decoupled lifeguards: enabling path optimizations for dynamic correctness checking tools
DESCRIPTION
Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools. Olatunji Ruwase * Shimin Chen + Phillip B. Gibbons + Todd C. Mowry *. * School of Computer Science Carnegie Mellon University. + Intel Labs Pittsburgh. Bug detection using Lifeguards. - PowerPoint PPT PresentationTRANSCRIPT
Ruwase, Chen, Gibbons and Mowry
Carnegie MellonCarnegie Mellon
Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking
Tools
Olatunji Ruwase* Shimin Chen+
Phillip B. Gibbons+ Todd C. Mowry*
+ Intel Labs Pittsburgh*School of Computer ScienceCarnegie Mellon University
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Bug detection using Lifeguards
Detect errors by monitoring execution of unmodified binary Exploit instruction-grained runtime information Block exploits before software patch [Savage et al. ‘97, Newsome & Song ’05, Nethercote et al. ‘07]
Significant program slowdown 10 - 100X using Dynamic Binary Instrumentation(DBI)
Valgrind, PIN, DynamoRIO
program
Lifeguard
Decoupled Lifeguards - 2 -
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Why instruction grained Lifeguards are slow
Decoupled Lifeguards - 3 -
program
mov %eax A
add %eax B
mov C %eaxcmp %ecx, %eax
taint(eax) = taint(A)
taint(C) = taint (eax)
taint(eax) |= taint(B)
TaintCheck lifeguard
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
mov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov reg_taint(%edx) %al
taint(eax) = taint(A)mov %eax Ataint(eax) |= taint(B)add %eax Btaint(C) = taint (eax)mov C %eaxcmp %ecx, %eax
Why instruction grained Lifeguards are slow
Decoupled Lifeguards - 4 -
program
Handler for memory-to-register copy instruction
TaintCheck lifeguard
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Why instruction grained Lifeguards are slow
Decoupled Lifeguards - 5 -
mov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov reg_taint(%edx) %alSwitch execution context mov %eax ASwitch execution contexttaint(eax) |= taint(B)add %eax Btaint(C) = taint (eax)mov C %eaxcmp %ecx, %eax
mov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov reg_taint(%edx) %alSwith execution contextmov %eax ASwitch execution contextmov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)or reg_taint(%edx) %alSwitch execution contextadd %eax Bmov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov %al reg_taint(%edx) Switch execution contextmov C %eaxcmp %ecx, %eax
program
TaintCheck lifeguard
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Optimizing Lifeguard code on program paths is hard
Decoupled Lifeguards - 6 -
mov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov reg_taint(%edx) %alSwith execution contextmov %eax ASwitch execution contextmov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)or reg_taint(%edx) %alSwitch execution contextadd %eax Bmov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov %al reg_taint(%edx) Switch execution contextmov C %eaxcmp %ecx, %eax
Key obstacle is tight coupling of program & Lifeguard code
Instrumented program path
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Decoupling Lifeguard execution
Decoupled Lifeguards - 7 -
Unoptimized path handler
Instrumented program path
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Lifeguard specific optimizations on program path
Decoupled Lifeguards - 8 -
Program path
Unoptimized path
handler
Compose instruction handlers
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Lifeguard specific optimizations on program path
Decoupled Lifeguards - 9 -
Program path
Unoptimized path
handler
Optimized path handler
Original
Standard path opts
Lifeguard path opts
86 81(95%) 47(55%)
x86 instruction count of TaintCheck handler for mcf path
Compose instruction handlers
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Outline
Dynamic path optimization of Decoupled Lifeguards
Decoupling Lifeguards: Challenges and Solutions
Using lifeguard domain knowledge for path optimizations
Evaluation
Conclusions
Decoupled Lifeguards - 10 -
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Decoupling Lifeguards: Challenges and Solutions
Decoupled Lifeguards - 11 -
Issue 1: When to run Lifeguard code
Optimized path handler
At end of path where data is
available
Program path
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Decoupling Lifeguards: Challenges and Solutions
Decoupled Lifeguards - 12 -
Issue 2: How to pass data to Lifeguard
Program path
Buffer Optimized path handler
Marshalldata
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Decoupling Lifeguards: Challenges and Solutions
Decoupled Lifeguards - 13 -
Challenge 1: How to handle side exits
Program path
1
2
3
4
1
2
3
4
Path handler for side exits
Optimized path handler
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Decoupling Lifeguards: Challenges and Solutions
Decoupled Lifeguards - 14 -
Challenge 2: How to contain errors in the path
See paper for details of solution based on:1.Page protection to prevent data corruption2.Completing checks at function & system calls and indirect jumps
Program path
Optimized path handler
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Outline
Dynamic path optimization of Decoupled Lifeguards
Decoupling Lifeguards: Challenges and Solutions
Using lifeguard domain knowledge for path optimizations
Evaluation
Conclusion
Decoupled Lifeguards - 15 -
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Lifeguard optimization opportunities
Decoupled Lifeguards - 16 -
taint(esi) = taint(esi) | taint( )taint(edx) = taint(edi)taint(edi) = taint(esi)taint(edi) = taint(edi) | taint( )
taint(ecx) = taint( )taint(edi) = taint(edx) | taint(ecx)taint(ebx) = taint( )…
TaintCheck handler for mcf path
6 instructions to access metadata of program memory address
mov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov reg_taint(%edx) %al
A
B
C
D
1. Alias analysis to reduce metadata accesses
2. Dead metadata update detection to eliminate instruction handlers
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Alias analysis for metadata accesses
Decoupled Lifeguards - 17 -
taint(esi) = taint(esi) | taint(A)taint(edx) = taint(edi)taint(edi) = taint(esi)taint(edi) = taint(edi) | taint(B)
taint(ecx) = taint(C)taint(edi) = taint(edx) | taint(ecx)taint(ebx) = taint(D)…
add %esi -0x24[%ebp]mov %edx %edimov %edi %esisub %edi -0x24[%ebp]…mov %ecx -0x24[%ebp]lea %edi [%edx,%ecx,1]mov %ebx 0x1c[%ebp]… mcf path TaintCheck handler for mcf
path
program
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Alias analysis for metadata accesses
Decoupled Lifeguards - 18 -
taint(esi) = taint(esi) | taint(A)taint(edx) = taint(edi)taint(edi) = taint(esi)taint(edi) = taint(edi) | taint(A)
taint(ecx) = taint(A)taint(edi) = taint(edx) | taint(ecx)taint(ebx) = taint(A+64)…Enables metadata access CSE
optimization described in paper
TaintCheck handler for mcf path
add %esi -0x24[%ebp]mov %edx %edimov %edi %esisub %edi -0x24[%ebp]…mov %ecx -0x24[%ebp]lea %edi [%edx,%ecx,1]mov %ebx 0x1c[%ebp]… mcf path
program
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Eliminating dead instruction handlers
Decoupled Lifeguards - 19 -
taint(esi) = taint(esi) | taint(A)taint(edx) = taint(edi)taint(edi) = taint(esi)taint(edi) = taint(edi) | taint(A)
taint(ecx) = taint(A) = taint(edx) | taint(ecx)taint(ebx) = taint(A+64)…
Dead taint(edi) updates
See paper for details of other optimizations: e.g eliminating loop redundancies
TaintCheck handler for mcf path
taint(edi)
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Evaluation Lifeguards
AddrCheck: unallocated memory access Eraser: concurrency errors MemCheck: AddrCheck + uninitialized read errors TaintCheck: security errors
Lifeguard instrumentation platforms DBI (Valgrind ) & Hardware accelerated (LBA)
Decoupled lifeguard code on program paths of up to 8 branches
Decoupled Lifeguards - 20 -
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Lifeguard overhead reduction in Valgrind
Decoupled Lifeguards - 21 -
AddrCheck
MemCheck
Standard path optimizations(SPO)
SPO + dead handler elimination(DHE)
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Lifeguard overhead reduction in Valgrind
Decoupled Lifeguards - 22 -
AddrCheck
MemCheck
24% reduction
6% reduction Limitations to improvements• Instrumentation overhead• No metadata access CSE
Standard path optimizations(SPO)
SPO + dead handler elimination(DHE)
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Results with hardware assisted instrumentation (LBA)
Decoupled Lifeguards - 23 -
AddrCheck
MemCheck TaintCheck
Eraser50% reduction 53%
reduction
42% reduction
38% reduction
SPO SPO + DHE SPO + DHE + Metadata access CSE
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Conclusions
Decoupled Lifeguards - 24 -
Decoupling: enables optimization of lifeguard code on program paths Correctness checking at a path granularity Multi-versioned checking code to handle side exits Page protection for containing errors
Lifeguard domain knowledge: enable redundancy elimination beyond standard optimizations Better alias analysis Lifeguard-specific dead code & common subexpression
elimination
Lifeguard overhead reductions Up to 24% on Valgrind Up to 53% on LBA