diehard probabilistic memory safety for unsafe
play

DieHard: Probabilistic Memory Safety for Unsafe Programming - PowerPoint PPT Presentation

Oct 17, 2023 •249 likes •609 views

DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery Berger Ben Zorn University of Massachusetts Microsoft Research Amherst Presented by: Brian Norris PLDI 2006 PLDI 2006 Frivolity Happy Leap Day! PLDI 2006

  1. DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery Berger Ben Zorn University of Massachusetts Microsoft Research Amherst Presented by: Brian Norris PLDI 2006 PLDI 2006

  2. Frivolity  Happy Leap Day! PLDI 2006 PLDI 2006

  3. Frivolity  Happy Leap Day!  die-hard  (adj.) strongly or fanatically determined or devoted PLDI 2006 PLDI 2006

  4. Frivolity  Happy Leap Day!  die-hard  (adj.) strongly or fanatically determined or devoted PLDI 2006 PLDI 2006

  5. Frivolity  Happy Leap Day!  die-hard  (adj.) strongly or fanatically determined or devoted PLDI 2006 PLDI 2006

  6. Problems with Unsafe Languages  C, C++: pervasive apps, but memory unsafe  Numerous opportunities for security vulnerabilities, errors  Double free  Invalid free  Uninitialized reads  Dangling pointers  Buffer overflows (stack & heap ) PLDI 2006 PLDI 2006

  7. Current Approaches  Unsound, may work or abort  Windows, GNU libc, etc., Rx  Unsound, will definitely continue  Failure oblivious (Rinard) **  Sound, definitely aborts (fail-safe)  CCured , CRED , SAFECode  Requires C source, programmer intervention  30% to 20X slowdowns  Good for debugging , less for deployment PLDI 2006 PLDI 2006

  8. DieHard  Sound execution (with high probability)  Fully-randomized memory manager  Increases odds of benign memory errors  Ensures different heaps across users  Replication  Run multiple replicas simultaneously, vote on results  Detects crashing & non-crashing errors  Trades space (and CPU?) for increased reliability PLDI 2006 PLDI 2006

  9. Soundness for “Erroneous” Programs  Consider infinite-heap allocator:  All new s fresh ; ignore delete  No dangling pointers, invalid frees, double frees  Every object infinitely large  No buffer overflows, data overwrites  Transparent to correct program  “Erroneous” programs sound PLDI 2006 PLDI 2006

  10. Approximating Infinite Heaps  Infinite ) M-heaps: probabilistic soundness  Option 1: Pad allocations & defer deallocations + Simple – No protection from larger overflows – pad = 8 bytes, overflow = 9 bytes… – Deterministic : overflow crashes everyone  Better: randomize heap + Probabilistic protection against errors + Independent across heaps ? Efficient implementation… PLDI 2006 PLDI 2006

  11. Randomized Heap Layout 00000001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap  Bitmap-based, segregated size classes  Bit represents one object of given size  i.e., one bit = 2 i+3 bytes, etc.  Prevents fragmentation PLDI 2006 PLDI 2006

  12. Randomized Allocation 00000001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap malloc(sz):  compute size class = ceil(log 2 sz) – 3  randomly probe bitmap for zero-bit (free)  Fast: runtime O(1)  M=2 ) E[# of probes] · 2 PLDI 2006 PLDI 2006

  13. Randomized Allocation 00010001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap malloc(sz):  compute size class = ceil(log 2 sz) – 3  randomly probe bitmap for zero-bit (free)  Fast: runtime O(1)  M=2 ) E[# of probes] · 2 PLDI 2006 PLDI 2006

  14. Randomized Deallocation 00010001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap free(ptr):  Ensure object valid (aligned)  Check bitmap  Reset bit  Prevents invalid frees, double frees PLDI 2006 PLDI 2006

  15. Randomized Deallocation 00010001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap free(ptr):  Ensure object valid (aligned)  Check bitmap  Reset bit  Prevents invalid frees, double frees PLDI 2006 PLDI 2006

  16. Randomized Deallocation 00000001 1010 10 metadata size = 2 i+3 2 i+4 2 i+5 heap free(ptr):  Ensure object valid (aligned)  Check bitmap  Reset bit  Prevents invalid frees, double frees PLDI 2006 PLDI 2006

  17. Randomized Heaps & Reliability object size = 2 i+3 object size = 2 i+4 … 2 4 5 3 1 6 3  Objects randomly spread across heap  Different run = different heap  Errors across heaps independent PLDI 2006 PLDI 2006

  18. Randomized Heaps & Reliability object size = 2 i+3 object size = 2 i+4 … 2 4 5 3 1 6 3  Objects randomly spread across heap  Different run = different heap  Errors across heaps independent … 1 6 3 2 5 4 1 PLDI 2006 PLDI 2006

  19. Randomized Heaps & Reliability object size = 2 i+3 object size = 2 i+4 … 2 4 5 3 1 6 3 My Mozilla: “malignant” overflow  Objects randomly spread across heap  Different run = different heap  Errors across heaps independent … 1 6 3 2 5 4 1 PLDI 2006 PLDI 2006

  20. Randomized Heaps & Reliability object size = 2 i+3 object size = 2 i+4 … 2 4 5 3 1 6 3 My Mozilla: “malignant” overflow  Objects randomly spread across heap  Different run = different heap  Errors across heaps independent Your Mozilla: “benign” overflow … 1 6 3 2 5 4 1 PLDI 2006 PLDI 2006

  21. DieHard software architecture replica 1 seed 1 input output replica 2 seed 2 vote broadcast replica 3 seed 3 execute replicas  Each replica has different allocator  “Output equivalent” – kill failed replicas PLDI 2006 PLDI 2006

  22. Results  Analytical results  Buffer overflows  Dangling pointer errors  Uninitialized reads  Empirical results  Runtime overhead  Error avoidance  Injected faults & actual applications PLDI 2006 PLDI 2006

  23. Analytical Results: Buffer Overflows  Model overflow as write of live data  Heap half full (max occupancy) PLDI 2006 PLDI 2006

  24. Analytical Results: Buffer Overflows  Model overflow as write of live data  Heap half full (max occupancy) PLDI 2006 PLDI 2006

  25. Analytical Results: Buffer Overflows  Model overflow as write of live data  Heap half full (max occupancy) PLDI 2006 PLDI 2006

  26. Analytical Results: Buffer Overflows  Replicas: Increase odds of avoiding overflow in at least one replica replicas PLDI 2006 PLDI 2006

  27. Analytical Results: Buffer Overflows  Replicas: Increase odds of avoiding overflow in at least one replica replicas PLDI 2006 PLDI 2006

  28. Analytical Results: Buffer Overflows  Replicas: Increase odds of avoiding overflow in at least one replica replicas  P(Overflow in all replicas) = (1/2) 3 = 1/8  P(No overflow in ¸ 1 replica) = 1-(1/2) 3 = 7/8 PLDI 2006 PLDI 2006

  29. Analytical Results: Buffer Overflows F = free space  H = heap size  N = # objects  worth of overflow k = replicas  Overflow one object  PLDI 2006 PLDI 2006

  30. Empirical Results: Runtime PLDI 2006 PLDI 2006

  31. Empirical Results: Runtime PLDI 2006 PLDI 2006

  32. Empirical Results: Error Avoidance  Injected faults:  Dangling pointers (@50%, 10 allocations)  glibc : crashes ; DieHard : 9/10 correct  Overflows (@1%, 4 bytes over)  glibc : crashes 9/10, inf loop ; DieHard : 10/10 correct  Real faults:  Avoids Squid web cache overflow  Crashes BDW & glibc  Avoids dangling pointer error in Mozilla  DoS in glibc & Windows PLDI 2006 PLDI 2006

  33. Conclusion  Randomization + replicas = probabilistic memory safety  Useful point between absolute soundness (fail-stop) and unsound  Trades hardware resources (RAM, CPU) for reliability  Hardware trends  Larger memories, multi-core CPUs  Follows in footsteps of ECC memory, RAID PLDI 2006 PLDI 2006

  34. Major Weakness  Excessive memory, CPU usage  Fallacy: we can forfeit extra memory and CPU resources because they are becoming cheaper  For production use (seriously?)  Inconsistent comparisons PLDI 2006 PLDI 2006

  35. Related Work  Unsound, will definitely continue  Failure oblivious (Rinald) [30, 32] **  Introduced idea of “boundless memory blocks”  Same benefits with less memory?  DieHarder PLDI 2006 PLDI 2006

Recommend

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Our Design Leadership process began with finding a need. What is Personal Safety? Who feels

Our Design Leadership process began with finding a need. What is Personal Safety? Who feels

Our Design Leadership process began with finding a need. What is Personal Safety? Who feels safe/unsafe in public? How do we understand their story Irene Kuo Brainstorms Why do people feel unsafe? Too Broad General Safety Too Broad Safety

620 views • 12 slides
The business case of unsafe The business case of unsafe care care 16 billion injections a

The business case of unsafe The business case of unsafe care care 16 billion injections a

Health care causes harm to patients Better knowledge for safer care GCC Conference on Patient Safety 6-8 April 2009 Research for Patient Safety Itziar Larizgoitia Head Research & knowledge Management Patient Safety WHO The business case

318 views • 4 slides
Diditwithbuckets: NumberTheory: 3gal.&5gal. DieHard 3gal.&9gal.

Diditwithbuckets: NumberTheory: 3gal.&5gal. DieHard 3gal.&9gal.

GeneralizedDieHard MathematicsforComputerScience MIT 6.042J/18.062J Diditwithbuckets: NumberTheory: 3gal.&5gal. DieHard 3gal.&9gal. Uniquefactorization Nowagal.&bgal.? AlbertRMeyer March5,2012

425 views • 3 slides
Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust! Memory Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy

556 views • 53 slides
Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is

Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors Is memory safety relevant? Yes!

827 views • 47 slides
Unsafe & safe road way design Unsafe & safe road way design for urban roads for

Unsafe & safe road way design Unsafe & safe road way design for urban roads for

PIARC International Road Safety Safety Seminar Seminar PIARC International Road Beijing 18 20 20 October October 2005 2005 Beijing 18 Unsafe & safe road way design Unsafe & safe road way design for urban roads for

1.02k views • 34 slides
Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

r e l i p e m v o i t c c Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler perspective. Kostya Serebryany , Evgenii Stepanov, Vlad Tsyrklevich (Google) Oct 2018 1 Agenda ARM v8.5

504 views • 29 slides
Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated? Where does memory live? What kinds of pointers does Rust have? Memory management goal: Allocate memory when you need it, and free it when

614 views • 24 slides
Safety Culture at Catalysis Engineering Goal We are good at the formal aspects of safety

Safety Culture at Catalysis Engineering Goal We are good at the formal aspects of safety

Safety Culture at Catalysis Engineering Goal We are good at the formal aspects of safety (safety test, SAS, gas team, etc.) But do we have a safety culture? - Detect and remediate unsafe situations? - Talk to our colleagues when they work

515 views • 4 slides
Born in the surf. Raised in the mountains OUR STORY A diehard skier and surfer, Shawn Biega

Born in the surf. Raised in the mountains OUR STORY A diehard skier and surfer, Shawn Biega

Born in the surf. Raised in the mountains OUR STORY A diehard skier and surfer, Shawn Biega spent endless hours in the sun. As an outdoor athlete, he understood the need for sun protection that could withstand salt water, high altitudes and

918 views • 25 slides
WELCOME! Why are you in this room right now? What: Internet Safety and Review of Behavior

WELCOME! Why are you in this room right now? What: Internet Safety and Review of Behavior

WELCOME! Why are you in this room right now? What: Internet Safety and Review of Behavior Expectations Why: Weve had some instances of unsafe practices within our student body and we care about your safety. How: Provide you

422 views • 19 slides
Probabilistic cellular automata with memory two Ir` ene Marcovici Joint work with J er ome

Probabilistic cellular automata with memory two Ir` ene Marcovici Joint work with J er ome

Probabilistic cellular automata with memory two Ir` ene Marcovici Joint work with J er ome Casse (NYU Shanghai) Institut Elie Cartan de Lorraine, Univ. de Lorraine, Nancy ALEA in Europe Workshop Vienna, October 13, 2017 Ir` ene

1.34k views • 62 slides
On the Memory Consumption of Probabilistic Pushdown Automata Tom Brzdil 1 Javier Esparza 2

On the Memory Consumption of Probabilistic Pushdown Automata Tom Brzdil 1 Javier Esparza 2

On the Memory Consumption of Probabilistic Pushdown Automata Tom Brzdil 1 Javier Esparza 2 Stefan Kiefer 3 1 Masaryk University, Brno (Czech Republic) 2 TU Mnchen (Germany) 3 University of Oxford (UK) FSTTCS (Kanpur, India), 15 December,

743 views • 40 slides
Product Safety Consumer Products Controlling the safety of non-food products beyond 2015

Product Safety Consumer Products Controlling the safety of non-food products beyond 2015

Product Safety Consumer Products Controlling the safety of non-food products beyond 2015 Northamptonshire County Council Trading Standards Service Toni Eldridge 01604 362447 tseldridge@northamptonshire.gov.uk Issues unsafe

334 views • 12 slides
Improving Farm Tap Safety Goal: Improved Safety BHEs goal from the proposal is to improve farm

Improving Farm Tap Safety Goal: Improved Safety BHEs goal from the proposal is to improve farm

Improving Farm Tap Safety Goal: Improved Safety BHEs goal from the proposal is to improve farm tap safety (from Northern Natural Gas pipe to premise) Test fuel lines for leaks and material compliance Replace unsafe lines Install

248 views • 9 slides
Workpla orkplace Saf ce Safety ety C Competi ompetitio ion Health Health & Safet &

Workpla orkplace Saf ce Safety ety C Competi ompetitio ion Health Health & Safet &

Workpla orkplace Saf ce Safety ety C Competi ompetitio ion Health Health & Safet & Safety P Pres esen entatio tation Detai Details ls Objective: To review an unsafe act, develop a safe work instruction and create a

481 views • 8 slides
Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure

Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure

Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure Software Systems Day 2: Memory Safety Introduction Reversing the stack Stephen McCamant University of Minnesota, Computer Science & Engineering

440 views • 4 slides
SEER PROBABILISTIC SCHEDULING FOR COMMODITY HARDWARE TRANSACTIONAL MEMORY Nuno Diegues , Paolo

SEER PROBABILISTIC SCHEDULING FOR COMMODITY HARDWARE TRANSACTIONAL MEMORY Nuno Diegues , Paolo

27 th Symposium on Parallel Architectures and Algorithms SEER PROBABILISTIC SCHEDULING FOR COMMODITY HARDWARE TRANSACTIONAL MEMORY Nuno Diegues , Paolo Romano and Stoyan Garbatov 2 Seer: Scheduling for Commodity HTM SPAA 2015 The multi-core

681 views • 25 slides
INTRODUCTION OF PROBABILISTIC SAFETY ANALYSIS OF THE NPP TEMELIN Author: Miroslav Jake

INTRODUCTION OF PROBABILISTIC SAFETY ANALYSIS OF THE NPP TEMELIN Author: Miroslav Jake

INTRODUCTION OF PROBABILISTIC SAFETY ANALYSIS OF THE NPP TEMELIN Author: Miroslav Jake Contents Introduction of PSA Summary of PSA results Present PSA conclusions Updating actions Introduction First part of the Level 1PSA

258 views • 10 slides
Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Main Focus I. Memory as a process Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory the process by which I. Sensory Memory information is - acquired, II. Short -Term Memory - stored,

169 views • 5 slides
UNSAFE PORTS: abnormal occurrences and the insurance solution. David Pitlarge Partner Marine,

UNSAFE PORTS: abnormal occurrences and the insurance solution. David Pitlarge Partner Marine,

UNSAFE PORTS: abnormal occurrences and the insurance solution. David Pitlarge Partner Marine, Trade & Energy Hill Dickinson LLP Unsafe Ports: abnormal occurrences Basic warranty Practical terms types of dispute

466 views • 19 slides
Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained Contracts Preprocessor Safety Whimsical execution Garbage collection Explicit memory management Memory initialization

967 views • 63 slides
Table of Contents I Probabilistic Reasoning Classical Probabilistic Models Basic Probabilistic

Table of Contents I Probabilistic Reasoning Classical Probabilistic Models Basic Probabilistic

Table of Contents I Probabilistic Reasoning Classical Probabilistic Models Basic Probabilistic Reasoning: The Jungle Story Multiple Random Selection Rules: Dice New Constructs Causal Probability Observations and Intentions Dynamic Range

1.08k views • 73 slides

More recommend