifications Comparator at L1-D mem interface + 1b per L1-D line load/store X Token Bits Memory Token L1-D Value = Core

  37. Cache Miss load/store X Token Bits Memory Token L1-D Value = Core

  38. Cache Hit load/store X Token Bits Memory Token L1-D Value = Core

  39. Cache Eviction Armed outgoing line filled with token value load/store X Token Bits Memory Token L1-D Value = Core

  40. What about the core? TODO: Have to support arms and disarms • 512b writes • Special semantics: can only touch token with disarm LSQ design concerns: • Forwarding would break semantics • 512b data entries • How to match unaligned token access?

  41. Load-Store Queue • Forwarding breaks semantics Add 1b tag • 512b data entries Only update token bit • Detecting unaligned token access Split regular match logic 6 Data = Address Token Match Match CAM bit Logic Address

  42. Load-Store Queue • Forwarding breaks semantics Add 1b tag • 512b data entries Only update token bit • Detecting unaligned token access Split regular match logic 6 REST Violation Data = = Address Token Match Match CAM bit Logic Address

  43. REST Overhead

  44. REST Performance

  45. REST Performance

  46. REST Performance REST primitive overhead near-zero. Software overhead mostly from allocator.

  47. To conclude… REST : Hardware/software mechanism to detect common memory safety errors ◦ Low overhead, low complexity hardware implementation ◦ Heap safety for legacy binaries 22-90% faster than comparable software solution on SPEC CPU Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Abstractions for Practical Systems Caching and the memory hierarchy Operating systems and the

Abstractions for Practical Systems Caching and the memory hierarchy Operating systems and the

CS 240 Stage 3 Abstractions for Practical Systems Caching and the memory hierarchy Operating systems and the process model Virtual memory Dynamic memory allocation Victory lap Memory Hierarchy: Cache Memory hierarchy Cache basics Locality

1.02k views • 49 slides
Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust! Memory Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy

556 views • 53 slides
Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

r e l i p e m v o i t c c Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler perspective. Kostya Serebryany , Evgenii Stepanov, Vlad Tsyrklevich (Google) Oct 2018 1 Agenda ARM v8.5

504 views • 29 slides
Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated? Where does memory live? What kinds of pointers does Rust have? Memory management goal: Allocate memory when you need it, and free it when

614 views • 24 slides
EUROCONTROL Safety Regulatory Requirements Practical Application European Organisation for the

EUROCONTROL Safety Regulatory Requirements Practical Application European Organisation for the

EUROCONTROL Safety Regulatory Requirements Practical Application European Organisation for the Safety of Air Navigation 1 ESARRs - Overview 1. Requirements for safety regulation by State authorities 2. Safety monitoring and improvement 3.

365 views • 10 slides
Considerations for the Practical Application of the Safety Requirements for Nuclear Power Plant

Considerations for the Practical Application of the Safety Requirements for Nuclear Power Plant

International Atomic Energy Agency Considerations for the Practical Application of the Safety Requirements for Nuclear Power Plant Design Joint ICTP-IAEA Essential Knowledge Workshop on Deterministic Safety Analysis and Engineering Aspects

747 views • 31 slides
Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure

Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure

Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure Software Systems Day 2: Memory Safety Introduction Reversing the stack Stephen McCamant University of Minnesota, Computer Science &amp; Engineering

440 views • 4 slides
PRACTICAL EXPERIENCE OF IMPLEMENTING NATIONAL FOOD SAFETY EMERGENCY RESPONSE PLANS Mrs.

PRACTICAL EXPERIENCE OF IMPLEMENTING NATIONAL FOOD SAFETY EMERGENCY RESPONSE PLANS Mrs.

PRACTICAL EXPERIENCE OF IMPLEMENTING NATIONAL FOOD SAFETY EMERGENCY RESPONSE PLANS Mrs. Jongkolnee Vithayarungruangsri Director of Bureau of Food Safety Extension and Support Ministry of Public Health, Thailand foodsafety@moph.mail.go.th ;

907 views • 35 slides
Seminar on Land-Use Planning and Industrial Safety Session 5 Practical Session with a Role

Seminar on Land-Use Planning and Industrial Safety Session 5 Practical Session with a Role

Seminar on Land-Use Planning and Industrial Safety Session 5 Practical Session with a Role Play Explanation of the practical session: the scenario, role play, and organizational aspects Lamot Heritage Conference Centre, Mechelen, Belgium

275 views • 24 slides
Practical Memory Leak Detector Based on Parameterized Procedural Summaries Yungbum Jung,

Practical Memory Leak Detector Based on Parameterized Procedural Summaries Yungbum Jung,

Practical Memory Leak Detector Based on Parameterized Procedural Summaries Yungbum Jung, Kwangkeun Yi { dreameye, kwang } @ropas.snu.ac.kr Programming Research Lab. Seoul National University Korea June 8, 2008 International Symposium on

748 views • 31 slides
Practical Near-Data Processing for In-Memory Analytics Frameworks Mingyu Gao, Grant Ayers,

Practical Near-Data Processing for In-Memory Analytics Frameworks Mingyu Gao, Grant Ayers,

Practical Near-Data Processing for In-Memory Analytics Frameworks Mingyu Gao, Grant Ayers, Christos Kozyrakis Stanford University http://mast.stanford.edu PACT Oct 19, 2015 Motivating Trends End of Dennard scaling systems are energy

290 views • 27 slides
Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Main Focus I. Memory as a process Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory the process by which I. Sensory Memory information is - acquired, II. Short -Term Memory - stored,

169 views • 5 slides
Practical Verification of High-Level Dataraces in Transactional Memory Programs Vasco Pessanha

Practical Verification of High-Level Dataraces in Transactional Memory Programs Vasco Pessanha

Practical Verification of High-Level Dataraces in Transactional Memory Programs Vasco Pessanha (*) Ricardo J. Dias (*) Joo L Loureno (*) (*) Eitan Farchi (+) Diogo Sousa (*) (*) Universidade Nova de Lisboa (+) IBM Research Labs

318 views • 27 slides
Practical Multi-threaded Graph Coloring Algorithms for Shared Memory Architecture Nandini Singhal

Practical Multi-threaded Graph Coloring Algorithms for Shared Memory Architecture Nandini Singhal

Practical Multi-threaded Graph Coloring Algorithms for Shared Memory Architecture Nandini Singhal Sathya Peri Subrahmanyam Kalyanasundaram Department of Computer Science &amp; Engineering Indian Institute of Technology Hyderabad ICDCN AADDA

676 views • 55 slides
Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained Contracts Preprocessor Safety Whimsical execution Garbage collection Explicit memory management Memory initialization

967 views • 63 slides
Rest Service with Intellij Overview Download IntellIj and run as Administrator Setup

Rest Service with Intellij Overview Download IntellIj and run as Administrator Setup

Rest Service with Intellij Overview Download IntellIj and run as Administrator Setup Server Create Project Create Artifact Check Artifact to server Add Java Code Compile Add Server Download Glass Fish

565 views • 14 slides
Building a Killer REST Client for Your REST+JSON API Les

Building a Killer REST Client for Your REST+JSON API Les

Building a Killer REST Client for Your REST+JSON API Les Hazlewood @lhazlewood Apache Shiro Project Chair CTO, Stormpath stormpath.com @lhazlewood |

701 views • 59 slides
WORDY Giovanni Luca Lo Magno lomagno.gl@virgilio.it University of Palermo SWire at a glance

WORDY Giovanni Luca Lo Magno lomagno.gl@virgilio.it University of Palermo SWire at a glance

2017 German Stata Users Group meeting Berlin, June 23 Connecting Stata to the rest of the world via SWire : several applications including SWordy, an Office add-in to facilitate interaction between Microsoft Word and Stata WORDY Giovanni Luca

1.86k views • 152 slides
Qt a Qt and W nd WebSe bService rvices Tim Dewhirst &lt;tim@kdab.com&gt; WARNING! Acronym

Qt a Qt and W nd WebSe bService rvices Tim Dewhirst &lt;tim@kdab.com&gt; WARNING! Acronym

Qt a Qt and W nd WebSe bService rvices Tim Dewhirst &lt;tim@kdab.com&gt; WARNING! Acronym Heavy Overview What are they? History Popular service types Qt Clients Servers What are they? W3C: &quot;a software system

618 views • 39 slides
WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server

WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server

WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server WSGI Response Python Web Application Connectionless Media Independent Stateless WSGI : Web Server Gateway Interface 2 HTTP Methods

395 views • 28 slides
Evaluating REST architectures Telecom SudParis 2019-2020: CCN Presented by:KASHAMA Katanga Wa

Evaluating REST architectures Telecom SudParis 2019-2020: CCN Presented by:KASHAMA Katanga Wa

Evaluating REST architectures Telecom SudParis 2019-2020: CCN Presented by:KASHAMA Katanga Wa Muila , Yerik KASSYM Outlines: 1. Terminology 2. What gives us REST and When to use? 3. Difference between Traditional HTTP , SOAP and REST

351 views • 23 slides
Getting Things Done with REST Ian Robinson http://ian S

Getting Things Done with REST Ian Robinson http://ian S

Getting Things Done with REST Ian Robinson http://ian S robinson.com @ian S robinson ian S robinson@gmail.com Getting Things Done Pick your path Executing a

993 views • 48 slides
Experiences on a Design Approach for Interactive Web Applications Experiences on a Design

Experiences on a Design Approach for Interactive Web Applications Experiences on a Design

Experiences on a Design Approach for Interactive Web Applications Experiences on a Design Approach for Interactive Web Applications Janne Kuuskeri Tampere University of Technology Stratagen Systems Current Browser Server Current

598 views • 43 slides

More recommend