Experiments with property driven monitoring of C programs

Monitoring is a dynamic technique that observes executions of programs and detects errors at runtime. The key issue in monitoring is performance overhead: if the overhead is too high, then monitoring takes too long to terminate or runs out of system resources. This thesis investigates aspects of monitoring for bug detection, seeking implementations that identify errors precisely and that have overheads acceptable for use with testing. These concerns are addressed by instantiating monitoring analyses for the problems of memory leaks and disclosure of confidential information, and using experimentation to investigate incurred overheads. A generalisation is then provided over primitives identified during the instantiations. This enables monitoring via abstract specifications aimed at reducing the cost of developing monitoring analysis from scratch. First, this thesis presents an approach to memory leak detection. The key issue addressed by the author’s technique is detection of locations where the leaked memory was lost. Leak detection is enabled by tracking each allocated memory block and computing the dereference of the block’s address space. This represents reachability of the memory block with respect to program variables. Unreachable blocks that have not been de-allocated by the program are reported as memory leaks at the end of execution. The locations of leakage are given by the locations where blocks were last reachable. The results of experimentation with the prototype implementation for C programs indicate that, for monitoring test suites of UNIX utilities and programs selected from the Standard Performance Evaluation Corporation (SPEC) CPU datasets, the overheads of the present approach compare favourably to the results produced by the Valgrind memory debugger. This thesis also describes an approach to preventing leakage of sensitive information used by a program. The technique analyses values and has the ability to identify whether a disclosed value represents an information leak with respect to the values considered secret at runtime. This is enabled by tracking secret values and checking whether assignments transfer secret values to publicly observable locations. A prototype implementation for C programs was used to analyse security-oriented UNIX utilities and programs chosen from the SPEC CPU datasets. The results of the experiments indicate that the overhead required to detect password disclosure in real

[1]  David R. Hanson,et al.  The icon programming language: an overview , 1979, SIGP.

[2]  Landon P. Cox,et al.  TightLip: Keeping Applications from Spilling the Beans , 2007, NSDI.

[3]  Richard H. Crawford,et al.  A dataflow approach to event‐based debugging , 1991, Softw. Pract. Exp..

[4]  Alejandro Russo,et al.  On-the-fly inlining of dynamic security monitors , 2012, Comput. Secur..

[5]  Cheng Wang,et al.  LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[6]  Padmanabhan Krishnan,et al.  Combining Static Analysis and Constraint Solving for Automatic Test Case Generation , 2012, 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation.

[7]  David Keppel,et al.  Shade: a fast instruction-set simulator for execution profiling , 1994, SIGMETRICS.

[8]  Heike Wehrheim,et al.  Jass - Java with Assertions , 2001, RV@CAV.

[9]  Mahesh Viswanathan,et al.  Runtime Assurance Based On Formal Specifications , 1999, PDPTA.

[10]  Clinton L. Jeffery,et al.  A lightweight architecture for program execution monitoring , 1998, PASTE '98.

[11]  Alessandro Orso,et al.  LEAKPOINT: pinpointing the causes of memory leaks , 2010, 2010 ACM/IEEE 32nd International Conference on Software Engineering.

[12]  Stephen J. Garland,et al.  Larch: Languages and Tools for Formal Specification , 1993, Texts and Monographs in Computer Science.

[13]  Nikolai Kosmatov,et al.  Frama-C - A Software Analysis Perspective , 2012, SEFM.

[14]  Oege de Moor,et al.  Making trace monitors feasible , 2007, OOPSLA.

[15]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[16]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[17]  Andrew C. Myers,et al.  Dynamic security labels and static information flow control , 2007, International Journal of Information Security.

[18]  Nicholas Nethercote,et al.  Using Valgrind to Detect Undefined Value Errors with Bit-Precision , 2005, USENIX Annual Technical Conference, General Track.

[19]  Amitabh Srivastava,et al.  Analysis Tools , 2019, Public Transportation Systems.

[20]  Benjamin Livshits,et al.  Finding application errors and security flaws using PQL: a program query language , 2005, OOPSLA '05.

[21]  Alexander Aiken,et al.  Relational queries over program traces , 2005, OOPSLA '05.

[22]  Yuanyuan Zhou,et al.  SafeMem: exploiting ECC-memory for detecting memory leaks and memory corruption during production runs , 2005, 11th International Symposium on High-Performance Computer Architecture.

[23]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[24]  David C. Luckham Programming with Specifications: An Introduction to ANNA, A Language for Specifying Ada Programs , 1990 .

[25]  Xavier Leroy,et al.  Mechanized Semantics for the Clight Subset of the C Language , 2009, Journal of Automated Reasoning.

[26]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[27]  Robert J. Walker,et al.  Implementing protocols via declarative event patterns , 2004, SIGSOFT '04/FSE-12.

[28]  Mireille Ducassé,et al.  Generic and Efficient Program Monitoring by trace analysis , 2003, ArXiv.

[29]  Wolfgang Polak,et al.  Formal Verification of Ada Programs , 1990, IEEE Trans. Software Eng..

[30]  Venkatesan T. Chakaravarthy New results on the computability and complexity of points--to analysis , 2003, POPL '03.

[31]  Albert L. Baker,et al.  Preliminary design of JML: a behavioral interface specification language for java , 2006, SOEN.

[32]  Gregg Rothermel,et al.  Sofya: A Flexible Framework for Development of Dynamic Program Analyses for Java Software , 2006 .

[33]  William G. Griswold,et al.  An Overview of AspectJ , 2001, ECOOP.

[34]  Woosup Lim,et al.  Memory leak detection with context awareness , 2012, RACS.

[35]  Gary T. Leavens An Overview of Larch/C++: Behavioral Specifications for C++ Modules , 1996 .

[36]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[37]  Zoltan Somogyi,et al.  The Execution Algorithm of Mercury, an Efficient Purely Declarative Logic Programming Language , 1996, J. Log. Program..

[38]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[39]  Vladimir I. Levenshtein,et al.  Binary codes capable of correcting deletions, insertions, and reversals , 1965 .

[40]  Michael D. Bond,et al.  Bell: bit-encoding online memory leak detection , 2006, ASPLOS XII.

[41]  Gregg Rothermel,et al.  Sofya: Supporting Rapid Development of Dynamic Program Analyses for Java , 2007, 29th International Conference on Software Engineering (ICSE'07 Companion).

[42]  Glynn Winskel,et al.  The formal semantics of programming languages - an introduction , 1993, Foundation of computing series.

[43]  Cheng Wang,et al.  StarDBT: An Efficient Multi-platform Dynamic Binary Translation System , 2007, Asia-Pacific Computer Systems Architecture Conference.

[44]  Sriram Sankar,et al.  Two-dimensional pinpointing: debugging with formal specifications , 1991, IEEE Software.

[45]  Clinton L. Jeffery,et al.  A configurable automatic instrumentation tool for ANSI C , 1998, Proceedings 13th IEEE International Conference on Automated Software Engineering (Cat. No.98EX239).

[46]  Grigore Rosu,et al.  Java-MOP: A Monitoring Oriented Programming Environment for Java , 2005, TACAS.

[47]  Padmanabhan Krishnan,et al.  A concise specification language for trace monitoring , 2015, SAC.

[48]  Nikolai Kosmatov,et al.  An Optimized Memory Monitoring for Runtime Assertion Checking of C Programs , 2013, RV.

[49]  Martin Leucker,et al.  Teaching Runtime Verification , 2011, RV.

[50]  Santosh Pande,et al.  Automated memory leak detection for production use , 2014, ICSE.

[51]  Clinton L. Jeffery,et al.  The Alamo Execution Monitor Architecture , 2000, WLPE@ICLP.

[52]  James Coyle,et al.  The Importance of Run-Time Error Detection , 2009, Parallel Tools Workshop.

[53]  Dawn Xiaodong Song,et al.  TaintEraser: protecting sensitive data leaks using application-level taint tracking , 2011, OPSR.

[54]  Sriram Sankar,et al.  Concurrent runtime monitoring of formally specified programs , 1993, Computer.

[55]  Xi Wang,et al.  Improving application security with data flow assertions , 2009, SOSP '09.

[56]  Padmanabhan Krishnan,et al.  Comparing model checking and static program analysis: A case study in error detection approaches , 2010 .

[57]  Peter Hui,et al.  Temporal Aspects as Security Automata , 2005 .

[58]  Amer Diwan,et al.  On the type accuracy of garbage collection , 2000, ISMM '00.

[59]  Dominique Devriese,et al.  Noninterference through Secure Multi-execution , 2010, 2010 IEEE Symposium on Security and Privacy.

[60]  Cristina V. Lopes,et al.  Aspect-oriented programming , 1999, ECOOP Workshops.

[61]  David Rosenblum,et al.  An implementation of Anna , 1985, SIGAda '85.

[62]  Derek Bruening,et al.  Efficient, transparent, and comprehensive runtime code manipulation , 2004 .

[63]  Padmanabhan Krishnan,et al.  A low-overhead, value-tracking approach to information flow security , 2016, Inf. Softw. Technol..

[64]  Michael D. Bond,et al.  Tolerating memory leaks , 2008, OOPSLA.

[65]  Thomas H. Austin,et al.  Permissive dynamic information flow analysis , 2010, PLAS '10.

[66]  Ondrej Lhoták,et al.  Adding trace matching with free variables to AspectJ , 2005, OOPSLA '05.

[67]  David W. Wall,et al.  A practical system fljr intermodule code optimization at link-time , 1993 .

[68]  Guru Venkataramani,et al.  MemTracker: Efficient and Programmable Support for Memory Access Monitoring and Debugging , 2007, 2007 IEEE 13th International Symposium on High Performance Computer Architecture.

[69]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[70]  Bin Luo,et al.  A framework for dynamic program analyzers , 1993, OOPSLA '93.

[71]  Peter C. Bates Debugging Heterogeneous Distributed Systems Using Event-Based Models of Behavior , 1995, ACM Trans. Comput. Syst..

[72]  Clinton L. Jeffery,et al.  A framework for execution monitoring in icon , 1994, Softw. Pract. Exp..

[73]  Narciso Martí-Oliet,et al.  The Maude System , 1999, RTA.

[74]  Gurvan Le Guernic Automaton-based Confidentiality Monitoring of Concurrent Programs , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[75]  Padmanabhan Krishnan,et al.  A Dynamic Approach to Locating Memory Leaks , 2013, ICTSS.

[76]  Bernd Bruegge BEE : a basis for distributed event environments : reference manual , 1990 .

[77]  Thomas H. Austin,et al.  Efficient purely-dynamic information flow analysis , 2009, PLAS '09.

[78]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[79]  Gary T. Leavens,et al.  Behavioral interface specification languages , 2012, CSUR.

[80]  Peng Liu,et al.  LeakProber: a framework for profiling sensitive data leakage paths , 2011, CODASPY '11.

[81]  Arnar Birgisson,et al.  JSFlow: tracking information flow in JavaScript and its APIs , 2014, SAC.

[82]  Mario Südholt,et al.  An expressive aspect language for system applications with Arachne , 2005, AOSD '05.

[83]  Marieke Huisman,et al.  Preliminary Design of BML: A Behavioral Interface Specification Language for Java Bytecode , 2007, FASE.

[84]  Alessandro Orso,et al.  Dytan: a generic dynamic taint analysis framework , 2007, ISSTA '07.

[85]  Qin Zhao,et al.  Practical memory checking with Dr. Memory , 2011, International Symposium on Code Generation and Optimization (CGO 2011).

[86]  Rémi Douence,et al.  Trace-Based Aspects , 2004 .

[87]  Mireille Ducassé,et al.  Generic program monitoring by trace analysis , 2002, Theory Pract. Log. Program..

[88]  Insup Lee,et al.  Information extraction for run-time formal analysis , 2001 .

[89]  Bertrand Meyer,et al.  Object-Oriented Software Construction, 2nd Edition , 1997 .

[90]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[91]  Daniel Kroening,et al.  A Tool for Checking ANSI-C Programs , 2004, TACAS.

[92]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[93]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[94]  Cristina Cifuentes Parfait - A Scalable Bug Checker for C Code , 2008, 2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation.

[95]  Mahesh Viswanathan,et al.  Java-MaC: a Run-time Assurance Tool for Java Programs , 2001, RV@CAV.

[96]  J. Filliâtre,et al.  ACSL: ANSI/ISO C Specification Language , 2008 .

[97]  David A. Schmidt,et al.  Automata-Based Confidentiality Monitoring , 2006, ASIAN.

[98]  Volker Stolz,et al.  Temporal Assertions using AspectJ , 2006, Electron. Notes Theor. Comput. Sci..

[99]  Hans-J. Boehm,et al.  Dynamic memory allocation and garbage collection , 1995 .

[100]  Koushik Sen,et al.  Rule-Based Runtime Verification , 2004, VMCAI.

[101]  Koen De Bosschere,et al.  Precise Detection of Memory Leaks , 2004 .

[102]  Howard Barringer,et al.  Rule Systems for Run-time Monitoring: from Eagle to RuleR , 2010, J. Log. Comput..

[103]  Andrei Sabelfeld,et al.  Information-Flow Security for a Core of JavaScript , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[104]  Martin Leucker,et al.  jUnitRV-Adding Runtime Verification to jUnit , 2013, NASA Formal Methods.

[105]  Gary T. Leavens,et al.  The Larch/Smalltalk interface specification language , 1994, TSEM.

[106]  Frank P. Coyle Review of 'The power of events: An introduction to complex event processing in distributed enterprise systems,' by David Luckham, Addison Wesley Professional, May 2002 , 2003, UBIQ.

[107]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[108]  Flemming Nielson,et al.  Semantics with applications - a formal introduction , 1992, Wiley professional computing.

[109]  Nikolai Kosmatov,et al.  Common specification language for static and dynamic analysis of C programs , 2013, SAC '13.

[110]  David Luckham,et al.  The power of events - an introduction to complex event processing in distributed enterprise systems , 2002, RuleML.

[111]  Grigore Rosu,et al.  JavaMOP: Efficient parametric runtime monitoring framework , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[112]  Stephen N. Freund,et al.  The RoadRunner Dynamic Analysis Framework for Concurrent Programs , 2010, PASTE '10.

[113]  Grigore Rosu,et al.  Monitoring Java Programs with Java PathExplorer , 2001, RV@CAV.

[114]  Marcelo d'Amorim,et al.  A Formal Monitoring-Based Framework for Software Development and Analysis , 2004, ICFEM.

[115]  Michael D. Ernst,et al.  An overview of JML tools and applications , 2003, Electron. Notes Theor. Comput. Sci..

[116]  Thomas H. Austin,et al.  Multiple facets for dynamic information flow , 2012, POPL '12.

[117]  Koen De Bosschere,et al.  DIOTA: Dynamic Instrumentation, Optimization and Transformation of Applications , 2002, PACT 2002.

[118]  Matthias Hauswirth,et al.  Low-overhead memory leak detection using adaptive statistical profiling , 2004, ASPLOS XI.

[119]  Vincent Simonet Flow Caml in a Nutshell , 2003 .

[120]  James R. Larus,et al.  EEL: machine-independent executable editing , 1995, PLDI '95.

[121]  Dawson R. Engler,et al.  Static Analysis Versus Model Checking for Bug Finding , 2005, CONCUR.

[122]  Cristina V. Lopes,et al.  Aspect-oriented programming , 1999, ECOOP Workshops.

[123]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[124]  A. Prasad Sistla,et al.  Preventing Information Leaks through Shadow Executions , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[125]  Emery D. Berger,et al.  Efficiently and precisely locating memory leaks and bloat , 2009, PLDI '09.

[126]  Guilherme Ottoni,et al.  RIFLE: An Architectural Framework for User-Centric Information-Flow Security , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[127]  David Wetherall,et al.  Privacy oracle: a system for finding application leaks with black box differential testing , 2008, CCS.

[128]  Doron Drusinsky,et al.  The Temporal Rover and the ATG Rover , 2000, SPIN.

[129]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[130]  Wanli Ma,et al.  Password Entropy and Password Quality , 2010, 2010 Fourth International Conference on Network and System Security.

[131]  Marcelo d'Amorim,et al.  Event-based runtime verification of java programs , 2005, WODA '05.

[132]  Michael Franz,et al.  Fine-Grained Information Flow Analysis and Enforcement in a Java Virtual Machine , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).