<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 3/24/16 10:46 AM, Zhengyang Liu via
llvm-dev wrote:<br>
</div>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<meta http-equiv="Context-Type" content="text/html;
charset=Windows-1252">
<div id="divtagdefaultwrapper">
<div><span>Abstraction</span><br>
</div>
<div>----------------------------------</div>
<div><span><br>
</span></div>
<div>This projects will enhance the ‘Baggy Bounds with Accurate
Checking’ [1] work. I will provide more efficient runtime
checks in BBAC framework by adding more informations to the
memory object’s padding area. A new padding area scheme will
be designed to make these informations compact and efficient
to fetch. I will create some new runtime checks on these
additional informations. </div>
<div><br>
</div>
<div>Project Background</div>
<div><span>----------------------------------</span><br>
</div>
<div><span><br>
</span></div>
<div>Baggy [2] is a compiler-time transform and runtime
hardening solution that detects out-of-bounds pointer
arithmetic errors. The memory allocation in Baggy are wrapped
with a allocator that aligns all memory objects on a
power-of-two address space and pads the size of the memory
object to be an equivalent power-of-two. In this way the
layout of memory can be encoded compactly, and the meta-data
about the memory object can be fetched in constant time. Baggy
stores its memory objects layout in a contiguous array. With
the memory object’s location and size informations, Beggy can
do a simple check to determine if a pointer q computed from
pointer p stays within the same allocation size.</div>
<div><br>
</div>
<div>Baggy Bounds with Accurate Checking (BBAC) inherits the
memory layout from Baggy. It stores precise object size at the
end of the padding data, making it accurate and efficient to
lookup object bounds meta-data at runtime.</div>
<div><br>
</div>
<div>Overview</div>
<div><span>----------------------------------</span><br>
</div>
<div><br>
</div>
<div>Inspired by Beggy </div>
</div>
</blockquote>
<br>
It should be "Baggy" and not "Beggy." Also, I prefer "BBC" over
"Baggy," but that is just my personal preference.<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div>and BBAC, I realize that there is still a lot we can do on
BBAC. We can use padding area of a memory object to prevent
various memory errors. Concretely speaking, first, I will
focus on the kinds of errors we will check. Second, I need to
come up with addtional data needed to be stored. Third, this
work needs a well-designed meta-data encoding to ensure the
additional data to be compact in size and efficient in lookup.
Thus I will design a padding area encoding scheme. And a
runtime hardening support is needed to guarantee the safety of
program execution. Finally I will adopt some benchmarks, to
evaluate the performance of this scheme.</div>
</div>
</blockquote>
<br>
First, you should clearly state that a prototype version of BBAC is
already implemented in the SAFECode compiler, and you should explain
which types of run-time checks it already performs.<br>
<br>
You should also clearly state which types of errors you plan to
detect within the GSoC time frame. For example, if you are going to
implement explicit checks for dangling pointers, you should describe
exactly how you plan to implement those checks (e.g., what metadata
is required, when that metadata will be created and updated, and how
run-time checks will use it). Cite sources as needed.<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div><br>
</div>
<div>For example, to implement accurate dangling pointer error
checks, we can add points-to sets to the padding area. This
enhancement will make it possible to find the dangling pointer
stored in heap. With the help of runtime check on memory
objects, we can easily locate the pointers which points to the
deallocated memory.</div>
</div>
</blockquote>
<br>
Storing points-to set information in the metadata will allow you to
detect casting errors and some dangling pointer errors, but it will
not catch all. If you have a dangling pointer to one memory object
and it points to another memory object in the same set due to a
dangling pointer error, your approach will not detect the error.<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div><br>
</div>
<div>For another example, to ensure thread safety at runtime, we
can add guarded_by relations to the memory object’s padding
area.</div>
</div>
</blockquote>
<br>
You should not assume that the reader knows what "guarded_by"
means. You should briefly describe it and cite a source (preferably
a peer-reviewed paper if possible).<br>
<br>
Please keep in mind that your proposal will be reviewed by people
other than the potential mentor (in other words, I won't be the only
person reviewing your proposal). You should make sure that your
proposal is comprehensible to them.<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div> With the help of constant time runtime check, this
enhancement will efficiently gurantee that all the operations
to a memory are provided by a particular mutex lock.</div>
<div><br>
</div>
<div>Criteria of Success</div>
<div><span>----------------------------------</span><br>
</div>
<div>I will mainly focus on the points-to enhanment of BBAC, so
the criteria of success is :</div>
<div><br>
</div>
<div>1. Expand padding area to store some additional
informations (at least points-to sets).</div>
</div>
</blockquote>
<br>
This already exists.<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div>2. A encoding scheme to keep these informations in a
limited memory space.</div>
</div>
</blockquote>
<br>
You can add as much padding as you want, so it's not clear to me why
this is needed.<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div>3. Runtime support to check the memory object related bugs
(at least pointer dangling in heaps).</div>
<div>4. Benchmarks on the generated executables.</div>
</div>
</blockquote>
<br>
Which benchmarks do you plan to use?<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div><br>
</div>
<div>Timeline </div>
<div><span>----------------------------------</span><br>
</div>
<div>Before GSoC’16 Official Startup </div>
<div>+ Port SAFECode to latest LLVM release (LLVM 3.8.0).</div>
</div>
</blockquote>
<br>
This should really be done as part of GSoC.<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div>+ Get familiar with SAFECode compiler.</div>
<div>+ Design the new checks and list the informations needed by
these checks.</div>
<div>+ Read more publications on runtime memory hardening.</div>
<div>Week 1</div>
<div>+ Design the encoding scheme of padding area.</div>
</div>
</blockquote>
<br>
Your proposal should, ideally, provide a rough sketch of the design
so that it isn't being worked on during GSoC.<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div>Week 2 - 4</div>
<div>+ Build the pass infrastructure on SAFECode to
automatically generate hardening instructions.</div>
<div>+ Implement new memory operating functions, to support
embedding the additional informations to the padding area.</div>
<div>Week 5 - 6</div>
<div>+ Implement points-to related checks (mainly pointer
dangling check).</div>
</div>
</blockquote>
<br>
Which points-to analysis will you be using?<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div>Week 7 - 8</div>
<div>+ Implement the other checks. This will be discussed with
John Criswell.</div>
<div>Week 9 - 11</div>
<div>+ Adopt benchmarks on the generated executables. Evaluate
the performance.</div>
<div>+ After GSoC’16 </div>
<div>Work out a research paper on this work.</div>
</div>
</blockquote>
<br>
Making this into a research paper would be great!<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div><br>
</div>
<div>About Me</div>
<div><span>----------------------------------</span><br>
</div>
<div>I am Zhengyang, a M.S. candidate at Beijing University of
Posts and Telecomunications working in the area of static
program analysis. My CV can be found in [2]. Most of my works
are based on Clang Static Analyzer. I have contributed to
Static Analysis Suite (SAS) from CERN PH-SFT as Google Summer
of Code 2015 project. About the preparation for this proposal,
I have studied several research papers of compiler time
transform and runtime program hardening techniques. I am
interested in working with LLVM community, and hoping to
contribute to this summer with LLVM. <br>
</div>
</div>
</blockquote>
<br>
I recommend attaching a full-fledged CV or resume with your proposal
instead of providing a link (though a link will do if there is no
other way to attach a CV/resume). You want to give the reviewers as
little work to do as possible when reviewing your application.<br>
<br>
Regards,<br>
<br>
John Criswell<br>
<br>
<blockquote
cite="mid:SG2PR06MB0427A78CEB7868470D0FC79EFD820@SG2PR06MB0427.apcprd06.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper">
<div><br>
</div>
<div>Contact</div>
<div><span>----------------------------------</span><br>
</div>
<div>Zhengyang Liu,</div>
<div>Networking Security Research Center,</div>
<div>State Key Labs of Networking and Switching Technology,</div>
<div>Beijing University of Posts and Telecommunications,
Beijing, China.</div>
<div><br>
</div>
<div>Email: <a class="moz-txt-link-abbreviated" href="mailto:zhengyang-liu@hotmail.com">zhengyang-liu@hotmail.com</a></div>
<div>Mobilie: (+86) 185-1911-7347</div>
<div><br>
</div>
<div>Reference</div>
<div><span>----------------------------------</span><br>
</div>
<div>[1] Ding, Baozeng, et al. "Baggy bounds with accurate
checking." Software Reliability Engineering Workshops
(ISSREW), 2012 IEEE 23rd International Symposium on. IEEE,
2012.</div>
<div>[2] Akritidis, Periklis, et al. "Baggy Bounds Checking: An
Efficient and Backwards-Compatible Defense against
Out-of-Bounds Errors." USENIX Security Symposium. 2009.</div>
<div>[2] <a class="moz-txt-link-freetext" href="http://zhengyangl.com/cv.pdf">http://zhengyangl.com/cv.pdf</a></div>
<div><br>
</div>
<div><br>
</div>
<div>The latest update of this proposal can be found in the
following link. Please let me know your comments on this
proposal as a GSoC project. Any comments on how to refine this
proposal are welcome. I will be very grateful if someone puts
me in the right direction for the project.</div>
<div><br>
</div>
<div><a class="moz-txt-link-freetext" href="https://docs.google.com/document/d/1SNmdULUqN52zDhM1Odw93DW_vX-2WlL0VgceNWaMLP0/edit?usp=sharing">https://docs.google.com/document/d/1SNmdULUqN52zDhM1Odw93DW_vX-2WlL0VgceNWaMLP0/edit?usp=sharing</a></div>
<div><br>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
LLVM Developers mailing list
<a class="moz-txt-link-abbreviated" href="mailto:llvm-dev@lists.llvm.org">llvm-dev@lists.llvm.org</a>
<a class="moz-txt-link-freetext" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev">http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
John Criswell
Assistant Professor
Department of Computer Science, University of Rochester
<a class="moz-txt-link-freetext" href="http://www.cs.rochester.edu/u/criswell">http://www.cs.rochester.edu/u/criswell</a></pre>
</body>
</html>