enhancing memory error detection for large scale
play

Enhancing Memory Error Detection for Large-Scale Applications and - PowerPoint PPT Presentation

Mar 18, 2024 •177 likes •659 views

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han , Byunggil Joe, Byoungyoung Lee * , Chengyu Song , Insik Shin KAIST, * Purdue, UCR 1 Memory error glibc: getaddrinfo Heartbleed Shellshock

  1. Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han , Byunggil Joe, Byoungyoung Lee * , Chengyu Song † , Insik Shin KAIST, * Purdue, † UCR 1

  2. Memory error glibc: getaddrinfo Heartbleed Shellshock stack-based buffer overflow • Information leakage – Heartbleed • Privilege escalation – Shellshock • Remote code execution – Shellshock, glibc, Conficker 2

  3. Memory error detection • Pointer-based [SoftBound+CETS, Intel MPX] • Hardware support (cannot detect temporal memory errors) • Challenges to support complex applications • Redzone-based [AddressSanitizer (ASan)] • Compatible to complex applications • Most popular in practice  Google Chrome, Mozilla Firefox, Linux Kernel  American Fuzzy Lop (AFL), ClusterFuzz, OSS-Fuzz 3

  4. Redzone-based memory error detection • Buffer overflow (spatial memory errors) ptrX Shadow memory: a bitmap to validate all addresses objX Check before access Shadow memory Accessible 4

  5. Redzone-based memory error detection • Buffer overflow (spatial memory errors) ptrX Shadow memory: a bitmap to validate all addresses objX Check before Redzone: inaccessible access region between objects Shadow memory Accessible Inaccessible (redzone) 4

  6. Redzone-based memory error detection • Buffer overflow (spatial memory errors) ptrX Shadow memory: a bitmap to validate all addresses objX Redzone: inaccessible Error! region between objects Shadow memory Accessible Inaccessible (redzone) 4

  7. Redzone-based memory error detection • Use-after-free (temporal memory errors) ptrX objX Accessible Inaccessible Shadow memory 5

  8. Redzone-based memory error detection • Use-after-free (temporal memory errors) ptrX ptrX free(ptrX) objX Region is invalidated Quarantined and quarantined, but not actually deallocated Accessible Inaccessible Shadow memory 5

  9. Redzone-based memory error detection • Use-after-free (temporal memory errors) ptrX ptrX Hold the free(ptrX) objX region until Quarantined quarantine zone is full (FIFO) Accessible Inaccessible Shadow memory 5

  10. Redzone-based memory error detection • Use-after-free (temporal memory errors) ptrX ptrY ptrX ptrY = malloc() free(ptrX) objX objY Quarantined The region is actually deallocated, and can be allocated to a new object Accessible Inaccessible Shadow memory 5

  11. Limitations of redzone-based approach 1. What if a pointer accesses beyond redzone? ptrX objX objY 6

  12. Limitations of redzone-based approach 1. What if a pointer accesses beyond redzone? objX ptrX objY Spatial memory error 6

  13. Limitations of redzone-based approach 1. What if a pointer 2. What if a dangling pointer accesses beyond accesses after another object redzone? is allocated in the region? objX ptrX ptrX objX objY Spatial memory error 6

  14. Limitations of redzone-based approach 1. What if a pointer 2. What if a dangling pointer accesses beyond accesses after another object redzone? is allocated in the region? objX ptrX ptrX ptrX objX objZ objY Temporal memory error Spatial memory error 6

  15. Limitations of redzone-based approach 1. What if a pointer 2. What if a dangling pointer accesses beyond accesses after another object redzone? is allocated in the region? objX ptrX ptrX Cannot detect! ptrX objX objZ objY Temporal memory error Spatial memory error 6

  16. Motivation P1 • To enhance detectability of redzone- obj1 based memory error detection • P1. Large gap to detect spatial memory errors P1 • P2. Large quarantine zone to detect temporal memory errors obj1 P1 7

  17. Motivation P1 • To enhance detectability of redzone- P2 obj1 obj1 based memory error detection • P1. Large gap to detect spatial memory errors P1 • P2. Large quarantine zone to detect temporal memory errors P2 obj1 obj2 P1 7

  18. Motivation P1 • To enhance detectability of redzone- P2 obj1 obj1 based memory error detection • P1. Large gap to detect spatial memory errors P1 • P2. Large quarantine zone to detect temporal memory errors P2 obj1 obj2 Huge physical memory P1 required 7

  19. MEDS overview • Enhances detectability of redzone-based memory error detection • Idea: Fully utilize 64-bit virtual address space to support • P1. Large gap to detect spatial error • P2. Large quarantine zone to detect temporal error • Approach : minimize physical memory use • Page aliasing allocator and page protection • Hierarchical memory error detection 8

  20. Page aliasing (P1) • Maps multiple virtual pages to single physical page Virtual obj1 A memory page obj2 Allocated Redzone Page aliasing obj4 9

  21. Page aliasing (P1) • Maps multiple virtual pages to single physical page Virtual obj1 Physical obj1 obj2 A memory page obj3 obj2 obj4 Allocated Redzone Page aliasing obj4 9

  22. Page aliasing (P1) • Maps multiple virtual pages to single physical page Virtual obj1 Redzone itself does not occupy physical memory Physical obj1 obj2 A memory page obj3 obj2 obj4 Allocated Redzone Page aliasing obj4 9

  23. Page protection (P1) • Redzone only pages are unmapped Virtual obj1 Physical obj1 A memory page obj2 obj3 Unmapped page obj4 obj2 Allocated Redzone Page aliasing 10

  24. Page protection (P1) • Redzone only pages are unmapped Do not occupy shadow memory and physical Virtual memory obj1 Physical obj1 A memory page obj2 obj3 Unmapped page obj4 obj2 Allocated Redzone Page aliasing 10

  25. Page aliasing & Page protection (P2) Virtual obj1 Physical obj1 obj2 A memory page obj3 obj4 Unmapped page obj4 Allocated Redzone Page aliasing 11

  26. Page aliasing & Page protection (P2) Virtual Virtual obj1 Quarantined Physical Physical obj1 obj2 obj2 A memory page obj3 obj3 obj4 obj4 Unmapped page obj4 obj4 Allocated Redzone Page aliasing 11

  27. Page aliasing & Page protection (P2) Virtual Virtual obj1 Quarantined Physical Physical obj1 objX obj2 obj2 A memory page obj3 obj3 obj4 obj4 Unmapped page obj4 obj4 Allocated objX Redzone Page aliasing 11

  28. Page aliasing & Page protection (P2) Virtual Virtual Reuse physical obj1 memory immediately, Quarantined while not reusing virtual addresses Physical Physical obj1 objX obj2 obj2 A memory page obj3 obj3 obj4 obj4 Unmapped page obj4 obj4 Allocated objX Redzone Page aliasing 11

  29. Hierarchical memory error detection • Many different ways to represent redzones  Further optimizing physical memory uses ptr 12

  30. Hierarchical memory error detection • Many different ways to represent redzones  Further optimizing physical memory uses ptr #1. Shadow memory is invalid 12

  31. Hierarchical memory error detection • Many different ways to represent redzones  Further optimizing physical memory uses ptr #1. Shadow memory is invalid #2. Virtual page is unmapped 12

  32. Hierarchical memory error detection • Many different ways to represent redzones  Further optimizing physical memory uses ptr #1. Shadow memory is invalid #2. Virtual page is unmapped #3. Shadow memory is unmapped 12

  33. Evaluation • Configuration ASan MEDS Improv. Redzone 8-1024 bytes 4MB 16,384x Quarantine 128MB 80TB 65,536x • ASan cannot use configuration for MEDS (lack of memory) • Compatibility • Performance: 2 times slowdown • Detection (fuzz testing): 68% more detection 13

  34. Compatibility • Unit tests from real-world applications • Test cases in Chrome, Firefox, Nginx • All Passed • Memory error unit tests • ASan unit tests • All Passed • NIST Juliet test suites • All Passed except random access tests  ASan: 35% vs. MEDS: 98% 14

  35. Micro-scale performance overhead • TLB misses • 5 times more than ASan (more virtual pages with page aliasing ) • Number of system calls • mmap(), munmap(), and mremap() • 32 times more than ASan ( page aliasing and page protection ) • Memory footprint • 218% more than baseline • 68% more than ASan (much larger redzone and quarantine ) 15

  36. End-to-end performance overhead • 108% compared to baseline, 86% to ASan 4 3 2 1 Baseline 0 Chrome Firefox Apache Nginx ASan MEDS 16

  37. End-to-end performance overhead • 108% compared to baseline, 86% to ASan 4 41% to baseline 3 22% to ASan 2 1 Baseline 0 Chrome Firefox Apache Nginx ASan MEDS 16

  38. End-to-end performance overhead Large number of • 108% compared to baseline, 86% to ASan small objects on 4 stack 41% to baseline 3 243% to baseline 22% to ASan 211% to ASan 2 1 Baseline 0 Chrome Firefox Apache Nginx ASan MEDS 16

  39. Detection (fuzz testing) • Run AFL (8 cores, 6 hours) • Despite the performance overhead, explore 68.3% more unique crashes than ASan 4 3.5 3 2.5 2 1.5 ASan 1 0.5 0 17

  40. Detection (fuzz testing) • Run AFL (8 cores, 6 hours) • Despite the performance overhead, explore 68.3% more unique crashes than ASan MEDS finds more unique crashes in 4 3.5 initial phase, but saturated in the end 3 2.5 2 1.5 ASan 1 0.5 0 17

  41. Detection (fuzz testing) • Number of unique crashes with time spent (metacam) 70 Saturated 60 Found crashes 50 40 30 20 10 0 1 2 3 4 5 6 7 8 Time spent (hrs) ASan MEDS 18

Recommend

ERROR DETECTON & CORRECTION Error Detection EDC= Error Detection and Correction bits

ERROR DETECTON & CORRECTION Error Detection EDC= Error Detection and Correction bits

ERROR DETECTON & CORRECTION Error Detection EDC= Error Detection and Correction bits (redundancy) D = Data protected by error checking, may include header fields Error detection not 100% reliable! protocol may miss some errors,

320 views • 18 slides
Physical layer Error detection, correction Martin Heusse X L A TEX E Error detection

Physical layer Error detection, correction Martin Heusse X L A TEX E Error detection

Physical layer Error detection, correction Martin Heusse X L A TEX E Error detection Idea = Add redundant information in the transmitted data to check for errors or even correct them Also used for data storage, memory (Am I

229 views • 11 slides
Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes

Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes

Srinidhi Varadarajan 02/14/2000 Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes (e.g. CRC, Send a duplicate copy of the Parity, Checksums) message Error Correction Codes (e.g. Problems

269 views • 5 slides
Extending a Compiler Backend for Complete Memory Error Detection Norman A. Rink and Jeronimo

Extending a Compiler Backend for Complete Memory Error Detection Norman A. Rink and Jeronimo

Extending a Compiler Backend for Complete Memory Error Detection Norman A. Rink and Jeronimo Castrillon Technische Universitt Dresden Automotive Safety & Security 2017 30 May 2017 Stuttgart Outline 1. Motivation 2. Error detection,

573 views • 23 slides
Error Detection Two types Error Detection Codes (e.g. CRC, Parity, Checksums) Error

Error Detection Two types Error Detection Codes (e.g. CRC, Parity, Checksums) Error

Error Detection Two types Error Detection Codes (e.g. CRC, Parity, Checksums) Error Correction Codes (e.g. Hamming, Reed Solomon) Basic Idea Add redundant information to determine if errors have been introduced Why

643 views • 25 slides
XED:%EXPOSING%ON,DIE%ERROR% DETECTION%INFORMATION%FOR% STRONG%MEMORY%RELIABILITY

XED:%EXPOSING%ON,DIE%ERROR% DETECTION%INFORMATION%FOR% STRONG%MEMORY%RELIABILITY

XED:%EXPOSING%ON,DIE%ERROR% DETECTION%INFORMATION%FOR% STRONG%MEMORY%RELIABILITY Prashant%Nair,%Georgia%Tech Vilas&Sridharan ," AMD&Inc.&&&&& Moinuddin Qureshi,&Georgia Tech ISCA%43,)June)20 th 2016

670 views • 56 slides
Memory Management Techniques for Large-Scale Persistent-Main-Memory Systems [VLDB 2017] Ismail

Memory Management Techniques for Large-Scale Persistent-Main-Memory Systems [VLDB 2017] Ismail

Memory Management Techniques for Large-Scale Persistent-Main-Memory Systems [VLDB 2017] Ismail Oukid, Daniel Booss, Adrien Lespinasse, Wolfgang Lehner, Thomas Willhalm, Grgoire Gomes Non-Volatile Memories Workshop March 12, 2018 PUBLIC

714 views • 21 slides
S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
Measurement of Timing Error Detection Performance of Software-based Error Detection Mechanisms

Measurement of Timing Error Detection Performance of Software-based Error Detection Mechanisms

Measurement of Timing Error Detection Performance of Software-based Error Detection Mechanisms and Its Correlation with Simulation Yutaka Masuda, Masanori Hashimoto, Takao Onoye Dept. of Information Systems Eng., Osaka University

376 views • 18 slides
Enhancing Interdisciplinary Cooperation in Large Scale Research Networks Andr Calero Valdez,

Enhancing Interdisciplinary Cooperation in Large Scale Research Networks Andr Calero Valdez,

Enhancing Interdisciplinary Cooperation in Large Scale Research Networks Andr Calero Valdez, Anne Kathrin Schaar, Martina Ziefle, Andreas Holzinger Agenda Overview Interdisciplinary Innovation Management 1 Investigating and supporting

500 views • 17 slides
Asynchronous Logging and Fast Recovery for a Large-Scale Distributed In-Memory Storage Kevin

Asynchronous Logging and Fast Recovery for a Large-Scale Distributed In-Memory Storage Kevin

Asynchronous Logging and Fast Recovery for a Large-Scale Distributed In-Memory Storage Kevin Beineke, Florian Klein, Michael Schttner Institut fr Informatik, Heinrich-Heine-Universitt Dsseldorf Outline Motivation The In-Memory

323 views • 21 slides
BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic New different approche for sending spam Basing on reputation of email providers Difficult to detect signup detection monitoring users' activity

157 views • 15 slides
Evaluation of Amplification attacks in large-scale networks to improve detection performance

Evaluation of Amplification attacks in large-scale networks to improve detection performance

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Evaluation of Amplification attacks in large-scale networks to improve detection performance Michael Kpferl Interdisciplinary Project Final

517 views • 49 slides
25 Million Flows Later Large-scale Detection of DOM-based XSS CCS 2013, Berlin Sebastian

25 Million Flows Later Large-scale Detection of DOM-based XSS CCS 2013, Berlin Sebastian

25 Million Flows Later Large-scale Detection of DOM-based XSS CCS 2013, Berlin Sebastian Lekies, Ben Stock , Martin Johns Agenda XSS & Attacker Scenario WebSec guys: wake up once you see a cat Motivation Our contributions

619 views • 34 slides
Hierarchical Parallel Matrix Multiplication on Large-Scale Distributed Memory Platforms

Hierarchical Parallel Matrix Multiplication on Large-Scale Distributed Memory Platforms

Problem Outline Experiments Summary Hierarchical Parallel Matrix Multiplication on Large-Scale Distributed Memory Platforms Jean-Nol Quintin, Khalid Hasanov, Alexey Lastovetsky Heterogeneous Computing Laboratory School of Computer Science

564 views • 41 slides
Anomaly Detection and Troubleshooting of Large Scale Systems from Event Logs Presented By Niloy

Anomaly Detection and Troubleshooting of Large Scale Systems from Event Logs Presented By Niloy

Anomaly Detection and Troubleshooting of Large Scale Systems from Event Logs Presented By Niloy Ganguly Bivas Mitra, Subhendu Khatuya Also in collaboration with NetApp Department of Computer Science and Engineering Indian Institute of

689 views • 53 slides
Data Analysis, Estimation, and Fault detection of Large-Scale Autonomous System of Vehicles Using

Data Analysis, Estimation, and Fault detection of Large-Scale Autonomous System of Vehicles Using

Data Analysis, Estimation, and Fault detection of Large-Scale Autonomous System of Vehicles Using Neural Networks Presented by: Parsa Yousefi Supervisors: Dr. M. Jamshidi, Dr. P. Benavidez June 23 rd , 2017 The University of Texas at San

571 views • 33 slides
Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut fr Telematik, Universitt Karlsruhe (TH), Germany Why Attack Detection still is important Distributed Denial-of-Service problem persists Attack

366 views • 19 slides
Memory Errors Bits in memory can be flipped Hard error The chip is broken E.g.,

Memory Errors Bits in memory can be flipped Hard error The chip is broken E.g.,

Verilog Memory Errors Bits in memory can be flipped Hard error The chip is broken E.g., manufacturing defect, wear (in Flash) Soft error Stored data corrupted, but cell still works Caused by atmospheric neutrons, alpha

291 views • 7 slides
Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in

Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in

Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in Production Julien Desfossez Michel Dagenais Dcembre 2014 cole Polytechnique de Montreal Latency-tracker Kernel module to track down

524 views • 17 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Optimizing Data Aggregation by Leveraging the Deep Memory Hierarchy on Large-scale Systems

Optimizing Data Aggregation by Leveraging the Deep Memory Hierarchy on Large-scale Systems

Optimizing Data Aggregation by Leveraging the Deep Memory Hierarchy on Large-scale Systems Franois Tessier , Paul Gressier, Venkatram Vishwanath Argonne National Laboratory, USA Thursday 14 th June, 2018 Context Computational science

648 views • 26 slides
INFRASTRUCTURE Optimizing Interrupt Handling Performance for Memory Failures in Large Scale Data

INFRASTRUCTURE Optimizing Interrupt Handling Performance for Memory Failures in Large Scale Data

INFRASTRUCTURE Optimizing Interrupt Handling Performance for Memory Failures in Large Scale Data Centers Harish Dattatraya Dixit, Fred Lin, Bill Holland, Matt Beadon, Zhengyu Yang, Sriram Sankar Hardware Sustaining. Facebook. MAP : 1.3B MAP

489 views • 30 slides
Using Timing-Error Detection and Correction for Transient-Error Tolerance and Adaptation to PVT

Using Timing-Error Detection and Correction for Transient-Error Tolerance and Adaptation to PVT

A Power-Efficient 32b ARM ISA Processor Using Timing-Error Detection and Correction for Transient-Error Tolerance and Adaptation to PVT Variation David Bull 1 , Shidhartha Das 1 , Karthik Shivashankar 1 , Ganesh Dasika 2 , Krisztian Flautner 1 ,

778 views • 41 slides

More recommend