Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing
Slide 1: Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing
Wookhyun Han, Byunggil Joe, Byoungyoung Lee*, Chengyu Song, Insik Shin
KAIST; *Purdue; UCR
Slide 2: Memory error
Examples: Heartbleed, Shellshock, glibc getaddrinfo stack-based buffer overflow
Consequences:
- Information leakage: Heartbleed
- Privilege escalation: Shellshock
- Remote code execution: Shellshock, glibc, Conficker
Slide 3: Memory error detection
Pointer-based [SoftBound+CETS, Intel MPX]
- Hardware support (cannot detect temporal memory errors)
- Challenges to support complex applications
Redzone-based [AddressSanitizer (ASan)]
- Compatible with complex applications
- Most popular in practice: Google Chrome, Mozilla Firefox, Linux Kernel; American Fuzzy Lop (AFL), ClusterFuzz, OSS-Fuzz
Slides 4-6: Redzone-based memory error detection: buffer overflow (spatial memory errors)
- Shadow memory: a bitmap that validates all addresses; every access is checked against it before it happens
- Redzone: an inaccessible region between objects, marked inaccessible in shadow memory
[Figure: ptrx walks from objx into the adjacent redzone; the shadow check on the redzone byte reports "Error!"]
Slides 7-10: Redzone-based memory error detection: use-after-free (temporal memory errors)
- free(ptrx): objx's region is invalidated in shadow memory and quarantined, but not actually deallocated
- The region is held until the quarantine zone is full (FIFO)
- Only then is it actually deallocated, and it can be allocated to a new object: ptry = malloc() places objy in objx's old region
[Figure: objx's bytes flip from accessible to inaccessible (quarantined) in shadow memory, then back to accessible once objy takes the region]
Slides 11-15: Limitations of the redzone-based approach
1. What if a pointer accesses beyond the redzone? ptrx skips over objx's redzone and lands in objy: a spatial memory error that cannot be detected, because objy's bytes are marked accessible in shadow memory.
2. What if a dangling pointer accesses after another object is allocated in the region? ptrx is used after objx has left the quarantine and objz has been allocated in its place: a temporal memory error that likewise cannot be detected.
Slides 16-18: Motivation
To enhance the detectability of redzone-based memory error detection:
- P1. Large gap to detect spatial memory errors
- P2. Large quarantine zone to detect temporal memory errors
Problem: both require huge physical memory
[Figure: obj1 and obj2 separated by P1-sized gaps, with freed objects held in a P2-sized quarantine]
Slide 19: MEDS overview
Enhances the detectability of redzone-based memory error detection
Idea: fully utilize the 64-bit virtual address space to support
- P1. Large gap to detect spatial errors
- P2. Large quarantine zone to detect temporal errors
Approach: minimize physical memory use
- Page aliasing allocator and page protection
- Hierarchical memory error detection
Slides 20-22: Page aliasing (P1)
Maps multiple virtual pages to a single physical page
- Virtual: obj1, obj2, ..., obj4 each sit on their own virtual page, separated by redzones
- Physical: obj1, obj2, obj3, obj4 share a single memory page
- The redzone itself does not occupy physical memory
Slides 23-24: Page protection (P1)
Redzone-only pages are unmapped
- Virtual pages that hold only redzone are left unmapped, so they occupy neither shadow memory nor physical memory
Slides 25-28: Page aliasing & page protection (P2)
- obj1-obj4 share one physical page; when obj4 is freed, its virtual page becomes quarantined (unmapped)
- The physical slot obj4 occupied is handed to a new object objx, which is placed at a fresh virtual address
- Reuse physical memory immediately, while not reusing virtual addresses
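The mechanism behind slides 20-28, as an added example that is not code from the MEDS slides or the MEDS project: several virtual pages (one per object) alias a single physical page, and the pages between them are reserved with PROT_NONE so they cost address space but no physical memory. The slides do not describe MEDS's exact mapping calls (only that mmap/munmap/mremap counts rise), so the tmpfile plus MAP_SHARED mechanism here is an assumption, and the guard pages are placed wherever mmap(NULL) puts them rather than at allocator-chosen addresses.

```c
/* Added example, not code from the MEDS slides or project: page aliasing
 * modelled with POSIX shared file mappings. NOBJ virtual pages alias one
 * physical page; a PROT_NONE page per object stands in for a redzone-only page
 * (address space reserved, no physical memory behind it). */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define NOBJ 4

/* Returns 1 when the aliases behave as one physical page (a byte written to
 * obj_i through its own virtual page is visible through every other alias),
 * 0 when they do not, -1 on a mapping failure. */
int alias_demo(void) {
    long pagesize = sysconf(_SC_PAGESIZE);
    long slot = pagesize / NOBJ;      /* obj_i occupies [i*slot, (i+1)*slot) of the page */
    FILE *f = tmpfile();              /* anonymous backing object for the shared page */
    if (!f) return -1;
    int fd = fileno(f);
    if (ftruncate(fd, pagesize) != 0) { fclose(f); return -1; }

    unsigned char *alias[NOBJ], *guard[NOBJ];
    for (int i = 0; i < NOBJ; i++) {
        /* Virtual page for obj_i: its own address, same physical page as the others. */
        alias[i] = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        /* Redzone-only page: reserved, never readable or writable, never backed.
         * A real allocator would place it right after alias[i]; mmap(NULL) does not. */
        guard[i] = mmap(NULL, pagesize, PROT_NONE, MAP_PRIVATE, fd, 0);
        if (alias[i] == MAP_FAILED || guard[i] == MAP_FAILED) { fclose(f); return -1; }
        memset(alias[i] + i * slot, 'A' + i, slot);   /* write obj_i through its own alias */
    }

    int ok = 1;
    for (int i = 0; i < NOBJ && ok; i++)
        for (int j = 0; j < NOBJ; j++) {
            ok = ok && (i == j || alias[i] != alias[j]);   /* distinct virtual pages ... */
            ok = ok && alias[i][j * slot] == 'A' + j;      /* ... one shared physical page */
        }

    for (int i = 0; i < NOBJ; i++) { munmap(alias[i], pagesize); munmap(guard[i], pagesize); }
    fclose(f);
    return ok;
}

int main(void) {
    int r = alias_demo();
    printf("%d virtual pages alias one physical page: %s\n", NOBJ,
           r == 1 ? "yes" : r == 0 ? "no" : "mapping failed");
    return r == 1 ? 0 : 1;
}
```

Each object is written only through its own alias, yet reading any single alias shows all four, which is the physical-memory saving the slides describe: four objects' worth of virtual pages (plus four unbacked redzone pages) cost one physical page. Touching a guard page would fault, which is the page-protection form of a redzone check.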
Slides 29-32: Hierarchical memory error detection
Many different ways to represent redzones, further optimizing physical memory use. A redzone hit by ptr can be represented at three levels:
#1. Shadow memory is invalid
#2. Virtual page is unmapped
#3. Shadow memory is unmapped
Slide 33: Evaluation
Configuration   ASan                                   MEDS    Improvement
Redzone         [ASan value lost in transcription] bytes   4MB     16,384x
Quarantine      128MB                                  80TB    65,536x
- ASan cannot use the MEDS configuration (lack of memory)
- Compatibility
- Performance: 2 times slowdown
- Detection (fuzz testing): 68% more detection
Slide 34: Compatibility
- Unit tests from real-world applications (test cases in Chrome, Firefox, Nginx): all passed
- Memory error unit tests (ASan unit tests): all passed
- NIST Juliet test suites: all passed except random access tests (ASan: 35% vs. MEDS: 98%)
Slide 35: Micro-scale performance overhead
- TLB misses: 5 times more than ASan (more virtual pages with page aliasing)
- Number of system calls: mmap(), munmap(), and mremap() 32 times more than ASan (page aliasing and page protection)
- Memory footprint: 218% more than baseline, 68% more than ASan (much larger redzone and quarantine)
Slides 36-38: End-to-end performance overhead
108% compared to baseline, 86% compared to ASan
[Figure: bar chart over Chrome, Firefox, Apache, Nginx for Baseline, ASan, MEDS. Callouts: one application at [value lost in transcription]% to baseline and 22% to ASan; one with a large number of small objects on the stack at 243% to baseline and 211% to ASan]
Slides 39-41: Detection (fuzz testing)
- Run AFL (8 cores, 6 hours)
- Despite the performance overhead, MEDS explores 68.3% more unique crashes than ASan
- MEDS finds more unique crashes in the initial phase, but saturates in the end
[Figure: number of unique crashes vs. time spent (hrs) on metacam; ASan and MEDS curves, both saturating]
Slides 42-45: How does MEDS explore more crashes?
More input sets can be detected:
- Higher probability to detect: bugs can be found earlier than with ASan, so the fuzzer can focus on the other paths
- MEDS can detect cases that ASan cannot detect: accesses that always bypass the redzone, e.g. a miscalculated structure-array size where the size of the structure is larger than the redzone, so access to certain elements cannot be detected

    int a[10];
    a[x] = x;

    struct A { int num[10]; };
    struct A *a = malloc(sizeof(struct A));
    ...
    (a+i)->num[8] = i;
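The two misses from slides 11-15 and the struct-array case from slides 42-45, reproduced in an added example that is not code from the MEDS slides or the MEDS project. The toy heap below keeps one shadow byte per heap byte, puts a redzone after every object and holds freed regions in a FIFO quarantine; the heap size, redzone widths and quarantine lengths are constructed values chosen to make the effects visible, not ASan's or MEDS's real parameters.

```c
/* Added example, not code from the MEDS slides or project: a toy redzone-based
 * checker (byte-granular shadow memory + FIFO quarantine). HEAP_SIZE, redzone
 * and quarantine lengths are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE   (1 << 16)
#define MAX_REGIONS 64
enum shadow_state { S_FREE, S_LIVE, S_REDZONE, S_QUARANTINED };

typedef struct { size_t off, size; } region;

typedef struct {
    unsigned char shadow[HEAP_SIZE];            /* one shadow byte per heap byte */
    size_t bump, redzone;                       /* bump pointer; redzone after each object */
    region quar[MAX_REGIONS]; size_t qhead, qcount, qcap;   /* FIFO quarantine */
    region freelist[MAX_REGIONS]; size_t nfree; /* evicted from quarantine, reusable */
} toy_heap;

static void heap_init(toy_heap *h, size_t redzone, size_t qcap) {
    memset(h, 0, sizeof *h);
    h->redzone = redzone;
    h->qcap = (qcap == 0) ? 1 : (qcap > MAX_REGIONS ? MAX_REGIONS : qcap);
}

/* Allocate n bytes followed by a redzone. A region evicted from quarantine is
 * reused when it fits (this is how objz comes to sit on objx's old bytes). */
static size_t toy_malloc(toy_heap *h, size_t n) {
    for (size_t i = 0; i < h->nfree; i++) {
        if (h->freelist[i].size >= n) {
            size_t off = h->freelist[i].off;
            h->freelist[i] = h->freelist[--h->nfree];
            memset(h->shadow + off, S_LIVE, n);
            return off;
        }
    }
    if (h->bump + n + h->redzone > HEAP_SIZE) return (size_t)-1;
    size_t off = h->bump;
    memset(h->shadow + off, S_LIVE, n);
    memset(h->shadow + off + n, S_REDZONE, h->redzone);
    h->bump += n + h->redzone;
    return off;
}

/* Free: poison the bytes and quarantine the region. When the FIFO is full, the
 * oldest region is evicted to the free list and becomes reusable. */
static void toy_free(toy_heap *h, size_t off, size_t n) {
    memset(h->shadow + off, S_QUARANTINED, n);
    if (h->qcount == h->qcap) {
        region old = h->quar[h->qhead];
        h->qhead = (h->qhead + 1) % h->qcap;
        h->qcount--;
        memset(h->shadow + old.off, S_FREE, old.size);
        h->freelist[h->nfree++] = old;
    }
    h->quar[(h->qhead + h->qcount) % h->qcap] = (region){ off, n };
    h->qcount++;
}

/* The instrumented check before every access: all bytes of [off, off+n) must
 * be live. Returns 1 when an error is reported, 0 when the access passes. */
static int toy_check(const toy_heap *h, size_t off, size_t n) {
    if (off + n > HEAP_SIZE) return 1;
    for (size_t i = 0; i < n; i++)
        if (h->shadow[off + i] != S_LIVE) return 1;
    return 0;
}

/* int a[10]; a[10] = x;  -- the off-by-one lands in the redzone. */
static int adjacent_overflow_detected(size_t redzone) {
    static toy_heap h;
    heap_init(&h, redzone, 16);
    size_t a = toy_malloc(&h, 10 * sizeof(int));
    toy_malloc(&h, 10 * sizeof(int));
    return toy_check(&h, a + 10 * sizeof(int), sizeof(int));
}

/* Slide 42: struct A { int num[10]; } is 40 bytes; with one struct allocated,
 * (a+1)->num[8] is byte offset 1*40 + 8*4 = 72, a whole struct past the end. */
static int struct_stride_detected(size_t redzone) {
    static toy_heap h;
    heap_init(&h, redzone, 16);
    size_t a = toy_malloc(&h, 40);
    toy_malloc(&h, 40);                         /* neighbour that absorbs the miss */
    return toy_check(&h, a + 1 * 40 + 8 * sizeof(int), sizeof(int));
}

/* Slides 13-15: use objx after `churn` other objects were freed behind it. */
static int dangling_detected(size_t qcap, size_t churn) {
    static toy_heap h;
    heap_init(&h, 16, qcap);
    size_t x = toy_malloc(&h, 40);
    toy_free(&h, x, 40);
    for (size_t i = 0; i < churn; i++) { size_t t = toy_malloc(&h, 40); toy_free(&h, t, 40); }
    toy_malloc(&h, 40);                         /* objz: reuses objx's region once evicted */
    return toy_check(&h, x, sizeof(int));
}

int main(void) {
    printf("a[10], 16-byte redzone:             %s\n", adjacent_overflow_detected(16) ? "detected" : "missed");
    printf("(a+1)->num[8], 16-byte redzone:     %s\n", struct_stride_detected(16) ? "detected" : "missed");
    printf("(a+1)->num[8], 1024-byte redzone:   %s\n", struct_stride_detected(1024) ? "detected" : "missed");
    printf("dangling, quarantine 2, churn 2:    %s\n", dangling_detected(2, 2) ? "detected" : "missed");
    printf("dangling, quarantine 16, churn 2:   %s\n", dangling_detected(16, 2) ? "detected" : "missed");
    return 0;
}
```

With a 16-byte redzone the off-by-one on a[10] is caught but the stride access (a+1)->num[8] at offset 72 flies over the 40..56 redzone into the neighbouring object and passes the check; widening the redzone to 1024 bytes (the P1 "large gap") catches it. Likewise the dangling use of objx is caught while it sits in quarantine, but once two more frees have pushed it out of a 2-entry FIFO and objz has taken its bytes, the check passes; a 16-entry quarantine (the P2 "large quarantine zone") keeps it detected.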
Slide 46: Conclusion
- Idea: support a large gap and a large quarantine zone
- Approach: page aliasing and page protection; hierarchical memory error detection
- Despite the overhead (108%), MEDS finds more crashes during fuzz testing (68.3%)
- Open source will be available soon. Please use it to detect bugs.
Slide 47: Thank you for listening!
More informationVirtual Memory Outline
Virtual Memory Outline Background Demand Paging Copy-on-Write Page Replacement Allocation of Frames Thrashing Memory-Mapped Files Allocating Kernel Memory Other Considerations Operating-System Examples
More informationMemory Safety for Low- Level Software/Hardware Interactions
Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Montreal or Bust! Vikram Adve Safety Future is Bright User-space memory safety is improving Safe languages SAFECode,
More informationHigh Performance Computing and Programming, Lecture 3
High Performance Computing and Programming, Lecture 3 Memory usage and some other things Ali Dorostkar Division of Scientific Computing, Department of Information Technology, Uppsala University, Sweden
More informationFuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team
Fuzzing AOSP For the Masses AOSP for the Masses Attack Android Right Out of the Box Dan Austin, Google Dan Austin Google Android SDL Research Team Exploitation: Find the Needle Needles are Interesting
More informationAllocating Memory. Where does malloc get memory? See mmap.c 1-2
Allocating Memory Where does malloc get memory? See mmap.c 1-2 Picking Virtual Addresses See mmap2.c and mmap3.c 3 Freeing Pages See munmap.c 4 Pages and Processes See mmap+fork.c and mmap+fork2.c 5 Copy-on-Write
More informationClass Information ANNOUCEMENTS
Class Information ANNOUCEMENTS Third homework due TODAY at 11:59pm. Extension? First project has been posted, due Monday October 23, 11:59pm. Midterm exam: Friday, October 27, in class. Don t forget to
More informationImproving Linux Development with better tools. Andi Kleen. Oct 2013 Intel Corporation
Improving Linux Development with better tools Andi Kleen Oct 2013 Intel Corporation ak@linux.intel.com Linux complexity growing Source lines in Linux kernel All source code 16.5 16 15.5 M-LOC 15 14.5 14
More informationTolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich
XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory,...
More informationMemory Management. Disclaimer: some slides are adopted from book authors slides with permission 1
Memory Management Disclaimer: some slides are adopted from book authors slides with permission 1 CPU management Roadmap Process, thread, synchronization, scheduling Memory management Virtual memory Disk
More informationThe combination of pointers, structs, and dynamic memory allocation allow for creation of data structures
Data Structures in C C Programming and Software Tools N.C. State Department of Computer Science Data Structures in C The combination of pointers, structs, and dynamic memory allocation allow for creation
More informationComputer Systems A Programmer s Perspective 1 (Beta Draft)
Computer Systems A Programmer s Perspective 1 (Beta Draft) Randal E. Bryant David R. O Hallaron August 1, 2001 1 Copyright c 2001, R. E. Bryant, D. R. O Hallaron. All rights reserved. 2 Contents Preface
More informationIS THERE A HOLE IN YOUR RISC-V SECURITY STACK? JOTHY ROSENBERG DOVER MICROSYSTEMS
IS THERE A HOLE IN YOUR RISC-V SECURITY STACK? JOTHY ROSENBERG DOVER MICROSYSTEMS I understand the difference in destruction is dramatic, but this has a whiff of August 1945. Someone just used a new weapon,
More informationVirtual Memory. Motivation:
Virtual Memory Motivation:! Each process would like to see its own, full, address space! Clearly impossible to provide full physical memory for all processes! Processes may define a large address space
More informationCoverage-guided Fuzzing of Individual Functions Without Source Code
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results
More informationCS510 Operating System Foundations. Jonathan Walpole
CS510 Operating System Foundations Jonathan Walpole File System Performance File System Performance Memory mapped files - Avoid system call overhead Buffer cache - Avoid disk I/O overhead Careful data
More informationCIS Operating Systems Memory Management Cache and Demand Paging. Professor Qiang Zeng Spring 2018
CIS 3207 - Operating Systems Memory Management Cache and Demand Paging Professor Qiang Zeng Spring 2018 Process switch Upon process switch what is updated in order to assist address translation? Contiguous
More informationECE 598 Advanced Operating Systems Lecture 12
ECE 598 Advanced Operating Systems Lecture 12 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 1 March 2018 Announcements Next homework will be due after break. Midterm next Thursday
More informationwe are here I/O & Storage Layers Recall: C Low level I/O Recall: C Low Level Operations CS162 Operating Systems and Systems Programming Lecture 18
I/O & Storage Layers CS162 Operating Systems and Systems Programming Lecture 18 Systems April 2 nd, 2018 Profs. Anthony D. Joseph & Jonathan Ragan-Kelley http://cs162.eecs.berkeley.edu Application / Service
More information