Fast As a Shadow, Expressive As a Tree: Hybrid Memory Monitoring for C
Total Page:16
File Type:pdf, Size:1020Kb
Fast as a Shadow, Expressive as a Tree: Hybrid Memory Monitoring for C Nikolai Kosmatov1 with Arvid Jakobsson2, Guillaume Petiot1 and Julien Signoles1 [email protected] [email protected] SASEFOR, November 24, 2015 A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 1 / 48 Outline Context and motivation Frama-C, a platform for analysis of C code Motivation The memory monitoring library An overview Patricia trie model Shadow memory based model The Hybrid model Design principles Illustrating example Dataflow analysis An overview How it proceeds Evaluation Conclusion and future work A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 2 / 48 Context and motivation Frama-C, a platform for analysis of C code Outline Context and motivation Frama-C, a platform for analysis of C code Motivation The memory monitoring library An overview Patricia trie model Shadow memory based model The Hybrid model Design principles Illustrating example Dataflow analysis An overview How it proceeds Evaluation Conclusion and future work A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 3 / 48 Context and motivation Frama-C, a platform for analysis of C code A brief history I 90's: CAVEAT, Hoare logic-based tool for C code at CEA I 2000's: CAVEAT used by Airbus during certification process of the A380 (DO-178 level A qualification) I 2002: Why and its C front-end Caduceus (at INRIA) I 2006: Joint project on a successor to CAVEAT and Caduceus I 2008: First public release of Frama-C (Hydrogen) I Today: Frama-C Sodium (v.11) I Multiple projects around the platform I A growing community of users. I and of developers A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 4 / 48 Context and motivation Frama-C, a platform for analysis of C code Frama-C at a glance I A Framework forModularAnalysis ofC code I Developed at CEA LIST in collaboration with INRIA Saclay I Released under LGPL license I ACSL annotation language I Extensible plugin oriented platform I Collaboration of analyses over same code I Inter plugin communication through ACSL formulas I Adding specialized plugins is easy I http://frama-c.com/ [Kirchner et al. FAC 2015] A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 5 / 48 Context and motivation Frama-C, a platform for analysis of C code ACSL: ANSI/ISO C Specification Language I Based on the notion of contract, like in Eiffel, JML I Allows users to specify functional properties of programs I Allows communication between various plugins I Independent from a particular analysis I Manual at http://frama-c.com/acsl Basic Components I First-order logic I Pure C expressions I C types + Z (integer) and R (real) I Built-in predicates and logic functions particularly over pointers: \valid(p) \valid(p+0..2), \separated(p+0..2,q+0..5), \block_length(p) A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 6 / 48 Context and motivation Frama-C, a platform for analysis of C code Example: a C program annotated in ACSL /*@ r e q u i r e s n>=0 && n v a l i d ( t + ( 0 . n −1)); a s s i g n s nnothing ; e n s u r e s n r e s u l t != 0 <==> ( n f o r a l l integer j ; 0 <= j < n ==> t [ j ] == 0 ) ; */ i n t a l l z e r o s ( i n t t [ ] , i n t n ) f i n t k ; /*@ loop invariant 0 <= k <= n ; loop invariant n f o r a l l integer j ; 0<=j <k ==> t [ j ]==0; loop assigns k ; loop variant n−k ; */ f o r ( k = 0 ; k < n ; k++) i f ( t [ k ] != 0) r e t u r n 0 ; r e t u r n 1 ; Can be proven g in Frama-C/WP A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 7 / 48 Context and motivation Frama-C, a platform for analysis of C code Main Frama-C plugins VALUE Aora¨ı Jessie WP Agen Abstract Interpretation Specification Generation Mthread Deductive Verification Slicing Concurrency Spare code Formal Methods E-ACSL Code Transformation Frama-C Plugins PathCrawler Dynamic Analysis STADY Semantic constant folding LTEST Browsing of unfamiliar code SANTE Metrics computation Scope & Data-flow browsing Impact Analysis Variable occurrences A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 8 / 48 Context and motivation Motivation Outline Context and motivation Frama-C, a platform for analysis of C code Motivation The memory monitoring library An overview Patricia trie model Shadow memory based model The Hybrid model Design principles Illustrating example Dataflow analysis An overview How it proceeds Evaluation Conclusion and future work A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 9 / 48 Context and motivation Motivation The C language is risky! I Low-level operations I Widely used for critical software I Lack of security mechanisms Runtime errors are common: I Division by 0 I Invalid array index I Invalid pointer I Non initialized variable I Out-of-bounds shifting I Arithmetical overflow I ... A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 10 / 48 Context and motivation Motivation Memory safety violations in C programs Spacial safety violations: I out-of-bounds access, unintialized/manufactured/null pointer access Temporal safety violations: I dangling stack/heap pointer access (use-after-free), multiple dealloc's Many advanced techniques and tools proposed, relying on: I object metadata [Jones & Kelly, VEE'97], [Ruwase & Lam, NDSS'04], [Xu et al, FSE'04], [Djurjati & Adve, ICSE'06], [Arkitidis et al, USENIX'09] I fat pointers Safe C [Austin et al, PLDI'94], FailSafe C [Oiwa, PLDI'09] I combined techniques CAWDOR [SCAM'12], MemSafe [Soft.,Pract.Exp.,2013] I shadow memory Valgrind [PLDI'07], AddressSanitizer [USENIX ATC'12] Our objective is different: efficiently support runtime checking of memory related annotations for an expressive specification language A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 11 / 48 Context and motivation Motivation E-ACSL Language E-ACSL, an executable subset of ACSL: I it is verifiable in finite time, suitable for runtime assertion checking I limitations: only bounded quantification, no axioms, no lemmas I Includes builtin memory-related predicates E-ACSL2C is a runtime verification tool for E-ACSL specifications: 0 I it translates annotated program p into another program p 0 I p exits with error message if an annotation is violated 0 I otherwise p and p have the same behavior [Delahaye et al. SAC 2013] A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 12 / 48 Monitoring level Byte Byte Block Block Block Block-level information such as block length and base address is not needed to verify byte-level predicates. Context and motivation Motivation Motivation Support efficient runtime checking for memory-related E-ACSL constructs for a pointer p such as: E-ACSL keyword Its semantics nvalid(p) True iff p is valid ninitialized(p) True iff ∗p has been initialized nblock length(p) Length of p's memory block nbase address(p) Base address of p's memory block noffset(p) Offset of p in its memory block A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 13 / 48 Context and motivation Motivation Motivation Support efficient runtime checking for memory-related E-ACSL constructs for a pointer p such as: E-ACSL keyword Its semantics Monitoring level nvalid(p) True iff p is valid Byte ninitialized(p) True iff ∗p has been initialized Byte nblock length(p) Length of p's memory block Block nbase address(p) Base address of p's memory block Block noffset(p) Offset of p in its memory block Block Block-level information such as block length and base address is not needed to verify byte-level predicates. A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 13 / 48 Context and motivation Motivation Example C program p annotated with E-ACSL i n t a [ ] = f1 ,2 ,3 , 4g , l e n = 4 , i , * a i n v ; /*@ assert len>0; */ a inv = malloc( s i z e o f ( i n t )* l e n ) ; f o r ( i = l e n − 1 ; i >= 0 ; i ) f /*@ assert\ v a l i d (a+i); */ a i n v [ l e n − i − 1 ] = a [ i ] ; g // array a_inv is inversed f r e e ( a i n v ) ; ai nv A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 14 / 48 Context and motivation Motivation Example C program p0 translated by E-ACSL2C (simplified) i n t a [ ] = f1 ,2 ,3 , 4g , l e n = 4 , i , * a i n v ; /*@ assert len>0; */ e a c s l a s s e r t ( l e n > 0 ) ; a inv = malloc( s i z e o f ( i n t )* l e n ) ; f o r ( i = l e n − 1 ; i >= 0 ; i ) f /*@ assert\ v a l i d (a+i); */ i n t e a c s l v a l i d = v a l i d ( a + i , s i z e o f ( i n t )); e a c s l a s s e r t ( e a c s l v a l i d ) ; a i n v [ l e n − i − 1 ] = a [ i ] ; g // array a_inv is inversed f r e e ( a i n v ) ; ai nv A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 15 / 48 The memory monitoring library An overview Outline Context and motivation Frama-C, a platform for analysis of C code Motivation The memory monitoring library An overview Patricia trie model Shadow memory based model The Hybrid model Design principles Illustrating example Dataflow analysis An overview How it proceeds Evaluation Conclusion and future work A.Jakobsson, N.Kosmatov, J.Signoles (CEA) Hybrid Memory Monitoring for C 2015-11-24 16 / 48 The memory monitoring library An overview The memory monitoring library, an overview E-ACSL2C performs a non-invasive C code instrumentation of p into p0: 0 I p records memory block (object) metadata in the store I validity information (including base address, size) whenever a new block is allocated I initialization information whenever a byte is assigned 0 I p queries the store to evaluate memory related E-ACSL constructs The memory monitoring library provides primitives for record/query operations.