practical memory safety with
play

Practical Memory Safety with REST KANAD SINHA & SIMHA - PowerPoint PPT Presentation

Feb 11, 2023 •338 likes •827 views

Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors Is memory safety relevant? Yes!

  1. Practical Memory Safety with REST KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY

  2. Is memory safety relevant? In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors

  3. Is memory safety relevant? Yes!

  4. Practical memory safety Presenting… Random Embedded Security Tokens or REST Core H/W primitive: Insert known 64B random value ( token ) in program and detect accesses to them.

  5. Practical memory safety Presenting… Random Embedded Security Tokens or REST Core H/W primitive: Insert known 64B random value ( token ) in program and detect accesses to them. char *buf = malloc(BUF_LEN); buf for (i=0; i<out_of_bounds; i++) buf = 0; Other allocs Heap

  6. Practical memory safety Presenting… Random Embedded Security Tokens or REST Core H/W primitive: Insert known 64B random value ( token ) in program and detect accesses to them. Token char *buf = malloc(BUF_LEN); buf for (i=0; i<out_of_bounds; i++) Token buf = 0; Other allocs Heap

  7. Practical memory safety Presenting… Random Embedded Security Tokens or REST Core H/W primitive: Insert known 64B random value ( token ) in program and detect accesses to them. • Trivial hardware implementation • Software framework based on AddressSanitizer • Provides heap safety for legacy binaries

  8. Background: Spatial Memory Safety Xander’s House Yana’s House Zoey’s House

  9. Background: Spatial Memory Safety char *ptr buf = malloc(BUF_LEN); ptr buf … buf ptr buf [in_bounds] = X; … ptr buf [out_of_bounds] = Y;

  10. Background: Spatial Memory Safety char *ptr buf = malloc(BUF_LEN); ptr buf … buf ptr buf [in_bounds] = X; … ptr buf [out_of_bounds] = Y;

  11. Background: Spatial Memory Safety char *ptr buf = malloc(BUF_LEN); ptr buf … buf ptr buf [in_bounds] = X; … ptr buf [out_of_bounds] = Y;

  12. Background: Temporal Memory Safety Xander moves out, Will moves in Xander’s House Yana’s House Zoey’s House

  13. Background: Temporal Memory Safety Xander moves out, Will moves in Will’s House Yana’s House Zoey’s House

  14. Background: Temporal Memory Safety char *ptr buf = malloc(BUF_LEN); ptr buf ptr buf [in_bounds] = X; buf … free(ptr buf ); ptr buf [in_bounds] = Y;

  15. Background: Temporal Memory Safety char *ptr buf = malloc(BUF_LEN); ptr buf ptr buf [in_bounds] = X; … free(ptr buf ); ptr buf [in_bounds] = Y;

  16. Previous H/W Solutions Mainly categorizable into 2 types.

  17. Previous H/W Solutions Mainly categorizable into 2 types. • Whitelisting: Pointer based + Good coverage + Temporal safety (for some) ptr buf - Performance overhead buf - Implementation overhead - Imprecise

  18. Previous H/W Solutions Mainly categorizable into 2 types. • Whitelisting: Pointer based + Good coverage + Temporal safety (for some) ptr - Performance overhead buf - Implementation overhead - Imprecise • Blacklisting: Location based + Fast - Weaker coverage (has false negatives) - Implementation overhead - No temporal protection

  19. Previous H/W Solutions Tag-based buf Buf *ptr buf Metadata is_valid(ptr buf )?

  20. REST : Primitive Overview Content-based blacklisting Token *ptr buf buf Buf is(*ptr buf == token)? Token REST primitive has trivial complexity, overhead

  21. REST : Spatial Memory Safety Xander’s House Yana’s House Zoey’s House

  22. REST : Temporal Memory Safety Will gets new house Yana’s House Zoey’s House

  23. REST Software

  24. Heap Safety Heap • Allocate and bookend region, malloc to program buf 24

  25. Heap Safety Heap • Allocate and bookend region, malloc to program • REST ’ize at free • Do not reallocate region until heap sufficiently consumed 25

  26. Heap Safety Heap • Allocate and bookend region, malloc to Spatial Protection program • REST ’ize at free • Do not reallocate region until heap sufficiently consumed 26

  27. Heap Safety Heap • Allocate and bookend region, malloc to program • REST’ize at free • Do not reallocate region until heap Temporal Protection sufficiently consumed Can be enabled for legacy binaries 27

  28. Stack Safety void foo() { buf char buf[64]; … return; } foo ‘s frame Previous frame 28

  29. Stack Safety void foo() { rz1 char rz1[64]; char buf[64]; buf char rz2[64]; arm(rz1); rz2 arm(rz2); … disarm(rz1); foo ‘s frame disarm(rz2); Previous return; frame } 29

  30. Stack Safety void foo() { rz1 char rz1[64]; char rz1[64]; char buf[64]; char buf[64]; buf char rz2[64]; char rz2[64]; arm(rz1); rz2 arm(rz2); … disarm(rz1); foo ‘s frame disarm(rz2); Previous return; frame } 30

  31. Stack Safety void foo() { rz1 char rz1[64]; char buf[64]; buf char rz2[64]; arm : Set token arm(rz1); rz2 arm rz1; arm(rz2); arm rz2; … disarm(rz1); foo ‘s frame disarm(rz2); Previous return; frame } 31

  32. Stack Safety void foo() { rz1 char rz1[64]; char buf[64]; buf char rz2[64]; arm(rz1); rz2 arm(rz2); … disarm rz1; disarm(rz1); foo ‘s frame disarm : Unset token disarm rz2; disarm(rz2); Previous return; frame } 32

  33. Stack Safety void foo() { rz1 char rz1[64]; char buf[64]; buf char rz2[64]; arm(rz1); rz2 arm(rz2); … disarm(rz1); foo ‘s frame disarm(rz2); Previous return; frame } Requires recompilation with REST plugin 33

  34. REST Hardware

  35. Naïve Design Every store involves an extra load  Complicated and expensive load/store X Memory Token L1-D Value = Core

  36. Cache Modifications Comparator at L1-D mem interface + 1b per L1-D line load/store X Token Bits Memory Token L1-D Value = Core

  37. Cache Miss load/store X Token Bits Memory Token L1-D Value = Core

  38. Cache Hit load/store X Token Bits Memory Token L1-D Value = Core

  39. Cache Eviction Armed outgoing line filled with token value load/store X Token Bits Memory Token L1-D Value = Core

  40. What about the core? TODO: Have to support arms and disarms • 512b writes • Special semantics: can only touch token with disarm LSQ design concerns: • Forwarding would break semantics • 512b data entries • How to match unaligned token access?

  41. Load-Store Queue • Forwarding breaks semantics Add 1b tag • 512b data entries Only update token bit • Detecting unaligned token access Split regular match logic 6 Data = Address Token Match Match CAM bit Logic Address

  42. Load-Store Queue • Forwarding breaks semantics Add 1b tag • 512b data entries Only update token bit • Detecting unaligned token access Split regular match logic 6 REST Violation Data = = Address Token Match Match CAM bit Logic Address

  43. REST Overhead

  44. REST Performance

  45. REST Performance

  46. REST Performance REST primitive overhead near-zero. Software overhead mostly from allocator.

  47. To conclude… REST : Hardware/software mechanism to detect common memory safety errors ◦ Low overhead, low complexity hardware implementation ◦ Heap safety for legacy binaries 22-90% faster than comparable software solution on SPEC CPU Questions?

Recommend

Abstractions for Practical Systems Caching and the memory hierarchy Operating systems and the

Abstractions for Practical Systems Caching and the memory hierarchy Operating systems and the

CS 240 Stage 3 Abstractions for Practical Systems Caching and the memory hierarchy Operating systems and the process model Virtual memory Dynamic memory allocation Victory lap Memory Hierarchy: Cache Memory hierarchy Cache basics Locality

1.02k views • 49 slides
Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust! Memory Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy

556 views • 53 slides
Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler

r e l i p e m v o i t c c Memory Tagging: e m p o s r r F e p how it improves C/C++ memory safety. Compiler perspective. Kostya Serebryany , Evgenii Stepanov, Vlad Tsyrklevich (Google) Oct 2018 1 Agenda ARM v8.5

504 views • 29 slides
Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated?

Memory Safety with Rust Will Crichton Todays goals When is memory allocated and deallocated? Where does memory live? What kinds of pointers does Rust have? Memory management goal: Allocate memory when you need it, and free it when

614 views • 24 slides
EUROCONTROL Safety Regulatory Requirements Practical Application European Organisation for the

EUROCONTROL Safety Regulatory Requirements Practical Application European Organisation for the

EUROCONTROL Safety Regulatory Requirements Practical Application European Organisation for the Safety of Air Navigation 1 ESARRs - Overview 1. Requirements for safety regulation by State authorities 2. Safety monitoring and improvement 3.

365 views • 10 slides
Considerations for the Practical Application of the Safety Requirements for Nuclear Power Plant

Considerations for the Practical Application of the Safety Requirements for Nuclear Power Plant

International Atomic Energy Agency Considerations for the Practical Application of the Safety Requirements for Nuclear Power Plant Design Joint ICTP-IAEA Essential Knowledge Workshop on Deterministic Safety Analysis and Engineering Aspects

747 views • 31 slides
Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure

Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure

Outline Memory safety and security CSci 4271W Stack buffer overflow Development of Secure Software Systems Day 2: Memory Safety Introduction Reversing the stack Stephen McCamant University of Minnesota, Computer Science &amp; Engineering

440 views • 4 slides
PRACTICAL EXPERIENCE OF IMPLEMENTING NATIONAL FOOD SAFETY EMERGENCY RESPONSE PLANS Mrs.

PRACTICAL EXPERIENCE OF IMPLEMENTING NATIONAL FOOD SAFETY EMERGENCY RESPONSE PLANS Mrs.

PRACTICAL EXPERIENCE OF IMPLEMENTING NATIONAL FOOD SAFETY EMERGENCY RESPONSE PLANS Mrs. Jongkolnee Vithayarungruangsri Director of Bureau of Food Safety Extension and Support Ministry of Public Health, Thailand foodsafety@moph.mail.go.th ;

907 views • 35 slides
Seminar on Land-Use Planning and Industrial Safety Session 5 Practical Session with a Role

Seminar on Land-Use Planning and Industrial Safety Session 5 Practical Session with a Role

Seminar on Land-Use Planning and Industrial Safety Session 5 Practical Session with a Role Play Explanation of the practical session: the scenario, role play, and organizational aspects Lamot Heritage Conference Centre, Mechelen, Belgium

275 views • 24 slides
Practical Memory Leak Detector Based on Parameterized Procedural Summaries Yungbum Jung,

Practical Memory Leak Detector Based on Parameterized Procedural Summaries Yungbum Jung,

Practical Memory Leak Detector Based on Parameterized Procedural Summaries Yungbum Jung, Kwangkeun Yi { dreameye, kwang } @ropas.snu.ac.kr Programming Research Lab. Seoul National University Korea June 8, 2008 International Symposium on

749 views • 31 slides
Practical Near-Data Processing for In-Memory Analytics Frameworks Mingyu Gao, Grant Ayers,

Practical Near-Data Processing for In-Memory Analytics Frameworks Mingyu Gao, Grant Ayers,

Practical Near-Data Processing for In-Memory Analytics Frameworks Mingyu Gao, Grant Ayers, Christos Kozyrakis Stanford University http://mast.stanford.edu PACT Oct 19, 2015 Motivating Trends End of Dennard scaling systems are energy

290 views • 27 slides
Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Main Focus I. Memory as a process Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory the process by which I. Sensory Memory information is - acquired, II. Short -Term Memory - stored,

169 views • 5 slides
Practical Verification of High-Level Dataraces in Transactional Memory Programs Vasco Pessanha

Practical Verification of High-Level Dataraces in Transactional Memory Programs Vasco Pessanha

Practical Verification of High-Level Dataraces in Transactional Memory Programs Vasco Pessanha (*) Ricardo J. Dias (*) Joo L Loureno (*) (*) Eitan Farchi (+) Diogo Sousa (*) (*) Universidade Nova de Lisboa (+) IBM Research Labs

318 views • 27 slides
Practical Multi-threaded Graph Coloring Algorithms for Shared Memory Architecture Nandini Singhal

Practical Multi-threaded Graph Coloring Algorithms for Shared Memory Architecture Nandini Singhal

Practical Multi-threaded Graph Coloring Algorithms for Shared Memory Architecture Nandini Singhal Sathya Peri Subrahmanyam Kalyanasundaram Department of Computer Science &amp; Engineering Indian Institute of Technology Hyderabad ICDCN AADDA

676 views • 55 slides
Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained

Cs Memory Model C0 C 1 Balance Sheet so far Lost Gained Contracts Preprocessor Safety Whimsical execution Garbage collection Explicit memory management Memory initialization

967 views • 63 slides
1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC

1 Memory SoC Persistent Memory-Driven Memory Memory Processor-Centric Memory SoC SoC Computing Computing + Fabric SoC Memory HYPERCONVERGED Exascale EDGE DEVICE SYSTEM Eliminate data movement via shared

400 views • 11 slides
State Safety Programmes &amp; working with the industry the practical side Jos Wilbrink

State Safety Programmes &amp; working with the industry the practical side Jos Wilbrink

State Safety Programmes &amp; working with the industry the practical side Jos Wilbrink Ministry of Infrastructure and Water Management 1. Introduction 2. The Netherlands 3. ICAO Annex 19 &amp; SSP 4. SSP Actionplan E-mail: 5.

800 views • 45 slides
CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Eternal War in Memory Table of Contents

658 views • 38 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Module 7 Practical Exercise Module 7 - Practical Exercise Background You and your team are a

Module 7 Practical Exercise Module 7 - Practical Exercise Background You and your team are a

Module 7 Practical Exercise Module 7 - Practical Exercise Background You and your team are a part of the CAA Safety Oversight Department for EDTO Airways, an established WP-911 EDTO operator with 180 Minute EDTO approval for a fleet of 4 WP-911

596 views • 13 slides
PRACTICAL EXPERIENCE ON RISK ANALYSIS IN FOOD SAFETY EMERGENCY IN INDONESIA Roy Sparringa

PRACTICAL EXPERIENCE ON RISK ANALYSIS IN FOOD SAFETY EMERGENCY IN INDONESIA Roy Sparringa

PRACTICAL EXPERIENCE ON RISK ANALYSIS IN FOOD SAFETY EMERGENCY IN INDONESIA Roy Sparringa National Agency for Drug and Food Control Republic of Indonesia Training Workshop on Food recall and traceability -Application in National food safety

513 views • 32 slides

More recommend