Software Bugs Bite!

Yuanyuan (YY) Zhou

Associate ProfessorDept. of Computer Science

Univ. of Illinois, Urbana-Champaignyyzhou@cs.uiuc.edu

YY. Zhou University of Illinois, Urbana-Champaign Slide 2

My Story: Zig-zag my way to System When young--------------------parents want me to be a business woman

College application-----------Applied for BioChemistry But changed unknowingly to CS (Reason: parents were chemistry teachers)

1st graduate school----------Mathematics at Univ. of Virginia

1st research area at Princeton-------------Theory

1st year as a system student --------------Negative Felt that system is trivial----you can actually understand system talks

2nd year at Princeton---Wanted to quit to go to medical school

1st job after Ph.D Co-founded a startup for 2 years (realize that I am probably not a business woman)

1st year at UIUC ------- in the architecture group

Now-----try to be a doctor to cure software “diseases”

YY. Zhou University of Illinois, Urbana-Champaign Slide 3

Family & Fun

A supportive husband + 2 girls Husband is my motivation to work on software bugs My daughters inspired several research ideas (e.g Rx)

and help me realize life is much more than my career

Hobby Skiing, hiking .... but Illinois?

Switched to ice skating and growing vegetables Computer games (a Civilization fan)

YY. Zhou University of Illinois, Urbana-Champaign Slide 4

Health of Computers

We want computers to be dependable Aircraft control systems Hospital monitor systems Financial transactions systems Internet services Cell phones, PDAs,

smart home appliances, cars

YY. Zhou University of Illinois, Urbana-Champaign Slide 5

Bad News: Software Bugs

Software bug is a major concern Counts for 40% system failure [Marcus2000] Costs $59.5 billion annually [NIST]

YY. Zhou University of Illinois, Urbana-Champaign Slide 6

Severe Software Clinical Cases Therac-25 (radiation therapy machine ) accidents

(1985-1987) the injured patients died from lethal dosage of radiation caused

by a software bug

Code Red worm exploited a buffer overflow in Microsoft’s IIS server Cost over $2.6 billion and Infected 350,000 servers in <14

hours

2003 North America blackout Caused by a race condition in GE Energy's XA/21 monitoring

software

YY. Zhou University of Illinois, Urbana-Champaign Slide 7

Why Software Bugs?

Why do we get ill? Nature

Answer: human nature On average, programmers inject 10 bugs

per thousand lines of code

YY. Zhou University of Illinois, Urbana-Champaign Slide 8

Debugging is Hard for large software

Cure/diagnose a disease is hard… Impossible to test every cases

Many bugs are hidden, “latent bugs”

Some bugs are hard to reproduce Configuration, timing and running environment

dependent

Hard to find root causes Root causes may be far away from the symptom

YY. Zhou University of Illinois, Urbana-Champaign Slide 9

Type of Software Defects

Specification bugs Even the specification is wrong

Design bugs The design is erroneous

Implementation bugs Buffer overflow, memory leak, memory

corruption, etc.

YY. Zhou University of Illinois, Urbana-Champaign Slide 10

Classification of Implementation Bugs

Deterministic vs. non-deterministic Root causes

Memory bugs Memory leaks ?? Memory corruption

Buffer overflow ?? Dangling pointer ?? ..

Semantics Unhandled exceptions Copy-paste bugs …

Concurrency Data races ?? Atomicity violations ?? Deadlocks ?? …

YY. Zhou University of Illinois, Urbana-Champaign Slide 11

Bugs and Security Attacks?

Why are we in the same session? Software bug is a major source of security

vulnerabilities Bouncer (Tuesday) Memory safety (Wednesday)

Example: Buffer overflow Stack smashing attack

Started from November 1996 Still the basis for many attacks Who knows this attack?

YY. Zhou University of Illinois, Urbana-Champaign Slide 12

The Stack

YY. Zhou University of Illinois, Urbana-Champaign Slide 13

Buggy Program

void buggy(char * in){

int i;

char buffer[4];

for(i=0; in[i]!=0; i++)

buffer[i] = in[i];

}

Where is the bug?

What happens if in is “Aleph One”?

YY. Zhou University of Illinois, Urbana-Champaign Slide 14

Buggy Code’s Stack

0x65000000

0x00000000 int i

0x65000004

0x00000000 char buffer[4]

0x65000008

0x8000003D saved FP

0x6500000C

0x02000000 return address

0x65000010

0x10000000 char * in

0x65000014

0x00000000 old stack frame…

A l e p h _ O n e \0

41 6C 65 70 68 20 4F 6E 65 00 Program will start copying…

YY. Zhou University of Illinois, Urbana-Champaign Slide 15

Buggy Code’s Stack

0x65000000

0x00000001 int i

0x65000004

0x41000000 char buffer[4]

0x65000008

0x8000003D saved FP

0x6500000C

0x02000000 return address

0x65000010

0x10000000 char * in

0x65000014

0x00000000 old stack frame…

A l e p h _ O n e \0

41 6C 65 70 68 20 4F 6E 65 00 Program will start copying…

YY. Zhou University of Illinois, Urbana-Champaign Slide 16

Buggy Code’s Stack

0x65000000

0x00000002 int i

0x65000004

0x416C0000 char buffer[4]

0x65000008

0x8000003D saved FP

0x6500000C

0x02000000 return address

0x65000010

0x10000000 char * in

0x65000014

0x00000000 old stack frame…

A l e p h _ O n e \0

41 6C 65 70 68 20 4F 6E 65 00 Program will start copying…

YY. Zhou University of Illinois, Urbana-Champaign Slide 17

Buggy Code’s Stack

0x65000000

0x00000003 int i

0x65000004

0x416C6500 char buffer[4]

0x65000008

0x8000003D saved FP

0x6500000C

0x02000000 return address

0x65000010

0x10000000 char * in

0x65000014

0x00000000 old stack frame…

A l e p h _ O n e \0

41 6C 65 70 68 20 4F 6E 65 00 Program will start copying…

YY. Zhou University of Illinois, Urbana-Champaign Slide 18

Buggy Code’s Stack

0x65000000

0x00000004 int i

0x65000004

0x416C6570 char buffer[4]

0x65000008

0x8000003D saved FP

0x6500000C

0x02000000 return address

0x65000010

0x10000000 char * in

0x65000014

0x00000000 old stack frame…

A l e p h _ O n e \0

41 6C 65 70 68 20 4F 6E 65 00 Program will start copying… and continue.

YY. Zhou University of Illinois, Urbana-Champaign Slide 19

Buggy Code’s Stack

0x65000000

0x00000005 int i

0x65000004

0x416C6570 char buffer[4]

0x65000008

0x6800003D saved FP

0x6500000C

0x02000000 return address

0x65000010

0x10000000 char * in

0x65000014

0x00000000 old stack frame…

A l e p h _ O n e \0

41 6C 65 70 68 20 4F 6E 65 00 C isn’t bounds checked…

YY. Zhou University of Illinois, Urbana-Champaign Slide 20

Buggy Code’s Stack

0x65000000

0x00000008 int i

0x65000004

0x416C6570 char buffer[4]

0x65000008

0x68204F6E saved FP

0x6500000C

0x02000000 return address

0x65000010

0x10000000 char * in

0x65000014

0x00000000 old stack frame…

A l e p h _ O n e \0

41 6C 65 70 68 20 4F 6E 65 00 What happens next?

YY. Zhou University of Illinois, Urbana-Champaign Slide 21

Buggy Code’s Stack

0x65000000

0x00000009 int i

0x65000004

0x416C6570 char buffer[4]

0x65000008

0x68204F6E saved FP

0x6500000C

0x65000000 return address

0x65000010

0x10000000 char * in

0x65000014

0x00000000 old stack frame…

A l e p h _ O n e \0

41 6C 65 70 68 20 4F 6E 65 00 We’ve overwritten the return address!

YY. Zhou University of Illinois, Urbana-Champaign Slide 22

Buggy Code’s Stack

0x65000000

0x00000009 int i

0x65000004

0x416C6570 char buffer[4]

0x65000008

0x68204F6E saved FP

0x6500000C

0x65000000 return address

0x65000010

0x10000000 char * in

0x65000014

0x00000000 old stack frame…

A l e p h _ O n e \0

41 6C 65 70 68 20 4F 6E 65 00 How to use it to hijack the program to do

whatever you want?

YY. Zhou University of Illinois, Urbana-Champaign Slide 23

So How to Deal with Bugs?

Compile time

Run time

Recovery

Safe Language Example:

Java Transactional Memory (Mon)

Analogy:Eat healthy, exercise…

Pro: can prevent some bugs

Cons: Other types of bugs still occur May be inefficient for some apps: server, OS.

On-line

Debugging

Off-line

Design time

Diagnosis

YY. Zhou University of Illinois, Urbana-Champaign Slide 24

So How to Deal with Bugs?

Static Checking Program analysis & Model checking

Example:Engler’s groupiComment [Tuesday]

Analogy: CAT Scan

Pros: No run time overhead Good Coverage

Cons: No accurate information Need specification, annotation

Compile time

Run time

Recovery

On-line

Debugging

Off-line

Design time

Diagnosis

YY. Zhou University of Illinois, Urbana-Champaign Slide 25

So How to Deal with Bugs?

Check during execution

Example: MUVI [Monday]

Analogy:Heart monitor

Pros: Accurate run-time information

Cons:Large overheadCoverage limitation

Dynamic Checking

Compile time

Run time

Recovery

On-line

Debugging

Off-line

Design time

Diagnosis

YY. Zhou University of Illinois, Urbana-Champaign Slide 26

So How to Deal with Bugs?

Example: gdb Time travel machine

Analogy:Doctor’s appointment

Pros: Program-specific

Cons: Time and effort-consuming

Interactive Debugging

Compile time

Run time

Recovery

On-line

debugging

Off-line

Design time

Diagnosis

YY. Zhou University of Illinois, Urbana-Champaign Slide 27

So How to Deal with Bugs?

Example: simple restart rollback and reexecute

Analogy:Electric shock

Advantage: Simple and general

Limitation: Cannot recover from all failuresOutput commit problem

Generic Recovery

Compile time

Run time

Recovery

On-line

Debugging

Off-line

Design time

Diagnosis

YY. Zhou University of Illinois, Urbana-Champaign Slide 28

So How to Deal with Bugs?

Example: Core dump Execution tracesTriage (Tuesday)

Analogy:Triage (self-diagnosis)

Advantage: Simple and general

Limitation: Require significant offline manual efforts Privacy concerns

Online Diagnosis

Compile time

Run time

Recovery

On-line

Debugging

Off-line

Design time

Diagnosis

YY. Zhou University of Illinois, Urbana-Champaign Slide 29

Evaluation Methodology

Benchmarks Siemens benchmark Too small

Bug injection May not be representative

Find new bugs in open source code Better to be confirmed by developers

Use existing bugs Especially dynamic checking----need bugs to manifest

YY. Zhou University of Illinois, Urbana-Champaign Slide 30

Evaluation Metrics for Bug Detection

Soundness: No false negatives Prove there is no such violation May report many false bugs

Completeness: No false positives All violations detected are true May not find all the bugs

Scalability: scalable to real programs

Very hard to achieve all Always need to tradeoff one for the others

YY. Zhou University of Illinois, Urbana-Champaign Slide 31

Open Problems

Bug Detection Detecting semantic and concurrency bugs Reduce false positives

Bug diagnosis On-site diagnosis Distributed systems diagnosis Deterministic replay on multicore /multiprocessors

Bug recovery Automatic bug fixing Bug survival with reduced functionality

YY. Zhou University of Illinois, Urbana-Champaign Slide 32

Conclusions

Software bugs have existed for decades and will continue to exist

Fighting bugs is important

Fighting bugs is a fun and interdisciplinary Compiler, software engineering, systems,

hardware, data mining, machine learning, statistics, …

YY. Zhou University of Illinois, Urbana-Champaign Slide 33

Thanks!

YY. Zhou University of Illinois, Urbana-Champaign Slide 34

More Bug’s Cartoon