HA2lloc: Hardware-Assisted Secure Allocator
Size: px
Start display at page:

Download "HA2lloc: Hardware-Assisted Secure Allocator"

Transcription

1 HA2lloc: Hardware-Assisted Secure Allocator Orlando Arias, Dean Sullivan, Yier Jin University of Central Florida University of Florida June 25, 2017 Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

2 Motivation Background and Motivation Why are we doing this? The state reflected by the Common Vulnerabilities and Exposures database. Memory errors account for the majority of the critical vulnerabilities Large security implications Arbitrary code execution (CVE , CVE , CVE ) Leakage of secrets (CVE , CVE , CVE ) No sign of slowing down Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

3 Motivation Background and Motivation Trends in memory errors % vulnerabilities Heap overflows Use after free Stack overflows Null-pointer dereference Integer overflow Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

4 Memory Errors Background and Motivation Types Spatial: read/write out of bounds 1 int array[10]; 2 3 array[10] = 10; /* out of bounds write */ Temporal: read/write after deallocation 1 int* array = malloc(10 * sizeof(*array)); 2 3 free(array); /* deallocate array */ 4 5 int i = array[0]; /* use after free on read */ Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

5 The Problem Background and Motivation What the attacker does int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array[4] array secret Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

6 The Problem Background and Motivation What the attacker does int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array[4] array secret Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

7 The Problem Background and Motivation What the attacker does int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array[4] array secret Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

8 The Problem Background and Motivation What the attacker does int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array[4] array secret Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

9 The Problem Background and Motivation What the attacker does int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array[4] array secret Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

10 The Problem Background and Motivation What the attacker does int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array[4] array secret Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

11 The Problem Background and Motivation What the attacker does int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array[4] array secret Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

12 The Problem Background and Motivation What the attacker does int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] secret alloc data Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

13 The Problem Background and Motivation What the attacker does int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] secret alloc data Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

14 The Problem Background and Motivation What the attacker does int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] secret alloc data Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

15 The Problem Background and Motivation What the attacker does int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] secret alloc data Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

16 The Problem Background and Motivation What the attacker does int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] secret alloc data Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

17 The Problem Background and Motivation What the attacker does int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] secret alloc data Attacker has access to secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

18 Solutions? Background and Motivation Previous Work Proposed Method CT RT TE SE PO Baggy Bounds Checking 60% AddressSanitizer 73% VTPin 17% WatchdogLite 29% Intel MPX n/a CHERI 0% 15% SPEC2000 evaluated. SPEC2006 evaluated. Microbenchmarks. CT Compile time defense, RT Run time defense, TE Temporal error handling, SE Spatial error handling, PO Performance overhead Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

19 Solutions? Background and Motivation Previous Work Proposed Method CT RT TE SE PO Baggy Bounds Checking 60% AddressSanitizer 73% VTPin 17% WatchdogLite 29% Intel MPX n/a CHERI 0% 15% SPEC2000 evaluated. SPEC2006 evaluated. Microbenchmarks. CT Compile time defense, RT Run time defense, TE Temporal error handling, SE Spatial error handling, PO Performance overhead Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

20 Solutions? Background and Motivation Previous Work Proposed Method CT RT TE SE PO Baggy Bounds Checking 60% AddressSanitizer 73% VTPin 17% WatchdogLite 29% Intel MPX n/a CHERI 0% 15% SPEC2000 evaluated. SPEC2006 evaluated. Microbenchmarks. CT Compile time defense, RT Run time defense, TE Temporal error handling, SE Spatial error handling, PO Performance overhead Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

21 Limitations Background and Motivation Why are memory errors still a problem? Completeness of the defense Completeness of analysis Compiler analysis is static, attacks are runtime Source code must be available for compiler-based approaches Performance overhead Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

22 Dynamic Allocations Introducing HA 2 lloc Observation Allocation size and location is always known at runtime Allocator knows when application frees memory Goals Provide heap buffer protection Handle both temporal and spatial errors Compatible with legacy applications Reduce hits in performance Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

23 Dynamic Allocations HA 2 lloc Components High Level Overview Userland Supervisor Hardware HA 2 lloc libc SYS halloc Kernel MMU BND Check xpte xpte Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

24 Dynamic Allocations HA 2 lloc s Allocator On Allocation process malloc() HA 2 lloc SYS halloc add header OS header pool add data return pointer pages map pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

25 Dynamic Allocations HA 2 lloc s Allocator On Allocation process malloc() HA 2 lloc SYS halloc add header OS header pool add data return pointer pages map pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

26 Dynamic Allocations HA 2 lloc s Allocator On Allocation process malloc() HA 2 lloc SYS halloc add header OS header pool add data return pointer pages map pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

27 Dynamic Allocations HA 2 lloc s Allocator On Allocation process malloc() HA 2 lloc SYS halloc add header OS header pool add data return pointer pages map pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

28 Dynamic Allocations HA 2 lloc s Allocator On Allocation process malloc() HA 2 lloc SYS halloc add header OS header pool add data return pointer pages map pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

29 Dynamic Allocations HA 2 lloc s Allocator On Allocation process malloc() HA 2 lloc SYS halloc add header OS header pool add data return pointer pages map pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

30 Dynamic Allocations HA 2 lloc s Allocator On Allocation process malloc() HA 2 lloc SYS halloc add header OS header pool add data return pointer pages map pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

31 Dynamic Allocations HA 2 lloc s Allocator Allocation constrains Allocator must take into account alignment requirements Type information is lost at compile time Must provide an aligment for a worst case scenario We allocate on 16 byte boundaries (256 starting points on a 4K page) Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

32 Dynamic Allocations HA 2 lloc s Allocator On Access page number xpte bounds data page offset 11:4 VA high low check Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

33 Dynamic Allocations HA 2 lloc s Allocator On Access page number xpte bounds data page offset 11:4 VA high low check Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

34 Dynamic Allocations HA 2 lloc s Allocator On Access page number xpte bounds data page offset 11:4 VA high low check Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

35 Dynamic Allocations HA 2 lloc s Allocator On Access page number xpte bounds data page offset 11:4 VA high low check Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

36 Dynamic Allocations HA 2 lloc s Allocator On Access page number xpte bounds data page offset 11:4 VA high low check Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

37 Spatial Errors Dynamic Allocations Back to the old code int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array secret Access Invalid OK Application receives SIGSEGV Attacker can not access secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

38 Spatial Errors Dynamic Allocations Back to the old code int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array secret Access Invalid OK Application receives SIGSEGV Attacker can not access secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

39 Spatial Errors Dynamic Allocations Back to the old code int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array secret Access Invalid OK Application receives SIGSEGV Attacker can not access secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

40 Spatial Errors Dynamic Allocations Back to the old code int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array secret Access Invalid OK Application receives SIGSEGV Attacker can not access secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

41 Spatial Errors Dynamic Allocations Back to the old code int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array secret Access Invalid OK Application receives SIGSEGV Attacker can not access secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

42 Spatial Errors Dynamic Allocations Back to the old code int array[3]; int secret[4]; for(size_t i = 0; i < top; i++) { transmit(array[i]); } array[0] array[1] array[2] array[3] array secret Access Invalid OK Application receives SIGSEGV Attacker can not access secret! Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

43 Spatial Errors Dynamic Allocations Imperative that The heap must be randomized Accomplished by SYS halloc Bounds forwarded syscall too Allocations must exhibit some form of redzones around them Heal alignment requirements and bounds encoding ensure this Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

44 Dynamic Allocations HA 2 lloc s Allocator On Deallocation process free() HA 2 lloc SYS munmap get info remove header OS header pool invalidated references pointer pages unmap pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

45 Dynamic Allocations HA 2 lloc s Allocator On Deallocation process free() HA 2 lloc SYS munmap get info remove header OS header pool invalidated references pointer pages unmap pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

46 Dynamic Allocations HA 2 lloc s Allocator On Deallocation process free() HA 2 lloc SYS munmap get info remove header OS header pool invalidated references pointer pages unmap pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

47 Dynamic Allocations HA 2 lloc s Allocator On Deallocation process free() HA 2 lloc SYS munmap get info remove header OS header pool invalidated references pointer pages unmap pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

48 Dynamic Allocations HA 2 lloc s Allocator On Deallocation process free() HA 2 lloc SYS munmap get info remove header OS header pool invalidated references pointer pages unmap pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

49 Dynamic Allocations HA 2 lloc s Allocator On Deallocation process free() HA 2 lloc SYS munmap get info remove header OS header pool invalidated references pointer pages unmap pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

50 Dynamic Allocations HA 2 lloc s Allocator On Deallocation process free() HA 2 lloc SYS munmap get info remove header OS header pool invalidated references pointer pages unmap pages Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

51 Temporal Errors Dynamic Allocations Back to the old code int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] bad access alloc data secret Program receives SIGSEGV Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

52 Temporal Errors Dynamic Allocations Back to the old code int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] bad access alloc data secret Program receives SIGSEGV Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

53 Temporal Errors Dynamic Allocations Back to the old code int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] bad access alloc data secret Program receives SIGSEGV Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

54 Temporal Errors Dynamic Allocations Back to the old code int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] bad access alloc data secret Program receives SIGSEGV Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

55 Temporal Errors Dynamic Allocations Back to the old code int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] bad access alloc data secret Program receives SIGSEGV Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

56 Temporal Errors Dynamic Allocations Back to the old code int* alloc_data = (int*)malloc(sizeof(*alloc_data) * 3); free(alloc_data); int* secret = (int*)malloc(sizeof(*secret) * 4); transmit(alloc_data[0]); alloc data[0] bad access alloc data secret Program receives SIGSEGV Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

57 Temporal Errors Dynamic Allocations Imperative that Proper handling of pages with multiple allocations Unmapped pages can not be remapped Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

58 Evaluation Preliminary Evaluation Performance Evaluation hmmer lbm libquantum mcf milc sjeng We are faster than glibc s allocator for large allocations. We are slower than glibc s allocator for small allocations. Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

59 Other Works Preliminary Evaluation Comparison to other works Proposed Method CT RT TE SE PO Baggy Bounds Checking 60% AddressSanitizer 73% VTPin 17% WatchdogLite 29% Intel MPX n/a CHERI 0% 15% Our approach 2.5% Tentative results. CT Compile time defense, RT Run time defense, TE Temporal error handling, SE Spatial error handling, PO Performance overhead Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

60 Conclusions Conclusion and Future Work Conclusion Memory errors are still relevant. Instrumentation-based approaches have issues. Bounds check can be done at runtime with minor overhead. Moving forward Implement hardware component. LEON3? Microarchitecture simulator? Further testing against actual attacks. Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

61 Thank you! Conclusions Questions? Arias, Sullivan, Jin ( UCF, UF) HA 2 lloc June 25, / 22

Similar documents

A program execution is memory safe so long as memory access errors never occur:

A program execution is memory safe so long as memory access errors never occur: A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories

More information

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual

More information

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee *, Chengyu Song, Insik Shin KAIST, * Purdue, UCR 1 Memory error Heartbleed Shellshock

More information

Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization

Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization Anton Kuijsten Andrew S. Tanenbaum Vrije Universiteit Amsterdam 21st USENIX Security Symposium Bellevue,

More information

CSE 153 Design of Operating Systems

CSE 153 Design of Operating Systems CSE 53 Design of Operating Systems Winter 28 Lecture 6: Paging/Virtual Memory () Some slides modified from originals by Dave O hallaron Today Address spaces VM as a tool for caching VM as a tool for memory

More information

Preventing Use-after-free with Dangling Pointers Nullification

Preventing Use-after-free with Dangling Pointers Nullification Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University

More information

Enhancing Memory Error Detection for Larg e-scale Applications and Fuzz testing

Enhancing Memory Error Detection for Larg e-scale Applications and Fuzz testing Enhancing Memory Error Detection for Larg e-scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee *, C hengyu Song, Insik Shin KAIST, * Purdue, UCR 1 Memory error Heartbleed Shellshock

More information

CS-527 Software Security

CS-527 Software Security CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-softsec/ Spring 2017 Eternal

More information

Lecture 19: Virtual Memory: Concepts

Lecture 19: Virtual Memory: Concepts CSCI-UA.2-3 Computer Systems Organization Lecture 9: Virtual Memory: Concepts Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Some slides adapted (and slightly modified) from: Clark Barrett

More information

Virtual Memory II CSE 351 Spring

Virtual Memory II CSE 351 Spring Virtual Memory II CSE 351 Spring 2018 https://xkcd.com/1495/ Virtual Memory (VM) Overview and motivation VM as a tool for caching Address translation VM as a tool for memory management VM as a tool for

More information

Dnmaloc: a more secure memory allocator

Dnmaloc: a more secure memory allocator Dnmaloc: a more secure memory allocator 28 September 2005 Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium

More information

Practical Memory Safety with REST

Practical Memory Safety with REST 1 Practical Memory Safety with REST Kanad Sinha Simha Sethumadhavan Department of Computer Science Columbia University New York, NY, USA {kanad,simha}@cs.columbia.edu Abstract In this paper, we propose

More information

Carnegie Mellon. 16 th Lecture, Mar. 20, Instructors: Todd C. Mowry & Anthony Rowe

Carnegie Mellon. 16 th Lecture, Mar. 20, Instructors: Todd C. Mowry & Anthony Rowe Virtual Memory: Concepts 5 23 / 8 23: Introduction to Computer Systems 6 th Lecture, Mar. 2, 22 Instructors: Todd C. Mowry & Anthony Rowe Today Address spaces VM as a tool lfor caching VM as a tool for

More information

ECE 598 Advanced Operating Systems Lecture 10

ECE 598 Advanced Operating Systems Lecture 10 ECE 598 Advanced Operating Systems Lecture 10 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 17 February 2015 Announcements Homework #1 and #2 grades, HW#3 Coming soon 1 Various

More information

14 May 2012 Virtual Memory. Definition: A process is an instance of a running program

14 May 2012 Virtual Memory. Definition: A process is an instance of a running program Virtual Memory (VM) Overview and motivation VM as tool for caching VM as tool for memory management VM as tool for memory protection Address translation 4 May 22 Virtual Memory Processes Definition: A

More information

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing

More information

Motivations for Virtual Memory Virtual Memory Oct. 29, Why VM Works? Motivation #1: DRAM a Cache for Disk

Motivations for Virtual Memory Virtual Memory Oct. 29, Why VM Works? Motivation #1: DRAM a Cache for Disk class8.ppt 5-23 The course that gives CMU its Zip! Virtual Oct. 29, 22 Topics Motivations for VM Address translation Accelerating translation with TLBs Motivations for Virtual Use Physical DRAM as a Cache

More information

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks

More information

Virtual Memory II. CSE 351 Autumn Instructor: Justin Hsia

Virtual Memory II. CSE 351 Autumn Instructor: Justin Hsia Virtual Memory II CSE 35 Autumn 27 Instructor: Justin Hsia Teaching Assistants: Lucas Wotton Michael Zhang Parker DeWilde Ryan Wong Sam Gehman Sam Wolfson Savanna Yee Vinny Palaniappan https://xkcd.com/495/

More information

SGXBounds Memory Safety for Shielded Execution

SGXBounds Memory Safety for Shielded Execution SGXBounds Memory Safety for Shielded Execution Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia *, Pascal Felber, Christof Fetzer TU Dresden, * The University of Edinburgh,

More information

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee School of Computer Science, Georgia Tech Any Problem Here? /* File: drivers/usb/core/devio.c*/

More information

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned

More information

Virtual Memory Oct. 29, 2002

Virtual Memory Oct. 29, 2002 5-23 The course that gives CMU its Zip! Virtual Memory Oct. 29, 22 Topics Motivations for VM Address translation Accelerating translation with TLBs class9.ppt Motivations for Virtual Memory Use Physical

More information

Operating Systems. 09. Memory Management Part 1. Paul Krzyzanowski. Rutgers University. Spring 2015

Operating Systems. 09. Memory Management Part 1. Paul Krzyzanowski. Rutgers University. Spring 2015 Operating Systems 09. Memory Management Part 1 Paul Krzyzanowski Rutgers University Spring 2015 March 9, 2015 2014-2015 Paul Krzyzanowski 1 CPU Access to Memory The CPU reads instructions and reads/write

More information

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan, Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help

More information

Princeton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

Princeton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management Princeton University Computer Science 217: Introduction to Programming Systems Dynamic Memory Management 1 Agenda The need for DMM DMM using the heap section DMMgr 1: Minimal implementation DMMgr 2: Pad

More information

Stack Bounds Protection with Low Fat Pointers

Stack Bounds Protection with Low Fat Pointers Stack Bounds Protection with Low Fat Pointers Gregory J. Duck, Roland H.C. Yap, and Lorenzo Cavallaro NDSS 2017 Overview Heap Bounds Protection with Low Fat Pointers, CC 2016 Stack New method for detecting

More information

CS510 Operating System Foundations. Jonathan Walpole

CS510 Operating System Foundations. Jonathan Walpole CS510 Operating System Foundations Jonathan Walpole File System Performance File System Performance Memory mapped files - Avoid system call overhead Buffer cache - Avoid disk I/O overhead Careful data

More information

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document

More information

Memory Management! How the hardware and OS give application pgms:" The illusion of a large contiguous address space" Protection against each other"

Memory Management! How the hardware and OS give application pgms: The illusion of a large contiguous address space Protection against each other Memory Management! Goals of this Lecture! Help you learn about:" The memory hierarchy" Spatial and temporal locality of reference" Caching, at multiple levels" Virtual memory" and thereby " How the hardware

More information

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection

More information

virtual memory. March 23, Levels in Memory Hierarchy. DRAM vs. SRAM as a Cache. Page 1. Motivation #1: DRAM a Cache for Disk

virtual memory. March 23, Levels in Memory Hierarchy. DRAM vs. SRAM as a Cache. Page 1. Motivation #1: DRAM a Cache for Disk 5-23 March 23, 2 Topics Motivations for VM Address translation Accelerating address translation with TLBs Pentium II/III system Motivation #: DRAM a Cache for The full address space is quite large: 32-bit

More information

CS527 Software Security

CS527 Software Security Security Policies Purdue University, Spring 2018 Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and

More information

Dynamic Memory Allocation. Zhaoguo Wang

Dynamic Memory Allocation. Zhaoguo Wang Dynamic Memory Allocation Zhaoguo Wang Why dynamic memory allocation? Do not know the size until the program runs (at runtime). #define MAXN 15213 int array[maxn]; int main(void) { int i, n; scanf("%d",

More information

Segmentation. Multiple Segments. Lecture Notes Week 6

Segmentation. Multiple Segments. Lecture Notes Week 6 At this point, we have the concept of virtual memory. The CPU emits virtual memory addresses instead of physical memory addresses. The MMU translates between virtual and physical addresses. Don't forget,

More information

CISC 360. Virtual Memory Dec. 4, 2008

CISC 360. Virtual Memory Dec. 4, 2008 CISC 36 Virtual Dec. 4, 28 Topics Motivations for VM Address translation Accelerating translation with TLBs Motivations for Virtual Use Physical DRAM as a Cache for the Disk Address space of a process

More information

TI2725-C, C programming lab, course

TI2725-C, C programming lab, course Valgrind tutorial Valgrind is a tool which can find memory leaks in your programs, such as buffer overflows and bad memory management. This document will show per example how Valgrind responds to buggy

More information

Random-Access Memory (RAM) Systemprogrammering 2007 Föreläsning 4 Virtual Memory. Locality. The CPU-Memory Gap. Topics

Random-Access Memory (RAM) Systemprogrammering 2007 Föreläsning 4 Virtual Memory. Locality. The CPU-Memory Gap. Topics Systemprogrammering 27 Föreläsning 4 Topics The memory hierarchy Motivations for VM Address translation Accelerating translation with TLBs Random-Access (RAM) Key features RAM is packaged as a chip. Basic

More information

Virtual Memory II. CSE 351 Autumn Instructor: Justin Hsia

Virtual Memory II. CSE 351 Autumn Instructor: Justin Hsia Virtual Memory II CSE 35 Autumn 26 Instructor: Justin Hsia Teaching Assistants: Chris Ma Hunter Zahn John Kaltenbach Kevin Bi Sachin Mehta Suraj Bhat Thomas Neuman Waylon Huang Xi Liu Yufang Sun https://xkcd.com/495/

More information

Random-Access Memory (RAM) Systemprogrammering 2009 Föreläsning 4 Virtual Memory. Locality. The CPU-Memory Gap. Topics! The memory hierarchy

Random-Access Memory (RAM) Systemprogrammering 2009 Föreläsning 4 Virtual Memory. Locality. The CPU-Memory Gap. Topics! The memory hierarchy Systemprogrammering 29 Föreläsning 4 Topics! The memory hierarchy! Motivations for VM! Address translation! Accelerating translation with TLBs Random-Access (RAM) Key features! RAM is packaged as a chip.!

More information

Homework #3 CS2255 Fall 2012

Homework #3 CS2255 Fall 2012 Homework #3 CS2255 Fall 2012 MULTIPLE CHOICE 1. The, also known as the address operator, returns the memory address of a variable. a. asterisk ( * ) b. ampersand ( & ) c. percent sign (%) d. exclamation

More information

Pentium/Linux Memory System March 17, 2005

Pentium/Linux Memory System March 17, 2005 15-213 The course that gives CMU its Zip! Topics Pentium/Linux Memory System March 17, 2005 P6 address translation x86-64 extensions Linux memory management Linux page fault handling Memory mapping 17-linuxmem.ppt

More information

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2 CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,

More information

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks ENEE 457: Computer Systems Security Lecture 16 Buffer Overflow Attacks Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park Buffer overflow

More information

Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring

Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring NDSS 2012 Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring Donghai Tian 1,2, Qiang Zeng 2, Dinghao Wu 2, Peng Liu 2 and Changzhen Hu 1 1 Beijing Institute of Technology

More information

Runtime Defenses against Memory Corruption

Runtime Defenses against Memory Corruption CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,

More information

Last week. Data on the stack is allocated automatically when we do a function call, and removed when we return

Last week. Data on the stack is allocated automatically when we do a function call, and removed when we return Last week Data can be allocated on the stack or on the heap (aka dynamic memory) Data on the stack is allocated automatically when we do a function call, and removed when we return f() {... int table[len];...

More information

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp

More information

SoK: Eternal War in Memory

SoK: Eternal War in Memory SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge

More information

High System-Code Security with Low Overhead

High System-Code Security with Low Overhead High System-Code Security with Low Overhead Jonas Wagner, Volodymyr Kuznetsov, George Candea, and Johannes Kinder École Polytechnique Fédérale de Lausanne Royal Holloway, University of London High System-Code

More information

Porting Linux to x86-64

Porting Linux to x86-64 Porting Linux to x86-64 Andi Kleen SuSE Labs ak@suse.de Abstract... Some implementation details with changes over the existing i386 port are discussed. 1 Introduction x86-64 is a new architecture developed

More information

IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE

IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE Stephen Checkoway and Hovav Shacham March 19, 2013 1 1 A vulnerable program #include int main() { void *p = malloc(100);

More information

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교 Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability

More information

Improving Error Checking and Unsafe Optimizations using Software Speculation. Kirk Kelsey and Chen Ding University of Rochester

Improving Error Checking and Unsafe Optimizations using Software Speculation. Kirk Kelsey and Chen Ding University of Rochester Improving Error Checking and Unsafe Optimizations using Software Speculation Kirk Kelsey and Chen Ding University of Rochester Outline Motivation Brief problem statement How speculation can help Our software

More information

Software security, secure programming

Software security, secure programming Software security, secure programming Lecture 4: Protecting your code against software vulnerabilities? (overview) Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Preamble Bad news several

More information

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta 1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)

More information

Virtual Memory 2: demand paging

Virtual Memory 2: demand paging Virtual Memory : demand paging also: anatomy of a process Guillaume Salagnac Insa-Lyon IST Semester Fall 8 Reminder: OS duties CPU CPU cache (SRAM) main memory (DRAM) fast storage (SSD) large storage (disk)

More information

ECE 598 Advanced Operating Systems Lecture 12

ECE 598 Advanced Operating Systems Lecture 12 ECE 598 Advanced Operating Systems Lecture 12 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 1 March 2018 Announcements Next homework will be due after break. Midterm next Thursday

More information

198:231 Intro to Computer Organization. 198:231 Introduction to Computer Organization Lecture 14

198:231 Intro to Computer Organization. 198:231 Introduction to Computer Organization Lecture 14 98:23 Intro to Computer Organization Lecture 4 Virtual Memory 98:23 Introduction to Computer Organization Lecture 4 Instructor: Nicole Hynes nicole.hynes@rutgers.edu Credits: Several slides courtesy of

More information

Today: Segmentation. Last Class: Paging. Costs of Using The TLB. The Translation Look-aside Buffer (TLB)

Today: Segmentation. Last Class: Paging. Costs of Using The TLB. The Translation Look-aside Buffer (TLB) Last Class: Paging Process generates virtual addresses from 0 to Max. OS divides the process onto pages; manages a page table for every process; and manages the pages in memory Hardware maps from virtual

More information

Baggy bounds checking. Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand

Baggy bounds checking. Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand Baggy bounds checking Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand C/C++ programs are vulnerable Lots of exis5ng code in C and C++ More being wrieen every day C/C++ programs are prone to

More information

CS 31: Intro to Systems Threading & Parallel Applications. Kevin Webb Swarthmore College November 27, 2018

CS 31: Intro to Systems Threading & Parallel Applications. Kevin Webb Swarthmore College November 27, 2018 CS 31: Intro to Systems Threading & Parallel Applications Kevin Webb Swarthmore College November 27, 2018 Reading Quiz Making Programs Run Faster We all like how fast computers are In the old days (1980

More information

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management Princeton University Computer Science 217: Introduction to Programming Systems Dynamic Memory Management 1 Goals of this Lecture Help you learn about: The need for dynamic* memory mgmt (DMM) Implementing

More information

Fast, precise dynamic checking of types and bounds in C

Fast, precise dynamic checking of types and bounds in C Fast, precise dynamic checking of types and bounds in C Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge p.1 Tool wanted if (obj >type == OBJ COMMIT) { if (process commit(walker,

More information

CS399 New Beginnings. Jonathan Walpole

CS399 New Beginnings. Jonathan Walpole CS399 New Beginnings Jonathan Walpole Virtual Memory (1) Page Tables When and why do we access a page table? - On every instruction to translate virtual to physical addresses? Page Tables When and why

More information

Balancing DRAM Locality and Parallelism in Shared Memory CMP Systems

Balancing DRAM Locality and Parallelism in Shared Memory CMP Systems Balancing DRAM Locality and Parallelism in Shared Memory CMP Systems Min Kyu Jeong, Doe Hyun Yoon^, Dam Sunwoo*, Michael Sullivan, Ikhwan Lee, and Mattan Erez The University of Texas at Austin Hewlett-Packard

More information

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007 Heap Off by 1 Overflow Illustrated Eric Conrad October 2007 1 The Attack Older CVS versions are vulnerable to an Off by 1 attack, where an attacker may insert one additional character into the heap CVS

More information

CS252 S05. Main memory management. Memory hardware. The scale of things. Memory hardware (cont.) Bottleneck

CS252 S05. Main memory management. Memory hardware. The scale of things. Memory hardware (cont.) Bottleneck Main memory management CMSC 411 Computer Systems Architecture Lecture 16 Memory Hierarchy 3 (Main Memory & Memory) Questions: How big should main memory be? How to handle reads and writes? How to find

More information

Baggy bounds with LLVM

Baggy bounds with LLVM Baggy bounds with LLVM Anton Anastasov Chirantan Ekbote Travis Hance 6.858 Project Final Report 1 Introduction Buffer overflows are a well-known security problem; a simple buffer-overflow bug can often

More information

Memory Management! Goals of this Lecture!

Memory Management! Goals of this Lecture! Memory Management! Goals of this Lecture! Help you learn about:" The memory hierarchy" Why it works: locality of reference" Caching, at multiple levels" Virtual memory" and thereby " How the hardware and

More information

1. Memory technology & Hierarchy

1. Memory technology & Hierarchy 1 Memory technology & Hierarchy Caching and Virtual Memory Parallel System Architectures Andy D Pimentel Caches and their design cf Henessy & Patterson, Chap 5 Caching - summary Caches are small fast memories

More information

Computer Systems A Programmer s Perspective 1 (Beta Draft)

Computer Systems A Programmer s Perspective 1 (Beta Draft) Computer Systems A Programmer s Perspective 1 (Beta Draft) Randal E. Bryant David R. O Hallaron August 1, 2001 1 Copyright c 2001, R. E. Bryant, D. R. O Hallaron. All rights reserved. 2 Contents Preface

More information

Short Notes of CS201

Short Notes of CS201 #includes: Short Notes of CS201 The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with < and > if the file is a system

More information

High Performance Computing and Programming, Lecture 3

High Performance Computing and Programming, Lecture 3 High Performance Computing and Programming, Lecture 3 Memory usage and some other things Ali Dorostkar Division of Scientific Computing, Department of Information Technology, Uppsala University, Sweden

More information

Inline Reference Monitoring Techniques

Inline Reference Monitoring Techniques Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code

More information

Virtual Memory. Motivations for VM Address translation Accelerating translation with TLBs

Virtual Memory. Motivations for VM Address translation Accelerating translation with TLBs Virtual Memory Today Motivations for VM Address translation Accelerating translation with TLBs Fabián Chris E. Bustamante, Riesbeck, Fall Spring 2007 2007 A system with physical memory only Addresses generated

More information

Code Injection Attacks Buffer Overflows

Code Injection Attacks Buffer Overflows CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 System Security Lecture 1 Code Injection Attacks Buffer Overflows Based on and extracted from Nickolai Zeldovitch, Computer System Security, course material at

More information

CS201 - Introduction to Programming Glossary By

CS201 - Introduction to Programming Glossary By CS201 - Introduction to Programming Glossary By #include : The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with

More information

Lectures 13 & 14. memory management

Lectures 13 & 14. memory management Lectures 13 & 14 Linked lists and memory management Courtesy of Prof. Garcia (UCB) CS61C L05 Introduction to C (pt 3) (1) Review Pointers and arrays are virtually same C knows how to increment pointers

More information

Virtual Memory Nov 9, 2009"

Virtual Memory Nov 9, 2009 Virtual Memory Nov 9, 2009" Administrivia" 2! 3! Motivations for Virtual Memory" Motivation #1: DRAM a Cache for Disk" SRAM" DRAM" Disk" 4! Levels in Memory Hierarchy" cache! virtual memory! CPU" regs"

More information

Physical memory vs. Logical memory Process address space Addresses assignment to processes Operating system tasks Hardware support CONCEPTS 3.

Physical memory vs. Logical memory Process address space Addresses assignment to processes Operating system tasks Hardware support CONCEPTS 3. T3-Memory Index Memory management concepts Basic Services Program loading in memory Dynamic memory HW support To memory assignment To address translation Services to optimize physical memory usage COW

More information

Memory Management. Goals of this Lecture. Motivation for Memory Hierarchy

Memory Management. Goals of this Lecture. Motivation for Memory Hierarchy Memory Management Goals of this Lecture Help you learn about: The memory hierarchy Spatial and temporal locality of reference Caching, at multiple levels Virtual memory and thereby How the hardware and

More information

15 Sharing Main Memory Segmentation and Paging

15 Sharing Main Memory Segmentation and Paging Operating Systems 58 15 Sharing Main Memory Segmentation and Paging Readings for this topic: Anderson/Dahlin Chapter 8 9; Siberschatz/Galvin Chapter 8 9 Simple uniprogramming with a single segment per

More information

Computer Systems. Virtual Memory. Han, Hwansoo

Computer Systems. Virtual Memory. Han, Hwansoo Computer Systems Virtual Memory Han, Hwansoo A System Using Physical Addressing CPU Physical address (PA) 4 Main memory : : 2: 3: 4: 5: 6: 7: 8:... M-: Data word Used in simple systems like embedded microcontrollers

More information

Intel P The course that gives CMU its Zip! P6/Linux Memory System November 1, P6 memory system. Review of abbreviations

Intel P The course that gives CMU its Zip! P6/Linux Memory System November 1, P6 memory system. Review of abbreviations 15-213 The course that gives CMU its Zip! P6/Linux ory System November 1, 01 Topics P6 address translation Linux memory management Linux fault handling memory mapping Intel P6 Internal Designation for

More information

Memory Management. Minsoo Ryu. Real-Time Computing and Communications Lab. Hanyang University.

Memory Management. Minsoo Ryu. Real-Time Computing and Communications Lab. Hanyang University. Memory Management Minsoo Ryu Real-Time Computing and Communications Lab. Hanyang University msryu@hanyang.ac.kr Topics Covered Introduction Memory Allocation and Fragmentation Address Translation Paging

More information

Memory Management Minsoo Ryu Real-Time Computing and Communications Lab. Hanyang University

Memory Management Minsoo Ryu Real-Time Computing and Communications Lab. Hanyang University Memory Management Minsoo Ryu Real-Time Computing and Communications Lab. Hanyang University msryu@hanyang.ac.kr Topics Covered Introduction Memory Allocation and Fragmentation Address Translation Paging

More information

Memory Management Basics

Memory Management Basics Memory Management Basics 1 Basic Memory Management Concepts Address spaces! Physical address space The address space supported by the hardware Ø Starting at address 0, going to address MAX sys! MAX sys!!

More information

Lecture Notes: Unleashing MAYHEM on Binary Code

Lecture Notes: Unleashing MAYHEM on Binary Code Lecture Notes: Unleashing MAYHEM on Binary Code Rui Zhang February 22, 2017 1 Finding Exploitable Bugs 1.1 Main Challenge in Exploit Generation Exploring enough of the state space of an application to

More information

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks

More information

Secure Coding Techniques

Secure Coding Techniques Secure Coding Techniques "... the world outside your function should be treated as hostile and bent upon your destruction" [Writing Secure Code, Howard and LeBlanc] "Distrust and caution are the parents

More information

unsigned char memory[] STACK ¼ 0x xC of address space globals function KERNEL code local variables

unsigned char memory[] STACK ¼ 0x xC of address space globals function KERNEL code local variables Graded assignment 0 will be handed out in section Assignment 1 Not that bad Check your work (run it through the compiler) Factorial Program Prints out ENTERING, LEAVING, and other pointers unsigned char

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.

More information

Memory Management: The process by which memory is shared, allocated, and released. Not applicable to cache memory.

Memory Management: The process by which memory is shared, allocated, and released. Not applicable to cache memory. Memory Management Page 1 Memory Management Wednesday, October 27, 2004 4:54 AM Memory Management: The process by which memory is shared, allocated, and released. Not applicable to cache memory. Two kinds

More information

CS 333 Introduction to Operating Systems. Class 11 Virtual Memory (1) Jonathan Walpole Computer Science Portland State University

CS 333 Introduction to Operating Systems. Class 11 Virtual Memory (1) Jonathan Walpole Computer Science Portland State University CS 333 Introduction to Operating Systems Class 11 Virtual Memory (1) Jonathan Walpole Computer Science Portland State University Virtual addresses Virtual memory addresses (what the process uses) Page

More information

Memory management. Johan Montelius KTH

Memory management. Johan Montelius KTH Memory management Johan Montelius KTH 2017 1 / 22 C program # include int global = 42; int main ( int argc, char * argv []) { if( argc < 2) return -1; int n = atoi ( argv [1]); int on_stack

More information

A Fast Instruction Set Simulator for RISC-V

A Fast Instruction Set Simulator for RISC-V A Fast Instruction Set Simulator for RISC-V Maxim.Maslov@esperantotech.com Vadim.Gimpelson@esperantotech.com Nikita.Voronov@esperantotech.com Dave.Ditzel@esperantotech.com Esperanto Technologies, Inc.

More information

Bypassing AddressSanitizer

Bypassing AddressSanitizer Abstract Bypassing AddressSanitizer Eric Wimberley September 5, 2013 This paper evaluates AddressSanitizer as a next generation memory corruption prevention framework. It provides demonstrable tests of

More information

Memory Corruption 101 From Primitives to Exploit

Memory Corruption 101 From Primitives to Exploit Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code

More information

Dynamic Allocation in C

Dynamic Allocation in C Dynamic Allocation in C C Pointers and Arrays 1 The previous examples involved only targets that were declared as local variables. For serious development, we must also be able to create variables dynamically,

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback