Zhang Gen,Wang Peng-Fei,Yue Tai,Zhou Xu,Lu Kai

DOI: https://doi.org/10.1007/s11390-021-1593-4

IF: 1.871

2021-01-01

Journal of Computer Science and Technology

Abstract:Allocation, dereferencing, and freeing of memory data in kernels are coherently linked. There widely exist real cases where the correctness of memory is compromised. This incorrectness in kernel memory brings about significant security issues, e.g., information leaking. Though memory allocation, dereferencing, and freeing are closely related, previous work failed to realize they are closely related. In this paper, we study the life-cycle of kernel memory, which consists of allocation, dereferencing, and freeing. Errors in them are called memory life-cycle (MLC) bugs. We propose an in-depth study of MLC bugs and implement a memory life-cycle bug sanitizer (MEBS) for MLC bug detection. Utilizing an inter-procedural global call graph and novel identification approaches, MEBS can reveal memory allocation, dereferencing, and freeing sites in kernels. By constructing a modified define-use chain and examining the errors in the life-cycle, MLC bugs can be identified. Moreover, the experimental results on the latest kernels demonstrate that MEBS can effectively detect MLC bugs, and MEBS can be scaled to different kernels. More than 100 new bugs are exposed in Linux and FreeBSD, and 12 common vulnerabilities and exposures (CVE) are assigned.

Gang Chen,Hai Jin,Deqing Zou,Bing Bing Zhou,Zhenkai Liang,Weide Zheng,Xuanhua Shi

DOI: https://doi.org/10.1109/TDSC.2013.25

2013-01-01

Abstract:AbstractBuffer overflow attacks still pose a significant threat to the security and availability of today's computer systems. Although there are a number of solutions proposed to provide adequate protection against buffer overflow attacks, most of existing solutions terminate the vulnerable program when the buffer overflow occurs, effectively rendering the program unavailable. The impact on availability is a serious problem on service-oriented platforms. This paper presents SafeStack, a system that can automatically diagnose and patch stack-based buffer overflow vulnerabilities. The key technique of our solution is to virtualize memory accesses and move the vulnerable buffer into protected memory regions, which provides a fundamental and effective protection against recurrence of the same attack without stopping normal system execution. We developed a prototype on a Linux system, and conducted extensive experiments to evaluate the effectiveness and performance of the system using a range of applications. Our experimental results showed that SafeStack can quickly generate runtime patches to successfully handle the attack's recurrence. Furthermore, SafeStack only incurs acceptable overhead for the patched applications.

Yunlong Lyu,Yi Fang,Yiwei Zhang,Qibin Sun,Siqi Ma,Elisa Bertino,Kangjie Lu,Juanru Li

DOI: https://doi.org/10.1109/sp46214.2022.9833613

2022-01-01

Abstract:Existing tools for the automated detection of memory corruption bugs are not very effective in practice. They typically recognize only standard memory management (MM) APIs (e.g., malloc and free) and assume a naive paired-use model—an allocator is followed by a specific deallocator. However, we observe that programmers very often design their own MM functions and that these functions often manifest two major characteristics: (1) Custom allocator functions perform multi-object or nested allocation which then requires structure-aware deallocation functions. (2) Custom allocators and deallocators follow an unpaired-use model. A more effective detection thus needs to adapt those characteristics and capture memory bugs related to non-standard MM behaviors. In this paper, we present a MM function aware memory bug detection technique by introducing the concept of structure-aware and object-centric Memory Operation Synopsis (MOS). A MOS abstractly describes the memory objects of a given MM function, how they are managed by the function, and their structural relations. By utilizing MOS, a bug detection could explore much less code but is still capable of handling multi-object or nested allocations and does not rely on the paired-use model. In addition, to extensively find MM functions and automatically generate MOS for them, we propose a new identification approach that combines natural language processing (NLP) and data flow analysis, which enables the efficient and comprehensive identification of MM functions, even in very large code bases. We implement a MOS-enhanced memory bug detection system, Goshawk, to discover memory bugs caused by complex and custom MM behaviors. We applied Goshawk to well-tested and widely-used open source projects including OS kernels, server applications, and IoT SDKs. Goshawk outperforms the state-of-the-art data flow analysis driven bug detection tools by an order of magnitude in analysis speed and the number of accurately identified MM functions, reports the discovered bugs with a developer-friendly, MOS based description, and successfully detects 92 new double-free and use-after-free bugs.

Gang Chen,Hai Jin,Deqing Zou,Weiqi Dai

DOI: https://doi.org/10.1007/978-3-642-40820-5_31

2013-01-01

Abstract:Memory vulnerabilities have severely affect system security and availability. Although there are a number of solutions proposed to defense against memory vulnerabilities, most of existing solutions protect the entire life cycle of the application or survive attacks after detecting attacks. This paper presents OPSafe, a system that make applications safely survive memory vulnerabilities for a period of time from the starting or in runtime with users' demand. OPSafe can provide a hot-portable Green Zone of any size with users' demand, where all the subsequent allocated memory objects including stack objects and heap objects are reallocated and safely managed in a protected memory area. When users open the green zone, OPSafe uses a comprehensive memory management in the protected memory area to adaptively allocate buffers with multiple times of their defined sizes and randomly place them. Combined with objects free masking techniques, OPSafe can avoid overrunning each other and dangling pointer errors as well as double free or invalid free errors. Once closing the green zone, OPSafe clears away all objects in the protected area and then frees the protected area. We have developed a Linux prototype and evaluated it using four applications which contains a wide range of vulnerabilities. The experimental results show that OPSafe can conveniently create and destruct a hot-portable green zone where the vulnerable application can survive crashes and eliminate erroneous execution.

Qiang Zeng,Mingyi Zhao,Peng Liu

DOI: https://doi.org/10.1109/dsn.2015.54

2015-06-01

Abstract:For decades buffer overflows have been one of the most prevalent and dangerous software vulnerabilities. Although many techniques have been proposed to address the problem, they mostly introduce a very high overhead while others assume the availability of a separate system to pinpoint attacks or provide detailed traces for defense generation, which is very slow in itself and requires considerable extra resources. We propose an efficient solution against heap buffer overflows that integrates exploit detection, defense generation, and overflow prevention in a single system, named HeapTherapy. During program execution it conducts on-the-fly lightweight trace collection and exploit detection, and initiates automated diagnosis upon detection to generate defenses in realtime. It can handle both over-write and over-read attacks, such as the recent Heartbleed attack. The system has no false positives, and keeps effective under polymorphic exploits. It is compliant with mainstream hardware and operating systems, and does not rely on specific allocation algorithms. We evaluated HeapTherapy on a variety of services (database, web, and ftp) and benchmarks (SPEC CPU2006); it incurs a very low average overhead in terms of both speed (6.2%) and memory (7.7%).

Rui Chang,Liehui Jiang,Wenzhi Chen,Yang Xiang,Yuxia Cheng,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1007/s10586-017-0833-4

2017-01-01

Cluster Computing

Abstract:With the rapid development of Internet of Things technology and the promotion of embedded devices’ computation performance, smart devices are probably open to security threats and attacks while connecting with rich and novel Internet. Attracting lots of attention in embedded system security community recently, Trusted Execution Environment (TEE), allows for the execution of arbitrary code within environments completely isolated from the rest of a system. However, existing memory protection methods in a TEE are inadequate. In general, the software-based formal methods are not practical and the hardware-based implementation approaches lack of theoretical proof. To address the memory isolation and protection problems in TEE, in this paper, we propose a practical memory integrity protection method on an ARM-based platform, called MIPE, to defend against security threats including kernel data attacks and direct memory access attacks. MIPE utilizes TrustZone technique to create a isolated execution environment, which can protect the sensitive code and data against attacks. To present the integrity protection strategies, we provide the design of MIPE using B method, which is a practical formal method. We also implement MIPE on the Xilinx Zynq ZC702 evaluation board. The evaluation results show that the automatic proof rate of machines using B method is about 78.32%, and the proposed method is effective and feasible in terms of both load time and overhead.

Dongwei Chen,Daliang Xu,Dong Tong,kang dae sun,Xuetao Guan,Chun Yang,Xu Cheng

2020-01-01

Abstract:Memory spatial errors, i.e., buffer overflow vulnerabilities, have been a well-known issue in computer security for a long time and remain one of the root causes of exploitable vulnerabilities. Most of the existing mitigation tools adopt a fail-stop strategy to protect programs from intrusions, which means the victim program will be terminated upon detecting a memory safety violation. Unfortunately, the fail-stop strategy harms the availability of software. In this paper, we propose Saturation Memory Access (SMA), a memory spatial error mitigation mechanism that prevents out-of-bounds access without terminating a program. SMA is based on a key observation that developers generally do not rely on out-of-bounds accesses to implement program logic. SMA modifies dynamic memory allocators and adds paddings to objects to form an enlarged object boundary. By dynamically correcting all the out-of-bounds accesses to operate on the enlarged protecting boundaries, SMA can tolerate out-of-bounds accesses. For the sake of compatibility, we chose tagged pointers to record the boundary metadata of a memory object in the pointer itself, and correct the address upon detecting out-of-bounds access. We have implemented the prototype of SMA on LLVM 10.0. Our results show that our compiler enables the programs to execute successfully through buffer overflow attacks. Experiments on MiBench show that our prototype incurs an overhead of 78\%. Further optimizations would require ISA supports.

Xiaoqiang Wang,Xuguo Wang,Fangfang Zhu,Qingguo Zhou,Rui Zhou

DOI: https://doi.org/10.1109/ISSSR.2016.028

2016-01-01

Abstract:Lots of studies have shown that memory hardware error rates are orders of magnitude higher than previously reported. In order to fight with these memory hardware errors, many memory testing tools have been developed, especially software level online memory testers, which means these memory testers implemented in software can work with the OS (operating system) at the same time. However, validation of these online memory testers is a hard work. Since the real broken memory chips is hard to find and using a virtual machine to do this work is really complex. So we have developed a memory error injection tool - MEI (Memory Error Injection), which is implemented in software on Linux platform and easy to use. The core function of MEI is implemented in the form of a Linux kernel module. MEI also provides some user space tools for memory errors injection and manipulation. The testers to be validated need to use the read interfaces provided by MEI. We have used two exists memory testers, the modified RAMpage and COMeT+ model, to validate the effectiveness of MEI. The results of experiments have shown that these two testers could detect the emulated memory hardware errors injected by MEI effectively.

Zhe Chen,Rui Yan,Yingzi Ma,Yulei Sui,Jingling Xue

DOI: https://doi.org/10.1145/3637227

IF: 3.685

2023-12-11

ACM Transactions on Software Engineering and Methodology

Abstract:C is a dominant programming language for implementing system and low-level embedded software. Unfortunately, the unsafe nature of its low-level control of memory often leads to memory errors. Dynamic analysis has been widely used to detect memory errors at runtime. However, existing monitoring algorithms for dynamic analysis are not yet satisfactory as they cannot deterministically and completely detect some types of errors, e.g., segment confusion errors, sub-object overflows, use-after-frees and memory leaks. We propose a new monitoring algorithm, namely Smatus , short for smart status , that improves memory safety by performing comprehensive dynamic analysis. The key innovation is to maintain at runtime a small status node for each memory object. A status node records the status value and reference count of an object, where the status value denotes the liveness and segment type of this object, and the reference count tracks the number of pointer variables pointing to this object. Smatus maintains at runtime a pointer metadata for each pointer variable, to record not only the base and bound of a pointer’s referent but also the address of the referent’s status node. All the pointers pointing to the same referent share the same status node in their pointer metadata. A status node is smart in the sense that it is automatically deleted when it becomes useless (indicated by its reference count reaching zero). To the best of our knowledge, Smatus represents the most comprehensive approach of its kind. We have evaluated Smatus by using a large set of programs including the NIST Software Assurance Reference Dataset, MSBench, MiBench, SPEC and stress testing benchmarks. In terms of effectiveness (detecting different types of memory errors), Smatus outperforms state-of-the-art tools, Google’s AddressSanitizer, SoftBoundCETS and Valgrind, as it is capable of detecting more errors. In terms of performance (the time and memory overheads), Smatus outperforms SoftBoundCETS and Valgrind in terms of both lower time and memory overheads incurred, and is on par with AddressSanitizer in terms of the time and memory overhead tradeoff made (with much lower memory overheads incurred).

computer science, software engineering

Haoliang Dong,Wei Sun,Bin Wang,Haiyang Sun,Zhengwei Qi,Haibing Guan,Yaozu Dong

DOI: https://doi.org/10.1109/CLUSTER.2012.68

2012-01-01

Cluster Computing

Abstract:Memory failures are common in clusters, and their destructive effects (e.g., increasing downtime and losing data) make users suffer great loss. Current memory availability strategies mostly require extra expensive hardware. Software approaches based on check pointing technologies intend to reduce the expense, but their high overhead limits the practical usage. In this paper, we present a novel system called Memvisor to provide software mirrored memory for applications. Specifically, all memory write instructions are duplicated. Data written to memory are synchronized to backup space. If memory failures happen, Memvisor will recover the data from the backup space. Compared with traditional software approaches, the instruction-level synchronization lowers the probability of data loss and reduces backup overhead. The results show that even in the worst case, Memvisor outperforms the state-of-the-art software approaches.

Fei-yi SHEN,Yan-yuan ZHANG,Yi LIN

DOI: https://doi.org/10.3969/j.issn.1006-2475.2015.07.023

2015-01-01

Abstract:Memory management is important in real-time system. This paper develops a new dynamic memory management algo-rithm based on Buddy system and TLSF algorithm on consideration of both real-time and fragmentation rate. The new algorithm deals with large and small pieces of memory in different ways. Buddy system is used to manage small pieces while large ones are organized by two-level segregating indices. This paper performs experimental study on μCos-III OS by implementing the new method and which shows good performance in both time-consuming and fragmentation rate. At present the method has been ap-plied to an actual project.

Xian Chen,Wenzhi Chen,Peng Long,Zhongyong Lu,Zonghui Wang

DOI: https://doi.org/10.1109/cbd.2013.32

2013-01-01

Abstract:For the ability to explore the memory's fullest potential, memory de-duplication has been widely experimented with in current main stream virtualization platforms. A lot of work has been done to improve the efficiency of memory de-duplication, while too little attention was paid to the introduced security issues which have been proved by prior work. To deal with this security risk and efficiently manage the memory we start our work in this paper. We first conduct extensive experiments on different OS platforms to study the realistic situation of page sharing. By analyzing the results we find: 1) Page sharing is contributed mostly by self-sharing (nearly 90%), and the self-sharing rate varies significantly between Linux and Windows OS platforms. Compared with self-sharing the inter-VM sharing rate is extremely low, under 1% in most cases. 2) Page size has a larger influence on Linux platform than Windows platform, so sub-page de-duplication proposed in prior work may achieve better performance on Linux platform. On the basis of above findings we propose a group-based secure page sharing model (or GSKSM), in which we consider both VM processes and normal processes. We have successfully implemented it in Linux kernel 3.6.6, and the experiment results show it works well with negligible overhead. Finally based on GSKSM we further present an efficient memory management approach (or SEMMA), which combines GSKSM and balloon technique to efficiently manage the memory, and the preliminary experiment result is satisfactory.

Wei Sun,Chao Zhang,Runze Wang

DOI: https://doi.org/10.1109/isise.2012.113

2012-01-01

Abstract:As the size of memory in servers becomes larger and larger, the availability of them is under big pressure as memory failures are common. Memory failures may cause data lose and programs even systems corrupted. This could be a disaster in systems which are occupied in military and finance area. To improve the memory availability, some solutions try to mitigate the occurrence of memory errors while most strategies focus on memory failure tolerance. Hardware solutions like mirror memory needs expensive peripheral equipments while existing software approaches are somewhat complicated and limited by the high overhead in practical usage. In this paper, we present a novel lightweight binary translation framework called Multimem to improve system memory access availability. It is a software approach achieving hardware mirror memory feature via static binary translation technology. Multimem switches native systems to high available systems with two or more copies of memory so when memory failures happen, systems could recover the data from the replica. It is flexible to configure systems availability level as the higher level will be, the larger number of memory backups will be offered. The instruction level memory synchronization reduces backup overhead and lowers the probability of data loss compared with traditional software approaches. The results show that Multimem brings 33% overhead at most.

Bin Wang,Zhengwei Qi,Haibing Guan,Haoliang Dong,Wei Sun,Yaozu Dong

DOI: https://doi.org/10.1145/2493123.2462910

2013-01-01

Abstract:ABSTRACTToday's commercial cloud service providers require the availability with an annual uptime percentage at least 99.95\%. While memory errors become norms instead of exceptions with the increasing memory's density and capacity in cloud applications. Thus, uncorrected errors from DRAM can be a significant source of system downtime. To address this increasingly important concern, both hardware and software memory mirroring technologies are studied nowadays to provide memory high availability. However, hardware solutions like mirror memory, which uses doubled chip, need dedicated and costly peripheral hardware. While existing software approaches, i.e., virtual machine's checkpoint technology, reduce the expense but incur the high overhead in practical usage. In this paper, we present a novel system called \emph{k}Memvisor to provide system-wide high availability memory mirroring. It is a software approach achieving flexible multi-granularity memory mirroring via virtualization and binary translation technology. Specifically, kMemvisor first creates backup space of the same size of the specified memory for applications or virtual machines. We can flexibly set memory areas to be mirrored or not mirrored from application level to system-wide. Then, all memory write instructions in the native memory space are captured and instrumented by mirror memory write instructions to synchronize the data in backup space. Furthermore, this instruction level memory synchronization reduces backup overhead and lowers the probability of data loss compared with traditional software approaches. So kMemvisor could use data from the backup space to recover when memory failures happen. The results show that kMemvisor causes 55% overhead in the worst case of system-wide high availability and 30% average for the real world applications, which outperforms the state-of-the-art software approaches even in the worst case.

Guoxi Li,Wenzhi Chen,Yang Xiang

DOI: https://doi.org/10.1109/tc.2020.3009124

2021-01-01

Abstract:Currently, with the booming growth of cloud computing, workloads from broad ranges of functions and demands are crammed into a single physical machine. They lay considerable stress on the need of evolution of the operating system underneath, especially the memory subsystem. Even enhancing large pages with main memory compression is not intuitively straightforward due to rigid rules imposed by the state-of-the-art manager Buddy System from the beginning of the design. To relieve the aforementioned problems and provide broader design space for system designers, we propose Zweilous, a clean slate physical memory management framework. It is self-contained, highly decoupled, and thus can co-exist with the vanilla memory manager. Separate self-contained metadata/functions guarantee a flexible extension with little modification to current frameworks. To show it is easy to add enhanced functions that accelerate the evolution of the memory management subsystem, we implement Hzmem, a new large page memory manager redesign enhanced with the function of main memory compression. Our method achieves competitive performance compared with native and virtualized large page support, effective memory size increased and fewer impacts on other parts of the operating system.

Ling Yuan,Siyuan Zhou,Peng Pan,Zhenjiang Wang

DOI: https://doi.org/10.3390/e24070947

2022-07-07

Abstract:With the expansion of the scale and complexity of multimedia software, the detection of software defects has become a research hotspot. Because of the large scale of the existing software code, the efficiency and accuracy of the existing software defect detection algorithms are relatively low. We propose an intelligent memory leak detection scheme MLD based on defect modes in software. Based on the analysis of existing memory leak defect modes, we summarize memory operation behaviors (allocation, release and transfer) and present a state machine model. We employ a fuzzy matching algorithm based on regular expression to determine the memory operation behaviors and then analyze the change in the state machine to assess the vulnerability in the source code. To improve the efficiency of detection and solve the problem of repeated detection at the function call point, we propose a function summary method for memory operation behaviors. The experimental results demonstrate that the method we proposed has high detection speed and accuracy. The algorithm we proposed can identify the defects of the software, reduce the risk of being attacked to ensure safe operation.

Weizhong Qiang,Weifeng Li,Hai Jin,Jayachander Surbiryala

DOI: https://doi.org/10.1109/access.2019.2908022

IF: 3.9

2019-01-01

IEEE Access

Abstract:Highly efficient languages, such as C/C++, have low-level control over memory. Due to the lack of validity detection for pointers and garbage collection for memory, developers are responsible for dynamic memory management by explicitly allocating and deallocating memory. However, explicit memory management brings a large number of memory safety-related vulnerabilities, such as use-after-free. The threat of use-after-free vulnerabilities has become more and more serious due to their high level of the severity and quick emergence of the number. In this paper, a dynamic defense system is proposed against use-after-free exploits by introducing an approach based on multi-level pointers that insert intermediate pointers between a heap object and its related pointers. First, the relationship between a heap object to be protected, and the related pointers pointing to it, is established by combing with intermediate pointers. Then, all of the accesses to this object via its related pointers can only be achieved through these intermediate pointers. Finally, to prevent the dangling pointers from being dereferenced to this object, all the intermediate pointers related to this object are invalidated when it is freed so that any access to a freed object can be prevented due to the invalidated intermediate pointers. The prototype system MPChecker is implemented, which can prevent use-after-free exploits for C/C++ multi-threaded programs. Compared with the related methods, MPChecker can protect pointers that are copied in a type-unsafe way from being de-referenced to freed objects. In addition, it can also defend against dangling pointers located on the whole memory, including the stack, the heap, and global memory, rather than the heap only. The defense capability is proved by protecting against two exploits to a real-world program, comparing the support of type-unsafe copy with a self-written program. The performance evaluation of MPChecker with some benchmarks, multi-threaded programs, and real-world programs, shows its comparable efficiency.

Jingfeng Xue,Changzhen Hu,Hongyu Ren,Rui Ma,Jian Li

DOI: https://doi.org/10.1109/NLPKE.2011.6138200

2011-01-01

Abstract:Applications written in unsafe languages like C and C++ are vulnerable to memory errors such as buffer overflows and dangling pointers. Such errors can lead to program crashes, security vulnerabilities, and unpredictable behavior. Aiming at the problem, PSC, a new probabilistic safeguard C, is proposed in this paper. At the basis of Diehard, memory allocating strategy is improved in PSC. PSC can avoid memory errors in all probability during software executing by combing random memory allocating algorithm and virtual memory. Physical memory consumption is decreased by building hot object space working set and compressing non frequently used objects. Experiments show PSC is better than Diehard for memory errors prevention and physical memory consumption. So it is a valid memory errors prevention technology based on probability. © 2011 IEEE.

Xue Jingfeng,Hu Changzhen,Guo Xiaojing,Leng Bingxin,Ma Rui

2012-01-01

China Communications

Abstract:Some unsafe languages, like C and C + +, let programmers maximize performance but are vulnerable to memory errors which can lead to program crashes and unpredictable behavior. Aiming to solve the problem, traditional memory allocating strategy is improved and a new probabilistic memory allocation technology is presented. By combining random memory allocating algorithm and virtual memory, memory errors are avoided in all probability during software executing. By replacing default memory allocator to manage allocation of heap memory, buffer overflows and dangling pointers are prevented. Experiments show it is better than Diehard of the following aspects: memory errors prevention, performance in memory allocation set and ability of controlling working set. So probabilistic memory allocation is a valid memory errors prevention technology and it can tolerate memory errors and provide probabilistic memory safety effectively.

Kaiming Huang,Mathias Payer,Zhiyun Qian,Jack Sampson,Gang Tan,Trent Jaeger

2024-08-20

Abstract:Heap memory errors remain a major source of software vulnerabilities. Existing memory safety defenses aim at protecting all objects, resulting in high performance cost and incomplete protection. Instead, we propose an approach that accurately identifies objects that are inexpensive to protect, and design a method to protect such objects comprehensively from all classes of memory errors. Towards this goal, we introduce the Uriah system that (1) statically identifies the heap objects whose accesses satisfy spatial and type safety, and (2) dynamically allocates such "safe" heap objects on an isolated safe heap to enforce a form of temporal safety while preserving spatial and type safety, called temporal allocated-type safety. Uriah finds 72.0% of heap allocation sites produce objects whose accesses always satisfy spatial and type safety in the SPEC CPU2006/2017 benchmarks, 5 server programs, and Firefox, which are then isolated on a safe heap using Uriah allocator to enforce temporal allocated-type safety. Uriah incurs only 2.9% and 2.6% runtime overhead, along with 9.3% and 5.4% memory overhead, on the SPEC CPU 2006 and 2017 benchmarks, while preventing exploits on all the heap memory errors in DARPA CGC binaries and 28 recent CVEs. Additionally, using existing defenses to enforce their memory safety guarantees on the unsafe heap objects significantly reduces overhead, enabling the protection of heap objects from all classes of memory errors at more practical costs.

Cryptography and Security