safedrive: safe and recoverable extensions using language-based techniques
DESCRIPTION
SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques. Feng Zhou , Jeremy Condit, Zachary Anderson, Ilya Bagrak, Rob Ennals, Matthew Harren, George Necula, Eric Brewer CS Division, UC Berkeley and Intel Research Berkeley http://ivy.cs.berkeley.edu/safedrive/. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/1.jpg)
SafeDrive: Safe and Recoverable Extensions Using Language-Based
Techniques
Feng Zhou, Jeremy Condit, Zachary Anderson, Ilya Bagrak, Rob Ennals, Matthew Harren,
George Necula, Eric Brewer
CS Division, UC Berkeley and Intel Research Berkeley
http://ivy.cs.berkeley.edu/safedrive/
![Page 2: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/2.jpg)
2
The Problem
• OSes and applications often run loadable extensions
– e.g. Linux kernel, Apache, Firefox
– Run in the same protection domain
• Extensions are often buggier than hosts
– Device drivers cause a large percentage of Windows crashes
– Xbox hacked due to memory bugs in games
• SafeDrive detects and recovers from type-safety and memory-safety errors in Linux device drivers
![Page 3: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/3.jpg)
3
Approaches
• Separate hardware protection domains: Nooks [Swift et al], L4 [LeVasseur et al], Xen [Fraser et al]
– Relatively high overhead due to cross-domain calls, system specific
• Binary instrumentation: SFI [Wahbe et al, Small/Seltzer]
– High overhead, coarse-grained
• Static analysis + software guards: XFI [Erlingsson et al]
– Control flow safety
• What can be done at the C language level?
– Add fined-grained type-safety, to extensions only
– A way to recover from failures
![Page 4: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/4.jpg)
4
A Language-Based Approach to Extension Safety
• Light annotations in extension code and host API
– Buffer bounds, non-null pointers, nullterm strings, tagged unions
• Deputy src-to-src compiler emits safety checks when necessary
• Key: compatible extension-host binary interface
• Runtime tracks resource usage and restores system invariants at fail time
Annot.Source
Deputy
C w/ checks
GCC
Kernel Address Space
DriverModule
SafeDrive Runtime
& Recovery
Linux Kernel
![Page 5: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/5.jpg)
5
Deputy: Motivation
struct {
unsigned int len;
int * data;
} x;
for (i=0;i<x.len;i++) {
… x.data[i] …
}
• Common C code
• How to check memory safety?
• C pointers do not express extent of buffers (unlike Java)
![Page 6: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/6.jpg)
6
Previous Approach: Fat Pointers
• Used in CCured and Cyclone
• Compiler inserts extra bounds variables
• Changes memory layout
• Cannot be applied modularly
struct {
unsigned int len;
int * data;
int * data_b;
int * data_e;
} x;
for (i = 0; i < x.len; i++) {
if (x.data+i<x.data_b) abort();
if (x.data+i>=x.data_e) abort();
… x.data[i] …
}
![Page 7: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/7.jpg)
7
Deputy Bounds Annotations
struct {
unsigned int len;
int * count(len) data;
} x;
for(i = 0; i < x.len; i++) {
if (i<0||i>=x.len) abort();
… x.data[i] …
}
• Annotations use existing bounds info in programs, or constants
• Compiler emits runtime checks
• No memory layout change Can be applied to one extension a time
• Many checks can be optimized away
![Page 8: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/8.jpg)
8
Deputy Features
• Bounds: safe,count(n), bound(lo,hi)
– Default: safe
• Other annotations
– Null terminated string/buffer
– Tagged unions
– Open arrays
– Checks for printf() arguments
• Automatic bounds variables for local variables reduced annotation burden
![Page 9: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/9.jpg)
9
Deputy Guarantees
• Deputy guarantees type-safety if,
– Programmer correctly annotates globals and function parameters used by the extension
– Deallocation does not create dangling pointers
– Trusted casts are correct
– External modules / trusted code establish and preserve Deputy annotations
![Page 10: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/10.jpg)
10
Failure Handling
• Everything runs inside the same protection domain
• After Deputy check failure: could just halt
• More useful: clean-up extension and let host continue
• Assumption: restarts should fix most transient failures
Annot.Driver
Deputy
C w/ checks
GCC
Kernel Address Space
DriverModule
SafeDrive Runtime
& Recovery
Linux Kernel
![Page 11: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/11.jpg)
11
Update Tracking and Restarts
• Free resources and undo state changes done by driver
• Kernel API functions “wrapped” to do update tracking
– Compensations: spin_lock(l) vs. spin_unlock(l)
• After failure, undo updates in LIFO order
• Then restart driver
Annot.Driver
Deputy
C w/ checks
GCC
Kernel Address Space
DriverModule
Wrappers
Linux Kernel
UpdateTracking
Recovery
![Page 12: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/12.jpg)
12
Return Gracefully from Failure
Invariants:
• No driver code is executed after failure
Kernel:foo() {
}
Driver:bar2() {
}
Driver:bar1() {
}
Err code
![Page 13: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/13.jpg)
13
Return Gracefully from Failure
Invariants:
• No driver code is executed after failure
• No kernel function is forced to return early
Kernel:foo1() {
}
Driver:bar2() {
}
Driver:bar1() {
}
Kernel:foo2() {
}
lock()
unlock()
![Page 14: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/14.jpg)
14
Discussion
• Compared to Nooks
– Significantly less interception Much simpler overall
– Deputy does fine-grained per-allocation checks No separate heap/stack
– No help from virtual memory hardware
– Works for user-level applications and safe languages
• Compared to C++/Java exceptions
– Compensation does not contain any code from driver
– Only restores host state, not extension state
![Page 15: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/15.jpg)
15
Implementation
• Deputy compiler: 20K lines of OCaml
• Kernel patch to 2.6.15.5: 1K lines
• Kernel headers patch: 1.9K lines
• Patch for 6 drivers in 4 categories
– Network: e1000, tg3
– USB: usb-storage
– Sound: intel8x0, emu10k1
– Video: nvidia
![Page 16: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/16.jpg)
16
Evaluation: Recovery Rate
• Inject random errors with compile-time injection: 5 errors from one of 7 categories each time
– Faults chosen following empirical studies [Sullivan & Chillarege 91], [Christmansson & Chillarege 96]
– Scan overrun, loop fault, corrupt parameter, off-by-one, flipped condition, missing call, missing assignment
• Load buggy e1000 driver w/ and w/o SafeDrive
• Exercise by downloading a 89MB file, verifying it and unloading the driver
• Then rerun with original driver
![Page 17: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/17.jpg)
17
Recovery Rate Results
SafeDrive off 44 crashes 21 failures 75 passes
SafeDrive on
Static error 10 0 3
Runtime error 34 2 5
No problem detected
0 19 67
Recovery successes 44 (100%) 2 (100%) 8 (100%)
• 140 runs, 20 per fault category
• SafeDrive is effective at detecting and recovering from crashing problems, and can detect some statically.
![Page 18: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/18.jpg)
18
Annotation Burden
17011
260 270
13270
359
156
13252
136 118
2897
124167
11080
441
10126
224
100
1000
10000
100000
e1000 tg3 usb-storage intel8x0 emu10k1 nvidia
Original LOC
Deputy Annotations
Recovery Wrappers
• 1%-4% of lines with Deputy annotations
• Recovery wrappers can be automatically generated
![Page 19: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/19.jpg)
19
Annotations Break-down
Lines Changed
Bounds Strings Tagged Unions
Trusted Code
All 6 drivers
1544 379 83 2 390
Kernel headers
1866 187 260 8 140
• Common reasons for trusted casts and trusted code
– Polymorphic private data, e.g. netdev->priv
– Small number of cases where buffer bounds are not available
– Code manipulating pointer values directly, e.g. PTR_ERR(x)
![Page 20: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/20.jpg)
20
Performance
-174
12
9
8
13
23
6
14
4
0
0
-1.1
-1.3
0
0
0
0
-11
0
-20 -10 0 10 20Relative %, SafeDrive vs. native
Throughput
CPU
e1000 TCP recv
e1000 UDP recv
e1000 TCP send
e1000 UDP send
tg3 TCP recv
tg3 TCP send
usb-storage untar
emu10k aplay
intel8x0 aplay
nvidia xinit
• Nooks (Linux 2.4): e1000 TCP recv: 46% (vs. 4%), e1000 TCP send: 111% (vs. 12%)
![Page 21: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/21.jpg)
21
Conclusion
• SafeDrive does fine-grained memory safety checking for extensions with low overhead and few code changes
• A recovery scheme for in-process extensions via restarts
• It is feasible to get much of the safety guarantee in type-safe languages in extensions without abandoning existing systems in C
• Language technology makes extension isolation easier
http://ivy.cs.berkeley.edu/safedrive
http://deputy.cs.berkeley.edu
![Page 22: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/22.jpg)
22
![Page 23: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/23.jpg)
23
How do you change bounds/tags
struct {
unsigned int len;
int * count(len) data;
} x;
x.data = NULL;
if (x.data!=NULL && (A<0||A>len)) abort
x.len = A;
if (B<sizeof(int)*x.len) abort
x.data = malloc(B);
1
2
3
![Page 24: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/24.jpg)
24
Related Work
• Improving memory safety of C
– Safe C-like language: Cyclone [Morrisett et al]
– Hybrid checking (non-modular): CCured [Necula et al]
– Type qualifiers for static checking: CQual [Foster et al, Johnson/Wagner], Sparse [Torvalds]
• Improving OS/extension reliability
– Hardware protection: Nooks [Swift et al], L4 [LeVasseur et al], Xen [Fraser et al]
– Binary instrumentation: SFI [Wahbe et al, Small/Seltzer], XFI [Erlingsson]
– Using Cyclone: OKE [Bos/Samwel]
– Static validation of API usage: SLAM [Ball et al]
– Writing OS with safe language: Singularity [Patel et al]
![Page 25: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/25.jpg)
25
More Deputy Features
• Checking types of arguments in printf-like functions
• Bounds for open arrays
• Special support for memset(), memcpy()
• Trusted casts for programmer to override the type system
![Page 26: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/26.jpg)
26
Recovery Rate ResultsSafeDrive Crashes Mal-
functionsInnocuous Errors
Works
Off 44 21 n/a 75
On 0 19 8 113
• 140 runs, 20 per fault category
• SafeDrive prevented all 44 crashes with 100% recovery rate
– 5 of 7 categories caused crashes
– All caused by memory-safety errors
![Page 27: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/27.jpg)
27
Recovery Rate Results (2)
Detection Crashes Mal-function Innocuous Total
Static 10 0 3 13 (24%)
Dynamic 34 2 5 47 (76%)
Total 44 2 8 54
• 24% problems are detected statically, including 10 crashes
– e.g. wrong constant size for memcpy(), deref of uninitialized ptr
![Page 28: SafeDrive: Safe and Recoverable Extensions Using Language-Based Techniques](https://reader036.vdocuments.site/reader036/viewer/2022062517/56813ca2550346895da65065/html5/thumbnails/28.jpg)
28
– Wrappers are currently hand-written
– No session restoration for failed drivers