How to Shadow Every Byte of Memory Used by a Program
Nicholas Nethercote — National ICT Australia
Julian Seward — OpenWorks LLP

Post on 21-Jul-2020

TRANSCRIPT

Page 1: How to Shadow Every Byte of Memory Used by a Programnjn.valgrind.org/pubs/shadow-memory2007-talk.pdf · VVVVVVVV A VVVVVVVV A PM ... SM 1 NoAccess DSM SM 2 0KB 64KB 128KB 3904KB3968KB4032KB

How to Shadow Every Byte of Memory Used by a Program
Nicholas Nethercote — National ICT Australia
Julian Seward — OpenWorks LLP

Page 2: Shadow memory tools

• Shadow every byte of memory with another value that describes it

• This talk:
– Why shadow memory is useful
– How to implement it well

[Diagram labels: “shadow value tools”, “shadow memory tools”]

Page 3: Examples

Shadow memory helps find...   | Tool(s)
Memory errors                 | Memcheck, Purify
Data races                    | Eraser, DRD, Helgrind, etc.
Array bounds violations       | Annelid
Run-time type errors          | Hobbes
Uses of untrusted values      | TaintCheck, LIFT, TaintTrace
Leaked secrets                | “Secret tracker”
System call side-effects      | pinSEL
Dynamic dataflow graphs       | Redux
Invariants                    | DynCompB

(The slide groups these rows under three headings: bugs, security, properties.)

Page 4: Shadow memory is difficult

• Performance
– Lots of extra state, many operations instrumented

• Robustness

• Trade-offs must be made

[Diagram labels: “address space”, “original values”, “shadow values”, “squeeze!”]

Page 5: An example tool: Memcheck

Page 6: Memcheck

• Three kinds of information:
– A (“addressability”) bits: 1 bit / memory byte
– V (“validity”) bits: 1 bit / register bit, 1 bit / memory bit
– Heap blocks: location, size, allocation function

• Memory information:

[Diagram: an original memory byte 0110 0101 and its shadow memory, one A bit followed by eight V bits (A VVVVVVVV)]

V bits only used if A bit is “addressable”

Page 7: A simple implementation

Page 8: Basics (I)

[Diagram: the two-level table. A primary map (PM) indexed 0, 1, ..., 65535 (hex labels 0x0001 ... 0xFFFF) points to 64KB secondary maps (SMs), each holding A VVVVVVVV for every byte it shadows. Chunks labelled on the slide: SM1 (0KB-64KB), NoAccess DSM (64KB-128KB), ..., SM2 (3904KB-3968KB), with 4032KB the last boundary shown. The NoAccess DSM (distinguished secondary map) holds “0 - - - - - - - -” in every entry (A bit 0, V bits unused) and is the single map that all unaddressable chunks point at.]

Page 9: Basics (II)

• Multi-byte shadow accesses:
– Combine multiple single-byte accesses
– Complain if any unaddressable bytes accessed
– Values loaded from unaddressable bytes marked as defined

• Range-setting (set_range)
– Loop over many bytes, one at a time

• Range-checking
– E.g.: write(fd, buf, n) -- check n bytes in buf

• Slow-down: 209.6x
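As an added illustration (not the authors' or Memcheck's code), a minimal C sketch of the simple implementation on slides 8-9: a primary map of 65536 pointers to 64KB secondary maps, a single shared NoAccess DSM, byte-at-a-time set_range and a range check of the write(fd, buf, n) kind. The one-byte shadow encoding, the copy-on-write step off the DSM and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not Memcheck's code) of the two-level table on slides
   8-9, for 32-bit addresses: a primary map (PM) of 65536 pointers to 64KB
   secondary maps (SMs), one shadow byte per memory byte. Memcheck packs 1 A
   bit + 8 V bits into that byte; two hypothetical values stand in here. */
#define SM_SIZE         (64 * 1024)
#define PM_ENTRIES      (1u << 16)
#define SHADOW_NOACCESS 0xFF   /* hypothetical: A bit clear (unaddressable) */
#define SHADOW_DEFINED  0x00   /* hypothetical: A bit set, all V bits defined */
typedef struct { uint8_t sb[SM_SIZE]; } SecMap;
static SecMap  noaccess_dsm;             /* the one shared, never-written DSM */
static SecMap *primary_map[PM_ENTRIES];  /* every entry starts at the DSM */
/* Returns the number of PM entries pointed at the NoAccess DSM. */
unsigned shadow_init(void) {
    memset(noaccess_dsm.sb, SHADOW_NOACCESS, SM_SIZE);
    for (unsigned i = 0; i < PM_ENTRIES; i++) primary_map[i] = &noaccess_dsm;
    return PM_ENTRIES;
}
/* Two dependent lookups per byte: PM[high 16 bits], then SM[low 16 bits]. */
uint8_t shadow_get(uint32_t addr) {
    return primary_map[addr >> 16]->sb[addr & 0xFFFF];
}
/* Writing into the DSM would change every chunk sharing it, so a chunk gets
   its own copy before its first write (copy-on-write). */
static SecMap *writable_sm(uint32_t addr) {
    SecMap **slot = &primary_map[addr >> 16];
    if (*slot == &noaccess_dsm) {
        if (!(*slot = malloc(sizeof **slot))) abort();
        memcpy(*slot, &noaccess_dsm, sizeof **slot);
    }
    return *slot;
}
/* set_range as on slide 9: one byte at a time, so SM boundaries need no
   special handling. Returns the number of bytes written. */
uint32_t shadow_set_range(uint32_t addr, uint32_t len, uint8_t v) {
    for (uint32_t i = 0; i < len; i++)
        writable_sm(addr + i)->sb[(addr + i) & 0xFFFF] = v;
    return len;
}

/* Range check, e.g. for write(fd, buf, n): 1 iff all n bytes addressable. */
int shadow_range_addressable(uint32_t addr, uint32_t len) {
    for (uint32_t i = 0; i < len; i++)
        if (shadow_get(addr + i) == SHADOW_NOACCESS) return 0;
    return 1;
}
```

A range that straddles 64KB (for example 16 bytes from 0xFFF8) touches two SMs, and only those two chunks leave the shared DSM; every other PM entry keeps pointing at it.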

Page 10: Complications

• Corruption of shadow memory
– Possible with a buggy program
– Originally used x86 segmentation, but not portable
– Keep original and shadow memory far apart, and pray

• 64-bit machines
– Three- or four-level structure would be slow
– Two-level structure extended to handle 32GB
– Slow auxiliary table for memory beyond 32GB
– Better solution is an open research question

Page 11: Four optimisations

Page 12: #1: Faster loads and stores

• Multi-byte loads/stores are very common
– N separate lookups is silly (where N = 2, 4, or 8)

• If access is aligned and fully addressable
– Extract/write V bits for N shadow bytes at once
– Else fall back to slow case: 1 in a 1000 or less

• Slow-down: 56.2x
– 3.73x faster

Page 13: #2: Faster range-setting

• Range-setting large areas is common
– Vectorise set_range
– 8-byte stride works well

• Replacing whole SMs
– If marking a 64KB chunk as NoAccess, replace the SM with the NoAccess DSM
– Add Defined and Undefined DSMs
– Large read-only code sections covered by Defined DSM

• Slow-down: 34.7x
– 1.62x faster, 1.97x smaller

Page 14: #3: Faster SP updates

• Stack pointer (SP) updates are very common

• Inc/dec size often small, statically known
– E.g. 4, 8, 12, 16, 32 bytes

• More specialised range-setting functions
– Unrolled versions of set_range()

• Slow-down: 27.2x
– 1.28x faster

Page 15: #4: Compressed V bits

• Partially-defined bytes (PDBs) are rare
– Memory: 1 A bit + 8 V bits → 2 VA bits
– Four states: NoAccess, Undefined, Defined, PartDefined
– Full V bits for PDBs in secondary V bits table
– Registers unchanged -- still 8 V bits per byte

• Slow-down: 23.4x
– 4.29x smaller, 1.16x faster

• Obvious in hindsight, but took 3 years to identify
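Added example, not the authors' or Memcheck's code: the compressed encoding of slide 15 in C, with two VA bits per memory byte and a small secondary table that holds the full eight V bits only for partially-defined bytes. The convention that a V bit of 1 means “defined”, the table sizes and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed example (not Memcheck's code) of slide 15's compressed V bits:
   2 "VA bits" per memory byte (four per shadow byte) replace 1 A bit + 8 V
   bits; only the rare partially-defined bytes (PDBs) keep 8 V bits, in a
   small secondary table. Convention here: V bit 1 = defined. Sizes arbitrary. */
enum { VA_NOACCESS = 0, VA_UNDEFINED = 1, VA_DEFINED = 2, VA_PARTDEFINED = 3 };
#define REGION_BYTES 4096
#define PDB_MAX      64
static uint8_t va_bits[REGION_BYTES / 4];   /* 2 bits per byte, LSB first; zero = NoAccess */
typedef struct { uint32_t addr; uint8_t vbits; } PdbEntry;
static PdbEntry pdb_table[PDB_MAX];         /* secondary V bits table for PDBs */
size_t pdb_count;
int va_get(uint32_t addr) {
    return (va_bits[addr / 4] >> (2 * (addr % 4))) & 3;
}
static void va_set(uint32_t addr, int state) {
    unsigned shift = 2 * (addr % 4);
    va_bits[addr / 4] = (uint8_t)((va_bits[addr / 4] & ~(3u << shift)) | ((unsigned)state << shift));
}
static PdbEntry *pdb_find(uint32_t addr) {
    for (size_t i = 0; i < pdb_count; i++) if (pdb_table[i].addr == addr) return &pdb_table[i];
    return NULL;
}
static void pdb_drop(PdbEntry *e) { if (e) *e = pdb_table[--pdb_count]; }
/* Store 8 V bits for an addressable byte: the two common cases collapse to a
   2-bit state and only a mixed byte goes to the secondary table. Returns the state. */
int set_vbits(uint32_t addr, uint8_t vbits) {
    PdbEntry *e = pdb_find(addr);
    if (vbits == 0xFF || vbits == 0x00) {
        pdb_drop(e);                               /* byte is no longer a PDB */
        va_set(addr, vbits ? VA_DEFINED : VA_UNDEFINED);
        return va_get(addr);
    }
    if (!e && pdb_count == PDB_MAX) abort();       /* a real tool would grow the table */
    if (!e) { e = &pdb_table[pdb_count++]; e->addr = addr; }
    e->vbits = vbits;
    va_set(addr, VA_PARTDEFINED);
    return VA_PARTDEFINED;
}
/* Expand back to the 8 V bits a load needs; -1 if the byte is unaddressable. */
int get_vbits(uint32_t addr) {
    switch (va_get(addr)) {
    case VA_DEFINED:     return 0xFF;
    case VA_UNDEFINED:   return 0x00;
    case VA_PARTDEFINED: return pdb_find(addr)->vbits;
    default:             return -1;
    }
}
```

Storing a fully defined or fully undefined value into a byte that was a PDB removes its secondary entry, which is what keeps the table small when PDBs are rare.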

Page 16: Discussion

• Optimising principles:
– Start with a simple implementation
– Make the common cases fast
– Exploit redundancy to reduce data sizes

• Novelty?
– First detailed description of Memcheck’s shadow memory
– First detailed description of a two-level table version
– First detailed evaluation of shadow memory
– Compressed V bits

Page 17: Evaluation

Page 18: Robustness

• Two-level table is very flexible
– Small shadow memory chunks, each can go anywhere

• Earlier versions required large contiguous regions
– Some programs require access to upper address space
– Some Linux kernels have trouble mmap’ing large regions
– Big problems with Mac OS X, AIX, other OSes

• Memcheck is robust
– Standard Linux C and C++ development tool
– Official: Linux, AIX; experimental: Mac OS X, FreeBSD

Page 19: SPEC 2000 Performance

Tool                    | Slow-down | Relative improvement
No instrumentation      | 4.3x      |
Simple Memcheck         | 209.6x    |
+ faster loads/stores   | 56.2x     | 3.73x faster
+ faster range-setting  | 34.7x     | 1.62x faster, 1.97x smaller
+ faster SP updates     | 27.2x     | 1.28x faster
+ compressed V bits     | 23.4x     | 1.16x faster, 4.29x smaller
Overall improvement     |           | 8.9x faster, 8.5x smaller

• Shadow memory causes about half of Memcheck’s overhead

Page 20: Performance observations

• Performance is a traditional research obsession

“The subjective issues are important — ease of use and robustness, but performance is the item which would be most interesting for the audience.” (my emphasis)

• Users: slowness is #1 survey complaint
– But most user emails are about bugs or interpreting results
– Zero preparation is a big win

• Cost/benefit
– People will use slow tools if they are sufficiently useful

Page 21: Alternative implementation

• “Half-and-half”
– Used by Hobbes, TaintTrace, (with variation) LIFT

[Diagram: original memory bytes a, b, c, ..., z and their shadows a', b', c', ..., z' in a separate shadow memory region at a constant offset]

• Compared to two-level table
– Faster
– Not robust enough for our purposes

Page 22: If you remember nothing else...

Page 23: Take-home messages

• Shadow memory is powerful
• Shadow memory can be implemented well
• Implementations require trade-offs

www.valgrind.org