HeapMD: identifying heap-based bugs using anomaly detection

We present the design, implementation, and evaluation of HeapMD, a dynamic analysis tool that finds heap-based bugs using anomaly detection. HeapMD is based upon the observation that, in spite of the evolving nature of the heap, several of its properties remain stable. HeapMD uses this observation in a novel way: periodically, during the execution of the program, it computes a suite of metrics which are sensitive to the state of the heap. These metrics track heap behavior, and the stability of the heap is reflected quantitatively in the values of these metrics. The "normal" ranges of stable metrics, obtained by running a program on multiple inputs, are then treated as indicators of correct behavior, and are used in conjunction with an anomaly detector to find heap-based bugs. Using HeapMD, we were able to find 40 heap-based bugs, 31 of them previously unknown, in 5 large, commercial applications.
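The workflow the abstract describes (sample heap metrics periodically, keep the metrics that stay in a narrow range across training inputs, flag samples outside that range) is sketched below as an added example; it is not HeapMD's code. The degree-based metric names, the 5-point stability width, and the doubly linked list used as a constructed heap graph are all assumptions made for illustration.

```python
from collections import Counter

def heap_metrics(nodes, edges):
    """Percent of heap objects with a given degree property (assumed metric suite)."""
    indeg, outdeg = Counter(), Counter()
    for src, dst in edges:          # one edge per pointer field src -> dst
        outdeg[src] += 1
        indeg[dst] += 1
    def pct(pred):
        return 100.0 * sum(1 for v in nodes if pred(v)) / len(nodes)
    return {
        "indeg=2": pct(lambda v: indeg[v] == 2),
        "outdeg=1": pct(lambda v: outdeg[v] == 1),
        "indeg=outdeg": pct(lambda v: indeg[v] == outdeg[v]),
    }

def dlist_snapshot(n, drop_back_every=0):
    """Constructed sample: heap graph of an n-node doubly linked list.
    drop_back_every=k models a bug that omits every k-th back pointer."""
    nodes, edges = list(range(n)), []
    for i in range(n - 1):
        edges.append((i, i + 1))                      # next pointer
        if not (drop_back_every and i % drop_back_every == 0):
            edges.append((i + 1, i))                  # prev pointer
    return nodes, edges

def run(sizes, **bug):
    """One execution: metrics sampled periodically as the list grows."""
    return [heap_metrics(*dlist_snapshot(n, **bug)) for n in sizes]

def calibrate(training_runs, max_width=5.0):
    """Keep only metrics whose range over all training samples is narrow."""
    samples = [s for r in training_runs for s in r]
    model = {}
    for name in samples[0]:
        lo = min(s[name] for s in samples)
        hi = max(s[name] for s in samples)
        if hi - lo <= max_width:                      # assumed stability test
            model[name] = (lo, hi)
    return model

def anomalies(model, test_run):
    """(sample index, metric, value) for each stable metric outside its range."""
    return [(i, name, s[name]) for i, s in enumerate(test_run)
            for name, (lo, hi) in model.items() if not lo <= s[name] <= hi]

# Training on multiple inputs (different list sizes); all data is constructed.
TRAINING = [run(range(4, 100, 8)), run(range(6, 200, 16)), run(range(5, 60, 5))]
MODEL = calibrate(TRAINING)
```

Here "indeg=2" and "outdeg=1" vary with list size and are discarded as unstable, while "indeg=outdeg" stays at 100% on every correct run and becomes the detector; the missing back pointers in the buggy run pull it to 50%.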
