AddressSanitizer for Windows
Timur Iskhodzhanov, Google
AddressSanitizer (a.k.a. ASan)
● High performance
  ○ Uses compile-time instrumentation
  ○ Lightweight algorithm
  ○ Multi-threaded
● Focuses on severe bugs
  ○ buffer overflows
  ○ uses of freed / unavailable memory
  ○ and more
● Supports Linux, Mac OS; more in development
ASan overview follows. A more complete version: Konstantin Serebryany, Derek Bruening, Alexander Potapenko, Dmitry Vyukov, "AddressSanitizer: A Fast Address Sanity Checker", Proceedings of the 2012 USENIX Annual Technical Conference, 2012.
ASan code instrumentation
Original code:
    *addr = 42;
Instrumented pseudocode:
    if (!is_ok_to_use(addr)) print_report_and_crash();
    // memory is ok to use:
    *addr = 42;
ASan shadow memory
The state of every aligned 8 bytes of memory is stored in a single shadow byte.
Simple shadow address calculation: shadow_addr = addr / 8 + offset
Allows very simple instrumentation, performed at LLVM IR level.
ASan shadow memory
● Easy to allocate memory for the shadow
● Fixed address range
● Have to do it early
Memory: 0x40000000 to 0x7fffffff
Shadow: 0x20000000 to 0x2fffffff
Memory: 0x00000000 to 0x1fffffff
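As an added example (not code from the slides or from the ASan project), the scheme of slides 4 to 6 carried through in C: a toy address space scaled down by 2^20, so app memory is 0x000..0x7ff and the shadow sits at offset 0x200 (the slide's 0x20000000); is_ok_to_use() is the inserted check, poison_alloc()/poison_free() are what the intercepted malloc/free do to the shadow, and describe() is the bug-class lookup the report makes. The shadow values 0xfa/0xfd and the redzone size are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy address space: the slide's 32-bit layout scaled down by 2^20, so app
 * memory is 0x000..0x7ff and its shadow lands at 0x200..0x2ff. */
#define kShadowOffset 0x200u   /* stands in for the slide's 0x20000000 */
static uint8_t space[0x800];
/* Shadow values for poisoned bytes (constructed, modelled on ASan's encoding). */
#define kHeapRedzone 0xfa      /* redzone around a live allocation */
#define kHeapFreed   0xfd      /* bytes of a freed allocation      */

/* shadow_addr = addr / 8 + offset, as on slide 5 */
static uint8_t *shadow_for(uint32_t addr) { return &space[(addr >> 3) + kShadowOffset]; }

/* One shadow byte per aligned 8-byte granule: 0 = all 8 bytes addressable,
 * k in 1..7 = only the first k bytes addressable, negative = poisoned. */
static int byte_ok(uint32_t addr) {
    int8_t k = (int8_t)*shadow_for(addr);
    return k == 0 || (k > 0 && (int8_t)(addr & 7) < k);
}

/* The check the instrumentation inserts before an access of size bytes. */
int is_ok_to_use(uint32_t addr, size_t size) {
    for (size_t i = 0; i < size; i++)
        if (!byte_ok(addr + (uint32_t)i)) return 0;
    return 1;
}

/* malloc side: make [addr, addr+size) addressable with rz bytes of redzone
 * on each side. addr and rz are multiples of 8, as ASan's allocator ensures. */
void poison_alloc(uint32_t addr, uint32_t size, uint32_t rz) {
    for (uint32_t a = addr - rz; a < addr; a += 8) *shadow_for(a) = kHeapRedzone;
    for (uint32_t a = addr; a + 8 <= addr + size; a += 8) *shadow_for(a) = 0;
    if (size % 8) *shadow_for(addr + size - size % 8) = (uint8_t)(size % 8);
    for (uint32_t a = (addr + size + 7) & ~7u; a < addr + size + rz; a += 8)
        *shadow_for(a) = kHeapRedzone;
}
/* free side: the whole block turns poisoned, so later uses are caught. */
void poison_free(uint32_t addr, uint32_t size) {
    for (uint32_t a = addr; a < addr + size; a += 8) *shadow_for(a) = kHeapFreed;
}

/* Report side: name the bug class from the shadow byte of a bad access. */
const char *describe(uint32_t addr) {
    if (is_ok_to_use(addr, 1)) return "addressable";
    uint8_t *s = shadow_for(addr);
    if (*s > 0 && *s < 8) s++;   /* partial granule: the kind is in the next byte */
    if (*s == kHeapRedzone) return "heap-buffer-overflow";
    if (*s == kHeapFreed)   return "heap-use-after-free";
    return "unknown-poison";
}
```

A 12-byte allocation at 0x100 occupies one full granule plus a partial one (shadow byte 4), so byte 11 passes the check and byte 12 lands in the right redzone and is reported as heap-buffer-overflow.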
Function interception
Have to intercept some functions:
● malloc, free, etc. – to track memory
● strlen, memcpy, etc. – to detect more errors
● pthread_create, etc. – to understand the app
Error reporting
● Grab the current stack trace
● Pinpoint the (mis)accessed memory allocation
● Get extra info from allocation metadata
● Print out everything
● Terminate the process
ASan for Windows – overview
● Goal: find nasty Chromium bugs on Windows
● Started in 2012 after ASan success on Linux
● “Beta” experience available mid-2014
Progress overview
● Instrumentation – no changes needed, thanks IR!
● Significant changes to the ASan run-time library (RTL)
● Massive effort on Clang C++ ABI support
● clang-cl bonus: can mix MSVC & Clang .obj files, supports automatic fallback (e.g. code with exceptions)
C run-time support
● Multiple C run-time (CRT) implementations:
  ○ /MT (static linkage)
  ○ /MTd (static linkage, debug)
  ○ /MD (DLL linkage)
  ○ /MDd (DLL linkage, debug)
● Each CRT requires different handling
● Currently supported: /MT, /MD
● Each DLL might have its own copy of the /MT CRT, i.e. malloc, heap, CRT global state etc.
/MT CRT support
EXE
● Just define malloc, etc. to intercept them
● dllimport’ed functions like CreateThread need to be hot-patched at start-up
● Init ASan RTL as part of the first calloc early in CRT init
DLL
● Redirect calls to intercepted functions from the DLL to the interceptor implementations in the EXE
/MD CRT support
● Also need to hot-patch MSVCR*.dll early
● RTL is a DLL with no dependencies on the CRT, so it gets initialized earlier
Report symbolization and debug info
ASan requires line tables to be useful.
Added COFF line table debug info support to LLVM
● Almost-free bonus: can step line by line in debuggers (VS, windbg)
● Can’t look up variable values though
Deployment
● Can build and run Chromium
● Deployed to ClusterFuzz, found 50+ security bugs in 3 months
● We’re working with Mozilla Firefox and other OSS developers
Please try AddressSanitizer on your Windows app
p.s. tests and patches are welcome
Timur Iskhodzhanov
Thanks for listening!