How to Shadow Every Byte of Memory Used by a Program

1. How to Shadow Every Byte of Memory Used by a Program 2007. 11. 1

2. Thesis • 현존하는 dynamic binary analysis tool들은 강력한 shadow memory 기법을 사용하는데 세부적으로 고려 되지 않으므로, 이 논문에서는 Valgrind가 제공하는 Memcheck의 shadow memory 구현을 설명하고 실험을 통하여 기존 도구들보다 효율적이고 견고함을 보인다. NeSe07h

3. What is Shadow Memory? • lets a tool remember something about the history of every memory location and/or value in memory • DBA tools using shadow memory • Memcheck, TaintCheck, Eraser, Hobbes,Annelid, Redux, pinSEL…. • hard to implement well • Speed: large amounts of extra state, shadow memory operations • Robustness: portable, don’t affect original memory, compact using memory history of memory( allocation, defined,…) not use NeSe07h

4. Memcheck • a memory error detector designed for C and C++ programs • maintains three kinds of meta data about the running client • A bits. • 0 : unaddressable byte • 1 : addressable byte • V bits. • 0 : defined bit • 1 : undefined bit • Heap blocks. Detect • bad or repeated frees of heap blocks • memory leaks NeSe07h

5. … … … V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V V A A A A A A A A A A A A … Shadow Memory Data Structures SM1 DSM SM2 PM 0KB 64KB 128KB 192KB 3904KB 3968KB 4032KB NeSe07h

6. Loads, Stores and Range • Range • NOACCESS : unaddressable • UNDEFINED : addressable and fully undefined • DEFINED : addressable and fully defined get_vbits8 32-bit address get_SM get_abit NeSe07h

7. Problems of a Simple Implementation • Do not shadow the shadows • If SMs are all nKB and they are guaranteed to be nKB-aligned, there will be no overlapping. • far away from the client’s original data • Possible corruption of shadow memory by the client • far away from the client’s original data • warned about any wild writes by DSM SMX(a 72KB SM, which covers 64KB of address space) Y (4KB of client data) SMX (a 72KB SM, which covers 64KB of address space) NeSe07h

8. Secondary V bits Table Using AVL Tree SM2 SM1 D U A VA VA … … … D … … U A Full V bits Full V bits D U A VA VA D U A … VA VA VA VA 0KB 128KB 192KB 64KB 3904KB 3968KB 4032KB … A Better Implementation DMS Defined Undefined noAccess • M1 : Faster loads and stores • M2 : Faster range-setting • M3 : Faster stack pointer updates • M4 : Compressed V bits DEFINED UNDEFINED NOACCESS PARTDEFINED If(va == PARTDEFINED) PM NeSe07h

9. Evaluation • Robustness • cite its number of users • the range of software and systems it has been used on • Experiment • CPU : 2.4GHz Intel Core 2 Duo (32bit mode) • RAM : 1GB RAM • OS : SUSE Linux 10.2 (kernel 2.6.18.2) • Valgrind : pre-3.2.0 version • Benchmark : SPEC* CPU 2000 *) Standard Performance Evaluation Corporation NeSe07h

10. Performance of six Memcheck variants(M0-05) and Nulgrind(NL) NeSe07h

11. Related Work • Hobbes, TaintTrace, LIFT and Eraser • half-and-half [NeSe07a] • Purify • a bit table that holds a two-bit state code for each byte in the heap, stack, data and bss sections • VisualThreads ,pinSEL and DRD • two-level table User Space Shadow Space half-and-half NeSe07h

12. Future Work • 64-bit address spaces and multi-processor machines need to be addressed • shadow memory tools could still be improved • new tools that use shadow memory in new ways could be created NeSe07h

13. Contributions • First detailed description of Memcheck’ shadow memory and any robust shadow memory implementation • have discussed in general of Memcheck except its shadow memory • make the difference between a toy and a real-world tool • First experimental evaluation of shadow memory • Novel shadow memory optimizations • faster, smaller NeSe07h

14. Appendix int p,t; char *nf, *ba; if(p==5){ //초기화 되지 않은 변수의 조건문 변수로 사용 t=p+1; } printf("%d is not initialized\n",p); //초기화되지 않은 변수의 사용 ba = (char*)malloc(sizeof(char)*10); free(ba); nf = (char*)malloc(sizeof(char)*10); ba[0] = '1'; //free된 변수에 접근 nf[10] = '1'; //배열크기 이상의 접근 exit(t); //system call에 초기화되지 않은 변수 포함 1 2 3 4 5 NeSe07h

15. Appendix ==12493== Conditional jump or move depends on uninitialised value(s) ==12493== at 0x80483F9: main (in /home/hogi/a.out) 1 ==12493== Use of uninitialised value of size 4 … ==12493== Conditional jump or move depends on uninitialised value(s) ==12493== by 0x6004C2: printf (in /lib/libc-2.5.so) ==12493== by 0x8048416: main (in /home/hogi/a.out) 2 ==12493== Invalid write of size 1==12493== at 0x8048443: main (in /home/hogi/a.out)==12493== Address 0x401A028 is 0 bytes inside a block of size 10 free'd==12493== at 0x4004FDA: free (vg_replace_malloc.c:233)==12493== by 0x8048430: main (in /home/hogi/a.out) 3 NeSe07h

16. Appendix ==12493== Invalid write of size 1==12493== at 0x804844C: main (in /home/hogi/a.out)==12493== Address 0x401A072 is 0 bytes after a block of size 10 alloc'd==12493== at 0x40053C0: malloc (vg_replace_malloc.c:149)==12493== by 0x804843C: main (in /home/hogi/a.out) 4 ==12493== Syscall param exit_group(exit_code) contains uninitialised byte(s)==12493== at 0x649E84: _Exit (in /lib/libc-2.5.so)==12493== by 0x8048460: main (in /home/hogi/a.out)--12493-- REDIR: 0x629540 (memset) redirected to 0x4006540 (memset) 5 NeSe07h