250 likes | 394 Vues
Archipelago: Trading Address Space for Reliability and Security V.B. Lvin, G. Novark, E.D. Berger (UMASS), B.G. Zorn (MSR). ASPLOS’08. Shimin Chen LBA Reading Group Presentation. Motivation. Memory errors in C/C++ programs Difficult to debug, easy to exploit
E N D
Archipelago: Trading Address Space for Reliability and SecurityV.B. Lvin, G. Novark, E.D. Berger (UMASS), B.G. Zorn (MSR). ASPLOS’08. Shimin Chen LBA Reading Group Presentation
Motivation • Memory errors in C/C++ programs • Difficult to debug, easy to exploit • Existing approaches not sufficient • Testing tools: valgrind, purify -- overhead • Conservative garbage collectors – no buffer overflow protection • Compiler-based approaches: need source code, runtime overhead/programmer intervention
This Paper • Idea: • 64-bit machine, large virtual address space • Allocate one object per page • Ensure the distance between objects is large • “Archipelago”: objects are in “islands”
Outline • Introduction • Background • Archipelago Architecture • Evaluation • Conclusions
unmapped committed reserved Virtual Memory Page State 3.munmap 3.munmap 1.mmap 2.First access: a fresh zero page 4.madvise(MADV_DONTNEED)
Probabilistic Memory Safety • DieHard • Ideal: an infinite heap memory is ideal • Objects are allocated fresh • Infinitely far away from each other • Never deallocated • Probabilistic: M-heap • M times larger than needed • Two objects are separated by M-1 unused objects w/ high prob
Outline • Introduction • Background • Archipelago Architecture • Evaluation • Conclusions
Overall Picture A Pre-loaded library replacing malloc/free etc.
Randomizing Object-Per-Page Allocator • Use mmap to reserve a pool of virtual pages (512MB) • madvise(MADV_RANDOM) • Pages are instantiated upon actual use • A bitmap: free/allocated • Allocation: randomly pick one page • Ensure the pool is at most half full • Bounds worst-case expected probes
Large objects Randomize in-page offset for CPU cache performance
Hot Object Space + Cold Storage • Problem: cannot afford a page per object • Observation: working set hypothesis • Solution: • Hot object per page: keep a fixed number • Cold object compacted • Saved in conventional heap • The virtual page is marked as not accessible, then released back to OS • Detect access then inflate it by segfault handler
Hot Object Space Details • FIFO queue for hot object pages • size configurable, default 5000 objects • Allocation: enqueue to tail • Queue Full: compact the head object • Access a compacted page: enqueue to tail
Cold Storage More Details • When compacting, detect the actual size of the object by scanning the page backwards until first non-zero • Overflowed buffer is copied correctly • mprotect(page, PROT_NONE) • madvise(page, MADV_DONTNEED)
Outline • Introduction • Background • Archipelago Architecture • Evaluation • Conclusions
Experimental Setup • Dual-processor (chip), 4-core/processor, 64-bit Intel Xeon at 2.33 Ghz • 4MB L2 cache • 8GB RAM • Linux kernel 2.6.22-rc2-mm1 • This version performs madvise lazily thus boost Archipelago’s performance • Compare against GNU Libc, and DieHard
Sever Applications (loopback network interface) About 2,000 ~ 10,000 objects per second Normalized performance
Memory Intensive espresso(allocate 1.5 million objects per second)
Injected Faults Free x allocations earlier 0.01~thousands faults, 0.001~hundreds faults, 0.0001~tens faults
Avoid Real Buffer Overflow • Pine • Squid
Conclusion • Taking advantage of large virtual address space • Object per virtual page • Hot objects use physical pages • Cold objects are compacted