ensuring code safety without run-time checks for real-time control systems
DESCRIPTION
Ensuring Code Safety Without Run-time Checks for Real-time Control Systems. -Presented by Sumant Kowshik Joint Work With Dinakar Dhurjati and Vikram Adve. University of Illinois at Urbana-Champaign. Supported by NSF U. Illinois. Motivation. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/1.jpg)
Ensuring Code Safety Without Run-time Checks for Real-time Control Systems -Presented by Sumant KowshikJoint Work With Dinakar Dhurjati and Vikram Adve.
University of Illinois at Urbana-ChampaignSupported by NSF U. Illinois
![Page 2: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/2.jpg)
Reliable online upgrade of control software. Control code upgrade can have Timing errors Logical errors Runtime software faults Violate memory safety.
Bugs or attacks due to memory errors. Platforms with limited address protection Malicious upgrades compromise system and
the framework for reliable upgrade. Insider attacks: SANS/FBI report.
Motivation
![Page 3: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/3.jpg)
Reliable online upgrade of control software. Control code upgrade can have Timing errors Logical errors Runtime software faults Violate memory safety.
Attacks disguised as upgrades. Platforms with limited address protection Malicious upgrades compromise system and
the framework for reliable upgrade. Insider attacks: SANS/FBI report.
Motivation
Simplex
![Page 4: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/4.jpg)
Motivation II Memory safety: static checking? Avoid run-time overhead Early bug detection
Static checking for general languages difficult. Impose restrictions on the language – Control-C Rationale: Structure of control code Computationally intensive, use dense arrays Simple data structures, dynamic memory. Mostly in C.
![Page 5: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/5.jpg)
Related work What’s wrong with existing solutions? Java, RT-Java, Ccured, Safe-C etc.
Runtime checks Garbage collection
Current Alternatives Vault [PLDI01], Cyclone[PLDI02]
Target general applications Annotations: cumbersome. Runtime checks.
Complementary techniques Proof carrying code: compiler untrusted. Vault, Engler et al [OSDI00], Wagner et al.
Checking library code.
![Page 6: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/6.jpg)
Contributions of control-C Targets embedded/control code. 100% static checking to guarantee safety. Easy portability: As close to C as possible. Novel language features Region-based dynamic memory: single
region active at a time. Array sizes, index expressions and loop
bounds affine expressions.
Trade-off : expressiveness for control codes vs. safety checking compiler technology vs. portability.
![Page 7: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/7.jpg)
Outline of Talk Introduction Context System assumptions Attacks. Language rules Implementation Results
![Page 8: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/8.jpg)
http://www-rtsl.cs.uiuc.edu/drii/download
Catch runtime, logical and timing errors Kicks out the offending controller.
Stack overflow detected.Accesses to a range of reserved addresses Eg. Linux – high gigabyte (1GB of 4GB) reserved
The system
upgrade
Safety cont.SimplexDecision
logic
input
output
![Page 9: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/9.jpg)
Unsafe code Fatal memory errors can be due to Variable referencing memory outside the bounds of
its data type. Bad casting, pointer arithmetic, uninitialized pointers Array bounds violation Use of pointer to freed memory.
Example: char killcode[] = “\x55\x89…\xc3\x90”; void controlFunc(float a, float b) { int *ret = (int *)&ret + 2; *ret = killcode; } Jumps in the code to data areas/non-code areas. Calls to unknown functions.
![Page 10: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/10.jpg)
Control-C – Basic Issues Start with C No syntactic changes, only usage changes. Basic issues. Type safety.
No casts involving pointers. No pointer arithmetic. Scalar pointers need to be initialized
explicitly before being dereferenced or before taking their address.
![Page 11: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/11.jpg)
Control-C – Dynamic Memory
Problem : Pointers to freed memory.Solution : Region-based memory allocation Define RInit, RFree, RMalloc No explicit free call
Single region active at a time. All local and global scalar pointers dead at region free.
![Page 12: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/12.jpg)
Example – Region Usage
Illegal Code
…int *p, **t;RInit();p = RMalloc(4 * sizeof(int));RInit(); …RFree();RFree();t = &p;func(**t);
Legal Code
if(cond) { RInit(); t = 4;}else { RInit(); t = 8;}p = RMalloc(t);RFree();
Multiple regions active
Pointer p not dead after RFreePotentially
![Page 13: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/13.jpg)
Control-C – Array indexing. Problem : Checking for array bounds Index expression must evaluate to a value
within array bounds Difficulty: Analysis of constraints on symbolic
integer expressions. Solution : Loop bounds affine w.r.t. array size Index expression affine w.r.t loop index
variables or the size of array.
![Page 14: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/14.jpg)
Example – Legal Array Usageextern M, N;main() { … if (( N > 0) && (N < 5)) { B = (int *)RMalloc(N * 30); intialize(B); C = generate(B, 20); } }
int * generate(int *B, int n) { int *A,i,j,k,; if (B[n] > 0) { A = (int *) RMalloc(5 * B[n] + 10); for (i=M; i < B[n]+M ; ++i) { j = i - M; k = j * 4; A[k] = j ; } … }
Symbolic constant M cancels out
Array sizes not constant.
Interprocedural
propagation
![Page 15: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/15.jpg)
Control-C : Aggregate Types
Problem : Analysis of pointers in aggregate types (structs, arrays). Solution : Use of pointers to freed memory Structs or arrays containing pointers must be
allocated dynamically using malloc or alloca. Solution : Initialization Initializing pointers to base of reserved address
range. Thus, we can have arbitrary pointer-
based data structures and arrays.
![Page 16: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/16.jpg)
Outline of Talk Introduction Context System assumptions Attacks. Language rules Implementation Results
![Page 17: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/17.jpg)
Implementation LLVM compiler framework http://llvm.cs.uiuc.edu Things gotten for free
Source language independence Type safety (except for cast) Jumps to code locations only. Link-time interprocedural analysis +
separate compilation. SSA.
![Page 18: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/18.jpg)
Control-C Compiler Features
Pointers Global dataflow analysis ensuring that
all pointers are initialized Array bounds analysis Interprocedural constraint propagation
for bounds checking. Regions Liveness analysis of pointers upon
RFree.
![Page 19: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/19.jpg)
Results
Language expressive enough for control? How easy is it to port from C?
Pointer arithmetic replaced by index variable array traversal Dynamic memory: use regions Unions with pointers need to be split
Application
Platform
Lines
Pendulum Linux 300
Pendubot Windows 1300
TinyOS Linux 300
Dyn memory
Arrays
Ptrs
No Yes No
Yes Yes Yes
No Yes Yes
Changed0
35
0
![Page 20: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/20.jpg)
Results II Restrictions detect all potential attacks? Simplex: Inverted pendulum
Uninitialized pointersPointer arithmeticIllegal castsArray overflow.
![Page 21: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/21.jpg)
Conclusions and Future Work
Control-C aims at guaranteeing absolute safety using static checking alone The language is close to C and is expressive enough for control/embedded applications Future work Expand the scope of the language Detect illegal system calls/illegal sequences
of system calls Formally verifying that control-C guarantees
memory safety
![Page 22: Ensuring Code Safety Without Run-time Checks for Real-time Control Systems](https://reader036.vdocuments.net/reader036/viewer/2022062501/56816092550346895dcfb705/html5/thumbnails/22.jpg)
Merci Beaucoup!