Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools

Ruwase, Chen, Gibbons and Mowry

Carnegie MellonCarnegie Mellon

Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking

Tools

Olatunji Ruwase* Shimin Chen+

Phillip B. Gibbons+ Todd C. Mowry*

+ Intel Labs Pittsburgh*School of Computer ScienceCarnegie Mellon University


Carnegie Mellon

Bug detection using Lifeguards

Detect errors by monitoring execution of unmodified binary Exploit instruction-grained runtime information Block exploits before software patch [Savage et al. ‘97, Newsome & Song ’05, Nethercote et al. ‘07]

Significant program slowdown 10 - 100X using Dynamic Binary Instrumentation(DBI)

Valgrind, PIN, DynamoRIO

program

Lifeguard

Decoupled Lifeguards - 2 -


Carnegie Mellon

Why instruction grained Lifeguards are slow


program

mov %eax A

add %eax B

mov C %eaxcmp %ecx, %eax

taint(eax) = taint(A)

taint(C) = taint (eax)

taint(eax) |= taint(B)

TaintCheck lifeguard


Carnegie Mellon

mov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov reg_taint(%edx) %al

taint(eax) = taint(A)mov %eax Ataint(eax) |= taint(B)add %eax Btaint(C) = taint (eax)mov C %eaxcmp %ecx, %eax



program

Handler for memory-to-register copy instruction



Carnegie Mellon



mov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov reg_taint(%edx) %alSwitch execution context mov %eax ASwitch execution contexttaint(eax) |= taint(B)add %eax Btaint(C) = taint (eax)mov C %eaxcmp %ecx, %eax

mov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov reg_taint(%edx) %alSwith execution contextmov %eax ASwitch execution contextmov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)or reg_taint(%edx) %alSwitch execution contextadd %eax Bmov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov %al reg_taint(%edx) Switch execution contextmov C %eaxcmp %ecx, %eax

program



Carnegie Mellon

Optimizing Lifeguard code on program paths is hard


mov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov reg_taint(%edx) %alSwith execution contextmov %eax ASwitch execution contextmov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)or reg_taint(%edx) %alSwitch execution contextadd %eax Bmov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov %al reg_taint(%edx) Switch execution contextmov C %eaxcmp %ecx, %eax

Key obstacle is tight coupling of program & Lifeguard code

Instrumented program path


Carnegie Mellon

Decoupling Lifeguard execution


Unoptimized path handler

Instrumented program path


Carnegie Mellon

Lifeguard specific optimizations on program path


Program path

Unoptimized path

handler

Compose instruction handlers


Carnegie Mellon

Lifeguard specific optimizations on program path


Program path

Unoptimized path

handler

Optimized path handler

Original

Standard path opts

Lifeguard path opts

86 81(95%) 47(55%)

x86 instruction count of TaintCheck handler for mcf path

Compose instruction handlers


Carnegie Mellon

Outline

Dynamic path optimization of Decoupled Lifeguards

Decoupling Lifeguards: Challenges and Solutions

Using lifeguard domain knowledge for path optimizations

Evaluation

Conclusions



Carnegie Mellon



Issue 1: When to run Lifeguard code


At end of path where data is

available

Program path


Carnegie Mellon



Issue 2: How to pass data to Lifeguard

Program path

Buffer Optimized path handler

Marshalldata


Carnegie Mellon



Challenge 1: How to handle side exits

Program path

1

2

3

4

1

2

3

4

Path handler for side exits



Carnegie Mellon



Challenge 2: How to contain errors in the path

See paper for details of solution based on:1.Page protection to prevent data corruption2.Completing checks at function & system calls and indirect jumps

Program path



Carnegie Mellon

Outline

Dynamic path optimization of Decoupled Lifeguards


Using lifeguard domain knowledge for path optimizations

Evaluation

Conclusion



Carnegie Mellon

Lifeguard optimization opportunities


taint(esi) = taint(esi) | taint( )taint(edx) = taint(edi)taint(edi) = taint(esi)taint(edi) = taint(edi) | taint( )

taint(ecx) = taint( )taint(edi) = taint(edx) | taint(ecx)taint(ebx) = taint( )…

TaintCheck handler for mcf path

6 instructions to access metadata of program memory address

mov %ecx %eaxshr %ecx $16 mov %ecx level1_index(,%ecx,4)and %eax 0xffffshr %eax $2mov %eax (%eax,%ecx,1)mov reg_taint(%edx) %al

A

B

C

D

1. Alias analysis to reduce metadata accesses

2. Dead metadata update detection to eliminate instruction handlers


Carnegie Mellon

Alias analysis for metadata accesses


taint(esi) = taint(esi) | taint(A)taint(edx) = taint(edi)taint(edi) = taint(esi)taint(edi) = taint(edi) | taint(B)

taint(ecx) = taint(C)taint(edi) = taint(edx) | taint(ecx)taint(ebx) = taint(D)…

add %esi -0x24[%ebp]mov %edx %edimov %edi %esisub %edi -0x24[%ebp]…mov %ecx -0x24[%ebp]lea %edi [%edx,%ecx,1]mov %ebx 0x1c[%ebp]… mcf path TaintCheck handler for mcf

path

program


Carnegie Mellon

Alias analysis for metadata accesses


taint(esi) = taint(esi) | taint(A)taint(edx) = taint(edi)taint(edi) = taint(esi)taint(edi) = taint(edi) | taint(A)

taint(ecx) = taint(A)taint(edi) = taint(edx) | taint(ecx)taint(ebx) = taint(A+64)…Enables metadata access CSE

optimization described in paper


add %esi -0x24[%ebp]mov %edx %edimov %edi %esisub %edi -0x24[%ebp]…mov %ecx -0x24[%ebp]lea %edi [%edx,%ecx,1]mov %ebx 0x1c[%ebp]… mcf path

program


Carnegie Mellon

Eliminating dead instruction handlers


taint(esi) = taint(esi) | taint(A)taint(edx) = taint(edi)taint(edi) = taint(esi)taint(edi) = taint(edi) | taint(A)

taint(ecx) = taint(A) = taint(edx) | taint(ecx)taint(ebx) = taint(A+64)…

Dead taint(edi) updates

See paper for details of other optimizations: e.g eliminating loop redundancies


taint(edi)


Carnegie Mellon

Evaluation Lifeguards

AddrCheck: unallocated memory access Eraser: concurrency errors MemCheck: AddrCheck + uninitialized read errors TaintCheck: security errors

Lifeguard instrumentation platforms DBI (Valgrind ) & Hardware accelerated (LBA)

Decoupled lifeguard code on program paths of up to 8 branches



Carnegie Mellon

Lifeguard overhead reduction in Valgrind


AddrCheck

MemCheck

Standard path optimizations(SPO)

SPO + dead handler elimination(DHE)


Carnegie Mellon

Lifeguard overhead reduction in Valgrind


AddrCheck

MemCheck

24% reduction

6% reduction Limitations to improvements• Instrumentation overhead• No metadata access CSE

Standard path optimizations(SPO)

SPO + dead handler elimination(DHE)


Carnegie Mellon

Results with hardware assisted instrumentation (LBA)


AddrCheck

MemCheck TaintCheck

Eraser50% reduction 53%

reduction

42% reduction

38% reduction

SPO SPO + DHE SPO + DHE + Metadata access CSE


Carnegie Mellon

Conclusions


Decoupling: enables optimization of lifeguard code on program paths Correctness checking at a path granularity Multi-versioned checking code to handle side exits Page protection for containing errors

Lifeguard domain knowledge: enable redundancy elimination beyond standard optimizations Better alias analysis Lifeguard-specific dead code & common subexpression

elimination

Lifeguard overhead reductions Up to 24% on Valgrind Up to 53% on LBA

Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools

Documents

Transcript of Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools