1 / 24

Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools

Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools. Olatunji Ruwase * Shimin Chen + Phillip B. Gibbons + Todd C. Mowry *. * School of Computer Science Carnegie Mellon University. + Intel Labs Pittsburgh. Bug detection using Lifeguards.

bedros
Télécharger la présentation

Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools Olatunji Ruwase* Shimin Chen+ Phillip B. Gibbons+ Todd C. Mowry* *School of Computer Science Carnegie Mellon University +Intel Labs Pittsburgh

  2. Bug detection using Lifeguards program Lifeguard • Detect errors by monitoring execution of unmodified binary • Exploit instruction-grained runtime information • Block exploits before software patch • [Savage et al. ‘97, Newsome & Song ’05, Nethercote et al. ‘07] • Significant program slowdown • 10 - 100X using Dynamic Binary Instrumentation(DBI) • Valgrind, PIN, DynamoRIO - 2 -

  3. Why instruction grained Lifeguards are slow program TaintCheck lifeguard mov %eax A add %eax B mov C %eax cmp %ecx, %eax taint(eax) = taint(A) taint(eax) |= taint(B) taint(C) = taint (eax) - 3 -

  4. Why instruction grained Lifeguards are slow program TaintCheck lifeguard taint(eax) = taint(A) mov %eax A taint(eax) |= taint(B) add %eax B taint(C) = taint (eax) mov C %eax cmp %ecx, %eax mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) mov reg_taint(%edx) %al Handler for memory-to-register copy instruction - 4 -

  5. Why instruction grained Lifeguards are slow mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) movreg_taint(%edx) %al Swith execution context mov %eax A Switch execution context mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) or reg_taint(%edx) %al Switch execution context add %eax B mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) mov %al reg_taint(%edx) Switch execution context mov C %eax cmp %ecx, %eax program TaintCheck lifeguard mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) movreg_taint(%edx) %al Switch execution context mov %eax A Switch execution context taint(eax) |= taint(B) add %eax B taint(C) = taint (eax) mov C %eax cmp %ecx, %eax - 5 -

  6. Optimizing Lifeguard code on program paths is hard mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) movreg_taint(%edx) %al Swith execution context mov %eax A Switch execution context mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) or reg_taint(%edx) %al Switch execution context add %eax B mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) mov %al reg_taint(%edx) Switch execution context mov C %eax cmp %ecx, %eax Key obstacle is tight coupling of program & Lifeguard code Instrumented program path - 6 -

  7. Decoupling Lifeguard execution Unoptimized path handler Instrumented program path - 7 -

  8. Lifeguard specific optimizations on program path Compose instruction handlers Program path Unoptimized path handler - 8 -

  9. Lifeguard specific optimizations on program path x86 instruction count of TaintCheck handler for mcf path Compose instruction handlers Program path Optimized path handler Unoptimized path handler - 9 -

  10. Outline Dynamic path optimization of Decoupled Lifeguards Decoupling Lifeguards: Challenges and Solutions Using lifeguard domain knowledge for path optimizations Evaluation Conclusions - 10 -

  11. Decoupling Lifeguards: Challenges and Solutions Issue 1: When to run Lifeguard code Optimized path handler Program path At end of path where data is available - 11 -

  12. Decoupling Lifeguards: Challenges and Solutions Issue 2: How to pass data to Lifeguard Marshall data Buffer Optimized path handler Program path - 12 -

  13. Decoupling Lifeguards: Challenges and Solutions Challenge 1: How to handle side exits 1 1 2 2 3 3 Optimized path handler 4 4 Path handler for side exits Program path - 13 -

  14. Decoupling Lifeguards: Challenges and Solutions Challenge 2: How to contain errors in the path See paper for details of solution based on: Page protection to prevent data corruption Completing checks at function & system calls and indirect jumps Program path Optimized path handler - 14 -

  15. Outline Dynamic path optimization of Decoupled Lifeguards Decoupling Lifeguards: Challenges and Solutions Using lifeguard domain knowledge for path optimizations Evaluation Conclusion - 15 -

  16. Lifeguard optimization opportunities Alias analysis to reduce metadata accesses Dead metadata update detection to eliminate instruction handlers taint(esi) = taint(esi) | taint( ) taint(edx) = taint(edi) taint(edi) = taint(esi) taint(edi) = taint(edi) | taint( ) taint(ecx) = taint( ) taint(edi) = taint(edx) | taint(ecx) taint(ebx) = taint( ) … A B C mov %ecx %eax shr %ecx $16 mov %ecx level1_index(,%ecx,4) and %eax 0xffff shr %eax $2 mov %eax (%eax,%ecx,1) mov reg_taint(%edx) %al D TaintCheck handler for mcf path 6 instructions to access metadata of program memory address - 16 -

  17. Alias analysis for metadata accesses add %esi -0x24[%ebp] mov %edx %edi mov %edi %esi sub %edi -0x24[%ebp] … mov %ecx -0x24[%ebp] lea %edi [%edx,%ecx,1] mov %ebx 0x1c[%ebp] … program taint(esi) = taint(esi) | taint(A) taint(edx) = taint(edi) taint(edi) = taint(esi) taint(edi) = taint(edi) | taint(B) taint(ecx) = taint(C) taint(edi) = taint(edx) | taint(ecx) taint(ebx) = taint(D) … mcf path TaintCheck handler for mcf path - 17 -

  18. Alias analysis for metadata accesses add %esi -0x24[%ebp] mov %edx %edi mov %edi %esi sub %edi -0x24[%ebp] … mov %ecx -0x24[%ebp] lea %edi [%edx,%ecx,1] mov %ebx 0x1c[%ebp] … program taint(esi) = taint(esi) | taint(A) taint(edx) = taint(edi) taint(edi) = taint(esi) taint(edi) = taint(edi) | taint(A) taint(ecx) = taint(A) taint(edi) = taint(edx) | taint(ecx) taint(ebx) = taint(A+64) … mcf path TaintCheck handler for mcf path Enables metadata access CSE optimization described in paper - 18 -

  19. Eliminating dead instruction handlers taint(esi) = taint(esi) | taint(A) taint(edx) = taint(edi) taint(edi) = taint(esi) taint(edi) = taint(edi) | taint(A) taint(ecx) = taint(A) = taint(edx) | taint(ecx) taint(ebx) = taint(A+64) … Dead taint(edi) updates See paper for details of other optimizations: e.g eliminating loop redundancies taint(edi) TaintCheck handler for mcf path - 19 -

  20. Evaluation • Lifeguards • AddrCheck: unallocated memory access • Eraser: concurrency errors • MemCheck: AddrCheck + uninitialized read errors • TaintCheck: security errors • Lifeguard instrumentation platforms • DBI (Valgrind ) & Hardware accelerated (LBA) • Decoupled lifeguard code on program paths of up to 8 branches - 20 -

  21. Lifeguard overhead reduction in Valgrind AddrCheck MemCheck Standard path optimizations(SPO) SPO + dead handler elimination(DHE) - 21 -

  22. Lifeguard overhead reduction in Valgrind AddrCheck 24% reduction 6% reduction MemCheck • Limitations to improvements • Instrumentation overhead • No metadata access CSE Standard path optimizations(SPO) SPO + dead handler elimination(DHE) - 22 -

  23. Results with hardware assisted instrumentation (LBA) SPO SPO + DHE SPO + DHE + Metadata access CSE AddrCheck 50% reduction Eraser 53% reduction MemCheck TaintCheck 38% reduction 42% reduction - 23 -

  24. Conclusions • Decoupling: enables optimization of lifeguard code on program paths • Correctness checking at a path granularity • Multi-versioned checking code to handle side exits • Page protection for containing errors • Lifeguard domain knowledge: enable redundancy elimination beyond standard optimizations • Better alias analysis • Lifeguard-specific dead code & common subexpression elimination • Lifeguard overhead reductions • Up to 24% on Valgrind • Up to 53% on LBA - 24 -

More Related