Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools. Olatunji Ruwase*, Shimin Chen+, Phillip B. Gibbons+, Todd C. Mowry*. * School of Computer Science, Carnegie Mellon University. + Intel Labs Pittsburgh.
Ruwase, Chen, Gibbons and Mowry
Carnegie Mellon
Decoupled Lifeguards: Enabling Path Optimizations for Dynamic Correctness Checking Tools
Olatunji Ruwase*, Shimin Chen+, Phillip B. Gibbons+, Todd C. Mowry*
* School of Computer Science, Carnegie Mellon University
+ Intel Labs Pittsburgh
Bug detection using Lifeguards
Detect errors by monitoring execution of unmodified binary
Exploit instruction-grained runtime information
Block exploits before software patch [Savage et al. '97, Newsome & Song '05, Nethercote et al. '07]
Significant program slowdown: 10-100X using Dynamic Binary Instrumentation (DBI)
Key obstacle is tight coupling of program & Lifeguard code
Instrumented program path
Decoupling Lifeguard execution
Unoptimized path handler
Instrumented program path
Lifeguard specific optimizations on program path
Program path
Unoptimized path handler
Compose instruction handlers
Optimized path handler
x86 instruction count of TaintCheck handler for mcf path:
Original: 86
Standard path opts: 81 (95%)
Lifeguard path opts: 47 (55%)
Outline
Dynamic path optimization of Decoupled Lifeguards
Decoupling Lifeguards: Challenges and Solutions
Using lifeguard domain knowledge for path optimizations
Evaluation
Conclusions
Decoupling Lifeguards: Challenges and Solutions
Issue 1: When to run Lifeguard code
Optimized path handler
At end of path where data is available
Program path
Issue 2: How to pass data to Lifeguard
Program path
Buffer
Optimized path handler
Marshal data
Challenge 1: How to handle side exits
[Figure: program path (blocks 1-4); path handler for side exits; optimized path handler]
Challenge 2: How to contain errors in the path
See paper for details of solution based on:
1. Page protection to prevent data corruption
2. Completing checks at function & system calls and indirect jumps
Program path
Optimized path handler
Outline
Dynamic path optimization of Decoupled Lifeguards
Decoupling Lifeguards: Challenges and Solutions
Using lifeguard domain knowledge for path optimizations
Decoupled lifeguard code on program paths of up to 8 branches
Lifeguard overhead reduction in Valgrind
[Chart: AddrCheck and MemCheck; series: Standard path optimizations (SPO), SPO + dead handler elimination (DHE); annotations: 24% reduction, 6% reduction]
Limitations to improvements
• Instrumentation overhead
• No metadata access CSE
Results with hardware assisted instrumentation (LBA)
[Chart: AddrCheck, MemCheck, TaintCheck, Eraser; series: SPO, SPO + DHE, SPO + DHE + Metadata access CSE; annotations: 50% reduction, 53% reduction, 42% reduction, 38% reduction]
Conclusions
Decoupling: enables optimization of lifeguard code on program paths
• Correctness checking at a path granularity
• Multi-versioned checking code to handle side exits
• Page protection for containing errors
Lifeguard domain knowledge: enables redundancy elimination beyond standard optimizations
• Better alias analysis
• Lifeguard-specific dead code & common subexpression elimination
Lifeguard overhead reductions
• Up to 24% on Valgrind
• Up to 53% on LBA