SlideShare uma empresa Scribd logo

Potapenko, vyukov forewarned is forearmed. a san and tsan

DefconRussia
DefconRussia
1 de 61
Baixar para ler offline
Forewarned is forearmed: AddressSanitizer & ThreadSanitizer Timur Iskhodzhanov, Alexander Potapenko, Alexey Samsonov, Kostya Serebryany, Evgeniy Stepanov, Dmitry Vyukov November 2012
Agenda ● AddressSanitizer ○ detects use-after-free and buffer overflows (C++) ● ThreadSanitizer ○ detects data races (C++ & Go) ● Demos ● Practice
AddressSanitizer use-after-free and buffer overflows
Everything is in C/C++ (even if you don't notice that): ● VMs (Java, Perl, Python) ● DBs (MySQL, PostgreSQL) ● Web servers (Apache, nginx) ● Web browsers (Chrome, Firefox, Safari) ● Everything else (libpng, libz, libxyz)
Why C/C++? Efficient memory management + Proximity to hardware = Speed Hard to program + Hard to debug = Memory errors -- open gates to hackers
Debugging memory issues Binary instrumentation: ● Valgrind, Dr. Memory, Intel Parallel Studio, Purify, Bounds Checker, Insure++, ... ● Veeery slow (> 20x), heap bugs only Debug malloc: ● Page-level protection (efence, libgmalloc, Page Heap) ● Magic values ● Inaccurate (may miss bugs), slow, heap only
AddressSanitizer (ASan) Instrumenting compiler + a runtime library A bit of history: ● May 2011: v. 0.0 ● May 2012: part of LLVM 3.1 ● upcoming support in GCC 4.8 clang -fsanitize=address foo.c Works on Linux, Mac OS, Android
AddressSanitizer ● buffer overflows ○ Heap ○ Stack ○ Global objects ● use-after-free, use-after-return ● double-free, memcpy-param-overlap etc.
ASan vs Valgrind vs debug malloc Valgrind *-malloc ASan Heap out-of-bounds YES Sometimes YES Stack out-of-bounds NO NO YES Global out-of-bounds NO NO YES Use-after-free YES YES YES Use-after-return NO NO Sometimes Uninitialized reads YES NO NO CPU Overhead 10x-300x ?? 1.5x-3x
Report example: use-after-free ERROR: AddressSanitizer heap-use-after-free on address 0x7fe8740a6214 at pc 0x40246f bp 0x7fffe5e463e0 sp 0x7fffe5e463d8 READ of size 4 at 0x7fe8740a6214 thread T0 #0 0x40246f in main example_UseAfterFree.cc:4 #1 0x7fe8740e4c4d in __libc_start_main ??:0 0x7fe8740a6214 is located 4 bytes inside of 400-byte region freed by thread T0 here: #0 0x4028f4 in operator delete[](void*) _asan_rtl_ #1 0x402433 in main example_UseAfterFree.cc:4 previously allocated by thread T0 here: #0 0x402c36 in operator new[](unsigned long) _asan_rtl_ #1 0x402423 in main example_UseAfterFree.cc:2
Example: stack-buffer-overflow ERROR: AddressSanitizer stack-buffer-overflow on address 0x7f5620d981b4 at pc 0x4024e8 bp 0x7fff101cbc90 sp 0x7fff101cbc88 READ of size 4 at 0x7f5620d981b4 thread T0 #0 0x4024e8 in main example_StackOutOfBounds.cc:4 #1 0x7f5621db6c4d in __libc_start_main ??:0 #2 0x402349 in _start ??:0 Address 0x7f5620d981b4 is located at offset 436 in frame <main> of T0's stack: This frame has 1 object(s): [32, 432) 'stack_array'
Trophies ● Chromium (including Webkit) ● Hundreds of bugs within Google ● Firefox ● FreeType, FFmpeg, WebRTC, libjpeg-turbo ● Perl, LLVM, GCC ● MySQL ● mod_rails ● even VIM and Git! Which of the above do you use?
Fun facts Google paid > $130K to external security researchers using ASan (like attekett and miaubiz) One of the bugs Pinkie Pie exploited during the last Pwnium was in fact detectable with ASan
Shadow byte ● Every aligned 8-byte word of memory has only 9 states ● First N bytes are addressable, the rest 8-N bytes are not ● Can encode in 1 byte (shadow byte) ● Extreme: 128 application bytes map to 1 shadow byte. 0 7 6 5 Addressable 4 Unaddressable 3 Shadow 2 1 -1
Mapping: Shadow = (Addr>>3) + Offset Virtual address space 0xffffffff 0x40000000 Application Shadow mprotect-ed 0x3fffffff 0x28000000 0x27ffffff 0x24000000 0x23ffffff 0x20000000 0x1fffffff 0x00000000
Mapping: Shadow = (Addr>>3) + 0 Virtual address space 0xffffffff 0x20000000 Application Shadow mprotect-ed 0x1fffffff 0x04000000 0x03ffffff 0x00000000 ● Requires -fPIE -pie (linux) ● Gives ~6% speedup on x86_64
Instrumentation: 8 byte access *a = ... char *shadow = (a>>3)+Offset; if (*shadow) ReportError(a); *a = ...
Instrumentation: N byte access (N=1, 2, 4) *a = ... char *shadow = (a>>3)+Offset; if (*shadow && *shadow <= ((a&7)+N-1)) ReportError(a); *a = ...
Instrumentation example (x86_64) shr $0x3,%rax # shift by 3 mov $0x100000000000,%rcx or %rax,%rcx # add offset cmpb $0x0,(%rcx) # load shadow je 1f <foo+0x1f> # check for zero call 409920 # __asan_report movq $0x1234,(%rdi) # original store
Instrumenting stack void foo() { char a[328]; <------------- CODE -------------> }
Instrumenting stack void foo() { char rz1[32]; // 32-byte aligned char a[328]; char rz2[24]; char rz3[32]; int *shadow = (&rz1 >> 3) + kOffset; shadow[0] = 0xffffffff; // poison rz1 shadow[11] = 0xffffff00; // poison rz2 shadow[12] = 0xffffffff; // poison rz3 <------------- CODE -------------> shadow[0] = shadow[11] = shadow[12] = 0; }
Instrumenting globals int a; struct { int original; char redzone[60]; } a; // 32-aligned
Run-time library ● Initializes shadow memory at startup ● Provides full malloc replacement ○ Insert poisoned redzones around allocated memory ○ Quarantine for free-ed memory ○ Collect stack traces for every malloc/free ● Provides interceptors for functions like memset ● Prints error messages
Performance ● 1.7x on benchmarks (SPEC CPU 2006) ● Almost no slowdown for GUI programs ○ Chrome, Firefox ○ They don't consume all of CPU anyway ● 1.5x–4x slowdown for server side apps with -O2 ○ The larger the slower (instruction cache)
Memory overhead: 2x–4x ● Redzones ○ Heap: 128–255 bytes / allocation ○ Global: 32–63 bytes / global var ○ Stack: 32–63 bytes / addr-taken local var (stack size increased up to 3x) ● Fixed size quarantine (256M) ● Shadow: ○ mmap(MAP_NORESERVE) 1/8-th of all address space ■ 16T on 64-bit ■ 0.5G on 32-bit ○ not more than (Heap + Globals + Stack + Quarantine) / 8
Ok, we have a hammer. Now what?
Run the tests The more the better.
ASan @Chrome Pre-submit trybots (optional) Buildbots checking the new commits ClusterFuzz -- 50,000,000 tests/day Special "canary" Chrome build
Canarizing the desktop app
-1-day bug detection glider: Of course there're plenty of ClusterFuzz samples that we can use to show that ASan can detect problems in Chrome. But maybe there've been any actual exploits for problems detectable with ASan? cevans: Nothing springs to mind. Because of a combination of ASan, ClusterFuzz, our reward program, autoupdate and a culture of prompt bug fixing, we tend to find the bugs first, so no actual exploits.
Canarizing the production
Honeypot? Not sure. Maybe. I'm not a real welder. http://johns-jokes.com/afiles/images/saw_014_welding_mask.jpg
A poor man's sandbox ● bearable slowdown ○ < 2x on average ○ 3x–3.5x on large binaries (instruction cache) ● instant crashes on memory errors ○ a bit annoying for desktop users ○ good for server-side (though DoS still possible)
Is it safer? ASan is a blackbox (code and heap layout are uncommon) UAF/UAR ● need to exhaust the quarantine (250M) Buffer overflow ● need to break the shadow protection somehow ● or exploit an overflow in the library code
Still vulnerable – we can do better Not (yet) instrumented: ● JITted code ● inline assembly ● syscalls ● library routines ○ sprintf() is still a problem ○ wrappers to the rescue No redzones in PODs Little randomization
Future work ● Avoid redundant checks (static analysis) ● Instrument or recompile libraries ● Instrument inline assembly ● Adapt to use in a kernel ● Port to Windows ○ Mostly, frontend work (run-time works) ○ Plain C and simple C++ already works ○ Help is welcome!
ThreadSanitizer data races
ThreadSanitizer v1 ● Based on Valgrind ● Used since 2009 ● Slow (20x–300x slowdown) ○ Found thousands races ○ Faster than others ■ Helgrind (Valgrind) ■ Intel Parallel Inspector (PIN)
ThreadSanitizer v2 overview ● Simple compile-time instrumentation ● Redesigned run-time library ○ Fully parallel ○ No expensive atomics/locks on fast path ○ Scales to huge apps ○ Predictable memory footprint ○ Informative reports
Slowdown Application Tsan1 Tsan2 Tsan1/Tsan2 RPC benchmark 283x 8.5x 33x Server app test 28x 2x 14x String util test 30x 2.4x 13x
Compiler instrumentation void foo(int *p) { *p = 42; } void foo(int *p) { __tsan_func_entry(__builtin_return_address(0)); __tsan_write4(p); *p = 42; __tsan_func_exit() }
Direct mapping (64-bit Linux) Shadow = N * (Addr & kMask); // Requires -pie Application 0x7fffffffffff 0x7f0000000000 Protected 0x7effffffffff 0x200000000000 Shadow 0x1fffffffffff 0x180000000000 Protected 0x17ffffffffff 0x000000000000
Shadow cell An 8-byte shadow cell represents one memory TID access: ○ ~16 bits: TID (thread ID) ○ ~42 bits: Epoch (scalar clock) Epo ○ 5 bits: position/size in 8-byte word ○ 1 bit: IsWrite Full information (no more dereferences) Pos IsW
N shadow cells per 8 application bytes TID TID TID TID Epo Epo Epo Epo Pos Pos Pos Pos IsW IsW IsW IsW
Example: first access T1 E1 Write in thread T1 0:2 W
Example: second access T1 T2 E1 E2 Read in thread T2 0:2 4:8 W R
Example: third access T1 T2 T3 E1 E2 E3 Read in thread T3 0:2 4:8 0:4 W R R
Example: race? Race if E1 does not T1 T2 T3 "happen-before" E3 E1 E2 E3 0:2 4:8 0:4 W R R
Fast happens-before ● Constant-time operation ○ Get TID and Epoch from the shadow cell ○ 1 load from thread-local storage ○ 1 comparison ● Similar to FastTrack (PLDI'09)
Shadow word eviction ● When all shadow words are filled, one random is replaced
Informative reports ● Need to report stack traces for two memory accesses: ○ current (easy) ○ previous (hard) ● TSan1: ○ Stores fixed number of frames (default: 10) ○ Information is never lost ○ Reference-counting and garbage collection
Stack trace for previous access ● Per-thread cyclic buffer of events ○ 64 bits per event (type + PC) ○ Events: memory access, function entry/exit ○ Information will be lost after some time ● Replay the event buffer on report ○ Unlimited number of frames
Function interceptors ● 100+ interceptors ○ malloc, free, ... ○ pthread_mutex_lock, ... ○ strlen, memcmp, ... ○ read, write, ...
Trophies ● 200+ bugs in Google server-side apps (C++) ● 100+ bugs in Go programs ○ 30+ bugs in Go stdlib ● Several races in OpenSSL ○ 1 fixed, ~5 'benign'
Limitations ● Only 64-bit Linux ● Heavily relies on TLS ○ Slow TLS on some platforms ● Hard to port to 32-bit platforms :( ○ Too small address space ○ Expensive atomic 64-bit load/store ● Does not instrument: ○ pre-built libraries ○ inline assembly
Demo time
AddressSanitizer Stack use-after-return -- common in large programs with callbacks, very hard to debug. Stack buffer overflow -- can sometimes be caught by stack protectors. ASan detects both easily.
ThreadSanitizer Thread-unsafe reference counting => => execution of malicious code. Basically impossible to debug. TSan finds instantly, explains, helps to verify fix. $ clang -fsanitize=thread
Practice bug-list.txt -- list of bugs in the tests fuzz.sh -- run all the tests under ASan/TSan test*.cc -- tests accepting a 2-char argument, some arguments trigger bugs in the tests. $ clang -fsanitize=address -g t.c $ ./a.out aa 2>& | ./asan_symbolize.py $ clang -fsanitize=thread -fPIE -pie -g t.c $ ./a.out aa Task: map test numbers to bug descriptions
Q&A http://code.google.com/p/address-sanitizer/ http://code.google.com/p/thread-sanitizer/ {glider,dvyukov}@google.com

Recomendados

Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
AA-sort with SSE4.1
AA-sort with SSE4.1AA-sort with SSE4.1
AA-sort with SSE4.1MITSUNARI Shigeo
 
20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugs20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugsComputer Science Club
 
20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugsComputer Science Club
 
Multithreading done right
Multithreading done rightMultithreading done right
Multithreading done rightPlatonov Sergey
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...Positive Hack Days
 
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...Gavin Guo
 
SFO15-500: VIXL
SFO15-500: VIXLSFO15-500: VIXL
SFO15-500: VIXLLinaro
 

Recomendados

Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
AA-sort with SSE4.1
AA-sort with SSE4.1AA-sort with SSE4.1
AA-sort with SSE4.1MITSUNARI Shigeo
 
20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugs20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugsComputer Science Club
 
20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugsComputer Science Club
 
Multithreading done right
Multithreading done rightMultithreading done right
Multithreading done rightPlatonov Sergey
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...Positive Hack Days
 
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...Migrating KSM page causes the VM lock up as the KSM page merging list is too ...
Migrating KSM page causes the VM lock up as the KSM page merging list is too ...Gavin Guo
 
SFO15-500: VIXL
SFO15-500: VIXLSFO15-500: VIXL
SFO15-500: VIXLLinaro
 
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itSergey Platonov
 
System Calls
System CallsSystem Calls
System CallsDavid Evans
 
WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装MITSUNARI Shigeo
 
Parsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedParsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedDaniel Lemire
 
A Speculative Technique for Auto-Memoization Processor with Multithreading
A Speculative Technique for Auto-Memoization Processor with MultithreadingA Speculative Technique for Auto-Memoization Processor with Multithreading
A Speculative Technique for Auto-Memoization Processor with MultithreadingMatsuo and Tsumura lab.
 
Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Platonov Sergey
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentOOO "Program Verification Systems"
 
Down to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsDown to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsAndrei Pangin
 
What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)David Evans
 
Checking the Source SDK Project
Checking the Source SDK ProjectChecking the Source SDK Project
Checking the Source SDK ProjectAndrey Karpov
 
Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Platonov Sergey
 
A Step Towards Data Orientation
A Step Towards Data OrientationA Step Towards Data Orientation
A Step Towards Data OrientationElectronic Arts / DICE
 
Introduction to Data Oriented Design
Introduction to Data Oriented DesignIntroduction to Data Oriented Design
Introduction to Data Oriented DesignElectronic Arts / DICE
 
Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Sergey Platonov
 
Low-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil PerssonLow-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil PerssonAMD Developer Central
 
Everything you wanted to know about Stack Traces and Heap Dumps
Everything you wanted to know about Stack Traces and Heap DumpsEverything you wanted to know about Stack Traces and Heap Dumps
Everything you wanted to know about Stack Traces and Heap DumpsAndrei Pangin
 
Kirk Shoop, Reactive programming in C++
Kirk Shoop, Reactive programming in C++Kirk Shoop, Reactive programming in C++
Kirk Shoop, Reactive programming in C++Sergey Platonov
 
Joel Falcou, Boost.SIMD
Joel Falcou, Boost.SIMDJoel Falcou, Boost.SIMD
Joel Falcou, Boost.SIMDSergey Platonov
 
Do we need Unsafe in Java?
Do we need Unsafe in Java?Do we need Unsafe in Java?
Do we need Unsafe in Java?Andrei Pangin
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 

Mais conteúdo relacionado

Mais procurados

Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itSergey Platonov
 
WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装MITSUNARI Shigeo
 
Parsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedParsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedDaniel Lemire
 
A Speculative Technique for Auto-Memoization Processor with Multithreading
A Speculative Technique for Auto-Memoization Processor with MultithreadingA Speculative Technique for Auto-Memoization Processor with Multithreading
A Speculative Technique for Auto-Memoization Processor with MultithreadingMatsuo and Tsumura lab.
 
Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Platonov Sergey
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentOOO "Program Verification Systems"
 
Down to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsDown to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsAndrei Pangin
 
What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)David Evans
 
Checking the Source SDK Project
Checking the Source SDK ProjectChecking the Source SDK Project
Checking the Source SDK ProjectAndrey Karpov
 
Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Platonov Sergey
 
Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Sergey Platonov
 
Low-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil PerssonLow-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil PerssonAMD Developer Central
 
Everything you wanted to know about Stack Traces and Heap Dumps
Everything you wanted to know about Stack Traces and Heap DumpsEverything you wanted to know about Stack Traces and Heap Dumps
Everything you wanted to know about Stack Traces and Heap DumpsAndrei Pangin
 
Kirk Shoop, Reactive programming in C++
Kirk Shoop, Reactive programming in C++Kirk Shoop, Reactive programming in C++
Kirk Shoop, Reactive programming in C++Sergey Platonov
 
Do we need Unsafe in Java?
Do we need Unsafe in Java?Do we need Unsafe in Java?
Do we need Unsafe in Java?Andrei Pangin
 

Mais procurados (19)

Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
 
System Calls
System CallsSystem Calls
System Calls
 
WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装
 
Parsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons LearnedParsing JSON Really Quickly: Lessons Learned
Parsing JSON Really Quickly: Lessons Learned
 
A Speculative Technique for Auto-Memoization Processor with Multithreading
A Speculative Technique for Auto-Memoization Processor with MultithreadingA Speculative Technique for Auto-Memoization Processor with Multithreading
A Speculative Technique for Auto-Memoization Processor with Multithreading
 
Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”Rainer Grimm, “Functional Programming in C++11”
Rainer Grimm, “Functional Programming in C++11”
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
 
Down to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsDown to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap Dumps
 
What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)What the &~#@&lt;!? (Pointers in Rust)
What the &~#@&lt;!? (Pointers in Rust)
 
Checking the Source SDK Project
Checking the Source SDK ProjectChecking the Source SDK Project
Checking the Source SDK Project
 
Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”Bartosz Milewski, “Re-discovering Monads in C++”
Bartosz Milewski, “Re-discovering Monads in C++”
 
A Step Towards Data Orientation
A Step Towards Data OrientationA Step Towards Data Orientation
A Step Towards Data Orientation
 
Introduction to Data Oriented Design
Introduction to Data Oriented DesignIntroduction to Data Oriented Design
Introduction to Data Oriented Design
 
Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >
 
Low-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil PerssonLow-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil Persson
 
Everything you wanted to know about Stack Traces and Heap Dumps
Everything you wanted to know about Stack Traces and Heap DumpsEverything you wanted to know about Stack Traces and Heap Dumps
Everything you wanted to know about Stack Traces and Heap Dumps
 
Kirk Shoop, Reactive programming in C++
Kirk Shoop, Reactive programming in C++Kirk Shoop, Reactive programming in C++
Kirk Shoop, Reactive programming in C++
 
Joel Falcou, Boost.SIMD
Joel Falcou, Boost.SIMDJoel Falcou, Boost.SIMD
Joel Falcou, Boost.SIMD
 
Do we need Unsafe in Java?
Do we need Unsafe in Java?Do we need Unsafe in Java?
Do we need Unsafe in Java?
 

Semelhante a Potapenko, vyukov forewarned is forearmed. a san and tsan

Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Gavin Guo
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 
Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기Ji Hun Kim
 
Kernelvm 201312-dlmopen
Kernelvm 201312-dlmopenKernelvm 201312-dlmopen
Kernelvm 201312-dlmopenHajime Tazaki
 
General Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics HardwareGeneral Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics HardwareDaniel Blezek
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 

Semelhante a Potapenko, vyukov forewarned is forearmed. a san and tsan (20)

Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory Sanitizer
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msan
 
Yandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msanYandex may 2013 a san-tsan_msan
Yandex may 2013 a san-tsan_msan
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 
Windbg랑 친해지기
Windbg랑 친해지기Windbg랑 친해지기
Windbg랑 친해지기
 
Kernelvm 201312-dlmopen
Kernelvm 201312-dlmopenKernelvm 201312-dlmopen
Kernelvm 201312-dlmopen
 
General Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics HardwareGeneral Purpose Computing using Graphics Hardware
General Purpose Computing using Graphics Hardware
 
Valgrind
ValgrindValgrind
Valgrind
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
Failure Of DEP And ASLR
Failure Of DEP And ASLRFailure Of DEP And ASLR
Failure Of DEP And ASLR
 
Meltdown & Spectre
Meltdown & Spectre Meltdown & Spectre
Meltdown & Spectre
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
Meltdown & spectre
Meltdown & spectreMeltdown & spectre
Meltdown & spectre
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 

Mais de DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

Mais de DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Potapenko, vyukov forewarned is forearmed. a san and tsan

  • 1. Forewarned is forearmed: AddressSanitizer & ThreadSanitizer Timur Iskhodzhanov, Alexander Potapenko, Alexey Samsonov, Kostya Serebryany, Evgeniy Stepanov, Dmitry Vyukov November 2012
  • 2. Agenda ● AddressSanitizer ○ detects use-after-free and buffer overflows (C++) ● ThreadSanitizer ○ detects data races (C++ & Go) ● Demos ● Practice
  • 4. Everything is in C/C++ (even if you don't notice that): ● VMs (Java, Perl, Python) ● DBs (MySQL, PostgreSQL) ● Web servers (Apache, nginx) ● Web browsers (Chrome, Firefox, Safari) ● Everything else (libpng, libz, libxyz)
  • 5. Why C/C++? Efficient memory management + Proximity to hardware = Speed Hard to program + Hard to debug = Memory errors -- open gates to hackers
  • 6. Debugging memory issues Binary instrumentation: ● Valgrind, Dr. Memory, Intel Parallel Studio, Purify, Bounds Checker, Insure++, ... ● Veeery slow (> 20x), heap bugs only Debug malloc: ● Page-level protection (efence, libgmalloc, Page Heap) ● Magic values ● Inaccurate (may miss bugs), slow, heap only
  • 7. AddressSanitizer (ASan) Instrumenting compiler + a runtime library A bit of history: ● May 2011: v. 0.0 ● May 2012: part of LLVM 3.1 ● upcoming support in GCC 4.8 clang -fsanitize=address foo.c Works on Linux, Mac OS, Android
  • 8. AddressSanitizer ● buffer overflows ○ Heap ○ Stack ○ Global objects ● use-after-free, use-after-return ● double-free, memcpy-param-overlap etc.
  • 9. ASan vs Valgrind vs debug malloc Valgrind *-malloc ASan Heap out-of-bounds YES Sometimes YES Stack out-of-bounds NO NO YES Global out-of-bounds NO NO YES Use-after-free YES YES YES Use-after-return NO NO Sometimes Uninitialized reads YES NO NO CPU Overhead 10x-300x ?? 1.5x-3x
  • 10. Report example: use-after-free ERROR: AddressSanitizer heap-use-after-free on address 0x7fe8740a6214 at pc 0x40246f bp 0x7fffe5e463e0 sp 0x7fffe5e463d8 READ of size 4 at 0x7fe8740a6214 thread T0 #0 0x40246f in main example_UseAfterFree.cc:4 #1 0x7fe8740e4c4d in __libc_start_main ??:0 0x7fe8740a6214 is located 4 bytes inside of 400-byte region freed by thread T0 here: #0 0x4028f4 in operator delete[](void*) _asan_rtl_ #1 0x402433 in main example_UseAfterFree.cc:4 previously allocated by thread T0 here: #0 0x402c36 in operator new[](unsigned long) _asan_rtl_ #1 0x402423 in main example_UseAfterFree.cc:2
  • 11. Example: stack-buffer-overflow ERROR: AddressSanitizer stack-buffer-overflow on address 0x7f5620d981b4 at pc 0x4024e8 bp 0x7fff101cbc90 sp 0x7fff101cbc88 READ of size 4 at 0x7f5620d981b4 thread T0 #0 0x4024e8 in main example_StackOutOfBounds.cc:4 #1 0x7f5621db6c4d in __libc_start_main ??:0 #2 0x402349 in _start ??:0 Address 0x7f5620d981b4 is located at offset 436 in frame <main> of T0's stack: This frame has 1 object(s): [32, 432) 'stack_array'
  • 12. Trophies ● Chromium (including Webkit) ● Hundreds of bugs within Google ● Firefox ● FreeType, FFmpeg, WebRTC, libjpeg-turbo ● Perl, LLVM, GCC ● MySQL ● mod_rails ● even VIM and Git! Which of the above do you use?
  • 13. Fun facts Google paid > $130K to external security researchers using ASan (like attekett and miaubiz) One of the bugs Pinkie Pie exploited during the last Pwnium was in fact detectable with ASan
  • 14.
  • 15. Shadow byte ● Every aligned 8-byte word of memory has only 9 states ● First N bytes are addressable, the rest 8-N bytes are not ● Can encode in 1 byte (shadow byte) ● Extreme: 128 application bytes map to 1 shadow byte. 0 7 6 5 Addressable 4 Unaddressable 3 Shadow 2 1 -1
  • 16. Mapping: Shadow = (Addr>>3) + Offset Virtual address space 0xffffffff 0x40000000 Application Shadow mprotect-ed 0x3fffffff 0x28000000 0x27ffffff 0x24000000 0x23ffffff 0x20000000 0x1fffffff 0x00000000
  • 17. Mapping: Shadow = (Addr>>3) + 0 Virtual address space 0xffffffff 0x20000000 Application Shadow mprotect-ed 0x1fffffff 0x04000000 0x03ffffff 0x00000000 ● Requires -fPIE -pie (linux) ● Gives ~6% speedup on x86_64
  • 18. Instrumentation: 8 byte access *a = ... char *shadow = (a>>3)+Offset; if (*shadow) ReportError(a); *a = ...
  • 19. Instrumentation: N byte access (N=1, 2, 4) *a = ... char *shadow = (a>>3)+Offset; if (*shadow && *shadow <= ((a&7)+N-1)) ReportError(a); *a = ...
  • 20. Instrumentation example (x86_64) shr $0x3,%rax # shift by 3 mov $0x100000000000,%rcx or %rax,%rcx # add offset cmpb $0x0,(%rcx) # load shadow je 1f <foo+0x1f> # check for zero call 409920 # __asan_report movq $0x1234,(%rdi) # original store
  • 21. Instrumenting stack void foo() { char a[328]; <------------- CODE -------------> }
  • 22. Instrumenting stack void foo() { char rz1[32]; // 32-byte aligned char a[328]; char rz2[24]; char rz3[32]; int *shadow = (&rz1 >> 3) + kOffset; shadow[0] = 0xffffffff; // poison rz1 shadow[11] = 0xffffff00; // poison rz2 shadow[12] = 0xffffffff; // poison rz3 <------------- CODE -------------> shadow[0] = shadow[11] = shadow[12] = 0; }
  • 23. Instrumenting globals int a; struct { int original; char redzone[60]; } a; // 32-aligned
  • 24. Run-time library ● Initializes shadow memory at startup ● Provides full malloc replacement ○ Insert poisoned redzones around allocated memory ○ Quarantine for free-ed memory ○ Collect stack traces for every malloc/free ● Provides interceptors for functions like memset ● Prints error messages
  • 25. Performance ● 1.7x on benchmarks (SPEC CPU 2006) ● Almost no slowdown for GUI programs ○ Chrome, Firefox ○ They don't consume all of CPU anyway ● 1.5x–4x slowdown for server side apps with -O2 ○ The larger the slower (instruction cache)
  • 26. Memory overhead: 2x–4x ● Redzones ○ Heap: 128–255 bytes / allocation ○ Global: 32–63 bytes / global var ○ Stack: 32–63 bytes / addr-taken local var (stack size increased up to 3x) ● Fixed size quarantine (256M) ● Shadow: ○ mmap(MAP_NORESERVE) 1/8-th of all address space ■ 16T on 64-bit ■ 0.5G on 32-bit ○ not more than (Heap + Globals + Stack + Quarantine) / 8
  • 27. Ok, we have a hammer. Now what?
  • 28. Run the tests The more the better.
  • 29. ASan @Chrome Pre-submit trybots (optional) Buildbots checking the new commits ClusterFuzz -- 50,000,000 tests/day Special "canary" Chrome build
  • 31. -1-day bug detection glider: Of course there're plenty of ClusterFuzz samples that we can use to show that ASan can detect problems in Chrome. But maybe there've been any actual exploits for problems detectable with ASan? cevans: Nothing springs to mind. Because of a combination of ASan, ClusterFuzz, our reward program, autoupdate and a culture of prompt bug fixing, we tend to find the bugs first, so no actual exploits.
  • 33. Honeypot? Not sure. Maybe. I'm not a real welder. http://johns-jokes.com/afiles/images/saw_014_welding_mask.jpg
  • 34. A poor man's sandbox ● bearable slowdown ○ < 2x on average ○ 3x–3.5x on large binaries (instruction cache) ● instant crashes on memory errors ○ a bit annoying for desktop users ○ good for server-side (though DoS still possible)
  • 35. Is it safer? ASan is a blackbox (code and heap layout are uncommon) UAF/UAR ● need to exhaust the quarantine (250M) Buffer overflow ● need to break the shadow protection somehow ● or exploit an overflow in the library code
  • 36. Still vulnerable – we can do better Not (yet) instrumented: ● JITted code ● inline assembly ● syscalls ● library routines ○ sprintf() is still a problem ○ wrappers to the rescue No redzones in PODs Little randomization
  • 37. Future work ● Avoid redundant checks (static analysis) ● Instrument or recompile libraries ● Instrument inline assembly ● Adapt to use in a kernel ● Port to Windows ○ Mostly, frontend work (run-time works) ○ Plain C and simple C++ already works ○ Help is welcome!
  • 38. ThreadSanitizer data races
  • 39. ThreadSanitizer v1 ● Based on Valgrind ● Used since 2009 ● Slow (20x–300x slowdown) ○ Found thousands races ○ Faster than others ■ Helgrind (Valgrind) ■ Intel Parallel Inspector (PIN)
  • 40. ThreadSanitizer v2 overview ● Simple compile-time instrumentation ● Redesigned run-time library ○ Fully parallel ○ No expensive atomics/locks on fast path ○ Scales to huge apps ○ Predictable memory footprint ○ Informative reports
  • 41. Slowdown Application Tsan1 Tsan2 Tsan1/Tsan2 RPC benchmark 283x 8.5x 33x Server app test 28x 2x 14x String util test 30x 2.4x 13x
  • 42. Compiler instrumentation void foo(int *p) { *p = 42; } void foo(int *p) { __tsan_func_entry(__builtin_return_address(0)); __tsan_write4(p); *p = 42; __tsan_func_exit() }
  • 43. Direct mapping (64-bit Linux) Shadow = N * (Addr & kMask); // Requires -pie Application 0x7fffffffffff 0x7f0000000000 Protected 0x7effffffffff 0x200000000000 Shadow 0x1fffffffffff 0x180000000000 Protected 0x17ffffffffff 0x000000000000
  • 44. Shadow cell An 8-byte shadow cell represents one memory TID access: ○ ~16 bits: TID (thread ID) ○ ~42 bits: Epoch (scalar clock) Epo ○ 5 bits: position/size in 8-byte word ○ 1 bit: IsWrite Full information (no more dereferences) Pos IsW
  • 45. N shadow cells per 8 application bytes TID TID TID TID Epo Epo Epo Epo Pos Pos Pos Pos IsW IsW IsW IsW
  • 46. Example: first access T1 E1 Write in thread T1 0:2 W
  • 47. Example: second access T1 T2 E1 E2 Read in thread T2 0:2 4:8 W R
  • 48. Example: third access T1 T2 T3 E1 E2 E3 Read in thread T3 0:2 4:8 0:4 W R R
  • 49. Example: race? Race if E1 does not T1 T2 T3 "happen-before" E3 E1 E2 E3 0:2 4:8 0:4 W R R
  • 50. Fast happens-before ● Constant-time operation ○ Get TID and Epoch from the shadow cell ○ 1 load from thread-local storage ○ 1 comparison ● Similar to FastTrack (PLDI'09)
  • 51. Shadow word eviction ● When all shadow words are filled, one random is replaced
  • 52. Informative reports ● Need to report stack traces for two memory accesses: ○ current (easy) ○ previous (hard) ● TSan1: ○ Stores fixed number of frames (default: 10) ○ Information is never lost ○ Reference-counting and garbage collection
  • 53. Stack trace for previous access ● Per-thread cyclic buffer of events ○ 64 bits per event (type + PC) ○ Events: memory access, function entry/exit ○ Information will be lost after some time ● Replay the event buffer on report ○ Unlimited number of frames
  • 54. Function interceptors ● 100+ interceptors ○ malloc, free, ... ○ pthread_mutex_lock, ... ○ strlen, memcmp, ... ○ read, write, ...
  • 55. Trophies ● 200+ bugs in Google server-side apps (C++) ● 100+ bugs in Go programs ○ 30+ bugs in Go stdlib ● Several races in OpenSSL ○ 1 fixed, ~5 'benign'
  • 56. Limitations ● Only 64-bit Linux ● Heavily relies on TLS ○ Slow TLS on some platforms ● Hard to port to 32-bit platforms :( ○ Too small address space ○ Expensive atomic 64-bit load/store ● Does not instrument: ○ pre-built libraries ○ inline assembly
  • 58. AddressSanitizer Stack use-after-return -- common in large programs with callbacks, very hard to debug. Stack buffer overflow -- can sometimes be caught by stack protectors. ASan detects both easily.
  • 59. ThreadSanitizer Thread-unsafe reference counting => => execution of malicious code. Basically impossible to debug. TSan finds instantly, explains, helps to verify fix. $ clang -fsanitize=thread
  • 60. Practice bug-list.txt -- list of bugs in the tests fuzz.sh -- run all the tests under ASan/TSan test*.cc -- tests accepting a 2-char argument, some arguments trigger bugs in the tests. $ clang -fsanitize=address -g t.c $ ./a.out aa 2>& | ./asan_symbolize.py $ clang -fsanitize=thread -fPIE -pie -g t.c $ ./a.out aa Task: map test numbers to bug descriptions