ensuring code safety without run-time checks for real-time control systems
DESCRIPTION
Ensuring Code Safety Without Run-time Checks for Real-time Control Systems. -Presented by Sumant Kowshik Joint Work With Dinakar Dhurjati and Vikram Adve. University of Illinois at Urbana-Champaign. Supported by NSF U. Illinois. Motivation. - PowerPoint PPT PresentationTRANSCRIPT
Ensuring Code Safety Without Run-time Checks for Real-time Control Systems -Presented by Sumant KowshikJoint Work With Dinakar Dhurjati and Vikram Adve.
University of Illinois at Urbana-ChampaignSupported by NSF U. Illinois
Reliable online upgrade of control software. Control code upgrade can have Timing errors Logical errors Runtime software faults Violate memory safety.
Bugs or attacks due to memory errors. Platforms with limited address protection Malicious upgrades compromise system and
the framework for reliable upgrade. Insider attacks: SANS/FBI report.
Motivation
Reliable online upgrade of control software. Control code upgrade can have Timing errors Logical errors Runtime software faults Violate memory safety.
Attacks disguised as upgrades. Platforms with limited address protection Malicious upgrades compromise system and
the framework for reliable upgrade. Insider attacks: SANS/FBI report.
Motivation
Simplex
Motivation II Memory safety: static checking? Avoid run-time overhead Early bug detection
Static checking for general languages difficult. Impose restrictions on the language – Control-C Rationale: Structure of control code Computationally intensive, use dense arrays Simple data structures, dynamic memory. Mostly in C.
Related work What’s wrong with existing solutions? Java, RT-Java, Ccured, Safe-C etc.
Runtime checks Garbage collection
Current Alternatives Vault [PLDI01], Cyclone[PLDI02]
Target general applications Annotations: cumbersome. Runtime checks.
Complementary techniques Proof carrying code: compiler untrusted. Vault, Engler et al [OSDI00], Wagner et al.
Checking library code.
Contributions of control-C Targets embedded/control code. 100% static checking to guarantee safety. Easy portability: As close to C as possible. Novel language features Region-based dynamic memory: single
region active at a time. Array sizes, index expressions and loop
bounds affine expressions.
Trade-off : expressiveness for control codes vs. safety checking compiler technology vs. portability.
Outline of Talk Introduction Context System assumptions Attacks. Language rules Implementation Results
http://www-rtsl.cs.uiuc.edu/drii/download
Catch runtime, logical and timing errors Kicks out the offending controller.
Stack overflow detected.Accesses to a range of reserved addresses Eg. Linux – high gigabyte (1GB of 4GB) reserved
The system
upgrade
Safety cont.SimplexDecision
logic
input
output
Unsafe code Fatal memory errors can be due to Variable referencing memory outside the bounds of
its data type. Bad casting, pointer arithmetic, uninitialized pointers Array bounds violation Use of pointer to freed memory.
Example: char killcode[] = “\x55\x89…\xc3\x90”; void controlFunc(float a, float b) { int *ret = (int *)&ret + 2; *ret = killcode; } Jumps in the code to data areas/non-code areas. Calls to unknown functions.
Control-C – Basic Issues Start with C No syntactic changes, only usage changes. Basic issues. Type safety.
No casts involving pointers. No pointer arithmetic. Scalar pointers need to be initialized
explicitly before being dereferenced or before taking their address.
Control-C – Dynamic Memory
Problem : Pointers to freed memory.Solution : Region-based memory allocation Define RInit, RFree, RMalloc No explicit free call
Single region active at a time. All local and global scalar pointers dead at region free.
Example – Region Usage
Illegal Code
…int *p, **t;RInit();p = RMalloc(4 * sizeof(int));RInit(); …RFree();RFree();t = &p;func(**t);
Legal Code
if(cond) { RInit(); t = 4;}else { RInit(); t = 8;}p = RMalloc(t);RFree();
Multiple regions active
Pointer p not dead after RFreePotentially
Control-C – Array indexing. Problem : Checking for array bounds Index expression must evaluate to a value
within array bounds Difficulty: Analysis of constraints on symbolic
integer expressions. Solution : Loop bounds affine w.r.t. array size Index expression affine w.r.t loop index
variables or the size of array.
Example – Legal Array Usageextern M, N;main() { … if (( N > 0) && (N < 5)) { B = (int *)RMalloc(N * 30); intialize(B); C = generate(B, 20); } }
int * generate(int *B, int n) { int *A,i,j,k,; if (B[n] > 0) { A = (int *) RMalloc(5 * B[n] + 10); for (i=M; i < B[n]+M ; ++i) { j = i - M; k = j * 4; A[k] = j ; } … }
Symbolic constant M cancels out
Array sizes not constant.
Interprocedural
propagation
Control-C : Aggregate Types
Problem : Analysis of pointers in aggregate types (structs, arrays). Solution : Use of pointers to freed memory Structs or arrays containing pointers must be
allocated dynamically using malloc or alloca. Solution : Initialization Initializing pointers to base of reserved address
range. Thus, we can have arbitrary pointer-
based data structures and arrays.
Outline of Talk Introduction Context System assumptions Attacks. Language rules Implementation Results
Implementation LLVM compiler framework http://llvm.cs.uiuc.edu Things gotten for free
Source language independence Type safety (except for cast) Jumps to code locations only. Link-time interprocedural analysis +
separate compilation. SSA.
Control-C Compiler Features
Pointers Global dataflow analysis ensuring that
all pointers are initialized Array bounds analysis Interprocedural constraint propagation
for bounds checking. Regions Liveness analysis of pointers upon
RFree.
Results
Language expressive enough for control? How easy is it to port from C?
Pointer arithmetic replaced by index variable array traversal Dynamic memory: use regions Unions with pointers need to be split
Application
Platform
Lines
Pendulum Linux 300
Pendubot Windows 1300
TinyOS Linux 300
Dyn memory
Arrays
Ptrs
No Yes No
Yes Yes Yes
No Yes Yes
Changed0
35
0
Results II Restrictions detect all potential attacks? Simplex: Inverted pendulum
Uninitialized pointersPointer arithmeticIllegal castsArray overflow.
Conclusions and Future Work
Control-C aims at guaranteeing absolute safety using static checking alone The language is close to C and is expressive enough for control/embedded applications Future work Expand the scope of the language Detect illegal system calls/illegal sequences
of system calls Formally verifying that control-C guarantees
memory safety
Merci Beaucoup!