Automatically Tolerating And Correcting Memory Errors

UUNIVERSITY OF NIVERSITY OF MMASSACHUSETTS ASSACHUSETTS AAMHERST • MHERST • Department of Computer Science Department of Computer Science • 2007 • 2007

Automatically Tolerating &Correcting Memory Errors

Emery BergerUniversity of Massachusetts Amherst

joint work with Gene Novark (UMass Amherst),Ben Zorn (Microsoft Research)

[PLDI 2006, PLDI 2007]

Problems with Unsafe Languages

C, C++: pervasive apps, but langs.memory unsafe

Numerous opportunities for security vulnerabilities, errors Double free Invalid free Uninitialized reads Dangling pointers Buffer overflows (stack & heap)

Current Approaches

Unsound, may work or abort Windows, GNU libc, etc., Rx [Zhou]

Unsound, will definitely continue Failure oblivious [Rinard]

Sound, definitely aborts (fail-safe) CCured [Necula], CRED [Ruwase & Lam], SAFECode

[Dhurjati, Kowshik & Adve], etc. Slowdowns: 30% - 20X Requires C source, programmer intervention Garbage collection or partially sound (pools)

Good for debugging, less for deployment

Soundness for “Erroneous” Programs

Normally: memory errors ? Consider infinite-heap allocator:

All news fresh;ignore delete

No dangling pointers, invalid frees,double frees

Every object infinitely large No buffer overflows, data overwrites

Transparent to correct program “Erroneous” programs sound

Probabilistic Memory Safety

Approximate with M-heaps (e.g., M=2)

DieHard: fully-randomized M-heap Increases odds of benign errors Probabilistic memory safety

i.e., P(no error) n Errors independent across heaps

E(users with no error) n * |users|

? Efficient implementation…

Implementation Choices

Conventional, freelist-based heaps Hard to randomize, protect from errors

Double frees, heap corruption What about bitmaps? [Wilson90]

– Catastrophic fragmentation Each small object likely to occupy one page

obj obj objobj

Randomized Heap Layout

Bitmap-based, segregated size classes Bit represents one object of given size

i.e., one bit = 2i+3 bytes, etc. Prevents fragmentation

00000001 1010 10

size = 2i+3 2i+

metadata

Randomized Allocation

malloc(8): compute size class = ceil(log2 sz) – 3 randomly probe bitmap for zero-bit (free)

Fast: runtime O(1) M=2 E[# of probes] ≈ 2

00000001 1010 10

size = 2i+3 2i+

metadata

malloc(8): compute size class = ceil(log2 sz) – 3 randomly probe bitmap for zero-bit (free)

Fast: runtime O(1) M=2 E[# of probes] ≈ 2

00010001 1010 10

size = 2i+3 2i+

metadata

Randomized Allocation

free(ptr): Ensure object valid – aligned to right address Ensure allocated – bit set Resets bit

Prevents invalid frees, double frees

00010001 1010 10

size = 2i+3 2i+

metadata

Randomized Deallocation

00010001 1010 10

size = 2i+3 2i+

metadata

00000001 1010 10

size = 2i+3 2i+

metadata

Randomized Heaps & Reliability

2 34 5 3 1 6

object size = 2i+4

object size = 2i+3

11 6 3 2 5 4 …

My Mozilla: “malignant” overflow

Your Mozilla: “benign” overflow

Objects randomly spread across heap Different run = different heap

Improves security Errors across heaps independent

DieHard software architecture

broadcast vote

input output

execute replicas(separate processes)

replica3seed3

replica1seed1

replica2seed2

Optional: replication-based fault-tolerance Requires randomization: errors independent

DieHard Results

Analytical results (pictures!) Dangling pointer errors Buffer overflows Uninitialized reads

Empirical results Runtime overhead Error avoidance

Injected faults & actual applications

Analytical Results: Dangling Pointers

Free one object too early

Object extremely unlikely to be reused soon

Example: F = 1,000,000 P(ok after one malloc) ¼ 1 P(ok after 1000 mallocs) ¸ 99.9%

F = # free objectsA = # mallocs

Analytical Results: Buffer Overflows

Model overflow: random write of live data Heap half full (max occupancy)

Replicas: Increase odds of avoiding overflow in at least one replica

P(Overflow in all replicas) = (½)3 = 1/8 P(No overflow in ≥ 1 replica) = 1-(½)3 = 7/8

F = free spaceH = heap sizeN = # objects

worth of overflow

k = replicas

Overflow one object

Empirical Results: Error Avoidance

Injected faults: Dangling pointers (@50%, 10 allocations)

glibc: crashes; DieHard: 9/10 correct Overflows (@1%, 4 bytes over) –

glibc: crashes 9/10, “inf loop”; DieHard: 10/10 correct Real faults:

Avoids Squid web cache overflow Crashes BDW & glibc

Avoids dangling pointer error in Mozilla DoS in glibc & Windows

DieHard Limitations

Fine for single error But: multiple errors eventually swamp

probabilistic protection Not great for large overflows

Tolerates errors But doesn’t find them

No information for programmer Ideal: point directly to bug…

Exterminator:Automatically Correcting

Memory Errors with High Probability

Diagnosing Buffer Overflows

Canonical buffer overflow: Allocate object – too small Write past end ) nukes object bytes forward

Not necessarily contiguous

char * str = new char[8];strcpy (str, “goodbye cruel world”);

bad object(too small)

bytes past end

1. Heap provides no useful information

bytes past end

2. No way to detect corruption

Isolating Buffer Overflows

8 2 9 3 4 5 1 7

Red =possiblebadobject

Green =notbadobject

Canaries in freed space detect corruption

known random value dead canary = corruption

# = object id (allocation time)

8 2 9 3 4 5 1 7

Green =notbadobject

Canaries in freed space detect corruption Run multiple times with “DieFast” allocator

8 2 9 3 4 5 1 7

Green =notbadobject

1 8 7 5 3 2 9 6 4

Canaries in freed space detect corruption Run multiple times with “DieFast” allocator Key insight: Overflow must be at same

8 2 9 3 4 5 1 7

Green =notbadobject

1 8 7 5 3 2 9 6 4

8 2 9 4 5 1 7

Green =notbadobject

1 8 7 5 3 2 9 6 4

8 2 9 3 4 5 1 7

Green =notbadobject

1 8 7 5 3 2 9 6 4

8 2 9 3 4 5 1 7

Green =notbadobject

1 8 7 5 3 6 492

8 2 9 3 4 5 1 7

Green =notbadobject

1 8 7 5 3 2 9 6 4

4 9 6 38 5 72 1

) object 9 overflowed, with high probability

Buffer Overflow Analysis

Example: H = 1,000,000 objects3 iterations ¼ false positives

Iterations exponentially increase precision

H = # heap objectsK = # iterations

11;000;000

8 2 9 3 4 5 1 7

1 8 7 5 3 2 9 6 4

4 9 6 38 5 72 1

Isolating Dangling Pointers

Dangling pointer error: Allocated object freed too soon Overwritten by some other object

int * v = new int[4];…delete [] v; // oops…char * str = new char[16];strcpy (str, “die, pointer”);v[3] = 12;… use of v[0]

Isolating Dangling Pointers

Unlike buffer overflow: dangling pointer ) same corruption in all

k = 3 ) false negatives ¼P(identical over°ow) ·

H ¡ 1

¶k¡ 1

11;000;000

11 2 3 6 4 5 10 1 12 798

1 7 5 3 2 1112 648 9 10

4 6 312 5 72 1410 8 9

Correcting Allocator

Generate runtime patches to correct errors Track object call sites in allocator

Prevent overflows: pad overflowed objects

malloc(8) malloc(8 + δ)

Prevent dangling pointers: defer freesfree(ptr) delay δ mallocs;

free(ptr)

Exterminator Summary

Three main pieces: DieHard-based allocator (DieFast)

Reveals bugs Error isolator

Finds bugs across multiple heaps w.h.p. Correcting allocator

Fixes bugs Modes suitable for testing (debugging)

or deployment

Exterminator Modes

Iterative Run multiple times Same inputs Debugging

Replicated Run simultaneously Deployable w/limitations Can fix errors on-the-fly

Cumulative Different inputs, nondeterminism Deployable; see paper for details

votebroadcast

input output

DieFast replica1seed

DieFast replica2seed

Error isolator

correcting allocator

DieFast replica3

runtime patches

Exterminator Runtime Overhead

Empirical Results: Real Faults

Squid heap overflow Crashes glibc 2.8.0 and BDW collector 3 iterations to fix ) 6 byte pad

Prevents overflow for all subsequent executions

Mozilla 1.7.3 buffer overflow Debug scenario:

repeated load of PoC: 23 runs to fix overflow

Deployed scenario: different browsing sessions: 34 runs to fix

Empirical Results: Real Faults

Conclusion Randomization: enables

probabilistic memory safety (DieHard)& automatic error correction (Exterminator)

Trades hardware resources(RAM,CPU) for reliability Hardware trends

Larger memories, multi-core CPUs Follows in footsteps of

ECC memory, RAID

The End

www.diehard-software.orgwww.cs.umass.edu/~emery

4 3 6 5218

allocation space

bitmap

object size

2inUse

4inUse

1inUse

6inUse

1inUse

miniheaps

Actual DieHard Heap Layout

Bitmap-based, segregated size classes Bit represents one object of given size

i.e., one bit = 2i+3 bytes, etc.

malloc(): randomly probe bitmap for free space free(): just reset bit

Automatically Tolerating And Correcting Memory Errors

Technology

Transcript of Automatically Tolerating And Correcting Memory Errors

Correcting GFEBS AXOL IDOC Errors

Tolerating and Correcting Memory Errors in C and C++

FOR LIVE PROGRAM ONLY Correcting Capital Account Mistakes ...media.straffordpub.com/products/correcting-capital... · 4/25/2017 · Correcting Capital Account Mistakes and Errors

Correcting Capital Account Mistakes and Errors on ...media.straffordpub.com › products › correcting-capital-account-mistakes-and-errors-on...Nov 24, 2015 · Correcting Capital

Correcting Common Sentence Errors

Correcting Errors

Maintenance of genomes Correcting replication errors Repairing DNA damage.

Correcting Common Budget Errors - Northwestern …ffra.northwestern.edu/documents/training/gl/721/CorrectingCommonB… · Correcting Common Budget Journal Errors . ... More than one

Tolerating and Correcting Memory Errors in C and C++ Ben Zorn Microsoft Research In collaboration with: Emery Berger and Gene Novark, Umass - Amherst Karthik.

Correcting Threading Errors with Intel® Parallel Inspector

Correcting pervasive errors in RNA crystallography through ......and and , –) .

Design of VLSI Digital Filters for Tolerating Transient Timing Errors

Correcting Errors in MLCs with Bit-fixing Coding

Correcting Capital Account Mistakes and Errors on Partnership …media.straffordpub.com/products/correcting-capital... · 2016-11-21 · Nov. 22, 2016 Correcting Capital Account Mistakes

CORRECTING ERRORS

Correcting 2016 Form W-2 errors - EYFILE/ey-correcting-2016-form-w-2-errors.pdf · Correcting 2016 Form W-2 errors 3 ... Code DD 2 Excess contributions to a qualified ... 4 Correcting

Correcting Numerical Integration Errors Caused by Small Aliasing Errors

DEGEN DE1103: Correcting the errors - HAMRADIO OK1IKEok1ike.c-a-v.com/soubory/degen_modif.pdf · DEGEN DE1103. Correcting the Errors. The main disadvantages DE1103 were noted in the

Exterminator: Automatically Correcting Memory Errors

A Method for Correcting Preposition Errors in Learner ...