Emery Berger - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
  • Emery Berger
  • University of Massachusetts Amherst

2
About Me
  • Associate Professor at University of Massachusetts Amherst
  • PhD UT-Austin 2002
  • Research interests: programming languages, runtime systems, operating systems

3
Runtime Systems
  • Emery Berger
  • University of Massachusetts Amherst

4
Runtime Systems Old School
Programming Language
Compiler
Libraries
Linker
Object Code
Hardware
6
New School
Programming Language
Interpreter
JIT Compiler
Libraries
Security Mgr.
Dynamic Linker
Garbage Collector
Profiling, Auditing
Concurrency Mgr.
Debugging Support
Object Code
Hardware
7
Old Issues
  • Then: computers were small and slow ⇒ runtime systems must be
    • Memory-efficient
    • Fast
  • Now: computers increasingly powerful
    • Memory efficiency less important
    • Speed still relevant, but not vital

8
Small & Slow
9
What I Do
  • Two hottest topics in PLDI this year: correctness & concurrency
  • Most research focuses on finding bugs; my research agenda (one of them): automatically make programs run correctly, even if they are buggy
  • Target bugs in C/C++/Java (memory errors, concurrency)

10
Problems with C/C++
  • Widely used & fast but unsafe: numerous opportunities for errors & security vulnerabilities
    • Double free
    • Invalid free
    • Uninitialized reads
    • Dangling pointers
    • Buffer overflows (stack & heap)

11
Common Error: Buffer Overflows
  • Canonical buffer overflow
    • Allocate object too small
    • Write past end nukes object Δ bytes forward

char * str = new char[8];
fscanf(socket, "%s", str);

[Heap diagram: str's 8-byte object, labelled "bad object (too small)"; the write continues "Δ bytes past end" into whatever lies after it.]

*** glibc detected *** free(): invalid next size
Segmentation fault (core dumped)
root@localhost

  • Especially risky for server applications
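As an added example (not code from the talk or from any of Berger's systems), the C program below puts the slides' 8-byte object inside a larger, canary-filled arena so that the effect of the unbounded read can be measured instead of being undefined behaviour. The socket is replaced by a constructed input string scanned with sscanf, and the "%7s" variant shows the width-limited read that keeps the write inside the object. The arena layout, the canary value and the input are assumptions chosen for the example.

```c
/* Added example, not from the slides: the canonical new char[8] + "%s" read,
 * made observable.  The object sits in front of a canary region; the number
 * of dead canary bytes is the "delta bytes past end" of the slides. */
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE    8      /* the slides' new char[8] */
#define CANARY_LEN  32
#define CANARY_BYTE 0x5A   /* constructed "known value"; a real canary is random */

/* The 8-byte object followed by a canary region. */
typedef struct { unsigned char bytes[OBJ_SIZE + CANARY_LEN]; } arena_t;

void arena_init(arena_t *a) {
    memset(a->bytes, 0, OBJ_SIZE);
    memset(a->bytes + OBJ_SIZE, CANARY_BYTE, CANARY_LEN);
}

/* Number of canary bytes that no longer hold the known value. */
int dead_canary_bytes(const arena_t *a) {
    int dead = 0;
    for (int i = OBJ_SIZE; i < OBJ_SIZE + CANARY_LEN; i++)
        if (a->bytes[i] != CANARY_BYTE) dead++;
    return dead;
}

/* Read one token from `wire` (stands in for the socket) into the object.
 * bounded == 0 models fscanf(socket, "%s", str): the whole token plus its
 * terminating NUL is stored, however long it is (capped at 31 characters only
 * so that the simulation itself stays defined).  bounded != 0 uses "%7s",
 * which stops after 7 characters, so the 8-byte object always suffices.
 * Returns the number of bytes written past the end of the object (the
 * slides' delta), or -1 if no token could be read. */
int read_token(const char *wire, int bounded, arena_t *a) {
    char scratch[CANARY_LEN];
    int n = bounded ? sscanf(wire, "%7s", scratch) : sscanf(wire, "%31s", scratch);
    if (n != 1) return -1;
    size_t len = strlen(scratch) + 1;       /* token plus NUL */
    memcpy(a->bytes, scratch, len);         /* unbounded case spills into the canary */
    return len > OBJ_SIZE ? (int)(len - OBJ_SIZE) : 0;
}

int main(void) {
    /* Constructed input: a 20-character token, longer than the object. */
    const char *wire = "AAAAAAAAAAAAAAAAAAAA rest";
    arena_t a;
    arena_init(&a);
    int past = read_token(wire, 0, &a);
    printf("unbounded: %d bytes past end, %d dead canary bytes\n",
           past, dead_canary_bytes(&a));
    arena_init(&a);
    past = read_token(wire, 1, &a);
    printf("bounded:   %d bytes past end, %d dead canary bytes\n",
           past, dead_canary_bytes(&a));
    return 0;
}
```

With the 20-character token the unbounded read writes 13 bytes past the object (12 characters plus the NUL), all of which show up as dead canary bytes; the "%7s" read writes nothing past it.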
17
Probabilistic Safety
  • Correct execution in face of errors: PLDI 2006, ASPLOS 2008
  • DieHard: randomized runtime system for C/C++, provably increases odds of benign errors

[Heap diagrams: objects 1–6 in one random layout, where the overflow lands in free space (benign overflow); the same objects in a second random layout, where the same overflow lands on a live object (malignant overflow).]

  • P(buffer overflow has no effect) > n, E[fraction of users with correct execution] > n
  • Prevents heap-based security exploits
  • Reduces effects of real bugs (Squid, Firefox)
  • Optional replication: use multiple cores, further increases reliability & security
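The probability claim on these slides can be checked with a small Monte Carlo model. The C program below is an added example, not DieHard's code; it assumes a single size class of M slots with N live objects placed uniformly at random (as DieHard's randomized heap does), an overflow that reaches the next K slots, and a seeded xorshift generator so the result is reproducible. Each trial is one independent "user" with its own random layout, so the mean over trials is the expected fraction of users that execute correctly. The exact hypergeometric value is computed alongside for comparison.

```c
/* Added example, not from the slides or from DieHard: how often does an
 * overflow on a randomized heap hit only free space?  M slots, N live objects
 * placed at random, overflow covers the K slots after one live object. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Deterministic PRNG (xorshift64) so every run gives the same estimate. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t rng_next(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

/* Place N live objects into M slots uniformly at random (partial
 * Fisher-Yates).  live[i] != 0 marks an occupied slot.  Returns the slot of
 * the live object chosen to be the one that overflows. */
static int random_layout(int M, int N, unsigned char *live) {
    int *slots = malloc((size_t)M * sizeof *slots);
    for (int i = 0; i < M; i++) { slots[i] = i; live[i] = 0; }
    for (int i = 0; i < N; i++) {
        int j = i + (int)(rng_next() % (uint64_t)(M - i));
        int t = slots[i]; slots[i] = slots[j]; slots[j] = t;
        live[slots[i]] = 1;
    }
    int victim = slots[(int)(rng_next() % (uint64_t)N)];
    free(slots);
    return victim;
}

/* Estimate P(an overflow of K slots past a live object touches no live
 * object) over `trials` independent random layouts ("users"). */
double benign_probability(int M, int N, int K, int trials) {
    unsigned char *live = malloc((size_t)M);
    int benign = 0;
    for (int t = 0; t < trials; t++) {
        int victim = random_layout(M, N, live);
        int ok = 1;
        for (int d = 1; d <= K; d++)
            if (live[(victim + d) % M]) { ok = 0; break; }
        benign += ok;
    }
    free(live);
    return (double)benign / trials;
}

/* Exact value: the K slots after the victim are K distinct slots among the
 * other M-1, of which M-N are free (hypergeometric, sampled in order). */
double benign_probability_exact(int M, int N, int K) {
    double p = 1.0;
    for (int d = 0; d < K; d++) {
        if (M - N - d <= 0) return 0.0;   /* not enough free slots left */
        p *= (double)(M - N - d) / (double)(M - 1 - d);
    }
    return p;
}

int main(void) {
    int M = 64, K = 1;   /* constructed: one size class, one-slot overflow */
    for (int N = 8; N <= 56; N += 16)
        printf("M=%d N=%d K=%d  simulated=%.3f  exact=%.3f\n", M, N, K,
               benign_probability(M, N, K, 100000),
               benign_probability_exact(M, N, K));
    return 0;
}
```

The odds fall as the heap fills (N approaches M) and rise with the slack the allocator leaves, which is the knob a randomized heap turns: more free slots between live objects means an overflow of the same size is benign for a larger fraction of users.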

21
Diagnosing Buffer Overflows
  • Canonical buffer overflow
    • Allocate object too small
    • Write past end nukes object Δ bytes forward
    • Not necessarily contiguous

char * str = new char[8];
fscanf(socket, "%s", str);

[Heap diagram: the too-small object and the corrupted location Δ bytes past its end.]

  1. Heap provides no useful information
  2. No way to detect corruption
28
Isolating Buffer Overflows
  • Canaries in freed space detect corruption
    • known random value
    • dead canary ⇒ corruption
  • Run multiple times with DieFast allocator
  • Key insight: overflow must be at same Δ
  • Object 9 overflowed, with high probability

[Heap diagrams: objects 1–10 (object id = allocation time) in a different random layout on each run; red = possible bad object, green = not bad object. Each run's dead canary rules out more objects, until only object 9 is left.]
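The isolation procedure these slides describe (random layouts, canaries in free slots, the same Δ in every run, intersect the candidates) written out as an added C example; it is not DieFast or Exterminator code. It generates layouts with a seeded PRNG rather than a real allocator, works at one-slot granularity, and assumes object 9 writes one slot past its end. Runs in which the overflow silently hits a live object (no canary dies) are treated as uninformative, which is the failure mode slide 27 points at.

```c
/* Added example, not from the slides: isolate the overflowing object by
 * intersecting (object, delta) candidates across randomized runs.
 * Ten objects (ids are allocation order) go into SLOTS slots at random;
 * every free slot holds a canary.  CULPRIT writes one slot past its end. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SLOTS   20
#define OBJECTS 10
#define MAXD    4     /* largest delta the diagnoser considers */
#define CULPRIT 9     /* constructed: object 9 is the buggy one */

static uint64_t rng = 0x2545F4914F6CDD1DULL;
static uint64_t rng_next(void) {
    rng ^= rng << 13; rng ^= rng >> 7; rng ^= rng << 17;
    return rng;
}

/* Candidate set as a boolean matrix: cand[object][delta]. */
typedef struct { unsigned char cand[OBJECTS + 1][MAXD + 1]; } candset_t;

/* One execution: random layout, overflow, canary check.  Fills `run` with
 * the candidates this run supports.  Returns 0 if no canary died. */
int one_run(candset_t *run) {
    int slot[SLOTS];            /* object id in each slot, 0 = free (canary) */
    int idx[SLOTS];             /* slot indices, partially shuffled */
    for (int i = 0; i < SLOTS; i++) { slot[i] = 0; idx[i] = i; }
    int culprit_slot = -1;
    for (int id = 1; id <= OBJECTS; id++) {
        int i = id - 1;
        int j = i + (int)(rng_next() % (uint64_t)(SLOTS - i));
        int t = idx[i]; idx[i] = idx[j]; idx[j] = t;
        slot[idx[i]] = id;
        if (id == CULPRIT) culprit_slot = idx[i];
    }
    /* The bug: one slot past the culprit is overwritten. */
    int hit = (culprit_slot + 1) % SLOTS;
    memset(run, 0, sizeof *run);
    if (slot[hit] != 0) return 0;         /* live object hit: silent, no evidence */
    /* Dead canary at `hit`: every live object up to MAXD slots before it is a
     * candidate at its own delta. */
    for (int d = 1; d <= MAXD; d++) {
        int o = slot[(hit - d + SLOTS) % SLOTS];
        if (o) run->cand[o][d] = 1;
    }
    return 1;
}

/* Repeat runs, intersecting candidate sets, until a single (object, delta)
 * pair survives or max_runs is exhausted.  Returns the object id (0 if still
 * ambiguous); stores its delta and the number of informative runs used. */
int isolate(int max_runs, int *delta_out, int *informative_out) {
    candset_t acc, run;
    int informative = 0, started = 0;
    memset(&acc, 0, sizeof acc);
    for (int r = 0; r < max_runs; r++) {
        if (!one_run(&run)) continue;
        informative++;
        if (!started) { acc = run; started = 1; }
        else
            for (int o = 1; o <= OBJECTS; o++)
                for (int d = 1; d <= MAXD; d++) acc.cand[o][d] &= run.cand[o][d];
        int n = 0, obj = 0, del = 0;
        for (int o = 1; o <= OBJECTS; o++)
            for (int d = 1; d <= MAXD; d++)
                if (acc.cand[o][d]) { n++; obj = o; del = d; }
        if (n == 1) { *delta_out = del; *informative_out = informative; return obj; }
    }
    *informative_out = informative;
    return 0;
}

int main(void) {
    int delta = 0, runs = 0;
    int obj = isolate(60, &delta, &runs);
    printf("object %d overflowed at delta %d (after %d informative runs)\n",
           obj, delta, runs);
    return 0;
}
```

The culprit is present at delta 1 in every informative run, so it can never be eliminated; any other object survives a run only by landing exactly delta slots before the dead canary, which happens with probability about 1/(SLOTS−1) per run, so a handful of informative runs is enough.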
36
Correcting Errors
  • Exterminator (PLDI 2007): corrects errors automatically
  • detects & prevents overflows: pads overflowed objects, malloc(8) → malloc(8 + δ)
  • detects & prevents dangling pointers: defers frees, free(ptr) → delay δ mallocs, then free(ptr)
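An added example (not Exterminator's implementation) of the two corrections on this slide as a thin malloc/free wrapper. A hand-filled patch table says which allocation sites get their objects padded by δ bytes and which get their frees delayed by δ subsequent mallocs; in Exterminator that table would come from the isolation step, and the site would be recovered from the call stack, whereas here the caller passes a site id and the entries are constructed.

```c
/* Added example, not Exterminator's code: runtime patches for isolated bugs.
 *   overflow at site S   -> pad every allocation from S by `pad` bytes
 *   dangling use at site S -> hold frees from S in quarantine for `defer` mallocs */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SITES  16
#define QUARANTINE 64

typedef struct { int site; size_t pad; int defer; } patch_t;
static patch_t patches[MAX_SITES];
static int npatches;

/* Header in front of every object so x_free() knows which site made it. */
typedef struct { int site; size_t usable; } hdr_t;

/* Deferred frees wait here until `ttl` further mallocs have happened. */
static struct { hdr_t *h; int ttl; } quarantine[QUARANTINE];
static int nquar;
static size_t releases;      /* objects actually returned to the system */

static patch_t *find_patch(int site) {
    for (int i = 0; i < npatches; i++)
        if (patches[i].site == site) return &patches[i];
    return NULL;
}

void add_patch(int site, size_t pad, int defer) {
    if (npatches < MAX_SITES) patches[npatches++] = (patch_t){ site, pad, defer };
}

/* Count down every quarantined object; release the ones whose delay expired. */
static void tick_quarantine(void) {
    for (int i = 0; i < nquar; ) {
        if (--quarantine[i].ttl <= 0) {
            free(quarantine[i].h); releases++;
            quarantine[i] = quarantine[--nquar];
        } else {
            i++;
        }
    }
}

void *x_malloc(int site, size_t n) {
    tick_quarantine();
    patch_t *p = find_patch(site);
    size_t usable = n + (p ? p->pad : 0);       /* malloc(8) -> malloc(8 + delta) */
    hdr_t *h = malloc(sizeof *h + usable);
    if (!h) return NULL;
    h->site = site; h->usable = usable;
    return h + 1;
}

void x_free(void *ptr) {
    if (!ptr) return;
    hdr_t *h = (hdr_t *)ptr - 1;
    patch_t *p = find_patch(h->site);
    if (p && p->defer > 0 && nquar < QUARANTINE) {   /* free(ptr) -> wait delta mallocs */
        quarantine[nquar].h = h; quarantine[nquar].ttl = p->defer; nquar++;
        return;
    }
    free(h); releases++;
}

/* Introspection for the caller (and for testing). */
size_t x_usable_size(void *ptr) { return ((hdr_t *)ptr - 1)->usable; }
int    x_quarantined(void)      { return nquar; }
size_t x_released(void)         { return releases; }

int main(void) {
    add_patch(1, 24, 0);   /* constructed: site 1 overflowed by up to 24 bytes */
    add_patch(2, 0, 3);    /* constructed: site 2 objects were used after free */
    char *a = x_malloc(1, 8);
    printf("site 1 asked for 8, got %zu usable bytes\n", x_usable_size(a));
    char *b = x_malloc(2, 16);
    x_free(b);
    printf("site 2 object quarantined: %d pending\n", x_quarantined());
    for (int i = 0; i < 3; i++) x_free(x_malloc(3, 4));   /* three unrelated mallocs */
    printf("after 3 mallocs: %d pending, %zu released\n", x_quarantined(), x_released());
    x_free(a);
    return 0;
}
```

Padding turns a small overflow from site 1 into a write that stays inside the (now larger) object, and the quarantine means a stale pointer from site 2 keeps pointing at memory that has not yet been reused for the next δ allocations; both are exactly the "keep running correctly despite the bug" behaviour the slide describes, bought with a little extra memory.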
37
Empirical Results: Real Faults
  • Mozilla 1.7.3 buffer overflow
  • Debug scenario
    • repeated load of PoC: 23 runs to fix overflow
  • Deployed scenario
    • different browsing sessions: 34 runs to fix

38
New Challenges
  • How do we exploit these processors without making programs just crash faster?
  • We're working on this now
42
Systems at UMass Amherst
  • 40 Faculty, 20 in Systems
  • Areas include Databases, Distributed Computing,
    Graphics, Information Retrieval, Mobility,
    Networking, Operating Systems, Privacy,
    Programming Languages, Security, Sensor Nets,
    Software Engineering
  • Very collaborative
  • Ph.D. only
  • www.cs.umass.edu