checking memory safety with blast dirk beyer, et al. fase 2005 kaist cs750b 2006 fall seonggun kim
Post on 22-Dec-2015
216 Views
Preview:
TRANSCRIPT
2
Outline
• Memory Safety
• Two-step Approach– CCured: a type-based memory safety analyzer– BLAST: a temporal safety property checker
• CCured
• Conclusion– An improvement in the memory safety analysis
3
Memory Safety
• Essential for security systems– Invalid memory access can…
• Cause a process to crash• Produce incorrect results
– Buffer overflows are the basis of many attacks
• Memory bugs– Dereferencing null-pointer– Dereferencing outside of object bounds– Freeing non-pointers– Using freed memory
4
C and Memory Safety
• C is designed and used for efficiency– Allows many ‘unsafe’ operations
• E.g., casting to arbitrary types
– Sacrifices safety for efficiency
• A solution: Run-time checking
int array[10];…if ( (array+i >= array+10) || (array+i < array)) {exit(EXIT_FAILURE);}val = array[i];
Inserted code
5
Run-time Overhead
• Run-time checking causes slow-down– Time spent executing inserted code– E.g., IBM Rational® Purify: 10x slow-down
• But, in many C programs,– Most pointers are used safely– Only small portions are responsible for unsafe
behavior
• Static analysis can eliminate many run-time checking
6
Checking Memory Safety with BLAST
• BLAST can guarantee a pointer is safely used– by checking if the location labeled
__BLAST_ERROR is reachable– If __BLAST_ERROR is not reachable, we can
eliminate the corresponding checking codeOBJ *p = malloc(sizeof(OBJ));…if (p == NULL) { __BLAST_ERROR: ;}val = p->value;
7
Disadvantage of BLAST
• Expensive (takes long time)– Path sensitive– Generates an execution trace
• Overkill for some checksNot good for large programs
• Solution– Combine BLAST with more efficient tool: CCured
8
Combining BLAST and CCured
• CCured– Efficient– More runtime
checks
• BLAST– Expensive– More powerful– Feedback
• Together– Efficient– Fewer runtime checks– Feedback
CCured
BLAST
program code checking code
9
CCured
• The CCured System
CCuredTranslator
Compile &Execute
C ProgramInstrumented
C Program
Halt: MemorySafety Violation
Success
10
A Little More about CCured
• A type-based memory safety analyzer for C
• Classifies the pointers according to usage– Type-inference– SAFE, SEQ, WILD– Transform normal pointers to “fat-pointers”
• Annotates with run-time checks– SAFE: Null-check– SEQ: check array bound– WILD: check non-pointer and bounds and non-null
11
A Little More about CCured
• Classifies the pointers according to usage casting arith. on pointer
– SAFE: NO NO– SEQ: NO YES– WILD: YES YES (roughly)
• Annotates with run-time checks– SAFE: null-check– SEQ: array bound check (implicit null-check)– WILD: null-check + bound check + non-pointer check
• Remove redundant checks by naïve optimizer
12
SAFE Pointer Invariants and Representation
T * SAFE– Prototypical example: FILE *fp = fopen(filename, “r”);– Can be 0 or a pointer to storage containing a T– All aliases agree on the type of the referenced storage– Must do null-check before dereference– Inexpensive to store and to use (just null-check)
p
statically typed home area
T
x:assert(x.p != null);
13
SEQ Pointer Invariants and Representation
T * SEQ– Can be 0– Can be involved in pointer arithmetic: val = array++;– Null check and bounds check before use– Carries the bounds of a home area consisting of a seq
uence of T’s– All SAFE or SEQ aliases agree on the type of the refere
nced areabase p end
statically typed home area
TT … T…
assert(x.b <= x.p);assert(x.p <= x.e – sizeof(T));x:
14
WILD Pointer Invariants and Representation
T * WILD– Can be a non-pointer (any primitive)– Carries the bounds of a dynamic home area– Has only WILD pointer aliases– Must do a non-pointer and a bounds check– Must maintain the tags when writing (1 bit per
word)
dynamically typed home areaend tag bits
base pindicates which words contain base
assert(x.b != null);assert(x.b <= x.p);assert(x.p <= len(x.b) – sizeof(T’));if (typeof(*(x.p)) is *WILD) assert(tag(x.b, x.p+1) == 1);
15
Example
1: OBJ* f (int **a) {2: int **x;3: int **y = a + 10;4: for (x = a; x < y; x++)5: *x = *y;6: return (OBJ*) *y;7: }
1: OBJ *WILD f (int *WILD *SEQ a) {2: int *WILD *SEQ x;3: int *WILD *SAFE y = a + 10;4: for (x = a; x < y; x++)5: *x = *y;6: return (OBJ *WILD) *y;7: }
16
Example (cont)
1: OBJ *WILD f (int *WILD *SEQ a) {2: int *WILD *SEQ x;3: int *WILD *SAFE y = a + 10;4: for (x = a; x < y; x++)5: *x = *y;6: return (OBJ *WILD) *y;7: }
1 : OBJ *WILD f (int *WILD *SEQ a) {2 : int *WILD *SEQ x;3 : int *WILD *SAFE y = a + 10;4 : for (x = a; x < y; x++)5’: __CHECK_SEQ(x);5”; __CHECK_SAFE(y);5 : *x = *y;6 : return (OBJ *WILD) *y;7 : }
17
Experimental Results of CCured
LOC %Safe %Seq %Wild CCured Ratio Purify Ratio
compress
1590 87 12 0 1.25 28
go 29315 96 4 0 2.01 51
ijpeg 31371 36 1 62 2.15 30
li 7761 93 6 0 1.86 50
bh 2053 80 18 0 1.53 94
bisort 707 90 10 0 1.03 42
em3d 557 85 15 0 2.44 7
ks 973 92 8 0 1.47 31
health 725 93 7 0 0.94 25
18
CCured + BLAST
• Null-pointer dereferencing
1. Annotate a program using CCured• __CHECK_NULL(p);
2. Replace the call to __CHECK_NULL to __BLAST_CHECK_NULL• void __BLAST_CHECK_NULL(void *p) {
if (!p) { __BLAST_ERROR: ; }}
3. Check if __BLAST_ERROR: is reachable
20
Conclusion and Discussion
• An improvement in the memory safety analysis– Scalability and precision
• Pros– A kind of coarse-grained refinement– C.E. can be used for debugging
• Cons– Only handles null-pointer check
• Pointers can be regarded as Boolean variables• State explosion for array bound checking?
21
References
• http://www.inf.ethz.ch/personal/daniekro/classes/se-sem/ss2005/slides/geissbuehler.ppt
• http://nenya.ms.mff.cuni.cz/teaching/seminars/2006-04-11-Adamek-Blast.pdf
• http://osq.cs.berkeley.edu/retreat02/Weimer-CCured.ppt
• http://chess.eecs.berkeley.edu/publications/talks/02/neculaResOverview.ppt
top related