Using Address Watchpoints
Instrument data, not just code
Ashvin Goel
University of Toronto
Advanced Host-Level Security (AHLS)
Dec 10, 2014
Project Goal
Goal is to protect operating system kernels against buggy module/driver code
What types of bugs are we interested in?
Types of Bugs
Bug detection
- Memory bugs
  - Use-after-free, read-before-write, double-free
  - Buffer overflow detectors, memory leak detector
- Concurrency (race, atomicity) bugs
- Direct memory access (DMA) bugs
- Semantic bugs
  - Object-specific invariant violations, access pattern violations
Performance anomalies
- False sharing detector
Approach
- Instrument all module code at runtime using Dynamic Binary Translation (DBT)
  - Rewrite module code during execution
  - Provides complete control over module execution
- Built a prototype system called Granary
  - Think "Valgrind", but for the Linux kernel
What about writing bug detectors using DBT?
Problems with Existing DBT Systems
- Instruments code at instruction level
  - Wrong abstraction, tools need to instrument data accesses
- All code is instrumented
  - High overhead, limits heavy instrumentation
- Hard to use
  - Have to deal with tricky instructions, worry about re-entrancy, safety, maintain illusion that DBT is not there
Ideally, We Want
- Data-centric instrumentation
  - You tell the hardware what objects your tool cares about
  - The hardware tells your tool when the objects are accessed
- Selective instrumentation
  - Otherwise, no instrumentation overhead
- High-level instrumentation
  - Provide high-level API that handles concurrency, safety
Solution: Address Watchpoints
- Key insight
  - Hard to track objects, easy to track addresses!
  - Taint the address of "interesting" objects so that accesses to them always raise a fault, hence "address watchpoints"
- Address watchpoints
  - Relies on x86-64 48-bit address implementation in which 16 high-order bits are "free" to be changed
  - Kind of like getting a segfault when you read a bad pointer
  - On fault, use the tainted bits to identify what object is accessed, and what to do about it
Example
    struct sk_buff *skb = alloc_skb(skb_size, GFP_KERNEL);
    // skb == 0xFFFFFFFFA092600
    skb = add_watchpoint(skb, <meta-data>);
    // skb == 0x7654FFFFA092600
    ...
    dma_map_single(…, skb->data, , …);

    do_general_protection(regs)
        ... regs->regs[...] == 0x7654FFFFA0926E0
        ...
        <meta-data>
        ...
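An added example, not from the slides or the Granary code base: the tainting scheme above modelled in user-space C, with the fault handler's lookup extended to the bounds and use-after-free checks the talk lists as applications. The descriptor table, the tag encoding (slot + 1), the function bodies and the 16-digit address are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_WATCH 64                      /* assumed descriptor-table size */
#define LOW48     0x0000FFFFFFFFFFFFULL
enum verdict { NOT_WATCHED, IN_BOUNDS, OUT_OF_BOUNDS, STALE };
struct desc { uint64_t base, size; int live; };  /* stands in for <meta-data> */
static struct desc table[MAX_WATCH];

/* x86-64, 48-bit addresses: canonical means bits 63..47 are all equal. */
static int is_canonical(uint64_t a) {
    return (a >> 47) == 0 || (a >> 47) == 0x1FFFF;
}

/* Restore the original pointer by sign-extending bit 47 over the tag. */
static uint64_t untaint(uint64_t a) {
    return (a & LOW48) | ((a >> 47) & 1 ? ~LOW48 : 0);
}

/* Tag = slot + 1, so it is never 0x0000 or 0xFFFF and every access faults. */
uint64_t add_watchpoint(uint64_t addr, uint64_t size) {
    for (uint64_t i = 0; i < MAX_WATCH; i++) {
        if (table[i].live) continue;
        table[i] = (struct desc){ addr, size, 1 };
        return (addr & LOW48) | ((i + 1) << 48);
    }
    return addr;                          /* table full: leave unwatched */
}

void remove_watchpoint(uint64_t tainted) {
    uint64_t tag = tainted >> 48;
    if (tag >= 1 && tag <= MAX_WATCH) table[tag - 1].live = 0;
}

/* Fault-handler logic: classify an access of len bytes at addr. */
enum verdict on_fault(uint64_t addr, uint64_t len) {
    if (is_canonical(addr)) return NOT_WATCHED;   /* a genuine fault */
    uint64_t tag = addr >> 48;
    if (tag < 1 || tag > MAX_WATCH || !table[tag - 1].live) return STALE;
    const struct desc *d = &table[tag - 1];
    uint64_t real = untaint(addr);
    if (real < d->base || real - d->base + len > d->size) return OUT_OF_BOUNDS;
    return IN_BOUNDS;
}

int main(void) {
    uint64_t w = add_watchpoint(0xFFFFFFFFA0926000ULL, 0x100);  /* constructed */
    printf("%d %d\n", on_fault(w + 0xE0, 8), on_fault(w + 0x100, 1));
    return 0;
}
```

Freed slots are reused here, so a stale pointer can alias a newer object's tag; a real tool would need to delay tag reuse.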
Isn’t this slow?
Selective Instrumentation
- Approach
  - Take fault on first access to watched address
  - Turn on DBT
  - Turn off DBT when watched addresses are not expected to be accessed
- Benefits
  - Avoids faults on each watched address
  - Provides efficiency by taking advantage of locality of watched accesses
  - No overhead when watched addresses are not accessed
Initial Implementation
Implemented address watchpoints using Granary DBT system [HotDep 2013]
Applications
- Buffer overflow detector
- Use-after-free, read-before-write
- Memory leak detector
Current Status
- Implementing Granary+
  - Learning from mistakes exposed by address watchpoints
- Building high-level instrumentation API
  - Tools are still hard to implement using address watchpoints
- Will enable more powerful watchpoint-based tools
  - Races, lock contention, false sharing detector
Example: Instruction Profiling

    array div_count, div_p2_count

    probe insn($opcode == "div") and function {
      div_count[$name]++        // fn performs div
      if ((@op.2 & (@op.2 - 1)) == 0)
        div_p2_count[$name]++   // fn performs div by power of 2
    }

    probe end {
      for (fname in div_count)
        printf("%d | %d | %s\n", div_count[fname], div_p2_count[fname], fname)
    }
Example: Address Watchpoints
    array accesses   // # accesses of target objects
    set targets      // handled by watchpoint framework

    probe object.alloc and function($name == "skb_alloc") {
      add(@start..@end, targets)   // track address range
    }

    probe object.access and function($name =~ "dma_map_single") {
      if (@addr in targets)
        accesses[targets[@addr]]++
    }
Conclusions
- Address watchpoints enable data-centric, selective instrumentation
- Initial implementation enabled several debugging tools for kernel modules
- Current Status
  - Reimplementing Granary/watchpoint implementation
  - Building higher-level instrumentation API
    - Will allow integrating tracepoints
    - Will enable more powerful watchpoint tools