73 research outputs found
Garbage Collection in a Very Large Address Space
This research was done at the Artificial Intelligence Laboratory of the Massachusetts Institute of Technology and was supported by the Office of Naval Research under contract number N00014-75-C-0522.The address space is broken into areas that can be garbage collected separately. An area is analogous to a file on current systems. Each process has a local computation area for its stack and temporary storage that is roughly analogous to a job core image. A mechanism is introduced for maintaining lists of inter-area links, the key to separate garbage collection. This mechanism is designed to be placed in hardware and does not create much overhead. It could be used in a practical computer system that uses the same address space for all users for the life of the system. It is necessary for the hardware to implement a reference count scheme that is adequate for handling stack frames. The hardware also facilitates implementation of protection by capabilities without the use of unique codes. This is due to elimination of dangling references. Areas can be deleted without creating dangling references.MIT Artificial Intelligence Laboratory
Department of Defense Office of Naval Researc
Heap Abstractions for Static Analysis
Heap data is potentially unbounded and seemingly arbitrary. As a consequence,
unlike stack and static memory, heap memory cannot be abstracted directly in
terms of a fixed set of source variable names appearing in the program being
analysed. This makes it an interesting topic of study and there is an abundance
of literature employing heap abstractions. Although most studies have addressed
similar concerns, their formulations and formalisms often seem dissimilar and
some times even unrelated. Thus, the insights gained in one description of heap
abstraction may not directly carry over to some other description. This survey
is a result of our quest for a unifying theme in the existing descriptions of
heap abstractions. In particular, our interest lies in the abstractions and not
in the algorithms that construct them.
In our search of a unified theme, we view a heap abstraction as consisting of
two features: a heap model to represent the heap memory and a summarization
technique for bounding the heap representation. We classify the models as
storeless, store based, and hybrid. We describe various summarization
techniques based on k-limiting, allocation sites, patterns, variables, other
generic instrumentation predicates, and higher-order logics. This approach
allows us to compare the insights of a large number of seemingly dissimilar
heap abstractions and also paves way for creating new abstractions by
mix-and-match of models and summarization techniques.Comment: 49 pages, 20 figure
Recommended from our members
Inline and Sideline Approaches for Low-cost Memory Safety in C
System languages such as C or C++ are widely used for their high performance, however the allowance of arbitrary pointer arithmetic and type cast introduces a risk of memory corruptions. These memory errors cause unexpected termination of programs, or even worse, attackers can exploit them to alter the behavior of programs or leak crucial data.
Despite advances in memory safety solutions, high and unpredictable overhead remains a major challenge. Accepting that it is extremely difficult to achieve complete memory safety with the performance level suitable for production deployment, researchers attempt to strike a balance between performance, detection coverage, interoperability, precision, and detection timing. Some properties are much more desirable, e.g. the interoperability with pre-compiled libraries. Comparatively less critical properties are sacrificed for performance, for example, tolerating longer detection delay or narrowing down detection coverage by performing approximate or probabilistic checking or detecting only certain errors. Modern solutions compete for performance.
The performance matrix of memory safety solutions have two major assessment criteria β run-time and memory overheads. Researchers trade-off and balance performance metrics depending on its purpose or placement. Many of them tolerate the increase in memory use for better speed, since memory safety enforcement is more desirable for troubleshooting or testing during development, where a memory resource is not the main issue. Run-time overhead, considered more critical, is impacted by cache misses, dynamic instructions, DRAM row activations, branch predictions and other factors.
This research proposes, implements, and evaluates MIU: Memory Integrity Utilities containing three solutions β MemPatrol, FRAMER and spaceMiu. MIU suggests new techniques for practical deployment of memory safety by exploiting free resources with the following focuses: (1) achieving memory safety with overhead < 1% by using concurrency and trading off prompt detection and coverage; but yet providing eventual detection by a monitor isolation design of an in-register monitor process and the use of AES instructions (2) complete memory safety with near-zero false negatives focusing on eliminating overhead, that hardware support cannot resolve, by using a new tagged-pointer representation utilising the top unused bits of a pointer.Research Foundation of Kore
Recommended from our members
Providing Easy to Use and Fast Programming Support for Non-Volatile Memories
Non-Volatile Memory (NVM) technologies, such as 3D XPoint, offer DRAM-like performance and byte-addressable access to persistent data. NVMs promise an opportunity for fast, persistent data structures, and a wide range of applications stand to benefit from the performance potential of these technologies. These potential benefits are greatest when applications access NVM directly via load/store instructions rather than conventional file-based interfaces. Directly accessing NVM presents several challenges. In particular, applications need guaranteed consistency and safety semantics to protect their data structures in the face of system failures and programming errors.Implementing data structures that meet these requirements is challenging and error-prone. Existing methods for building persistent data structures require either in-depth code changes to an existing data structure or rewriting the data structure from scratch. Unfortunately, both of these methods are labor-intensive and error-prone.Failure-atomicity libraries and programming language extensions can simplify this task. However, all the proposed solutions either require pervasive changes to existing software or incur unacceptable overheads to runtime performance. As a result, porting legacy applications to leverage NVM is likely to be prohibitively difficult and time-consuming.This dissertation first presents Breeze, an NVM toolchain that minimizes the changes necessary to enable legacy code to reap the benefits of directly accessing NVM. In contrast to PMDK and NVM-Direct, Breeze reduces the programming effort of porting Memcached and MongoDB by up to 2.8Γ, while providing equal or superior performance.Second, it introduces NVHooks, a compiler that automatically annotates NVM accesses and avoids disruptive and error-prone changes to programs. NVHooks reduces the cost of these annotations by applying novel, NVM-specific optimizations to their placement. For our tested benchmarks, NVHooks matches the performance of hand-annotated code while minimizing programmer effort.Finally, it presents Pronto, a new NVM library that reduces the programming effort required to add persistence to volatile data structures. Pronto uses asynchronous semantic logging (ASL) to allow adding persistence to the existing volatile data structure (e.g., C++ Standard Template Library containers) with minor programming effort. ASL moves most durability code off the critical path. Our evaluation shows Pronto data structures outperform highly-optimized NVM data structures by a large margin
xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64
Memory safety in complex applications implemented in unsafe programming languages such as C/C++ is still an unresolved problem in practice. Such applications were often developed in an ad-hoc, security-ignorant fashion, and thus they contain many types of security issues. Many different types of defenses have been proposed in the past to mitigate these problems, some of which are even widely used in practice. However, advanced attacks are still able to circumvent these defenses, and the arms race is not (yet) over. On the defensive side, the most promising next step is a tighter integration of the hardware and software level: modern mitigation techniques are either accelerated using hardware extensions or implemented in the hard- ware by extensions of the instruction set architecture (ISA). In particular, memory tagging, as proposed by ARM or SPARC, promises to solve many issues for practical memory safety. Unfortunately, Intel x86-64, which represents the most important ISA for both the desktop and server domain, lacks support for hardware-accelerated memory tagging, so memory tagging is not considered practical for this platform.
In this paper, we present the design and implementation of an efficient, software-only pointer tagging scheme for Intel x86-64 based on a novel metadata embedding scheme. The basic idea is to alias multiple virtual pages to one physical page so that we can efficiently embed tag bits into a pointer. Furthermore, we introduce several optimizations that significantly reduce the performance impact of this approach to memory tagging. Based on this scheme, we propose a novel use-after-free mitigation scheme, called xTag, that offers better performance and strong security properties compared to state-of-the-art methods. We also show how double-free vulnerabilities can be mitigated. Our approach is highly compatible, allowing pointers to be passed back and forth between instrumented and non-instrumented code without losing metadata, and it is even compatible with inline assembly. We conclude that building exploit mitigation mechanisms on top of our memory tagging scheme is feasible on Intel x86-64, as demonstrated by the effective prevention of use-after-free bugs in the Firefox web browser
Garbage collection in distributed systems
PhD ThesisThe provision of system-wide heap storage has a number of advantages.
However, when the technique is applied to distributed systems
automatically recovering inaccessible variables becomes a serious problem.
This thesis presents a survey of such garbage collection techniques but
finds that no existing algorithm is entirely suitable. A new, general
purpose algorithm is developed and presented which allows individual
systems to garbage collect largely independently. The effects of these
garbage collections are combined, using recursively structured control
mechanisms, to achieve garbage collection of the entire heap with the
minimum of overheads. Experimental results show that new algorithm
recovers most inaccessible variables more quickly than a straightforward
garbage collection, giving an improved memory utilisation
λ©λͺ¨λ¦¬ 보νΈλ₯Ό μν 보μ μ μ± μ μννκΈ° μν μ½λ λ³ν κΈ°μ
νμλ
Όλ¬Έ(λ°μ¬)--μμΈλνκ΅ λνμ :곡과λν μ κΈ°Β·μ»΄ν¨ν°κ³΅νλΆ,2020. 2. λ°±μ€ν₯.Computer memory is a critical component in computer systems that needs to be protected to ensure the security of computer systems. It contains security sensitive data that should not be disclosed to adversaries. Also, it contains the important data for operating the system that should not be manipulated by the attackers. Thus, many security solutions focus on protecting memory so that sensitive data cannot be leaked out of the computer system or on preventing illegal access to computer data. In this thesis, I will present various code transformation techniques for enforcing security policies for memory protection. First, I will present a code transformation technique to track implicit data flows so that security sensitive data cannot leak through implicit data flow channels (i.e., conditional branches). Then I will present a compiler technique to instrument C/C++ program to mitigate use-after-free errors, which is a type of vulnerability that allow illegal access to stale memory location. Finally, I will present a code transformation technique for low-end embedded devices to enable execute-only memory, which is a strong security policy to protect secrets and harden the computing device against code reuse attacks.μ»΄ν¨ν° λ©λͺ¨λ¦¬λ μ»΄ν¨ν° μμ€ν
μ 보μμ μν΄ λ³΄νΈλμ΄μΌ νλ μ€μν μ»΄ν¬λνΈμ΄λ€. μ»΄ν¨ν° λ©λͺ¨λ¦¬λ 보μμ μ€μν λ°μ΄ν°λ₯Ό λ΄κ³ μμ λΏλ§ μλλΌ, μμ€ν
μ μ¬λ°λ₯Έ λμμ μν΄ κ³΅κ²©μμ μν΄ μ‘°μλμ΄μλ μλλ μ€μν λ°μ΄ν° κ°λ€μ μ μ₯νλ€. λ°λΌμ λ§μ 보μ μ루μ
μ λ©λͺ¨λ¦¬λ₯Ό 보νΈνμ¬ μ»΄ν¨ν° μμ€ν
μμ μ€μν λ°μ΄ν°κ° μ μΆλκ±°λ μ»΄ν¨ν° λ°μ΄ν°μ λν λΆλ²μ μΈ μ κ·Όμ λ°©μ§νλ λ° μ€μ μ λλ€. λ³Έ λ
Όλ¬Έμμλ λ©λͺ¨λ¦¬ 보νΈλ₯Ό μν 보μ μ μ±
μ μννκΈ° μν λ€μν μ½λ λ³ν κΈ°μ μ μ μνλ€. λ¨Όμ , νλ‘κ·Έλ¨μμ λΆκΈ°λ¬Έμ ν΅ν΄ 보μμ λ―Όκ°ν λ°μ΄ν°κ° μ μΆλμ§ μλλ‘ μμμ λ°μ΄ν° νλ¦μ μΆμ νλ μ½λ λ³ν κΈ°μ μ μ μνλ€. κ·Έ λ€μμΌλ‘ C / C ++ νλ‘κ·Έλ¨μ λ³ννμ¬ use-after-free μ€λ₯λ₯Ό μννλ μ»΄νμΌλ¬ κΈ°μ μ μ μνλ€. λ§μ§λ§μΌλ‘, μ€μ λ°μ΄ν°λ₯Ό 보νΈνκ³ μ½λ μ¬μ¬μ© 곡격μΌλ‘λΆν° λλ°μ΄μ€λ₯Ό κ°νν μ μλ κ°λ ₯ν 보μ μ μ±
μΈ μ€ν μ μ© λ©λͺ¨λ¦¬(execute-only memory)λ₯Ό μ μ¬μ μλ² λλ λλ°μ΄μ€μ ꡬννκΈ° μν μ½λ λ³ν κΈ°μ μ μ μνλ€.1 Introduction 1
2 Background 4
3 A Hardware-based Technique for Efficient Implicit Information Flow Tracking 8
3.1 Introduction 8
3.2 Related Work 10
3.3 Our Approach for Implicit Flow Tracking 12
3.3.1 Implicit Flow Tracking Scheme with Program Counter Tag 12
3.3.2 tP C Management Technique 15
3.3.3 Compensation for the Untaken Path 20
3.4 Architecture Design of IFTU 22
3.4.1 Overall System 22
3.4.2 Tag Computing Core 24
3.5 Performance and Area Analysis 26
3.6 Security Analysis 28
3.7 Summary 30
4 CRCount: Pointer Invalidation with Reference Counting to Mitigate Useafter-free in Legacy C/C++ 31
4.1 Introduction 31
4.2 Related Work 36
4.3 Threat Model 40
4.4 Implicit Pointer Invalidation 40
4.4.1 Invalidation with Reference Counting 40
4.4.2 Reference Counting in C/C++ 42
4.5 Design 44
4.5.1 Overview 45
4.5.2 Pointer Footprinting 46
4.5.3 Delayed Object Free 50
4.6 Implementation 53
4.7 Evaluation 56
4.7.1 Statistics 56
4.7.2 Performance Overhead 58
4.7.3 Memory Overhead 62
4.8 Security Analysis 67
4.8.1 Attack Prevention 68
4.8.2 Security considerations 69
4.9 Limitations 69
4.10 Summary 71
5 uXOM: Efficient eXecute-Only Memory on ARM Cortex-M 73
5.1 Introduction 73
5.2 Background 78
5.2.1 ARMv7-M Address Map and the Private Peripheral Bus (PPB) 78
5.2.2 Memory Protection Unit (MPU) 79
5.2.3 Unprivileged Loads/Stores 80
5.2.4 Exception Entry and Return 80
5.3 Threat Model and Assumptions 81
5.4 Approach and Challenges 82
5.5 uXOM 85
5.5.1 Basic Design 85
5.5.2 Solving the Challenges 89
5.5.3 Optimizations 98
5.5.4 Security Analysis 99
5.6 Evaluation 100
5.6.1 Runtime Overhead 103
5.6.2 Code Size Overhead 106
5.6.3 Energy Overhead 107
5.6.4 Security and Usability 107
5.6.5 Use Cases 108
5.7 Discussion 110
5.8 Related Work 111
5.9 Summary 113
6 Conclusion and Future Work 114
6.1 Future Work 115
Abstract (In Korean) 132
Acknowlegement 133Docto
Recommended from our members
Capability Memory Protection for Embedded Systems
This dissertation explores the use of capability security hardware and software in real-time and latency-sensitive embedded systems, to address existing memory safety and task isolation problems as well as providing new means to design a secure and scalable real-time system.
In addition, this dissertation looks into how practical and high-performance temporal memory safety can be achieved under a capability architecture.
State-of-the-art memory protection schemes for embedded systems typically present limited and inflexible solutions to memory protection and isolation, and fail to scale as embedded devices become more capable and ubiquitous.
I investigate whether a capability architecture is able to provide new angles to address memory safety issues in an embedded scenario.
Previous CHERI capability research focuses on 64-bit architectures in UNIX operating systems, which does not translate to typical 32-bit embedded processors with low-latency and real-time requirements.
I propose and implement the CHERI CC-64 encoding and the CHERI-64 coprocessor to construct a feasible capability-enabled 32-bit CPU.
In addition, I implement a real-time kernel for embedded systems atop CHERI-64.
On this hardware and software platform, I focus on exploring scalable task isolation and fine-grained memory protection enabled by capabilities in a single flat physical address space, which are otherwise difficult or impossible to achieve via state-of-the-art approaches.
Later, I present the evaluation of the hardware implementation and the software run-time overhead and real-time performance.
Even with capability support, CHERI-64 as well as other CHERI processors still expose major attack surfaces through temporal vulnerabilities like use-after-free.
A naive approach that sweeps memory to invalidate stale capabilities is inefficient and incurs significant cycle overhead and DRAM traffic.
To make sweeping revocation feasible, I introduce new architectural mechanisms and micro-architectural optimisations to substantially reduce the cost of memory sweeping and capability revocation.
Another factor of the cost is the frequency of memory sweeping.
I explore tradeoffs of memory allocator designs that use quarantine buffers and shadow space tags to prevent frequent unnecessary sweeping.
The evaluation shows that the optimisations and new allocator designs reduce the cost of capability sweeping revocation by orders of magnitude, making it already practical for most applications to adopt temporal safety under CHERI.CSC Cambridge Scholarshi
- β¦