A Smart Status Based Monitoring Algorithm for the Dynamic Analysis of Memory Safety

IF 6.6 2区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING ACM Transactions on Software Engineering and Methodology Pub Date : 2023-12-11 DOI:10.1145/3637227

Zhe Chen, Rui Yan, Yingzi Ma, Yulei Sui, Jingling Xue

{"title":"A Smart Status Based Monitoring Algorithm for the Dynamic Analysis of Memory Safety","authors":"Zhe Chen, Rui Yan, Yingzi Ma, Yulei Sui, Jingling Xue","doi":"10.1145/3637227","DOIUrl":null,"url":null,"abstract":"C is a dominant programming language for implementing system and low-level embedded software. Unfortunately, the unsafe nature of its low-level control of memory often leads to memory errors. Dynamic analysis has been widely used to detect memory errors at runtime. However, existing monitoring algorithms for dynamic analysis are not yet satisfactory as they cannot deterministically and completely detect some types of errors, e.g., segment confusion errors, sub-object overflows, use-after-frees and memory leaks. We propose a new monitoring algorithm, namely Smatus, short for smart status, that improves memory safety by performing comprehensive dynamic analysis. The key innovation is to maintain at runtime a small status node for each memory object. A status node records the status value and reference count of an object, where the status value denotes the liveness and segment type of this object, and the reference count tracks the number of pointer variables pointing to this object. Smatus maintains at runtime a pointer metadata for each pointer variable, to record not only the base and bound of a pointer’s referent but also the address of the referent’s status node. All the pointers pointing to the same referent share the same status node in their pointer metadata. A status node is smart in the sense that it is automatically deleted when it becomes useless (indicated by its reference count reaching zero). To the best of our knowledge, Smatus represents the most comprehensive approach of its kind. We have evaluated Smatus by using a large set of programs including the NIST Software Assurance Reference Dataset, MSBench, MiBench, SPEC and stress testing benchmarks. In terms of effectiveness (detecting different types of memory errors), Smatus outperforms state-of-the-art tools, Google’s AddressSanitizer, SoftBoundCETS and Valgrind, as it is capable of detecting more errors. In terms of performance (the time and memory overheads), Smatus outperforms SoftBoundCETS and Valgrind in terms of both lower time and memory overheads incurred, and is on par with AddressSanitizer in terms of the time and memory overhead tradeoff made (with much lower memory overheads incurred).","PeriodicalId":50933,"journal":{"name":"ACM Transactions on Software Engineering and Methodology","volume":"13 1","pages":""},"PeriodicalIF":6.6000,"publicationDate":"2023-12-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Software Engineering and Methodology","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3637227","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

C is a dominant programming language for implementing system and low-level embedded software. Unfortunately, the unsafe nature of its low-level control of memory often leads to memory errors. Dynamic analysis has been widely used to detect memory errors at runtime. However, existing monitoring algorithms for dynamic analysis are not yet satisfactory as they cannot deterministically and completely detect some types of errors, e.g., segment confusion errors, sub-object overflows, use-after-frees and memory leaks.

We propose a new monitoring algorithm, namely Smatus, short for smart status, that improves memory safety by performing comprehensive dynamic analysis. The key innovation is to maintain at runtime a small status node for each memory object. A status node records the status value and reference count of an object, where the status value denotes the liveness and segment type of this object, and the reference count tracks the number of pointer variables pointing to this object. Smatus maintains at runtime a pointer metadata for each pointer variable, to record not only the base and bound of a pointer’s referent but also the address of the referent’s status node. All the pointers pointing to the same referent share the same status node in their pointer metadata. A status node is smart in the sense that it is automatically deleted when it becomes useless (indicated by its reference count reaching zero). To the best of our knowledge, Smatus represents the most comprehensive approach of its kind.

We have evaluated Smatus by using a large set of programs including the NIST Software Assurance Reference Dataset, MSBench, MiBench, SPEC and stress testing benchmarks. In terms of effectiveness (detecting different types of memory errors), Smatus outperforms state-of-the-art tools, Google’s AddressSanitizer, SoftBoundCETS and Valgrind, as it is capable of detecting more errors. In terms of performance (the time and memory overheads), Smatus outperforms SoftBoundCETS and Valgrind in terms of both lower time and memory overheads incurred, and is on par with AddressSanitizer in terms of the time and memory overhead tradeoff made (with much lower memory overheads incurred).

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

基于智能状态的内存安全动态分析监控算法

C 语言是实现系统和低级嵌入式软件的主流编程语言。遗憾的是，其低级内存控制的不安全性经常导致内存错误。动态分析已被广泛用于检测运行时的内存错误。然而，现有的动态分析监控算法还不能令人满意，因为它们无法确定性地完全检测到某些类型的错误，如段混淆错误、子对象溢出、使用后释放和内存泄漏。我们提出了一种新的监控算法，即 Smatus（智能状态的缩写），它通过执行全面的动态分析来提高内存安全性。该算法的主要创新点是在运行时为每个内存对象维护一个小型状态节点。状态节点记录对象的状态值和引用计数，其中状态值表示该对象的有效性和段类型，引用计数跟踪指向该对象的指针变量的数量。Smatus 会在运行时为每个指针变量维护一个指针元数据，不仅记录指针引用的基数和边界，还记录引用的状态节点地址。在指针元数据中，指向同一引用的所有指针共享同一个状态节点。状态节点是智能的，因为当它变得无用时（引用次数为零时），它就会被自动删除。据我们所知，Smatus 是同类中最全面的方法。我们使用大量程序对 Smatus 进行了评估，其中包括 NIST 软件保证参考数据集、MSBench、MiBench、SPEC 和压力测试基准。就有效性（检测不同类型的内存错误）而言，Smatus优于最先进的工具、Google的AddressSanitizer、SoftBoundCETS和Valgrind，因为它能检测出更多错误。在性能（时间和内存开销）方面，Smatus 的表现优于 SoftBoundCETS 和 Valgrind，时间和内存开销都更低，在时间和内存开销的权衡方面与 AddressSanitizer 不相上下（内存开销更低）。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

ACM Transactions on Software Engineering and Methodology 工程技术-计算机：软件工程

CiteScore

6.30

自引率

4.50%

发文量

164

审稿时长

>12 weeks

期刊介绍： Designing and building a large, complex software system is a tremendous challenge. ACM Transactions on Software Engineering and Methodology (TOSEM) publishes papers on all aspects of that challenge: specification, design, development and maintenance. It covers tools and methodologies, languages, data structures, and algorithms. TOSEM also reports on successful efforts, noting practical lessons that can be scaled and transferred to other projects, and often looks at applications of innovative technologies. The tone is scholarly but readable; the content is worthy of study; the presentation is effective.