4th International Conference on Principles and Practices ... - MADOC
implementations are not compatible with the conventional one. This means that legacy C programs that expect the conventional pointer implementation do not work correctly when compiled using them. Jones and Kelly proposed a backward-compatible range check implementation, but it has even higher runtime overhead[18]. Even when pointer format compatibility is a problem, we cannot ignore the fact that recompilation itself adds costs, such as that for quality assurance.
2.2 Virtual Machines

Virtual machines[26, 9, 19] detect invalid memory accesses by monitoring the execution of memory access instructions as they interpret the machine instructions of the target program. While virtual machines are useful for debugging, they may not be appropriate for monitoring programs in practical use because of their large runtime overhead. Koju[19] reports that the performance of a virtual machine is 231.2 times lower than that of the machine on which it is running if the virtual machine monitors all store instructions and is implemented as an interpreter. A virtual machine implementation using dynamic translation improves performance so that it is 11.7 times lower than that of the actual machine.

Because our final goal is to monitor application server processes in practical use, approaches that significantly degrade performance are not appropriate. The heap protection domain suffers much less performance loss (up to two times lower than that of the actual machine, as described in section 6).
2.3 Hardware

Practical multiprogramming environments should provide features that prevent a program execution from invalidly accessing resources assigned to other program executions[10], and hardware and operating systems have been designed to prevent this. Most modern processors have been designed to provide address translation and page protection features.

Address translation maps logical addresses to physical addresses. This feature ensures that each program execution is given a virtually isolated address space so that it cannot access memory assigned to another program execution.

Page protection divides the address space into fixed-length spaces, or pages, and sets permissions for page access. The heap protection domain is implemented using this feature.

While most modern processors support protection by page, Mondrian Memory Protection[31] supports it by word. Such fine-grained protection should be useful for protecting fine-grained memory areas, such as words for global variables.

Hardware-level detection of bugs which misuse non-pointer values as pointers has also been investigated. System/38 (TM, footnote 7) [12] assigns a tag bit to each memory word and sets the tag bit value to 1 if the value in the corresponding memory word is a pointer, so as to permit a value in a memory word to be used as a pointer to reference memory only if the tag bit value is 1.

Footnote 7: PowerPC, System/38 and i5/OS are trademarks or registered trademarks of International Business Machines Corporation in the United States and other countries.
2.4 Operating Systems

An operating system implements virtual memory and memory access control by using the address translation and page protection features provided by hardware. Mainstream operating systems such as Windows and Linux divide program executions into processes and assign a logical address space to each process. Because they provide memory access control to each process, not to each thread, every thread in a process has the same memory access permission. This means that the heap protection feature presented here cannot be simply implemented in these operating systems.

One implementation of a JVM on such an OS, MVM[8, 7], protects its heap from native method execution by dividing execution of the JVM into two processes: one executes Java applications and the other executes native methods. MVM protects a wider range of memory than our heap protection feature does, because MVM protects stacks, global variables, and heap allocated using malloc() (footnote 8). However, MVM suffers large runtime overhead from JNI calls, which are implemented using inter-process communication (IPC). Czajkowski estimated that the execution time of SPECjvm98 is approximately ten times longer at most[8] if all JNI calls are implemented using IPC.

Hydra[6, 20, 32], Opal[4], and i5/OS (R) [15] provide memory access control features like the heap protection domain described here. i5/OS is a commercial OS currently in use, and JVMs for i5/OS[16] can easily support heap protection. However, to the best of our knowledge, there have been no reports like that presented here on the runtime overhead incurred in protecting the heap.
3. IMPLEMENTATION OF THE HEAP PROTECTION DOMAIN

We implemented the heap protection domain on Linux for IA32 processors using a page global directory (PGD), which is one of the address translation tables IA32 processors use to implement paging and page protection. This section first describes the implementation of virtual memory on IA32 processors and then describes the implementation of the heap protection domain using the PGD.

3.1 Virtual memory on IA32 processors

IA32 processors implement virtual memory using both segmentation and paging[13]. They first translate each logical address into a linear address using segmentation and then translate the linear address into a physical address using paging.

IA32 processors translate the linear address into a physical address as follows (footnote 9).

1. To translate linear address L, the processor first looks at its CR3 register because it holds the PGD address.
Footnote 8: Our seven years of JVM maintenance experience has shown that many hard-to-analyze crashes came from invalid access to the heap for Java instances or dynamically compiled code. We thus designed our heap protection feature to protect only the heap. Our heap protection feature does not protect the other memory areas, to avoid runtime overhead.
Footnote 9: IA32 processors provide two paging implementations. One uses two-level address-translation tables, and the other uses three-level address-translation tables. We describe only the former because we used it to implement the heap protection domain.
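To make the page protection feature of section 2.3 and the two-level IA32 walk of section 3.1 (and footnote 9) concrete, the following C program is an added illustration written for this edition; it is not the paper's implementation. It models the 10/10/12-bit split of a linear address into PGD index, page-table index and page offset, the P/RW/US flag bits of directory and table entries, and a user-mode permission check. The two-domain setup at the end (a second PGD for native-method execution whose directory entry for the heap has RW cleared), the heap address 0x08400000, and the frame numbers are constructed assumptions chosen to show how a thread given a different PGD sees different heap permissions; the paper's actual design is in its later sections, which are not on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of IA32 two-level paging with 4 KB pages.
 * Flag bits follow a real IA32 page-directory/page-table entry;
 * the fault model (user-mode accesses only) is a simplification. */
#define PTE_P   0x1u  /* present */
#define PTE_RW  0x2u  /* writable when set, read-only when clear */
#define PTE_US  0x4u  /* accessible from user mode when set */
#define ENTRIES 1024u

typedef uint32_t pte_t;
typedef struct { pte_t e[ENTRIES]; } page_table_t;   /* second level */
typedef struct {                                      /* first level (PGD) */
    page_table_t *pt[ENTRIES];                        /* page table the entry points to */
    uint32_t      flags[ENTRIES];                     /* P/RW/US bits of the directory entry */
} pgd_t;

enum access_result { ACC_OK = 0, ACC_NOT_PRESENT, ACC_WRITE_PROTECTED, ACC_USER_DENIED };

/* Linear address L is split 10/10/12: PGD index, page-table index, page offset. */
static inline uint32_t pgd_index(uint32_t lin)   { return lin >> 22; }
static inline uint32_t pt_index(uint32_t lin)    { return (lin >> 12) & 0x3FFu; }
static inline uint32_t page_offset(uint32_t lin) { return lin & 0xFFFu; }

/* Walk the tables the way the MMU does: CR3 -> PGD entry -> page-table entry -> frame.
 * Returns ACC_OK and fills *phys, or the fault a protection check would raise. */
enum access_result translate(const pgd_t *cr3, uint32_t lin, int is_write, int is_user,
                             uint32_t *phys)
{
    uint32_t di = pgd_index(lin);
    uint32_t dflags = cr3->flags[di];
    if (!(dflags & PTE_P) || cr3->pt[di] == NULL)
        return ACC_NOT_PRESENT;
    pte_t pte = cr3->pt[di]->e[pt_index(lin)];
    if (!(pte & PTE_P))
        return ACC_NOT_PRESENT;
    /* For user-mode accesses the effective permission is the AND of both levels,
     * so clearing RW in one directory entry protects the whole 4 MB beneath it. */
    uint32_t eff = dflags & pte;
    if (is_user && !(eff & PTE_US))
        return ACC_USER_DENIED;
    if (is_write && !(eff & PTE_RW))
        return ACC_WRITE_PROTECTED;
    *phys = (pte & 0xFFFFF000u) | page_offset(lin);
    return ACC_OK;
}

/* Constructed scenario (assumed, not the paper's code): one page table for the
 * Java heap shared by two PGDs. The "Java" PGD maps the heap writable; the
 * "native" PGD maps the same page table with RW cleared in its directory entry,
 * so native code can read the heap but any store to it faults. */
#define HEAP_BASE 0x08400000u   /* constructed address: PGD index 0x21, pt index 0 */
static page_table_t heap_pt;
static pgd_t java_pgd, native_pgd;

void setup_domains(void)
{
    memset(&heap_pt, 0, sizeof heap_pt);
    memset(&java_pgd, 0, sizeof java_pgd);
    memset(&native_pgd, 0, sizeof native_pgd);
    for (uint32_t i = 0; i < 4; i++)     /* four heap pages -> frames 0x100..0x103 */
        heap_pt.e[i] = ((0x100u + i) << 12) | PTE_P | PTE_RW | PTE_US;
    uint32_t di = pgd_index(HEAP_BASE);
    java_pgd.pt[di]   = &heap_pt; java_pgd.flags[di]   = PTE_P | PTE_RW | PTE_US;
    native_pgd.pt[di] = &heap_pt; native_pgd.flags[di] = PTE_P | PTE_US;  /* read-only heap */
}

/* Perform a user-mode access from one of the two domains (1 = native-method thread). */
enum access_result domain_access(int native_domain, uint32_t lin, int is_write, uint32_t *phys)
{
    return translate(native_domain ? &native_pgd : &java_pgd, lin, is_write, 1, phys);
}

int main(void)
{
    static const char *names[] = { "ok", "not present", "write protected", "user denied" };
    uint32_t phys = 0;
    setup_domains();
    printf("java store   -> %s (phys 0x%08x)\n",
           names[domain_access(0, HEAP_BASE + 0x10, 1, &phys)], phys);
    printf("native load  -> %s (phys 0x%08x)\n",
           names[domain_access(1, HEAP_BASE + 0x10, 0, &phys)], phys);
    printf("native store -> %s\n", names[domain_access(1, HEAP_BASE + 0x10, 1, &phys)]);
    printf("unmapped     -> %s\n", names[domain_access(0, 0x00001000u, 0, &phys)]);
    return 0;
}
```

The point the model makes is the one section 2.4 relies on: because the walk starts from whatever CR3 points at, two executions sharing the same page table can still be given different heap permissions simply by starting them from different PGDs, without copying the heap or routing accesses through IPC as MVM does.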