Efficient dynamic detection of input related software faults

  • Authors:
  • Eric D. Larson; Todd Austin

  • Type:
  • PhD thesis
  • Year:
  • 2004


Abstract

Bugs caused by improperly bounded program inputs cost software companies millions of dollars annually. These bugs can be exploited by malicious users, allowing them to overwrite buffers and execute harmful code. This thesis describes a dynamic approach for detecting input-related software faults that is both efficient and less dependent on the input provided to the program. We address one of the major drawbacks of dynamic bug detection: its dependence on the particular input. Typically, users must specify precise inputs in order to expose bugs. Our approach relaxes this requirement by shadowing input-derived variables with additional state that characterizes the allowed bounds. Potentially hazardous program sites, such as array references and string functions, are checked against the entire range of values that users could specify. If any specifiable input could cause a fault, the program displays an error message. Overall, our approach found several bugs, including two high-risk security bugs in a recent version of OpenSSH.

Our checker was implemented using MUSE, a general-purpose instrumentation tool we created. Users add instrumentation to programs by matching patterns written in a pattern specification language. In addition to bug detection tools, users can create profilers, coverage tools, and debugging aids with MUSE.

Finding software faults at run time impacts performance. To lessen this impact, a static analysis phase determines which variables need to be shadowed with additional state, called shadowed state. Only variables that contain input data and hold a value that will eventually be used in a dangerous operation require shadowed state. Subsequently, instrumentation is only applied to statements that need shadowed state. This optimization reduced the number of instrumentation sites by 68% and improved performance by 50% on average across a set of benchmarks and networking programs.

In addition, we improved the management of shadowed state by tightly integrating the instrumentation with the compiler. This optimization shifts the burden of looking up shadowed state for local variables from run time to compile time. By itself, improving shadowed state management improved performance by 33%. Overall, performance improved by 58% when both optimizations were applied.
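The abstract describes shadowing input-derived variables with a bounds range and checking hazardous sites against the whole range rather than the one value seen on the current run. The C program below is an added illustration of that idea written for this page; it is not code from the thesis or from MUSE, and the `shadow_t` type, the helper names, the 128-byte buffer capacity and the one-byte length field of the constructed message are all assumptions made here. It shows how a concrete run with length 10 passes an ordinary bounds check while the shadow range exposes that some other specifiable length would index past the buffer or overflow a copy, and how narrowing the range (a clamp) makes the same site check clean.

```c
#include <stdio.h>

/* Shadow state attached to an input-derived integer: the concrete value
 * seen on this run plus the range [lo, hi] any user could have supplied.
 * (Assumed representation for this example, not the thesis's own.) */
typedef struct {
    long val;
    long lo;
    long hi;
} shadow_t;

/* Created at an input site: the program knows the field's width, so it
 * knows every value the field could hold. */
static shadow_t shadow_input(long val, long lo, long hi) {
    shadow_t s = { val, lo, hi };
    return s;
}

static long min_long(long a, long b) { return a < b ? a : b; }
static long max_long(long a, long b) { return a > b ? a : b; }

/* Propagation through arithmetic keeps the range sound. */
static shadow_t shadow_add_const(shadow_t s, long c) {
    shadow_t r = { s.val + c, s.lo + c, s.hi + c };
    return r;
}

static shadow_t shadow_mul_const(shadow_t s, long c) {
    long a = s.lo * c, b = s.hi * c;
    shadow_t r = { s.val * c, min_long(a, b), max_long(a, b) };
    return r;
}

/* A clamp (the kind of fix the checker would point at) narrows the range. */
static shadow_t shadow_clamp(shadow_t s, long lo, long hi) {
    shadow_t r = { s.val < lo ? lo : (s.val > hi ? hi : s.val),
                   max_long(s.lo, lo), min_long(s.hi, hi) };
    return r;
}

/* Hazardous site: array reference. 1 if some specifiable index leaves [0, len). */
static int unsafe_index(shadow_t idx, long len) {
    return idx.lo < 0 || idx.hi >= len;
}

/* Hazardous site: copying n bytes into a buffer of cap bytes. */
static int unsafe_copy_len(shadow_t n, long cap) {
    return n.lo < 0 || n.hi > cap;
}

/* Constructed message: byte 0 is a one-byte length field (0..255). */
#define BUF_CAP 128
static const unsigned char sample_msg[] = { 10, 'h','e','l','l','o' };

/* index = len - 1; the concrete run (9) is in bounds, the range is not. */
int demo_index_fault(void) {
    shadow_t n = shadow_input(sample_msg[0], 0, 255);
    shadow_t last = shadow_add_const(n, -1);     /* [-1, 254] */
    return unsafe_index(last, BUF_CAP);          /* 1: fault possible */
}

/* Copying len bytes into a 128-byte buffer: 255 would overflow it. */
int demo_copy_fault(void) {
    shadow_t n = shadow_input(sample_msg[0], 0, 255);
    return unsafe_copy_len(n, BUF_CAP);          /* 1: fault possible */
}

/* Same copy after clamping the length: the range fits, so no report. */
int demo_copy_fixed(void) {
    shadow_t n = shadow_clamp(shadow_input(sample_msg[0], 0, 255), 0, BUF_CAP);
    return unsafe_copy_len(n, BUF_CAP);          /* 0 */
}

/* A scaled index into a 512-entry table: the whole range [0, 510] is safe,
 * so the checker stays silent even though the site depends on input. */
int demo_scaled_safe(void) {
    shadow_t n = shadow_input(sample_msg[0], 0, 255);
    return unsafe_index(shadow_mul_const(n, 2), 512);  /* 0 */
}

int main(void) {
    printf("concrete len=%d: index fault=%d copy fault=%d clamped copy=%d scaled index=%d\n",
           sample_msg[0], demo_index_fault(), demo_copy_fault(),
           demo_copy_fixed(), demo_scaled_safe());
    return 0;
}
```

The point of the range checks is the one the abstract makes: a single concrete run with length 10 exercises none of the faults, yet the shadow state reports them because a length of 0 or 255 is equally specifiable by a user.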