James Clause, profile picture
Uploaded byJames Clause
617 views

Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)

The document discusses advanced dynamic analysis techniques for leak detection. It describes how dynamic taint analysis works by assigning taint marks, propagating those marks, and checking the marks. This allows detecting where memory was allocated but not freed. The document outlines an implementation of leak detection as a Valgrind tool that intercepts memory functions and instruments instructions. It summarizes the current status of handling different languages and platforms. Future work ideas include improving the leakpoint tool and collaborating with Apple on new analysis techniques based on the experiences gained.

Embed presentation

Downloaded 10 times
Advanced dynamic analysis for leak detection Jim Clause Chris Friesen - Manager Analysis Tools Group
Current analysis tools Shark Instruments
≈ X-ray Current analysis tools Shark Instruments
≈ X-ray MRI Current analysis tools Shark Instruments
≈ X-ray MRI Current analysis tools Shark Instruments ≈?
≈ X-ray MRI Current analysis tools Shark Instruments C A B 312 Z 3 Dynamic taint analysis ≈
Dynamic taint analysis C A B Z
Dynamic taint analysis 1 Assign taint marks C A B Z
Dynamic taint analysis 1 Assign taint marks C A B 312 Z
Dynamic taint analysis 1 Assign taint marks 2 Propagate taint marks C A B 312 Z
Dynamic taint analysis 1 Assign taint marks 2 Propagate taint marks C A B 312 Z
Dynamic taint analysis 1 Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z
Dynamic taint analysis 1 Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z C A B 312 Z 3
Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errors
Attack detection / prevention Prevent stack smashing, SQL injection, buffer overruns, etc. Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errors
Information policy enforcement ensure classified information does not leave the system Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errors
Testing Coverage metrics, test data generation heuristic, etc. ✔/✘ Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errors
Data lifetime track how long sensitive data remain in the application Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errors
Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errorsMemory errors Detect illegal memory access, leak detection, etc.
Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errorsMemory errors Detect illegal memory access, leak detection, etc.leak detection
Detecting leaks is easy, fixing them is hard
Detecting leaks is easy, fixing them is hard @interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { //[_object release]; [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end
Detecting leaks is easy, fixing them is hard @interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { //[_object release]; [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; }
Detecting leaks is easy, fixing them is hard @interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { //[_object release]; [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; } leaks: This object is leaked
Leakpoint overview Discover where the last pointer to un-freed memory is lost
Leakpoint overview Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost
Leakpoint overview Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 Discover where the last pointer to un-freed memory is lost
Leakpoint overview Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost
Leakpoint overview Assign taint marks Propagate taint marks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 3 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost
@interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; } Detecting leaks is easy, fixing them is easier
@interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; } leakpoint: This object is leaked Detecting leaks is easy, fixing them is easier
@interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; } leakpoint: Last reference was lost here leakpoint: This object is leaked Detecting leaks is easy, fixing them is easier
@interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; } [_object release]; leakpoint: Last reference was lost here leakpoint: This object is leaked Detecting leaks is easy, fixing them is easier
Leakpoint implementation • Implemented as aValgrind tool (www.valgrind.org) ■ intercept libc memory management functions ■ instrument binary instructions to perform propagation
Lost pointer to 0x1C93AC0 (16 bytes)  allocated at:   at calloc+105   by _internal_class_createInstanceFromZone+149   by _internal_class_createInstance+31   by +[NSObject allocWithZone:]+155 (NSObject.m:445)   by +[NSObject alloc]+41 (NSObject.m:432)   by create+97 (main.m:29)   by main+17 (main.m:38)  leaked at:   at free+103   by _internal_object_dispose+81   by NSDeallocateObject+223 (NSObject.m:207)   by -[Container dealloc]+53 (container.m:13)   by main+43 (main.m:40) Leakpoint implementation • Implemented as aValgrind tool (www.valgrind.org) ■ intercept libc memory management functions ■ instrument binary instructions to perform propagation
leaks Lost pointer to 0x1C93AC0 (16 bytes)  allocated at:   at calloc+105   by _internal_class_createInstanceFromZone+149   by _internal_class_createInstance+31   by +[NSObject allocWithZone:]+155 (NSObject.m:445)   by +[NSObject alloc]+41 (NSObject.m:432)   by create+97 (main.m:29)   by main+17 (main.m:38)  leaked at:   at free+103   by _internal_object_dispose+81   by NSDeallocateObject+223 (NSObject.m:207)   by -[Container dealloc]+53 (container.m:13)   by main+43 (main.m:40) Leakpoint implementation • Implemented as aValgrind tool (www.valgrind.org) ■ intercept libc memory management functions ■ instrument binary instructions to perform propagation
leakpoint leaks Lost pointer to 0x1C93AC0 (16 bytes)  allocated at:   at calloc+105   by _internal_class_createInstanceFromZone+149   by _internal_class_createInstance+31   by +[NSObject allocWithZone:]+155 (NSObject.m:445)   by +[NSObject alloc]+41 (NSObject.m:432)   by create+97 (main.m:29)   by main+17 (main.m:38)  leaked at:   at free+103   by _internal_object_dispose+81   by NSDeallocateObject+223 (NSObject.m:207)   by -[Container dealloc]+53 (container.m:13)   by main+43 (main.m:40) Leakpoint implementation • Implemented as aValgrind tool (www.valgrind.org) ■ intercept libc memory management functions ■ instrument binary instructions to perform propagation
Leakpoint: current status
Leakpoint: current status Handle basic C / C++ / Objective C
Leakpoint: current status Handle basic C / C++ / Objective C✔
Leakpoint: current status Handle basic C / C++ / Objective C✔ Handle CoreFoundation
Leakpoint: current status Handle basic C / C++ / Objective C✔ Handle CoreFoundation✔
Leakpoint: current status Handle basic C / C++ / Objective C Handle Cocoa ✔ Handle CoreFoundation✔
Need to investigate approximately 40 false positive (probably) leak reports • Interface Builder unarchiving • CoreData Leakpoint: current status Handle basic C / C++ / Objective C Handle Cocoa ✔ Handle CoreFoundation✔
Need to investigate approximately 40 false positive (probably) leak reports • Interface Builder unarchiving • CoreData Leakpoint: current status Handle basic C / C++ / Objective C Handle Cocoa ✔ Handle CoreFoundation✔ 64bit compatible
Need to investigate approximately 40 false positive (probably) leak reports • Interface Builder unarchiving • CoreData Leakpoint: current status Handle basic C / C++ / Objective C Handle Cocoa ✔ Handle CoreFoundation✔ 64bit compatible✔
A real leak?: _NSImageMalloc void *_NSImageMalloc(NSZone* zone, size_t size) { // allocate storage aligned to 32 bytes. we do this by // allocating an extra 32 bytes, finding the address in the proper // location and storing the delta in one of the previous 32 bytes. void *unaligned = NSZoneMalloc(zone, size + BITMAP_DATA_ALIGNMENT); if(unaligned != NULL) { uintptr_t aligned = ((uintptr_t)unaligned + BITMAP_DATA_ALIGNMENT) & ~(BITMAP_DATA_ALIGNMENT - 1); (unsigned char*)aligned[-1] = aligned - (uintptr_t) unaligned; return (void*)aligned; } else { return NULL; } }
Overhead Powerful but expensive 50 -100x overheads are common
Overhead Powerful but expensive 50 -100x overheads are common Recommended usage: run cheap tools to check for errors run expensive tools to diagnose errors
Future work + Leakpoint ( )
Future work Impact + Leakpoint ( )
Future work • Apple ■ new leak detection tool ■ experience with dynamic taint analysis Impact + Leakpoint ( )
Future work • Apple ■ new leak detection tool ■ experience with dynamic taint analysis • Me ■ experience withValgrind ■ experience analyzing large commercial code base Impact + Leakpoint ( )
Questions?

More Related Content

PPTX
Do we need Unsafe in Java?
byAndrei Pangin
 
PDF
sizeof(Object): how much memory objects take on JVMs and when this may matter
byDawid Weiss
 
PDF
Unbearable Test Code Smell
bySteven Mak
 
PDF
C++ game development with oxygine
bycorehard_by
 
DOCX
Travel management
by1Parimal2
 
PDF
Обзор фреймворка Twisted
byMaxim Kulsha
 
PPTX
How Data Flow analysis works in a static code analyzer
byAndrey Karpov
 
PDF
Grails/Groovyによる開発事例紹介
byKiyotaka Oku
 
Do we need Unsafe in Java?
byAndrei Pangin
 
sizeof(Object): how much memory objects take on JVMs and when this may matter
byDawid Weiss
 
Unbearable Test Code Smell
bySteven Mak
 
C++ game development with oxygine
bycorehard_by
 
Travel management
by1Parimal2
 
Обзор фреймворка Twisted
byMaxim Kulsha
 
How Data Flow analysis works in a static code analyzer
byAndrey Karpov
 
Grails/Groovyによる開発事例紹介
byKiyotaka Oku
 

What's hot

PDF
PVS-Studio in 2021 - Error Examples
byAndrey Karpov
 
ODP
EcmaScript 6
byManoj Kumar
 
PDF
Construire une application JavaFX 8 avec gradle
byThierry Wasylczenko
 
PDF
.NET Multithreading and File I/O
byJussi Pohjolainen
 
PDF
HelsinkiJS meet-up. Dmitry Soshnikov - ECMAScript 6
byDmitry Soshnikov
 
PDF
Advanced Java Practical File
bySoumya Behera
 
PPTX
ES6 in Real Life
byDomenic Denicola
 
PPT
Mod04 debuggers
byPeter Haase
 
KEY
Designing Opeation Oriented Web Applications / YAPC::Asia Tokyo 2011
byMasahiro Nagano
 
PDF
Introduction to web programming for java and c# programmers by @drpicox
byDavid Rodenas
 
PDF
Design Patterns Reconsidered
byAlex Miller
 
PDF
Csw2016 gawlik bypassing_differentdefenseschemes
byCanSecWest
 
DOC
Ds 2 cycle
byChaitanya Kn
 
PDF
#JavaFX.forReal() - ElsassJUG
byThierry Wasylczenko
 
PDF
The Ring programming language version 1.2 book - Part 79 of 84
byMahmoud Samir Fayed
 
PDF
Oxygine 2 d objects,events,debug and resources
bycorehard_by
 
PPT
Ggug spock
bySkills Matter
 
PDF
Concurrency Concepts in Java
byDoug Hawkins
 
PDF
Better Software: introduction to good code
byGiordano Scalzo
 
PDF
First Steps. (db4o - Object Oriented Database)
byWildan Maulana
 
PVS-Studio in 2021 - Error Examples
byAndrey Karpov
 
EcmaScript 6
byManoj Kumar
 
Construire une application JavaFX 8 avec gradle
byThierry Wasylczenko
 
.NET Multithreading and File I/O
byJussi Pohjolainen
 
HelsinkiJS meet-up. Dmitry Soshnikov - ECMAScript 6
byDmitry Soshnikov
 
Advanced Java Practical File
bySoumya Behera
 
ES6 in Real Life
byDomenic Denicola
 
Mod04 debuggers
byPeter Haase
 
Designing Opeation Oriented Web Applications / YAPC::Asia Tokyo 2011
byMasahiro Nagano
 
Introduction to web programming for java and c# programmers by @drpicox
byDavid Rodenas
 
Design Patterns Reconsidered
byAlex Miller
 
Csw2016 gawlik bypassing_differentdefenseschemes
byCanSecWest
 
Ds 2 cycle
byChaitanya Kn
 
#JavaFX.forReal() - ElsassJUG
byThierry Wasylczenko
 
The Ring programming language version 1.2 book - Part 79 of 84
byMahmoud Samir Fayed
 
Oxygine 2 d objects,events,debug and resources
bycorehard_by
 
Ggug spock
bySkills Matter
 
Concurrency Concepts in Java
byDoug Hawkins
 
Better Software: introduction to good code
byGiordano Scalzo
 
First Steps. (db4o - Object Oriented Database)
byWildan Maulana
 

Viewers also liked

PPT
Nmr Course
bySimon Stromberg
 
PDF
Snl 5 white paper
byMaksim Gladkiy
 
PPS
SEIC - Pipeline Modelling Software for GAS
byLetizia Conter
 
PPT
American Leak Detection - Description of Services
byJoshua Butler
 
KEY
Cross-platform logging and analytics
byDrew Crawford
 
PPTX
SOG data: Understanding Data as Information
byMicheleTyler
 
Nmr Course
bySimon Stromberg
 
Snl 5 white paper
byMaksim Gladkiy
 
SEIC - Pipeline Modelling Software for GAS
byLetizia Conter
 
American Leak Detection - Description of Services
byJoshua Butler
 
Cross-platform logging and analytics
byDrew Crawford
 
SOG data: Understanding Data as Information
byMicheleTyler
 

Similar to Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)

PDF
Introduction to Objective - C
byJussi Pohjolainen
 
PPT
Objective C Memory Management
byAhmed Magdy Ezzeldin, MSc.
 
PDF
Memory Management and Leaks in Postgres from pgext.day 2025
byPhil Eaton
 
PPTX
C++ memory leak detection
byVõ Hòa
 
PDF
Managing Memory in Swift (Yes, that's a thing)
byCarl Brown
 
PDF
iPhone Memory Management
byVadim Zimin
 
PDF
Advanced debugging
byAli Akhtar
 
PDF
Software Design: Impact of Memory Usage (Copying, Cloning and Aliases)
byAdair Dingle
 
PDF
TotalView - Memory debugging in parallel and distributed applications
byIBM India Smarter Computing
 
PDF
Introduction to objective c
bysagaroceanic11
 
PPT
Lecture 3-ARC
byZiku Spartan
 
PDF
20140531 serebryany lecture02_find_scary_cpp_bugs
byComputer Science Club
 
PDF
Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)
byJames Clause
 
KEY
Objective-C & iPhone for .NET Developers
byBen Scheirman
 
PDF
Taint-based Dynamic Analysis (CoC Research Day 2009)
byJames Clause
 
PPT
Memory management in Objective C
byNeha Gupta
 
PPTX
Memory protection using dynamic tainting
byUSERAAPKA
 
PDF
Lecture 10 slides (february 4, 2010)
byBruce Lee
 
PDF
MSL2009. Valgrind
byJuan A. Suárez Romero
 
PDF
Efficient and linear static approach for finding the memory leak in C
byIJECEIAES
 
Introduction to Objective - C
byJussi Pohjolainen
 
Objective C Memory Management
byAhmed Magdy Ezzeldin, MSc.
 
Memory Management and Leaks in Postgres from pgext.day 2025
byPhil Eaton
 
C++ memory leak detection
byVõ Hòa
 
Managing Memory in Swift (Yes, that's a thing)
byCarl Brown
 
iPhone Memory Management
byVadim Zimin
 
Advanced debugging
byAli Akhtar
 
Software Design: Impact of Memory Usage (Copying, Cloning and Aliases)
byAdair Dingle
 
TotalView - Memory debugging in parallel and distributed applications
byIBM India Smarter Computing
 
Introduction to objective c
bysagaroceanic11
 
Lecture 3-ARC
byZiku Spartan
 
20140531 serebryany lecture02_find_scary_cpp_bugs
byComputer Science Club
 
Leakpoint: Pinpointing the Causes of Memory Leaks (ICSE 2010)
byJames Clause
 
Objective-C & iPhone for .NET Developers
byBen Scheirman
 
Taint-based Dynamic Analysis (CoC Research Day 2009)
byJames Clause
 
Memory management in Objective C
byNeha Gupta
 
Memory protection using dynamic tainting
byUSERAAPKA
 
Lecture 10 slides (february 4, 2010)
byBruce Lee
 
MSL2009. Valgrind
byJuan A. Suárez Romero
 
Efficient and linear static approach for finding the memory leak in C
byIJECEIAES
 

More from James Clause

PDF
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
byJames Clause
 
PDF
Effective Memory Protection Using Dynamic Tainting (ASE 2007)
byJames Clause
 
PDF
Camouflage: Automated Anonymization of Field Data (ICSE 2011)
byJames Clause
 
PDF
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
byJames Clause
 
PDF
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
byJames Clause
 
PDF
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
byJames Clause
 
PDF
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
byJames Clause
 
PDF
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
byJames Clause
 
PDF
Enabling and Supporting the Debugging of Field Failures (Job Talk)
byJames Clause
 
PDF
Initial Explorations on Design Pattern Energy Usage (GREENS 12)
byJames Clause
 
PDF
Energy-directed Test Suite Optimization (GREENS 2013)
byJames Clause
 
PDF
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
byJames Clause
 
Penumbra: Automatically Identifying Failure-Relevant Inputs (ISSTA 2009)
byJames Clause
 
Effective Memory Protection Using Dynamic Tainting (ASE 2007)
byJames Clause
 
Camouflage: Automated Anonymization of Field Data (ICSE 2011)
byJames Clause
 
A Technique for Enabling and Supporting Debugging of Field Failures (ICSE 2007)
byJames Clause
 
Enabling and Supporting the Debugging of Software Failures (PhD Defense)
byJames Clause
 
Demand-Driven Structural Testing with Dynamic Instrumentation (ICSE 2005)
byJames Clause
 
Dytan: A Generic Dynamic Taint Analysis Framework (ISSTA 2007)
byJames Clause
 
Debugging Field Failures by Minimizing Captured Executions (ICSE 2009: NIER e...
byJames Clause
 
Enabling and Supporting the Debugging of Field Failures (Job Talk)
byJames Clause
 
Initial Explorations on Design Pattern Energy Usage (GREENS 12)
byJames Clause
 
Energy-directed Test Suite Optimization (GREENS 2013)
byJames Clause
 
Investigating the Impacts of Web Servers on Web Application Energy Usage (GRE...
byJames Clause
 

Recently uploaded

PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
December Patch Tuesday
byIvanti
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 

Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)

  • 1.
    Advanced dynamic analysis forleak detection Jim Clause Chris Friesen - Manager Analysis Tools Group
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
    ≈ X-ray MRI Current analysis tools SharkInstruments C A B 312 Z 3 Dynamic taint analysis ≈
  • 7.
  • 8.
    Dynamic taint analysis 1Assign taint marks C A B Z
  • 9.
    Dynamic taint analysis 1Assign taint marks C A B 312 Z
  • 10.
    Dynamic taint analysis 1Assign taint marks 2 Propagate taint marks C A B 312 Z
  • 11.
    Dynamic taint analysis 1Assign taint marks 2 Propagate taint marks C A B 312 Z
  • 12.
    Dynamic taint analysis 1Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z
  • 13.
    Dynamic taint analysis 1Assign taint marks 3 Check taint marks 2 Propagate taint marks C A B 312 Z C A B 312 Z 3
  • 14.
    Attack detection /prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errors
  • 15.
    Attack detection /prevention Prevent stack smashing, SQL injection, buffer overruns, etc. Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errors
  • 16.
    Information policy enforcement ensureclassified information does not leave the system Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errors
  • 17.
    Testing Coverage metrics, testdata generation heuristic, etc. ✔/✘ Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errors
  • 18.
    Data lifetime track howlong sensitive data remain in the application Attack detection / prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errors
  • 19.
    Attack detection /prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errorsMemory errors Detect illegal memory access, leak detection, etc.
  • 20.
    Attack detection /prevention Information policy enforcement Testing Data lifetime Applications of dynamic tainting Memory errorsMemory errors Detect illegal memory access, leak detection, etc.leak detection
  • 21.
    Detecting leaks iseasy, fixing them is hard
  • 22.
    Detecting leaks iseasy, fixing them is hard @interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { //[_object release]; [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end
  • 23.
    Detecting leaks iseasy, fixing them is hard @interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { //[_object release]; [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; }
  • 24.
    Detecting leaks iseasy, fixing them is hard @interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { //[_object release]; [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; } leaks: This object is leaked
  • 25.
    Leakpoint overview Discover wherethe last pointer to un-freed memory is lost
  • 26.
    Leakpoint overview Assign taint marks Propagate taintmarks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 1 1 1 Discover where the last pointer to un-freed memory is lost
  • 27.
    Leakpoint overview Assign taint marks Propagate taintmarks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 Discover where the last pointer to un-freed memory is lost
  • 28.
    Leakpoint overview Assign taint marks Propagate taintmarks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost
  • 29.
    Leakpoint overview Assign taint marks Propagate taintmarks Check taint marks ptr1 = malloc(...) ➔ ptr1 ptr2 = calloc(...) ➔ ptr2 ptr3 = ptr1 ➔ ptr3 , ptr1 ptr1 = NULL ➔ ptr1 , ptr3 ptr4 = ptr2 + 1 ➔ ptr4 , ptr2 Report error if taint mark’s count is zero and memory has not been freed. 2 3 1 1 1 1 2 2 2 1 1 2 2 In general propagation follows standard pointer arithmetic rules Discover where the last pointer to un-freed memory is lost
  • 30.
    @interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; } Detecting leaks is easy, fixing them is easier
  • 31.
    @interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; } leakpoint: This object is leaked Detecting leaks is easy, fixing them is easier
  • 32.
    @interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; } leakpoint: Last reference was lost here leakpoint: This object is leaked Detecting leaks is easy, fixing them is easier
  • 33.
    @interface Container:NSObject { id _object; } @end @implementation Container - (void) dealloc { [super dealloc]; } - (void) setObject:(id)obj { [_object release]; _object = [obj retain]; } @end Container *create() { Container *c = [[Container alloc] init]; NSObject *o = [[NSObject alloc] init]; [c setObject:o]; [o release]; return c; } int main(...) { Container *c = create(); … [c release]; } [_object release]; leakpoint: Last reference was lost here leakpoint: This object is leaked Detecting leaks is easy, fixing them is easier
  • 34.
    Leakpoint implementation • Implementedas aValgrind tool (www.valgrind.org) ■ intercept libc memory management functions ■ instrument binary instructions to perform propagation
  • 35.
    Lost pointer to0x1C93AC0 (16 bytes)  allocated at:   at calloc+105   by _internal_class_createInstanceFromZone+149   by _internal_class_createInstance+31   by +[NSObject allocWithZone:]+155 (NSObject.m:445)   by +[NSObject alloc]+41 (NSObject.m:432)   by create+97 (main.m:29)   by main+17 (main.m:38)  leaked at:   at free+103   by _internal_object_dispose+81   by NSDeallocateObject+223 (NSObject.m:207)   by -[Container dealloc]+53 (container.m:13)   by main+43 (main.m:40) Leakpoint implementation • Implemented as aValgrind tool (www.valgrind.org) ■ intercept libc memory management functions ■ instrument binary instructions to perform propagation
  • 36.
    leaks Lost pointer to0x1C93AC0 (16 bytes)  allocated at:   at calloc+105   by _internal_class_createInstanceFromZone+149   by _internal_class_createInstance+31   by +[NSObject allocWithZone:]+155 (NSObject.m:445)   by +[NSObject alloc]+41 (NSObject.m:432)   by create+97 (main.m:29)   by main+17 (main.m:38)  leaked at:   at free+103   by _internal_object_dispose+81   by NSDeallocateObject+223 (NSObject.m:207)   by -[Container dealloc]+53 (container.m:13)   by main+43 (main.m:40) Leakpoint implementation • Implemented as aValgrind tool (www.valgrind.org) ■ intercept libc memory management functions ■ instrument binary instructions to perform propagation
  • 37.
    leakpoint leaks Lost pointer to0x1C93AC0 (16 bytes)  allocated at:   at calloc+105   by _internal_class_createInstanceFromZone+149   by _internal_class_createInstance+31   by +[NSObject allocWithZone:]+155 (NSObject.m:445)   by +[NSObject alloc]+41 (NSObject.m:432)   by create+97 (main.m:29)   by main+17 (main.m:38)  leaked at:   at free+103   by _internal_object_dispose+81   by NSDeallocateObject+223 (NSObject.m:207)   by -[Container dealloc]+53 (container.m:13)   by main+43 (main.m:40) Leakpoint implementation • Implemented as aValgrind tool (www.valgrind.org) ■ intercept libc memory management functions ■ instrument binary instructions to perform propagation
  • 38.
  • 39.
    Leakpoint: current status Handlebasic C / C++ / Objective C
  • 40.
    Leakpoint: current status Handlebasic C / C++ / Objective C✔
  • 41.
    Leakpoint: current status Handlebasic C / C++ / Objective C✔ Handle CoreFoundation
  • 42.
    Leakpoint: current status Handlebasic C / C++ / Objective C✔ Handle CoreFoundation✔
  • 43.
    Leakpoint: current status Handlebasic C / C++ / Objective C Handle Cocoa ✔ Handle CoreFoundation✔
  • 44.
    Need to investigateapproximately 40 false positive (probably) leak reports • Interface Builder unarchiving • CoreData Leakpoint: current status Handle basic C / C++ / Objective C Handle Cocoa ✔ Handle CoreFoundation✔
  • 45.
    Need to investigateapproximately 40 false positive (probably) leak reports • Interface Builder unarchiving • CoreData Leakpoint: current status Handle basic C / C++ / Objective C Handle Cocoa ✔ Handle CoreFoundation✔ 64bit compatible
  • 46.
    Need to investigateapproximately 40 false positive (probably) leak reports • Interface Builder unarchiving • CoreData Leakpoint: current status Handle basic C / C++ / Objective C Handle Cocoa ✔ Handle CoreFoundation✔ 64bit compatible✔
  • 47.
    A real leak?:_NSImageMalloc void *_NSImageMalloc(NSZone* zone, size_t size) { // allocate storage aligned to 32 bytes. we do this by // allocating an extra 32 bytes, finding the address in the proper // location and storing the delta in one of the previous 32 bytes. void *unaligned = NSZoneMalloc(zone, size + BITMAP_DATA_ALIGNMENT); if(unaligned != NULL) { uintptr_t aligned = ((uintptr_t)unaligned + BITMAP_DATA_ALIGNMENT) & ~(BITMAP_DATA_ALIGNMENT - 1); (unsigned char*)aligned[-1] = aligned - (uintptr_t) unaligned; return (void*)aligned; } else { return NULL; } }
  • 48.
    Overhead Powerful but expensive 50-100x overheads are common
  • 49.
    Overhead Powerful but expensive 50-100x overheads are common Recommended usage: run cheap tools to check for errors run expensive tools to diagnose errors
  • 50.
  • 51.
  • 52.
    Future work • Apple ■new leak detection tool ■ experience with dynamic taint analysis Impact + Leakpoint ( )
  • 53.
    Future work • Apple ■new leak detection tool ■ experience with dynamic taint analysis • Me ■ experience withValgrind ■ experience analyzing large commercial code base Impact + Leakpoint ( )
  • 54.