Exterminator- A ... with High Probability.pdf - DSpace at CUSAT ...

More documents

Recommendations

Info

Exterminator canaries into the dangled object triggers a cascade of errors that corrupt large segments of the heap. In these cases, the corruption destroys the information Exterminator requires to isolate the error. Figure: The number of images required for Exterminator to isolate and correct dangling pointer errors In cumulative mode, however, Exterminator successfully isolates all 10 injected errors. For runs where no large-scale heap corruption occurs, Exterminator requires between 22 and 30 executions to isolate and correct the errors. In each case, 15 failures must be observed before the erroneous site pair crosses the likelihood threshold. Because objects are overwritten randomly, the number of runs required to yield 15 failures varies. Where writing canaries corrupts a large fraction of the heap, Exterminator requires 18 failures and 34 total runs. In some of the runs, execution continues long enough for the allocator to reuse the culprit object, preventing Exterminator from observing that it was overwritten. Real Faults We also tested Exterminator with actual bugs in two applications: the Squid web caching server, and the Mozilla web browser. Squid web cache: Version 2.3s5 of Squid has a buffer overflow; certain inputs cause Squid to crash with either the GNU libc allocator or the Boehm-Demers-Weiser collector. We run Squid three times under Exterminator in iterative mode with an input that triggers a buffer overflow. Exterminator continues executing correctly in each run, but the overflow corrupts a canary. Exterminator’s error isolation algorithm identifies a single allocation site as the culprit and generates a pad of exactly 6 bytes, fixing the error. Dept. Of Computer Science & Engg. ~ 21 ~ Cochin University of Science & Technology
Exterminator Mozilla web browser: We also tested Exterminator’s cumulative mode on a known heap overflow inMozilla 1.7.3 / Firefox 1.0.6 and earlier. This overflow (bug 307259) occurs because of an error in Mozilla’s processing of Unicode characters in domain names. Not only is Mozilla multi-threaded, leading to non-deterministic allocation behavior, but even slight differences in moving the mouse cause allocation sequences to diverge. Thus, neither replicated nor iterative modes can identify equivalent objects across multiple runs. We perform two case studies that represent plausible scenarios for using Exterminator’s cumulative mode. In the first study, the user starts Mozilla and immediately loads a page that triggers the error. This scenario corresponds to a testing environment where a proof-of-concept input is available. In the second study, the user first navigates through a selection of pages (different on each run), and then visits the error-triggering page. This scenario approximates deployed use where the error is triggered in the wild. In both cases, Exterminator correctly identifies the overflow with no false positives. In the first case, Exterminator requires 23 runs to isolate the error. In the second, it requires 34 runs. We believe that this scenario requires more runs because the site that produces the overflowed object allocates more correct objects, making it harder to identify it as erroneous. 7.3 Patch Overhead Exterminator’s approach to correcting memory errors does not impose additional execution time overhead in the presence of patches. However, it consumes additional space, either by padding allocations or by deferring deallocations. We measure the space overhead for buffer overflow corrections by multiplying the size of the pad by the maximum number of live objects that Exterminator patches. The most space overhead we observe is for the buffer overflow experiment with overflows of size 36, where the total increased space overhead is between 320 and 2816 bytes. We measure space overhead for dangling pointer corrections by multiplying the object size by the number of allocations for which the object is deferred; that is, we compute the total additional drag. In the dangling pointer experiment, the amount of excess memory ranges from 32 bytes to 1024 bytes (one 256 byte object is deferred for 4 deallocations). This amount constitutes less than 1% of the maximum memory consumed by the application. Dept. Of Computer Science & Engg. ~ 22 ~ Cochin University of Science & Technology
Page 1 and 2: Exterminator: Automatically Correct
Page 3 and 4: ACKNOWLEDGEMENT First of all let me
Page 5 and 6: Exterminator: Automatically Correct
Page 7 and 8: Exterminator dangling pointer error
Page 9 and 10: 3. Software Architecture Exterminat
Page 11 and 12: 3.3 DieFast: A Probabilistic Debugg
Page 13 and 14: Exterminator that the object will n
Page 15 and 16: Cumulative Mode Exterminator While
Page 17 and 18: Exterminator For small overflows, t
Page 19 and 20: 5. CUMULATIVE ERROR ISOLATION Exter
Page 21 and 22: 6. Error Correction Exterminator Ho
Page 23 and 24: 6.4 Collaborative Correction Exterm
Page 25: 7.2 Memory Error Correction Inject
Page 29 and 30: Exterminator neither source code no
Page 31 and 32: 10. Conclusion Exterminator This pa

Exterminator- A ... with High Probability.pdf - DSpace at CUSAT ...

Create successful ePaper yourself

Delete template?

Save as template?