JIANG Li,CHEN Jian,PING Ling-di,CHEN Xiao-ping

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.004

2010-01-01

Abstract:In multithreaded environment,sensitive information is often deliberately released by many real applications and sometimes information needs to become more confidential. In order to address this situation,a security policy was defined in the style of strong bisimulation equivalence,which can handle both information leaking and erasing. The policy controls what information is released and guarantees that attackers cannot exploit information releasing mechanisms to reveal more sensitive data than intended. Moreover,it ensures that public data after erasing cannot be abused by attackers. Then a secure transforming type system was proposed to enforce the security policy by using the cross-copying technique,which can eliminate internal timing covert channels resulting from the interplay between different threads. The transforming type system can transform an insecure program into a secure one,trying to close information leaks. The secure program has the same structure as the original program and models the same timing behavior. Finally,the soundness of the type system was proved with respect to the operational semantics. Results indicate that if a program can be transformed according to typing rules,the resulting program satisfies the security policy.

Wang Ji-min,Ping Ling-di,Pan Xue-zeng,Shen Hai-bin,Yan Xiao-lang

DOI: https://doi.org/10.1007/bf02842479

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:The C programming language is expressive and flexible, but not safe; as its expressive power and flexibility are obtained through unsafe language features, and improper use of these features can lead to program bugs whose causes are hard to identify. Since C is widely used, and it is impractical to rewrite all existing C programs in safe languages, so ways must be found to make C programs safe. This paper deals with the unsafe features of C and presents a survey on existing solutions to make C programs safe. We have studied binary-level instrumentation tools, source checkers, source-level instrumentation tools and safe dialects of C, and present a comparison of different solutions, summarized the strengths and weaknesses of different classes of solutions, and show measures that could possibly improve the accuracy or alleviate the overhead of existing solutions.

Mustakimur Khandaker,Abu Naser,Wenqing Liu,Zhi Wang,Yajin Zhou,Yueqiang Cheng

DOI: https://doi.org/10.1109/eurosp.2019.00017

2019-01-01

Abstract:Low-level languages like C/C++ are widely used in various applications for their performance and flexibility. Unfortunately, these languages are prone to memory corruption vulnerabilities, leading to control-flow hijacking attacks. Control flow integrity (CFI) is a general principle to enforce run-time control flow of a program to a pre-computed control-flow graph (CFG). While the traditional context-insensitive CFI falls short in protecting critical control transfers, recent context-sensitive CFI research shows promising improvements but has various limitations. We present Control Flow Integrity with Look Back (CFI-LB), a call-site sensitive CFI in which a conventional source-target control transfer is strengthened by a look back into its call-sites (return addresses). CFI-LB features the adaptive call-site sensitivity in which each indirect call has its own level of sensitivity and the multi-scope CFG to improve the security even if a precise context-sensitive static CFG is not available, especially for large programs such as GCC and NGINX. One of the CFGs is constructed by our localized concolic execution, which significantly extends the dynamic CFG with very low false positives. In addition, CFI-LB is the first CFI system explicitly designed to protect its reference monitors from race conditions. We have built a prototype of CFI-LB. The evaluation with SPEC CPU2006 benchmarks and NGINX indicates that CFI-LB has a low-performance overhead (less than 5% on average for the full protection) while increasing the security.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Hanru Jiang,Hongjin Liang,Siyang Xiao,Junpeng Zha,Xinyu Feng

DOI: https://doi.org/10.1145/3314221.3314595

2019-01-01

Abstract:Certified separate compilation is important for establishing end-to-end guarantees for certified systems consisting of multiple program modules. There has been much work building certified compilers for sequential programs. In this paper, we propose a language-independent framework consisting of the key semantics components and lemmas that bridge the verification gap between the compilers for sequential programs and those for (race-free) concurrent programs, so that the existing verification work for the former can be reused. One of the key contributions of the framework is a novel footprint-preserving compositional simulation as the compilation correctness criterion. The framework also provides a new mechanism to support confined benign races which are usually found in efficient implementations of synchronization primitives. With our framework, we develop CASCompCert, which extends CompCert for certified separate compilation of race-free concurrent Clight programs. It also allows linking of concurrent Clight modules with x86-TSO implementations of synchronization primitives containing benign races. All our work has been implemented in the Coq proof assistant.

Jinyu Li,Zhenzhou Ji,Yihao Zhou

DOI: https://doi.org/10.1109/ICCSD.2019.8843305

2019-01-01

Abstract:Dthreads is a multi-core deterministic thread library with good performance in recent years. It has great application value for programs with deterministic execution requirements. This paper focus on Dthreads scheduling process. In view of program's potential parallelism characteristics and the requirement of determinism, two optimization methods are introduced to improve the parallelism. The validity and performance of these two methods are verified by experiments. The results show that the two optimization methods can improve the running efficiency of program and guarantee determinism.

Miao Cai,Shenming Liu,Hao Huang

DOI: https://doi.org/10.1109/icpads.2017.00052

2017-01-01

Abstract:On the multicore and multiprocessor system, multithreaded applications which are kernel-intensive usually suffer from two kinds of performance issues, first one is frequent context switch between kernel/user mode. Another one is lock contention caused by non-scalable synchronization primitives (e.g., ticket spin lock) and may even result in performance degradation under heavy contention level. Unfortunately, current Linux threading model (i.e., NPTL) which adopts exception-based system call mechanism fails to reduce the excessive system call cost. Besides, conventional threading scheduler which is unconscious of lock contention also lacks the ability to limit the number of system-wide contending parallel threads. Both of them impede the application's throughput increment and may lead to the performance breakdown eventually. In this paper we propose a contention-aware threading framework to alleviate these two problems. Our proposed design is composed of two tightly contected components: system call batching via user-level thread library and a contention-aware scheduler based on non-work-conserving scheduling policy. The user-level threading library gathers multiple system call invocations transparently and deliverys these requests to the underlaying kernel working threads. Therefore, tScale improves application performance by reducing massive context switch cost. Then through continuing monitoring system-wide lock contention level and application's total throughput increment, tScale can quickly adjust the number of contending threads in order to sustain the maximum throughput. The prototype system is implemented on Linux 3.18.30 and Glibc 2.23. In microbenchmarks on a 32-core machine, experiment results show that our approach can not only improve the application throughput by up to 20% but also address the lock contention efficiently.

Xinyu Feng,Zhong Shao,Yu Guo,Yuan Dong

DOI: https://doi.org/10.1007/s10817-009-9118-9

2009-01-01

Journal of Automated Reasoning

Abstract:Hardware interrupts are widely used in the world’s critical software systems to support preemptive threads, device drivers, operating system kernels, and hypervisors. Handling interrupts properly is an essential component of low-level system programming. Unfortunately, interrupts are also extremely hard to reason about: they dramatically alter the program control flow and complicate the invariants in low-level concurrent code (e.g., implementation of synchronization primitives). Existing formal verification techniques—including Hoare logic, typed assembly language, concurrent separation logic, and the assume-guarantee method—have consistently ignored the issues of interrupts; this severely limits the applicability and power of today’s program verification systems. In this paper we present a novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads. We show that enabling and disabling interrupts can be formalized precisely using simple ownership-transfer semantics, and the same technique also extends to the concurrent setting. By carefully reasoning about the interaction among interrupt handlers, context switching, and synchronization libraries, we are able to—for the first time—successfully certify a preemptive thread implementation and a large number of common synchronization primitives. Our work provides a foundation for reasoning about interrupt-based kernel programs and makes an important advance toward building fully certified operating system kernels and hypervisors.

Bin LUO,Xiang-Lin FEI

2000-01-01

Journal of Computer Research and Development

Abstract:Multithread technology has been adopted in recently developed mainstream operating systems. Firstly the basic concepts of multithread are described. Secondly, three implementation methods of multithread mechanism that is user\|level threads, kernel\|level threads and combined approaches are discussed. Thirdly, application of multithread programming is introduced. Through the object\|oriented database management system NODBMS, how to use multithreads to realize multiple transaction processing is also introduced, and is proposed an effective query optimization algorithm of object\|oriented database system based on multithread technology.

Abdelhalim Amer,Huiwei Lu,Yanjie Wei,Pavan Balaji,Satoshi Matsuoka

DOI: https://doi.org/10.1145/2688500.2688522

2015-01-24

Abstract:Hybrid MPI+Threads programming has emerged as an alternative model to the “MPI everywhere” model to better handle the increasing core density in cluster nodes. While the MPI standard allows multithreaded concurrent communication, such flexibility comes with the cost of maintaining thread safety within the MPI implementation, typically implemented using critical sections. In contrast to previous works that studied the importance of critical-section granularity in MPI implementations, in this paper we investigate the implication of critical-section arbitration on communication performance. We first analyze the MPI runtime when multithreaded concurrent communication takes place on hierarchical memory systems. Our results indicate that the mutex-based approach that most MPI implementations use today can incur performance penalties due to unfair arbitration. We then present methods to mitigate these penalties with a first-come, first-served arbitration and a priority locking scheme that favors threads doing useful work. Through evaluations using several benchmarks and applications, we demonstrate up to 5-fold improvement in performance.

Xiaoqi Yang,Qilong Zheng,Guoliang Chen

DOI: https://doi.org/10.4108/infoscale.2007.200

2007-01-01

Abstract:With the increasing popularity of shared-memory programming model, especially at the advent of Multi-Core processors, more and more programmers hope to write parallel multithread programs conveniently and effectively with the help of parallel multithread programming interface. Unfortunately, these interfaces are not well accepted by sequential programmers, because of incomplete elimination of lower-level details, inflexibility selection of library functions, depending on specific compilers. This paper presents a unique generic object-oriented parallel multithread programming interface, which is designed and implemented to solve the drawbacks of current parallel multithread programming interfaces. Evaluation results show that programmers can benefit a lot from the interface.

Abdelhalim Amer,Huiwei Lu,Pavan Balaji,Milind Chabbi,Yanjie Wei,Jeff Hammond,Satoshi Matsuoka

DOI: https://doi.org/10.1145/3275443

2019-01-23

ACM Transactions on Parallel Computing

Abstract:In this article, we investigate contention management in lock-based thread-safe MPI libraries. Specifically, we make two assumptions: (1) locks are the only form of synchronization when protecting communication paths; and (2) contention occurs, and thus serialization is unavoidable. Our work distinguishes between lock acquisitions with respect to work being performed inside a critical section; productive vs. unproductive . Waiting for message reception without doing anything else inside a critical section is an example of unproductive lock acquisition. We show that the high-throughput nature of modern scalable locking protocols translates into better communication progress for throughput-intensive MPI communication but negatively impacts latency-sensitive communication because of overzealous unproductive lock acquisition. To reduce unproductive lock acquisitions, we devised a method that promotes threads with productive work using a generic two-level priority locking protocol. Our results show that using a high-throughput protocol for productive work and a fair protocol for less productive code paths ensures the best tradeoff for fine-grained communication, whereas a fair protocol is sufficient for more coarse-grained communication. Although these efforts have been rewarding, scalability degradation remains significant. We discuss techniques that diverge from the pure locking model and offer the potential to further improve scalability.

Xiaodong Zhang,Zijiang Yang,Qinghua Zheng,Pei Liu,Jialiang Chang,Yu Hao,Ting Liu

DOI: https://doi.org/10.1109/icst.2017.23

2017-01-01

Abstract:With the advent of multicore processors, there is a trend towards multithreading to take advantage of parallel computing resources. Due to greatly increased complexity, programmers need effective testing methodology that can thoroughly test multithreaded programs. There has been significant progress based on symbolic execution that attempts to exhaustively explore all the intra-thread paths and inter-thread interleavings. However, such testing approach faces two insuperable challenges. Firstly, exploring an astronomically large number of paths and interleavings limits its scalability. Secondly, a path itself does not directly help programmers understand program behavior. In this paper, we propose an alternate testing methodology that focuses on definition-use data flow instead of paths/interleavings. Such approach not only leads to orders of magnitude reduction in testing complexity, but also gives programmers direct help on examining the shared variable usage in a multithreaded program.

Yanning Du,Yinliang Zhao,Bo Han,Yuancheng Li

DOI: https://doi.org/10.1109/HPCC.2012.81

2012-01-01

Abstract:Speculative Multithreading (SpMT) approaches have gained wide popularity because they can get more parallelism by allowing two pieces of potentially conflicting code to execute in parallel while ensuring the correctness of the results by recovering from conflicts. However, the dividing-along-the-control-flow-path method employed by the traditional SpMT approach is unsuitable for a number of programs in which operations on different data structures are interleaved in the control flow path. If we linearly divide the program into threads along the control flow path, the operations on the same data structure will be divided among the different threads that are doomed to be prone to conflict when being executed concurrently. To effectively parallelize these programs, we proposed a data structure centric approach, in which the objects of a program are organized into different groups and the operations on the objects within the same group are dispatched to the same thread to be executed, thereby reducing the likelihood of conflict on the same data structure.

Xiaodong Zhang,Zijiang Yang,Qinghua Zheng,Yu Hao,Pei Liu,Lechen Yu,Ting Liu

DOI: https://doi.org/10.1109/access.2018.2835672

IF: 3.9

2018-01-01

IEEE Access

Abstract:Debugging multithread programs is extremely difficult because the basic assumption that underlies sequential program debugging, that is, the program behavior is deterministic under a fixed input, is no longer valid due to the nondeterminism attributed to thread scheduling. It is because the programs behavior is non-deterministic due to the nondeterminism of parallel execution, which makes debugging or testing multithreaded programs extremely difficult. In this paper, we propose a proactive debugging method to restore this basic assumption so that programmers can debug multithreaded programs as if they were sequential. Our approach is based on the synergistic integration of symbolic analysis and dynamic analysis techniques. In particular, symbolic analysis investigates the program behavior under the same input to search whether there is a thread schedule would trigger a bug or a not-yet-explored path. Dynamic analysis is to execute these new paths with the guide of the generated thread schedules, thereby further guiding the symbolic analysis. The net effect of applying this feedback loop is a systematic and complete coverage of the program behavior under a fixed test input. We implement the proposed approach in a prototype tool called proactive-debugger. Our experiments show that proactive-debugger outperforms both ESBMC and Maple, which are two powerful and well-known testing tools for failure detection in multithreaded programs.

Zhenzhou Tian,Ting Liu,Qinghua Zheng,Feifei Tong,Ming Fan,Zijiang Yang

DOI: https://doi.org/10.1145/2889160.2892653

2016-01-01

Abstract:Dynamic birthmarking used to be an effective approach to detecting software plagiarism. Yet the new trend towards multithreaded programming renders existing algorithms almost useless, due to the fact that thread scheduling nondeterminism severely perturbs birthmark generation and comparison. In this paper, we design a birthmark based on thread-related system calls. Such a birthmark is less susceptible to thread scheduling. The empirical study conducted on an open benchmark shows that the new birthmark is superior to existing birthmarks and is resilient against most state-of-the-art obfuscation techniques.

DU Yan-Ning,ZHAO Yin-Liang,HAN Bo,LI Yuan-Cheng

DOI: https://doi.org/10.3724/SP.J.1001.2013.04353

2013-01-01

Journal of Software

Abstract:While parallelizing a program, to ensure the correctness of the result, a parallel compiler can only adopt a conservative policy that if it cannot accurately determine whether two pieces of code will conflict while being executed in parallel, it does not permit them to be executed in parallel. Although this approach can ensure correctness, it also limits the amount of parallelism that can be exploited. A number of speculative multithreading (SpMT) approaches gained wide popularity because they can get more parallelism by allowing two pieces of potentially conflicting code to execute in parallel while ensuring the correctness of the results by recovering from conflicts. However, the dividing-along-the-control-flow-path method employed by the traditional SpMT approach is unsuitable for a number of programs in which operations on different data structures are interleaved in the control flow path. If the program is linearly divided into threads along the control flow path, the operations on the same data structure will be divided among the different threads that are doomed to be prone to conflict when being executed concurrently. To effectively parallelize these programs, this paper proposes a data structure centric approach, in which the objects of a program are organized into different groups and the operations on the objects within the same group are dispatched to the same thread for execution, thereby reducing the likelihood of conflict on the same data structure. © 2013 ISCAS.

Zhenzhou Tian,Ting Liu,Qinghua Zheng,Eryue Zhuang,Ming Fan,Zijiang Yang

DOI: https://doi.org/10.1109/tse.2017.2688383

IF: 7.4

2018-01-01

IEEE Transactions on Software Engineering

Abstract:As multithreaded programs become increasingly popular, plagiarism of multithreaded programs starts to plague the software industry. Although there has been tremendous progress on software plagiarism detection technology, existing dynamic birthmark approaches are applicable only to sequential programs, due to the fact that thread scheduling nondeterminism severely perturbs birthmark generation and comparison. We propose a framework called TOB (Thread-oblivious dynamic Birthmark) that revives existing techniques so they can be applied to detect plagiarism of multithreaded programs. This is achieved by thread-oblivious algorithms that shield the influence of thread schedules on executions. We have implemented a set of tools collectively called TOB-PD (TOB based Plagiarism Detection tool) by applying TOB to three existing representative dynamic birthmarks, including SCSSB (System Call Short Sequence Birthmark), DYKIS (DYnamic Key Instruction Sequence birthmark) and JB (an API based birthmark for Java). Our experiments conducted on large number of binary programs show that our approach exhibits strong resilience against state-of-the-art semantics-preserving code obfuscation techniques. Comparisons against the three existing tools SCSSB, DYKIS and JB show that the new framework is effective for plagiarism detection of multithreaded programs. The tools, the benchmarks and the experimental results are all publicly available.

Zhenzhou Tian,Ting Liu,Qinghua Zheng,Ming Fan,Eryue Zhuang,Zijiang Yang

DOI: https://doi.org/10.1016/j.jss.2016.06.014

IF: 3.5

2016-01-01

Journal of Systems and Software

Abstract:Dynamic birthmarking used to be an effective approach to detecting software plagiarism. Yet the new trend towards multithreaded programming renders existing algorithms almost useless, due to the fact that thread scheduling nondeterminism severely perturbs birthmark generation and comparison. In this paper, we redesign birthmark based software plagiarism detection algorithms to make such approach effective for multithreaded programs. Our birthmarks are abstractions of program behavioral characteristics based on thread-related system calls. Such birthmarks are less susceptible to thread scheduling as the system calls are the sources that impose thread scheduling rather than being affected. We have conducted an empirical study on a benchmark that consists of 234 versions of 35 different multithreaded programs. Our experiments show that the new birthmarks are superior to existing birthmarks and are resilient against most state-of-the-art obfuscation techniques. (C) 2016 Elsevier Inc. All rights reserved.

Kang Sun,Daliang Xu,Dongwei Chen,Xu Cheng,Dong Tong

2020-01-01

Abstract: Annex K of C11, bounds-checking interfaces, recently introduced a set of alternative functions to mitigate buffer overflows, primarily those caused by string/memory functions. However, poor compatibility limits their adoption. Failure oblivious computing can eliminate the possibility that an attacker can exploit memory errors to corrupt the address space and significantly increase the availability of systems. In this paper, we present S3Library (Saturation-Memory-Access Safer String Library), which is compatible with the standard C library in terms of function signature. Our technique automatically replaces unsafe deprecated memory/string functions with safer versions that perform bounds checking and eliminate buffer overflows via boundless memory. S3Library employs MinFat, a very compact pointer representation following the Less is More principle, to encode metadata into unused upper bits within pointers. In addition, S3Library utilizes Saturation Memory Access to eliminate illegal memory accesses into boundless padding area. Even if an out-of-bounds access is made, the fault program will not be interrupted. We implement our scheme within the LLVM framework on X86-64 and evaluate our approach on correctness, security, runtime performance and availability.