Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
158 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

GWP-ASan: Sampling-Based Detection of Memory-Safety Bugs in Production (2311.09394v2)

Published 15 Nov 2023 in cs.SE and cs.PL

Abstract: Despite the recent advances in pre-production bug detection, heap-use-after-free and heap-buffer-overflow bugs remain the primary problem for security, reliability, and developer productivity for applications written in C or C++, across all major software ecosystems. Memory-safe languages solve this problem when they are used, but the existing code bases consisting of billions of lines of C and C++ continue to grow, and we need additional bug detection mechanisms. This paper describes a family of tools that detect these two classes of memory-safety bugs, while running in production, at near-zero overhead. These tools combine page-granular guarded allocation and low-rate sampling. In other words, we added an "if" statement to a 36-year-old idea and made it work at scale. We describe the basic algorithm, several of its variants and implementations, and the results of multi-year deployments across mobile, desktop, and server applications.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (29)
  1. James P. Anderson “Computer security technology planning study”, 1972
  2. Hilarie Orman “The Morris worm: A fifteen-year perspective” In IEEE Security & Privacy 1.5 IEEE, 2003, pp. 35–43
  3. “Valgrind: a framework for heavyweight dynamic binary instrumentation” In PLDI ACM, 2007, pp. 89–100 DOI: 10.1145/1250734.1250746
  4. “AddressSanitizer: A Fast Address Sanity Checker” In USENIX USENIX Association, 2012, pp. 309–318 URL: https://www.usenix.org/conference/atc12/technical-sessions/presentation/serebryany
  5. “Memory Tagging and how it improves C/C++ memory safety” In CoRR abs/1802.09517, 2018 arXiv:1802.09517
  6. “M7: Oracle’s Next-Generation Sparc Processor” In IEEE Micro 35.2, 2015, pp. 36–45 DOI: 10.1109/MM.2015.35
  7. Kostya Serebryany “ARM Memory Tagging Extension and How It Improves C/C++ Memory Safety” In login Usenix Mag. 44.2, 2019 URL: https://www.usenix.org/publications/login/summer2019/serebryany
  8. Larry Smith “Shift-Left Testing” In Dr. Dobb’s J. 26.9 USA: CMP Media, Inc., 2001
  9. “SoK: Eternal War in Memory” In 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013 IEEE Computer Society, 2013 DOI: 10.1109/SP.2013.13
  10. Alex Gaynor “What science can tell us about C and C++’s security”, 2020 URL: https://alexgaynor.net/2020/may/27/science-on-memory-unsafety-and-security/
  11. Bruce Perens “efence: Electric Fence Malloc Debugger”, 2003 URL: https://web.archive.org/web/20100829220331/http://perens.com/FreeSoftware/ElectricFence/
  12. Microsoft Corporation “GFlags and PageHeap”, 2022 URL: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/gflags-and-pageheap
  13. “Google-Wide Profiling: A Continuous Profiling Infrastructure for Data Centers” In IEEE Micro 30.4, 2010, pp. 65–79 DOI: 10.1109/MM.2010.68
  14. Brian Randell “On Failures and Faults” In FME 2003: Formal Methods, International Symposium of Formal Methods Europe, Pisa, Italy, September 8-14, 2003, Proceedings 2805, Lecture Notes in Computer Science Springer, 2003 DOI: 10.1007/978-3-540-45236-2\_3
  15. John L. Hennessy and David A. Patterson “Computer Architecture - A Quantitative Approach, 5th Edition” Morgan Kaufmann, 2012
  16. The TCMalloc Authors “TCMalloc: Thread-Caching Malloc”, 2023 URL: https://github.com/google/tcmalloc
  17. Adrian Taylor, Bartek Nowierski and Kentaro Hara “Use-after-freedom: MiraclePtr”, 2022 URL: https://security.googleblog.com/2022/09/use-after-freedom-miracleptr.html
  18. The LLVM Authors “compiler-rt runtime libraries”, 2023 URL: https://compiler-rt.llvm.org/
  19. Chris Lattner and Vikram S. Adve “LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation” In CGO IEEE Computer Society, 2004, pp. 75–88 DOI: 10.1109/CGO.2004.1281665
  20. Jonathan Corbet “The SLUB allocator” In Linux Weekly News (LWN), 2007 URL: https://lwn.net/Articles/229984/
  21. The Linux Kernel Authors “Static Keys”, 2023 URL: https://docs.kernel.org/staging/static-keys.html
  22. Gray Watson “Debug Malloc Library”, 2020 URL: https://dmalloc.com/docs/dmalloc.pdf
  23. “Bug isolation via remote program sampling” In PLDI ACM, 2003 DOI: 10.1145/781131.781148
  24. George C. Necula, Scott McPeak and Westley Weimer “CCured: type-safe retrofitting of legacy code” In POPL ACM, 2002 DOI: 10.1145/503272.503286
  25. “Statistical debugging using compound boolean predicates” In ISSTA ACM, 2007 DOI: 10.1145/1273463.1273467
  26. Matthias Hauswirth and Trishul M. Chilimbi “Low-overhead memory leak detection using adaptive statistical profiling” In ASPLOS ACM, 2004 DOI: 10.1145/1024393.1024412
  27. “GWP-TSan: Zero-Cost Detection of Data Races in Production”, 2020 URL: https://llvm.org/devmtg/2020-09/slides/Morehouse-GWP-Tsan.pdf
  28. The Linux Kernel Authors “Memory Protection Keys”, 2023 URL: https://www.kernel.org/doc/html/latest/core-api/protection-keys.html
  29. “Lightweight UaF Detector”, 2022 URL: https://docs.google.com/document/d/1xfGa_IMtFZiQ3beOmkncEafODwn4U90ZyL4NfPaAtDY/edit?resourcekey=0-89BZl1SVILB6ylOHula0IA
Citations (1)
View on Semantic Scholar

Summary

  • The paper presents a novel sampling-based algorithm that uses guard pages to detect heap-use-after-free and heap-buffer-overflow bugs in C/C++ applications.
  • It combines page-granular guarded allocation with low-rate sampling to achieve near-zero runtime overhead in production environments.
  • Empirical evaluations demonstrate its effectiveness across platforms, identifying over 550 bugs in Google’s server applications and numerous issues in Chrome and Android.

Overview of GWP-ASan: Sampling-Based Detection of Memory-Safety Bugs in Production

The paper presents "GWP-ASan: Sampling-Based Detection of Memory-Safety Bugs in Production," a paper introducing a family of tools designed to detect memory-safety bugs specifically heap-use-after-free and heap-buffer-overflow bugs in C and C++ applications. The authors highlight the persistent challenge posed by these bugs across major software ecosystems, even amidst significant advancements in pre-production bug detection techniques. The paper details a comprehensive approach that incorporates page-granular guarded allocation combined with low-rate sampling, achieving near-zero overhead when these tools are run in production environments.

Technical Contributions

The core technical contribution of this paper is the refined algorithmic incorporation of guard pages and sampling mechanisms to detect runtime memory-safety violations while minimizing performance overhead. The authors revisit the decades-old Electric Fence memory management concept, enhancing it with an "if" statement to enable scalable production use. The key elements of the algorithm include:

  • Guard Allocation: Using memory management unit (MMU) capabilities, it places inaccessible guard pages around allocated memory to catch illegal accesses.
  • Sampling Mechanism: It implements a low-probability sampling technique controlled by a lightweight decision function to determine when to apply guarded allocations.

The paper further elucidates the deployment of GWP-ASan across various platforms, including Google server applications, the Chrome browser, Android, Firefox, Apple platforms, and the Linux kernel. Each implementation demonstrates nuanced adjustments to the basic algorithm to cater to the specific context of the software environment and hardware constraints.

Results and Observations

Empirical evaluations reveal the effectiveness of GWP-ASan across different systems. For instance, in Google's server-side software, the tool identified over 550 unique bugs in 2023 alone, predominantly heap-use-after-free issues. The deployments on Chrome and Android also yield substantial results in identifying security vulnerabilities, emphasising the tool's potential impact in commercial applications. In Android, out of nearly 11.7 million collected crash reports, 1,972 unique stack traces were discovered.

Significant statistical insights presented include the distribution of bug occurrence frequencies. The deployment data suggests that most bugs are captured infrequently, with GWP-ASan catching many only once—highlighting the critical nature of GWP-ASan's probabilistic detection in vast production environments.

Practical Implications

The practical implications of this research are profound for the software development community. GWP-ASan offers an alternative, efficient solution for detecting memory safety violations without imposing the typical runtime penalties associated with dynamic analysis. Consequently, it presents itself as a complementary tool to more pervasive dynamic analysis techniques used in pre-production testing, such as AddressSanitizer (ASan) and HardwareAddressSanitizer (HWASan).

However, the paper also underscores the intrinsic limitations associated with sampling-based detection. Given its low per-instance detection likelihood, GWP-ASan primarily surfaces frequently occurring memory errors in production, leaving the less frequent—and potentially severe—bugs undiscovered unless they manifest frequently.

Future Directions

The paper outlines compelling avenues for future research and enhancements. These include the development of extensions or new algorithms aimed at other classes of memory bugs, such as stack-use-after-return, and data races, as well as approaches to account for and mitigate the undetected infrequent bugs. The authors advocate for leveraging emerging hardware capabilities to further optimize sampling rates and improve detection fidelity.

Enhancements are suggested not only in the form of algorithmic innovations but also in feedback mechanisms that dynamically adjust sampling strategies based on historical data to improve discoverability for elusive bugs. Such strategies could lead to a nuanced, adaptable deployment model boosting overall software robustness.

Conclusion

In conclusion, by leveraging a well-founded yet previously overlooked approach and augmenting it with modern sampling techniques, GWP-ASan establishes itself as a pivotal tool in the ongoing endeavor to enhance the memory safety of legacy and new software offerings. This paper’s contribution is vital, particularly during a transitional phase wherein the software industry progressively adopts memory-safe languages while still managing extensive C and C++ codebases.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown