Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Efficient Memory Shadowing for 64-bit Architectures ISMM 2010, Toronto, Canada June 6, 2010.

Qin Zhao (MIT)Derek Bruening (VMware)Saman Amarasinghe (MIT)

Efficient Memory Shadowing for 64-bit Architectures

ISMM 2010, Toronto, CanadaJune 6, 2010

Dynamic Program Analysis

• Understand Program Behavior– Optimization– Debugging– Security– Memory management

• Shadow Memory Tools– Maintain meta-data for every memory location– Update meta-data on every memory operation

ISMM, Toronto, Canada, 6/6/2010 2

Examples

• Memory Error Detection– MemCheck [VEE’07]– Purify [USENIX’92]– Dr. Memory

• Dynamic Information Flow Tracking– LIFT [MICRO’39]– TaintTrace [ISCC’06]

• Multi-threaded Program Analysis– Eraser [TCS’97]– Helgrind

• Memory Usage Analysis– CETS [ISMM’10]– Staleness


Shadow Memory System

• Shadow Memory Manager– Meta-data for application memory– Memory mapping scheme (addrA addrS)

• DMS (Direct Mapping)• SMS (Segmented Mapping)

• Instrumentor– Every memory operation

• Address calculation• Meta-data update

– Expensive• MemCheck (~25x)

– ~12x for addrA addrS

ISMM, Toronto, Canada, 6/6/2010

a.outa.out

stack stack

libc libc

Application Memory

Shadow Memory

heap heap

4

Direct Mapping Scheme (DMS)• Single memory region for entire address space.• Translation:• Issue: address conflict between memA and memS


dispaddraddr AS

lea [addr] %r1add %r1 disp %r1

DMS-32 SMS-32 DMS-64 SMS-640

1

2

3

4

5

1.80

2.40

4.67

Slowdown relative to

native execution

Application

Shadow

5

DMS-32 SMS-32 DMS-64 SMS-640

1

2

3

4

5

1.80

2.40

4.67


native execution

Segmented Mapping Scheme (SMS)• Shadow segment per application segment• Translation:

– Segment lookup (address indexing)– Address translation


lea [addr] %r1mov %r1 %r2shr %r2, 16 %r2add %r1, disp[%r2] %r1

segAS dispaddraddr

addrA

addrS

App 1

Shd 1

Shd 2

App 2

Segment table

6

Kernel space

Shadow Memory Mapping

• Scaling to 64-bit Architecture– DMS

• Infeasible due to memory layout


a.out

Unusable space

stack

User space

vsyscall

247

264

7



• Infeasible due to memory layout– Single-Level SMS

• Too big (~4 billion entries)


addrA

8



• Infeasible due to memory layout– Single-Level SMS

• Too big (~4 billion entries)– Multi-Level SMS

• Even more expensive

ISMM, Toronto, Canada, 6/6/2010DMS-32 SMS-32 DMS-64 SMS-64

0

1

2

3

4

5

1.80

2.40

4.67


native execution

addrA

9

Umbra (CGO’10)

• Scaling to 64-bit Architecture– Single-Level SMS is too big but sparse

• Umbra (CGO’10)– Eliminate empty entries– Compact table– Walk the table to find the entry


DMS-32 SMS-32 DMS-64 SMS-64 Umbra-640

1

2

3

4

5

1.80

2.40

4.67

2.49


native execution

Umbra (CGO’10)

• Reference Uni-Cache– Software cache per instr per thread

• Segment tag & displacement• Check uni-cache before table walk

• 99.97% hit ratio


tag = addrA & mask;if (cachetag != tag) { … // table walk} addrS = addrA + cachedisp

EMS64: Key Idea

• Umbra

• EMS64 – Speculatively use a disp without check– Smart shadow memory placement

• Notified by memory access violation fault for incorrect displacement


tag = addrA & mask;if (cachetag != tag) { … // table walk (0.03%)}addrS = addrA + cachedisp

EMS64: Example

A0

A2

S0

0: Application

2: Shadow

11: Application

12: Unavailable

S2 10: Shadow

13: Unavailable

15: Unavailable

14: Unavailable

6: Shadow7: ApplicationA1

S1

Displacement: {-1, 2}


9: Reserved

13: Unavailable/Reserved


EMS64: Potential Problem

A0

A2

S0

0: Application

2: Shadow

11: Application

12: Unavailable

S2 10: Shadow

14: Unavailable


S1



9: Reserved



EMS64: Final Solution

A0

A2

S0

0: Application

2: Shadow

11: Application

12: Unavailable

S2 10: Shadow



14: Unavailable


S1



9: Reserved

4: Reserved

5: Reserved

1: Reserved


8: Reserved

Slot Finding Problem

• Given n slots: – k Application slots– x Empty slots– y Reserved slots

• Find k S-slots.– For each slot A i, there is one associated slot S with

displacement di where di = Si - Ai.

– For each slot Ai and each existing displacement dj where di≠dj, slot ((Ai + dj) mod n) is an R-slot or an E-slot.

– For each slot S and any existing valid displacement di slot, slot ((S + di) mod n) is an R-slot or an E-slot.


A0 A1 E0 E1 E2 E3 E4 R0

Ai Application slot

Shadow slot

Ei Empty slot

Ri Reserved slot

Si

S0 S1 R1 R2

Slot Finding Problem

• Given n slots: – k Application slots– x Empty slots– y Reserved slots

• Can We Find k S-slots?– Depends on layout!– Guarantee to find it, for 48-bit address space, if

• Application memory < 250 GB– Proof

• x ≥ 8k2+2k+1• We can always find an Si for Ai if #E-slot > #conflicts


Ai Application slot

Shadow slot

Ei Empty slot

Ri Reserved slot

Si

Implementation & Optimization

• Implementation– Shadow memory allocation– Add signal handler– Remove reference uni-cache check

• Optimization– Restore uni-cache checks for instructions that access

multiple segments, e.g., references from memcpy• When number of access violation exceed 2


lea [addr] %r1 add %r1, unicachedisp %r1

18

Experimental ResultsSlowdown relative to

native execution


DMS-32 SMS-32 SMS-64 Umbra-64 EMS-640.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

4.0

4.5

5.0

1.80

2.40

4.67

2.49

1.81

19

Thank You

• Download– http://people.csail.mit.edu/qin_zhao/umbra/

• Q & A


http://people.csail.mit.edu/qin_zhao/umbra/

Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Efficient Memory Shadowing for 64-bit Architectures ISMM 2010, Toronto, Canada June 6, 2010.

Documents