Dynamic pointer tracking and its applications

Due to the significant limitations of static analysis and the dynamic nature of pointers in weakly typed programming languages like C and C++, the points-to sets obtained at compile time are quite conservative. Most static pointer analysis methods trade the precision for the analysis speed. The methods that perform the analysis in a reasonable amount of time are often context and/or flow insensitive. Other methods that are context, flow, and field sensitive have to perform the whole program inter-procedural analysis, and do not scale with respect to the program size. A large class of problems involving optimizations such as instruction prefetching, control and data speculation, redundant load/store instructions removal, instruction scheduling, and memory disambiguation suffer due to the imprecise and conservative points-to sets computed statically. One could possibly live without optimizations, but in domains involving memory security and safety, lack of the precise points-to sets can jeopardize the security and safety. In particular, the lack of dynamic points-to sets drastically reduce the ability to reason about a program’s memory access behavior, and thus illegal memory accesses can go unchecked leading to bugs as well as security holes. On the other hand, the points-to sets can be very useful for other domains such as the heap shape analysis and garbage collection. The knowledge of precise points-to sets is therefore becoming very important, but has received little attention so far beyond a few studies, which have shown that the pointers exhibit very interesting behaviors during execution. How to track such behaviors dynamically and benefit from them is the topic covered by this research. In this work, we propose a technique to compute the precise points-to sets through dynamic pointer tracking. First, the compiler performs the pointer analysis to obtain the static points-to sets. Then, the compiler analyzes the program, and inserts the necessary instructions to refine the points-to sets. At runtime, the inserted instructions automatically update the points-to sets. Dynamic pointer tracking in software can be expensive and can be a barrier to the practicality of such methods. Several optimizations including removal of redundant update, post-loop update, special pattern driven update removal, pointer initialization update removal, update propagation, invariant removal, and on demand update optimization are proposed. Our experimental results demonstrate that our mechanism is able to compute the points-to sets dynamically with tolerable overheads. Finally, the memory protection and garbage collection work are presented as the consumers of dynamic pointer tracking to illustrate its importance. In particular, it is shown how different memory properties can be easily tracked using the dynamic points-to sets opening newer possibilities.

[1]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[2]  Markus Mock,et al.  Program slicing with dynamic points-to sets , 2005, IEEE Transactions on Software Engineering.

[3]  Paul Feautrier,et al.  Direct parallelization of call statements , 1986, SIGPLAN '86.

[4]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[5]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[6]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, SIGP.

[7]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[8]  Olatunji Ruwase,et al.  A Practical Dynamic Buffer Overflow Detector , 2004, NDSS.

[9]  Debin Gao,et al.  Gray-box extraction of execution graphs for anomaly detection , 2004, CCS '04.

[10]  Thomas A. Henzinger,et al.  Checking Memory Safety with Blast , 2005, FASE.

[11]  Paul R. Wilson,et al.  Dynamic Storage Allocation: A Survey and Critical Review , 1995, IWMM.

[12]  Hsien-Hsin S. Lee,et al.  InfoShield: a security architecture for protecting information usage in memory , 2006, The Twelfth International Symposium on High-Performance Computer Architecture, 2006..

[13]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[14]  Jong-Deok Choi,et al.  Interprocedural pointer alias analysis , 1999, TOPL.

[15]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[16]  Jong-Deok Choi,et al.  Efficient flow-sensitive interprocedural computation of pointer-induced aliases and side effects , 1993, POPL '93.

[17]  Miguel Castro,et al.  Vigilante: end-to-end containment of internet worms , 2005, SOSP '05.

[18]  Erez Petrank,et al.  Age-Oriented Garbage Collection , 2003 .

[19]  Steven A. Hofmeyr,et al.  Intrusion Detection via System Call Traces , 1997, IEEE Softw..

[20]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[21]  Erez Petrank,et al.  An on-the-fly mark and sweep garbage collector based on sliding views , 2003, OOPSLA 2003.

[22]  Christoph C. Michael,et al.  Using Finite Automata to Mine Execution Data for Intrusion Detection: A Preliminary Report , 2000, Recent Advances in Intrusion Detection.

[23]  Jong-Deok Choi,et al.  Flow-Insensitive Interprocedural Alias Analysis in the Presence of Pointers , 1994, LCPC.

[24]  George E. Collins,et al.  A method for overlapping and erasure of lists , 1960, CACM.

[25]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[26]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[27]  George Varghese,et al.  Hardware and Binary Modification Support for Code Pointer Protection From Buffer Overflow , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[28]  Darko Kirovski,et al.  A Hardware-Software Platform for Intrusion Prevention , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[29]  Kathryn S. McKinley,et al.  Ulterior reference counting: fast garbage collection without a long wait , 2003, OOPSLA 2003.

[30]  Xiangyu Zhang,et al.  Precise dynamic slicing algorithms , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[31]  Daniel G. Bobrow,et al.  An efficient, incremental, automatic garbage collector , 1976, CACM.

[32]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[33]  Miodrag Potkonjak,et al.  Enabling trusted software integrity , 2002, ASPLOS X.

[34]  Calton Pu,et al.  Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[35]  Guru Venkataramani,et al.  MemTracker: Efficient and Programmable Support for Memory Access Monitoring and Debugging , 2007, 2007 IEEE 13th International Symposium on High Performance Computer Architecture.

[36]  Bjarne Steensgaard,et al.  Points-to analysis in almost linear time , 1996, POPL '96.

[37]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[38]  Rafael Dueire Lins,et al.  Garbage collection: algorithms for automatic dynamic memory management , 1996 .

[39]  Susan Horwitz,et al.  Fast and accurate flow-insensitive points-to analysis , 1997, POPL '97.

[40]  Jignesh M. Patel,et al.  Data prefetching by dependence graph precomputation , 2001, Proceedings 28th Annual International Symposium on Computer Architecture.

[41]  Christopher Krügel,et al.  On the Detection of Anomalous System Call Arguments , 2003, ESORICS.

[42]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[43]  Weng-Fai Wong,et al.  Compiler orchestrated prefetching via speculation and predication , 2004, ASPLOS XI.

[44]  V. T. Rajan,et al.  An Efficient On-the-Fly Cycle Collection , 2005, CC.

[45]  Erez Petrank,et al.  Using Prefetching to Improve Reference-Counting Garbage Collectors , 2007, CC.

[46]  Tao Zhang,et al.  Memory Protection through Dynamic Access Control , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[47]  William Pugh,et al.  A practical algorithm for exact array dependence analysis , 1992, CACM.

[48]  Laurie J. Hendren,et al.  Context-sensitive interprocedural points-to analysis in the presence of function pointers , 1994, PLDI '94.

[49]  James Newsom,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, Network and Distributed System Security Symposium Conference Proceedings : 2005 , 2005 .

[50]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[51]  Dinakar Dhurjati,et al.  Backwards-compatible array bounds checking for C with very low overhead , 2006, ICSE.

[52]  Erez Petrank,et al.  An on-the-fly reference counting garbage collector for Java , 2001, OOPSLA '01.

[53]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[54]  Wei Liu,et al.  AccMon: Automatically Detecting Memory-Related Bugs via Program Counter-Based Invariants , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[55]  Markus Mock,et al.  Dynamic points-to sets: a comparison with static analyses and potential applications in program understanding and optimization , 2001, PASTE '01.

[56]  Chen-Yong Cher,et al.  Software prefetching for mark-sweep garbage collection: hardware analysis and software redesign , 2004, ASPLOS XI.

[57]  Henry G. Baker,et al.  Minimizing reference count updating with deferred and anchored pointers for functional data structures , 1994, SIGP.

[58]  Debin Gao,et al.  On Gray-Box Program Tracking for Anomaly Detection , 2004, USENIX Security Symposium.

[59]  David Evans,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[60]  Nathan P. Smith,et al.  Stack Smashing Vulnerabilities in the UNIX Operating System , 1997 .

[61]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[62]  B. Eatrice Creusillet,et al.  Exact vs. Approximate Array Region Analyses , 1996 .

[63]  Yunheung Paek,et al.  Efficient and precise array access analysis , 2002, TOPL.

[64]  Weibo Gong,et al.  Anomaly detection using call stack information , 2003, 2003 Symposium on Security and Privacy, 2003..

[65]  Bowen Alpern,et al.  Implementing jalapeño in Java , 1999, OOPSLA '99.

[66]  Tao Zhang,et al.  Anomalous path detection with hardware support , 2005, CASES '05.

[67]  Manuvir Das,et al.  Unification-based pointer analysis with directional assignments , 2000, PLDI '00.

[68]  Monica S. Lam,et al.  Cloning-based context-sensitive pointer alias analysis using binary decision diagrams , 2004, PLDI '04.

[69]  Jakob Rehof,et al.  Scalable context-sensitive flow analysis using instantiation constraints , 2000, PLDI '00.

[70]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[71]  Frederic T. Chong,et al.  Minos: Control Data Attack Prevention Orthogonal to Memory Model , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[72]  Todd M. Austin,et al.  The SimpleScalar tool set, version 2.0 , 1997, CARN.

[73]  Robert O. Hastings,et al.  Fast detection of memory leaks and access errors , 1991 .

[74]  Todd M. Austin,et al.  Efficient detection of all pointer and array access errors , 1994, PLDI '94.

[75]  Martin C. Rinard,et al.  Pointer analysis for multithreaded programs , 1999, PLDI '99.

[76]  Krste Asanovic,et al.  Mondrian memory protection , 2002, ASPLOS X.