Software Bugs Bite!
Yuanyuan (YY) Zhou
Associate ProfessorDept. of Computer Science
Univ. of Illinois, [email protected]
YY. Zhou University of Illinois, Urbana-Champaign Slide 2
My Story: Zig-zag my way to System When young--------------------parents want me to be a business woman
College application-----------Applied for BioChemistry But changed unknowingly to CS (Reason: parents were chemistry teachers)
1st graduate school----------Mathematics at Univ. of Virginia
1st research area at Princeton-------------Theory
1st year as a system student --------------Negative Felt that system is trivial----you can actually understand system talks
2nd year at Princeton---Wanted to quit to go to medical school
1st job after Ph.D Co-founded a startup for 2 years (realize that I am probably not a business woman)
1st year at UIUC ------- in the architecture group
Now-----try to be a doctor to cure software “diseases”
YY. Zhou University of Illinois, Urbana-Champaign Slide 3
Family & Fun
A supportive husband + 2 girls Husband is my motivation to work on software bugs My daughters inspired several research ideas (e.g Rx)
and help me realize life is much more than my career
Hobby Skiing, hiking .... but Illinois?
Switched to ice skating and growing vegetables Computer games (a Civilization fan)
YY. Zhou University of Illinois, Urbana-Champaign Slide 4
Health of Computers
We want computers to be dependable Aircraft control systems Hospital monitor systems Financial transactions systems Internet services Cell phones, PDAs,
smart home appliances, cars
YY. Zhou University of Illinois, Urbana-Champaign Slide 5
Bad News: Software Bugs
Software bug is a major concern Counts for 40% system failure [Marcus2000] Costs $59.5 billion annually [NIST]
YY. Zhou University of Illinois, Urbana-Champaign Slide 6
Severe Software Clinical Cases Therac-25 (radiation therapy machine ) accidents (1985-
1987) the injured patients died from lethal dosage of radiation caused
by a software bug
Code Red worm exploited a buffer overflow in Microsoft’s IIS server Cost over $2.6 billion and Infected 350,000 servers in <14 hours
2003 North America blackout Caused by a race condition in GE Energy's XA/21 monitoring
software
YY. Zhou University of Illinois, Urbana-Champaign Slide 7
Why Software Bugs?
Why do we get ill? Nature
Answer: human nature On average, programmers inject 10 bugs
per thousand lines of code
YY. Zhou University of Illinois, Urbana-Champaign Slide 8
Debugging is Hard for large software
Cure/diagnose a disease is hard… Impossible to test every cases
Many bugs are hidden, “latent bugs”
Some bugs are hard to reproduce Configuration, timing and running environment
dependent
Hard to find root causes Root causes may be far away from the symptom
YY. Zhou University of Illinois, Urbana-Champaign Slide 9
Type of Software Defects
Specification bugs Even the specification is wrong
Design bugs The design is erroneous
Implementation bugs Buffer overflow, memory leak, memory
corruption, etc.
YY. Zhou University of Illinois, Urbana-Champaign Slide 10
Classification of Implementation Bugs
Deterministic vs. non-deterministic Root causes
Memory bugs Memory leaks ?? Memory corruption
Buffer overflow ?? Dangling pointer ?? ..
Semantics Unhandled exceptions Copy-paste bugs …
Concurrency Data races ?? Atomicity violations ?? Deadlocks ?? …
YY. Zhou University of Illinois, Urbana-Champaign Slide 11
Bugs and Security Attacks? Why are we in the same session? Software bug is a major source of security
vulnerabilities Bouncer (Tuesday) Memory safety (Wednesday)
Example: Buffer overflow Stack smashing attack
Started from November 1996 Still the basis for many attacks Who knows this attack?
YY. Zhou University of Illinois, Urbana-Champaign Slide 12
The Stack
YY. Zhou University of Illinois, Urbana-Champaign Slide 13
Buggy Program
void buggy(char * in){int i;char buffer[4];for(i=0; in[i]!=0; i++)buffer[i] = in[i];
}Where is the bug?What happens if in is “Aleph One”?
YY. Zhou University of Illinois, Urbana-Champaign Slide 14
Buggy Code’s Stack
0x65000000
0x00000000 int i
0x65000004
0x00000000 char buffer[4]
0x65000008
0x8000003D saved FP
0x6500000C
0x02000000 return address
0x65000010
0x10000000 char * in
0x65000014
0x00000000 old stack frame…
A l e p h _ O n e \041 6C 65 70 68 20 4F 6E 65 00 Program will start copying…
YY. Zhou University of Illinois, Urbana-Champaign Slide 15
Buggy Code’s Stack
0x65000000
0x00000001 int i
0x65000004
0x41000000 char buffer[4]
0x65000008
0x8000003D saved FP
0x6500000C
0x02000000 return address
0x65000010
0x10000000 char * in
0x65000014
0x00000000 old stack frame…
A l e p h _ O n e \041 6C 65 70 68 20 4F 6E 65 00 Program will start copying…
YY. Zhou University of Illinois, Urbana-Champaign Slide 16
Buggy Code’s Stack
0x65000000
0x00000002 int i
0x65000004
0x416C0000 char buffer[4]
0x65000008
0x8000003D saved FP
0x6500000C
0x02000000 return address
0x65000010
0x10000000 char * in
0x65000014
0x00000000 old stack frame…
A l e p h _ O n e \041 6C 65 70 68 20 4F 6E 65 00 Program will start copying…
YY. Zhou University of Illinois, Urbana-Champaign Slide 17
Buggy Code’s Stack
0x65000000
0x00000003 int i
0x65000004
0x416C6500 char buffer[4]
0x65000008
0x8000003D saved FP
0x6500000C
0x02000000 return address
0x65000010
0x10000000 char * in
0x65000014
0x00000000 old stack frame…
A l e p h _ O n e \041 6C 65 70 68 20 4F 6E 65 00 Program will start copying…
YY. Zhou University of Illinois, Urbana-Champaign Slide 18
Buggy Code’s Stack
0x65000000
0x00000004 int i
0x65000004
0x416C6570 char buffer[4]
0x65000008
0x8000003D saved FP
0x6500000C
0x02000000 return address
0x65000010
0x10000000 char * in
0x65000014
0x00000000 old stack frame…
A l e p h _ O n e \041 6C 65 70 68 20 4F 6E 65 00 Program will start copying… and continue.
YY. Zhou University of Illinois, Urbana-Champaign Slide 19
Buggy Code’s Stack
0x65000000
0x00000005 int i
0x65000004
0x416C6570 char buffer[4]
0x65000008
0x6800003D saved FP
0x6500000C
0x02000000 return address
0x65000010
0x10000000 char * in
0x65000014
0x00000000 old stack frame…
A l e p h _ O n e \041 6C 65 70 68 20 4F 6E 65 00 C isn’t bounds checked…
YY. Zhou University of Illinois, Urbana-Champaign Slide 20
Buggy Code’s Stack
0x65000000
0x00000008 int i
0x65000004
0x416C6570 char buffer[4]
0x65000008
0x68204F6E saved FP
0x6500000C
0x02000000 return address
0x65000010
0x10000000 char * in
0x65000014
0x00000000 old stack frame…
A l e p h _ O n e \041 6C 65 70 68 20 4F 6E 65 00 What happens next?
YY. Zhou University of Illinois, Urbana-Champaign Slide 21
Buggy Code’s Stack
0x65000000
0x00000009 int i
0x65000004
0x416C6570 char buffer[4]
0x65000008
0x68204F6E saved FP
0x6500000C
0x65000000 return address
0x65000010
0x10000000 char * in
0x65000014
0x00000000 old stack frame…
A l e p h _ O n e \041 6C 65 70 68 20 4F 6E 65 00 We’ve overwritten the return address!
YY. Zhou University of Illinois, Urbana-Champaign Slide 22
Buggy Code’s Stack
0x65000000
0x00000009 int i
0x65000004
0x416C6570 char buffer[4]
0x65000008
0x68204F6E saved FP
0x6500000C
0x65000000 return address
0x65000010
0x10000000 char * in
0x65000014
0x00000000 old stack frame…
A l e p h _ O n e \041 6C 65 70 68 20 4F 6E 65 00 How to use it to hijack the program to do
whatever you want?
YY. Zhou University of Illinois, Urbana-Champaign Slide 23
So How to Deal with Bugs?
Compile time
Run time
Recovery
Safe Language Example:
Java Transactional Memory (Mon)
Analogy:Eat healthy, exercise…
Pro: can prevent some bugs
Cons: Other types of bugs still occur May be inefficient for some apps: server, OS.
On-line
Debugging
Off-line
Design time
Diagnosis
YY. Zhou University of Illinois, Urbana-Champaign Slide 24
So How to Deal with Bugs?
Static Checking Program analysis & Model checking
Example:Engler’s groupiComment [Tuesday]
Analogy: CAT Scan
Pros: No run time overhead Good Coverage
Cons: No accurate information Need specification, annotation
Compile time
Run time
Recovery
On-line
Debugging
Off-line
Design time
Diagnosis
YY. Zhou University of Illinois, Urbana-Champaign Slide 25
So How to Deal with Bugs?
Check during execution
Example: MUVI [Monday]
Analogy:Heart monitor
Pros: Accurate run-time information
Cons:Large overheadCoverage limitation
Dynamic Checking
Compile time
Run time
Recovery
On-line
Debugging
Off-line
Design time
Diagnosis
YY. Zhou University of Illinois, Urbana-Champaign Slide 26
So How to Deal with Bugs?
Example: gdb Time travel machine
Analogy:Doctor’s appointment
Pros: Program-specific
Cons: Time and effort-consuming
Interactive Debugging
Compile time
Run time
Recovery
On-line
debugging
Off-line
Design time
Diagnosis
YY. Zhou University of Illinois, Urbana-Champaign Slide 27
So How to Deal with Bugs?
Example: simple restart rollback and reexecute
Analogy:Electric shock
Advantage: Simple and general
Limitation: Cannot recover from all failuresOutput commit problem
Generic Recovery
Compile time
Run time
Recovery
On-line
Debugging
Off-line
Design time
Diagnosis
YY. Zhou University of Illinois, Urbana-Champaign Slide 28
So How to Deal with Bugs?
Example: Core dump Execution tracesTriage (Tuesday)
Analogy:Triage (self-diagnosis)
Advantage: Simple and general
Limitation: Require significant offline manual efforts Privacy concerns
Online Diagnosis
Compile time
Run time
Recovery
On-line
Debugging
Off-line
Design time
Diagnosis
YY. Zhou University of Illinois, Urbana-Champaign Slide 29
Evaluation Methodology
Benchmarks Siemens benchmark Too small
Bug injection May not be representative
Find new bugs in open source code Better to be confirmed by developers
Use existing bugs Especially dynamic checking----need bugs to manifest
YY. Zhou University of Illinois, Urbana-Champaign Slide 30
Evaluation Metrics for Bug Detection
Soundness: No false negatives Prove there is no such violation May report many false bugs
Completeness: No false positives All violations detected are true May not find all the bugs
Scalability: scalable to real programs
Very hard to achieve all Always need to tradeoff one for the others
YY. Zhou University of Illinois, Urbana-Champaign Slide 31
Open Problems Bug Detection
Detecting semantic and concurrency bugs Reduce false positives
Bug diagnosis On-site diagnosis Distributed systems diagnosis Deterministic replay on multicore /multiprocessors
Bug recovery Automatic bug fixing Bug survival with reduced functionality
YY. Zhou University of Illinois, Urbana-Champaign Slide 32
Conclusions
Software bugs have existed for decades and will continue to exist
Fighting bugs is important
Fighting bugs is a fun and interdisciplinary Compiler, software engineering, systems,
hardware, data mining, machine learning, statistics, …
YY. Zhou University of Illinois, Urbana-Champaign Slide 33
Thanks!
YY. Zhou University of Illinois, Urbana-Champaign Slide 34
More Bug’s Cartoon
Top Related