DieHard: Probabilistic Memory Safety for Unsafe Languages
DESCRIPTION
DieHard uses randomization and replication to transparently make C and C++ programs tolerate a wide range of errors, including buffer overflows and dangling pointers. Instead of crashing or running amok, DieHard lets programs continue to run correctly in the face of memory errors with high probability. Using DieHard also makes programs highly resistant to heap-based hacker attacks. Downloadable at www.diehard-software.org.
TRANSCRIPT
University of Massachusetts Amherst • Department of Computer Science • PLDI 2006
DieHard: Probabilistic Memory Safety for Unsafe Programming Languages
Emery Berger, University of Massachusetts Amherst
Ben Zorn, Microsoft Research
Problems with Unsafe Languages
C, C++: pervasive apps, but the languages are memory unsafe
Numerous opportunities for security vulnerabilities and errors:
Double free
Invalid free
Uninitialized reads
Dangling pointers
Buffer overflows (stack & heap)
Current Approaches
Unsound, may work or abort: Windows, GNU libc, etc., Rx [Zhou]
Unsound, will definitely continue: Failure oblivious [Rinard]
Sound, definitely aborts (fail-safe): CCured [Necula], CRED [Ruwase & Lam], SAFECode [Dhurjati, Kowshik & Adve]
These require C source and programmer intervention, with 30% to 20X slowdowns
Good for debugging, less for deployment
Probabilistic Memory Safety
Fully-randomized memory manager: increases odds of benign memory errors; ensures different heaps across users
Replication: run multiple replicas simultaneously and vote on results; detects crashing & non-crashing errors; trades space for increased reliability
DieHard: correct execution in the face of errors with high probability
Soundness for “Erroneous” Programs
Normally: memory errors ⇒ ?
Consider an infinite-heap allocator:
All news fresh; ignore delete ⇒ no dangling pointers, invalid frees, double frees
Every object infinitely large ⇒ no buffer overflows, data overwrites
Transparent to correct program; "erroneous" programs sound
Approximating Infinite Heaps
Infinite ⇒ M-heaps: probabilistic soundness
Pad allocations & defer deallocations
+ Simple
– No protection from larger overflows (pad = 8 bytes, overflow = 9 bytes…)
– Deterministic: overflow crashes everyone
Better: randomize heap
+ Probabilistic protection against errors
+ Independent across heaps
? Efficient implementation…
Implementation Choices
Conventional, freelist-based heaps: hard to randomize and to protect from errors (double frees, heap corruption)
What about bitmaps? [Wilson90]
– Catastrophic fragmentation: each small object likely to occupy one page
[figure: objects scattered one per page across the heap]
Randomized Heap Layout
Bitmap-based, segregated size classes
Bit represents one object of given size, i.e., one bit = 2^(i+3) bytes, etc.
Prevents fragmentation
[figure: one bitmap per size class (metadata) for sizes 2^(i+3), 2^(i+4), 2^(i+5), each bit mapping to one object slot in the heap]
Randomized Allocation
malloc(8): compute size class = ceil(log2 sz) – 3, then randomly probe that size class's bitmap for a zero bit (free slot)
Fast: runtime O(1); M = 2 ⇒ E[# of probes] ≤ 2
[figure: the size-2^(i+3) bitmap, shown as 00000001 before the call and 00010001 after the randomly chosen free bit is set; the 2^(i+4) and 2^(i+5) bitmaps are unchanged]
Randomized Deallocation
free(ptr): ensure the object is valid (aligned to the right address) and allocated (bit set), then reset the bit
Prevents invalid frees, double frees
[figure: the size-2^(i+3) bitmap goes from 00010001 back to 00000001 as the freed object's bit is reset]
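An added example, written here and not taken from the DieHard sources, that puts the three preceding slides together: size classes of 2^(c+3) bytes chosen by ceil(log2 sz) – 3, one bitmap per class, random probing for a zero bit on malloc, and a free that checks alignment and the allocated bit before resetting it. The names dh_seed, dh_class, dh_malloc and dh_free, the four size classes and the 64-slot limit are assumptions of this toy; the cap of half occupancy stands in for the M = 2 setting.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not DieHard's own code: a toy DieHard-style heap with
 * size classes of 2^(c+3) bytes, one bitmap per class (bit k set <=> slot k
 * allocated), random probing in malloc, and a validating free(). */
#define NCLASS 4   /* 8, 16, 32 and 64 byte classes (assumed) */
#define SLOTS  64  /* slots per class: one uint64_t bitmap each (assumed) */
static uint8_t  region[NCLASS][SLOTS * 64]; /* sized for the largest slot; simple, not compact */
static uint64_t bitmap[NCLASS];
static int      live[NCLASS];
static uint32_t rng = 1;                    /* each replica would get its own seed */
static uint32_t rnd(void) { rng = rng * 1103515245u + 12345u; return rng >> 16; }
void dh_seed(uint32_t s) { rng = s ? s : 1; }

/* size class = ceil(log2 sz) - 3 as on the slide; -1 if sz exceeds the largest class */
int dh_class(size_t sz) {
    int c = 0;
    for (size_t cap = 8; cap < sz; cap <<= 1) c++;
    return c < NCLASS ? c : -1;
}

/* Randomly probe the class bitmap for a zero bit. Occupancy is capped at half,
 * so a free slot always exists and the expected number of probes is <= 2. */
void *dh_malloc(size_t sz) {
    int c = dh_class(sz);
    if (c < 0 || live[c] >= SLOTS / 2) return NULL;
    for (;;) {
        unsigned k = rnd() % SLOTS;
        if (bitmap[c] & (1ULL << k)) continue;       /* slot taken: probe again */
        bitmap[c] |= 1ULL << k; live[c]++;
        return region[c] + k * ((size_t)8 << c);
    }
}

/* 0 = freed; -1 = pointer outside the heap or not slot-aligned (invalid free);
 * -2 = slot bit already clear (double free, or never allocated). */
int dh_free(void *p) {
    uintptr_t q = (uintptr_t)p;
    for (int c = 0; c < NCLASS; c++) {
        size_t slot_bytes = (size_t)8 << c;
        uintptr_t base = (uintptr_t)region[c];
        if (q < base || q >= base + SLOTS * slot_bytes) continue;
        if ((q - base) % slot_bytes) return -1;
        unsigned k = (unsigned)((q - base) / slot_bytes);
        if (!(bitmap[c] & (1ULL << k))) return -2;
        bitmap[c] &= ~(1ULL << k); live[c]--;
        return 0;
    }
    return -1;
}
```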
Randomized Heaps & Reliability
[figure: the same objects laid out in two heaps in different random orders (labels 2 34 5 3 1 6 … in one heap, 11 6 3 2 5 4 … in the other) for size classes 2^(i+4) and 2^(i+3)]
My Mozilla: "malignant" overflow
Your Mozilla: "benign" overflow
Objects randomly spread across heap; different run = different heap
Errors across heaps independent
DieHard software architecture
[figure: input is broadcast to replica1 (seed1), replica2 (seed2) and replica3 (seed3); the replicas execute, their outputs are voted on, and the agreed output is emitted]
"Output equivalent" – kill failed replicas
Each replica has a different allocator
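An added example, not DieHard's own code, of the vote step in the figure above: each replica's output buffer is compared, the output held by a majority of replicas is emitted, and replicas that disagree or produced no output are marked failed so the supervisor can kill them. The replica_t type, the functions vote and same_output, and the strict-majority rule are assumptions of this sketch; the slide does not say how DieHard compares outputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not DieHard's code: majority vote over replica outputs.
 * A replica that crashed delivers no output (out == NULL) and can never win. */
typedef struct {
    const unsigned char *out;   /* bytes the replica wrote; NULL if it crashed */
    size_t len;
    bool failed;                /* set by vote() for replicas to be killed */
} replica_t;

static bool same_output(const replica_t *a, const replica_t *b) {
    return a->out && b->out && a->len == b->len && memcmp(a->out, b->out, a->len) == 0;
}

/* Returns the index of a replica holding the output shared by a strict majority
 * (> n/2) of replicas, or -1 when no such output exists and nothing may be
 * emitted. Every replica whose output differs from the winner is marked failed. */
int vote(replica_t *r, int n) {
    int winner = -1;
    for (int i = 0; i < n && winner < 0; i++) {
        int agree = 0;
        for (int j = 0; j < n; j++) agree += same_output(&r[i], &r[j]);
        if (agree * 2 > n) winner = i;
    }
    if (winner < 0) return -1;
    for (int i = 0; i < n; i++) r[i].failed = !same_output(&r[winner], &r[i]);
    return winner;
}
```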
Results
Analytical results (pictures!): buffer overflows, dangling pointer errors, uninitialized reads
Empirical results: runtime overhead, error avoidance (injected faults & actual applications)
Analytical Results: Buffer Overflows
Model overflow as write of live data
Heap half full (max occupancy)
Analytical Results: Buffer Overflows
Replicas: increase odds of avoiding overflow in at least one replica
[plot: probability of avoiding the overflow vs. number of replicas]
P(overflow in all replicas) = (1/2)^3 = 1/8
P(no overflow in ≥ 1 replica) = 1 – (1/2)^3 = 7/8
Analytical Results: Buffer Overflows
F = free space, H = heap size, N = # objects worth of overflow, k = replicas
[plot: overflow one object]
Empirical Results: Runtime
Empirical Results: Error Avoidance
Injected faults:
Dangling pointers (@50%, 10 allocations): glibc crashes; DieHard 9/10 correct
Overflows (@1%, 4 bytes over): glibc crashes 9/10, infinite loop; DieHard 10/10 correct
Real faults:
Avoids Squid web cache overflow (crashes BDW & glibc)
Avoids dangling pointer error in Mozilla (DoS in glibc & Windows)
Conclusion
Randomization + replicas = probabilistic memory safety
Improves over today (0%)
Useful point between absolute soundness (fail-stop) and unsound
Trades hardware resources (RAM, CPU) for reliability
Hardware trends: larger memories, multi-core CPUs
Follows in footsteps of ECC memory, RAID
DieHard software
http://www.cs.umass.edu/~emery/diehard
Linux, Solaris (stand-alone & replicated)
Windows (stand-alone only)