SlideShare a Scribd company logo

Stale pointers are the new black

V
Vincenzo Iozzo

The document discusses using static analysis techniques like pointer analysis to detect bugs involving stale pointers. It presents an approach that first converts programs to SSA form and then performs intraprocedural and interprocedural pointer analysis to track pointer aliases and detect when pointers may be used after the memory they point to has been freed or reallocated. The analysis combines dataflow and abstract interpretation to build and propagate pointer alias information within and across functions to find potential stale pointer bugs.

Technology
1 of 63
Download to read offline
Stale  pointers  are  the  new  black   Vincenzo  Iozzo,  Giovanni  Gola   vincenzo.iozzo@zynamics.com   giovanni.gola@mail.polimi.it  
Disclaimer   In  this  talk  you  won’t  see  all  those  formulas,  formal  definiEon,  code  snippets   and  bullets.     From  past  experiences  the  speaker  learned  that  all  the  aforemenEoned   elements  are  no  useful  in  making  people  understand  your  idea.   You  instead  will  see  a  lot  of  funny  pictures  which  the  speaker  hopes  will   convey  beHer  the  understanding  of  the  ideas  explained  in  the  talk   You  don’t  want  slides  like   this,  do  you?  
Stale  pointers  are  the  new  black  
MoEvaEons  
Different  approaches  then..  
..  Or  StaEc  Analysis!   • Dataflow  analysis   • Model  Checking   • Theorem  Proving  
Our  Idea  
How  it  works   Intraprocedural   Interprocedural   SSA  Form   Bug  detecEon   pointer  analysis   pointer  analysis  
Single  StaEc  Assignment  Form  
Example   mov  eax,  0x40   mov  eax,  0x100   mov  ebx,  0x2   cmp  ecx,  edx   Jle  1   mov  ebx,  0x4   mov  ebx,  0x20  
Looks  beHer,  right?   mov  eax_0,  0x40   mov  eax_1,  0x100   mov  ebx_0,  0x2   cmp  ecx,  edx   Jle  1   mov    ebx_1,  0x4   mov  ebx_2,  0x20  
How  about  now?   mov  eax_0,  0x40   Mov  eax_1,  0x100   Mov  ebx_0,  0x2   cmp  ecx,  edx   Jle  1   mov  ebx_1,  0x4   mov  ebx_2,  0x20   mov    ecx,  ebx_?  
Tah-­‐dah!   mov  eax_0,  0x40   mov  eax_1,  0x100   mov  ebx_0,  0x2   cmp  ecx,  edx   Jle  1   mov    ebx_1,  0x4   mov  ebx_2,  0x20   mov  0x4,   ebx_return_from_phi  
Intermediate  language  interlude  
Enter  REIL   A  small  introducEon  to  the  REIL  meta  language   • small  RISC  instrucEon  set  (17  instrucEons)       • ArithmeEc  instrucEons  (ADD,  SUB,  MUL,  DIV,  MOD,  BSH)     • Bitwise  instrucEons  (AND,  OR,  XOR)     • Logical  instrucEons  (BISZ,  JCC)     • Data  transfer  instrucEons  (LDM,  STM,  STR)     • Other  instrucEons  (NOP,  UNDEF,  UNKN)     • register  machine       • unlimited  number  of  temp  registers     • side  effect  free     • no  excepEons,  floaEng  point,  64Bit,  ..    
Example  
Translated  
Back  to  SSA    
Flavours   • Non-­‐pruned   • Semi-­‐pruned   • Pruned  
Non-­‐locals   ldm  0x1000,  t0   add  t0,  t1,  t2   ldm  t2,  ,  t3   t0  is  a   non-­‐ ldm  t0,  t4   local    
Algorithm   • Find  non-­‐locals   • Place  phi-­‐funcEons   • Recursively  rename  variables  
A  funcEon  
In  SSA  Form  
Detour..  Abstract  interpretaEon  
Abstract  InterpretaEon  
Abstract  InterpretaEon..  formally     Give  several  semanEcs  linked  by  relaEons  of       abstracEon    
MonoREIL  
So  what  you  need?   •  The  control  flow  graph  of  a  funcEon   •  A  way  to  walk  the  CFG   •  The  lahce     – Its  elements   – A  way  to  combine  lahce  elements   •  An  iniEal  state   •  REIL  instrucEons  effects  on  the  lahce  
One  constraint!     The  lahce  has  to  saEsfy  the  ascending  chain       condiEon  
Now  the  analysis  itself  
Intraprocedural  Analysis   •  Pointer  Analysis:  Efficiency   •  Shape  Analysis:  Precision   •  Alias  Set  Analysis:  Tradeoff  between  the   two  
Data  Structures   •  push()  and  pop()  on  linked  lists:  30%   faster   •  Hash  consing:  30%  memory  saving  
Transfer  FuncEons  
combine()   •  Filter  out  non-­‐live  variables  from  each  alias   list:   •  live-­‐out(inst)  ⊆  vars(dom(inst))   •  Alias  list  ∩  vars(sdom(Φ)):   •  pop()  from  the  list  unEl     top(alias  list)  ∈  vars(sdom(Φ))   •  Add  aliases  defined  by  Φ  funcEons   •  Unite  the  sets  of  lists  
Data  Structures  Again  
Example  
Tracking  parameters  and  return   •  IDA  effecEvely  tracks  parameters   •  return  is  idenEfied  by  guessing  the   calling  convenEon  
Interprocedural  Analysis  
Algorithm   •  Flow-­‐insensiEve   •  Context-­‐sensiEve   •  Implemented  in  BinNavi:   •  walks  on  the  PCG  
Procedure  Call  Graph  
TransformaEons  
TransformaEons  
TransformaEons  
TransformaEons  
combine()  
Bug  DetecEon  
Callgraph  pruning  
Callgraph  pruning  
Callgraph  pruning  
Marking  destructor()  calls  
Algorithm    v  is  a  tracked  alias   •   X  is  a  basic  block  of  F  that  calls  the  destructor   •  •  B  is  a  basic  block  of  F  that  accesses  v  or  calls  a  funcEon     that  accesses  v   •  Verify  the  following:       if  B  ∈  dom(X)  ⇒  v  is  a  stale  pointer    if  B  !∈  dom(X)  ∧  B  ∈  succ(X)  ⇒  v  may  be  a  stale  pointer    if  X  !∈  dom(B)  ∧  X  ∈  succ(B)  ⇒  v  may  cause  memory  leak   • if  X  !∈  dom(B)  ∧  X  !∈  succ(B)  ⇒  v  causes  memory  leak    Iterate  subsEtuEng:   •  • F  with  each  of  its  callers   • X  with  a  basic  block  that  calls  F  
Example   No  bugs  
Example   No  bugs  
Example   Use  amer  free  bug  
Example   Use  amer  free  bug  
Example   Use  amer  free  bug  (maybe)  
Example   Use  amer  free  bug  (maybe)  
Example   No  bugs  
Example   Use  amer  free  bug  
Example   Use  amer  free  bug  (maybe)  
What’s  the  catch   •  We  cannot  handle  all  data  structures   •  We  cannot  handle  funcEon  pointers   •  We  have  false  posiEves   •  We  have  false  negaEves   •  Some  “smart  pointers”-­‐like  interfaces  might   not  be  covered   •  The  best  use  is  for  C++  life-­‐span  issues  
Future   •  Increase  the  number  of  covered  data  structure   •  Use  a  solver  to  reduce  false  posiEves   •  Import  dynamic  analysis  data  to  miEgate  the   funcEon  pointers  problem  
That’s  all  folks  

Recommended

Lz77 by ayush
Lz77 by ayushLz77 by ayush
Lz77 by ayush
Ayush Gupta
 
Introduction to Scala
Introduction to ScalaIntroduction to Scala
Introduction to Scala
Brian Hsu
 
Cheat Sheet java
Cheat Sheet javaCheat Sheet java
Cheat Sheet java
arkslideshareacc
 
C# loops
C# loopsC# loops
C# loops
baabtra.com - No. 1 supplier of quality freshers
 
Milot Shala - C++ (OSCAL2014)
Milot Shala - C++ (OSCAL2014)Milot Shala - C++ (OSCAL2014)
Milot Shala - C++ (OSCAL2014)
Open Labs Albania
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paper
Vincenzo Iozzo
 
DEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksDEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliks
Felipe Prado
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
Hackito Ergo Sum
 

Recommended

Lz77 by ayush
Lz77 by ayushLz77 by ayush
Lz77 by ayush
Ayush Gupta
 
Introduction to Scala
Introduction to ScalaIntroduction to Scala
Introduction to Scala
Brian Hsu
 
Cheat Sheet java
Cheat Sheet javaCheat Sheet java
Cheat Sheet java
arkslideshareacc
 
C# loops
C# loopsC# loops
C# loops
baabtra.com - No. 1 supplier of quality freshers
 
Milot Shala - C++ (OSCAL2014)
Milot Shala - C++ (OSCAL2014)Milot Shala - C++ (OSCAL2014)
Milot Shala - C++ (OSCAL2014)
Open Labs Albania
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paper
Vincenzo Iozzo
 
DEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksDEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliks
Felipe Prado
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
Hackito Ergo Sum
 
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Sergey Platonov
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
frank2
 
Beating Floating Point at its Own Game: Posit Arithmetic
Beating Floating Point at its Own Game: Posit ArithmeticBeating Floating Point at its Own Game: Posit Arithmetic
Beating Floating Point at its Own Game: Posit Arithmetic
inside-BigData.com
 
Data structures
Data structuresData structures
Data structures
Pranav Gupta
 
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Willem van Ketwich
 
The walking 0xDEAD
The walking 0xDEADThe walking 0xDEAD
The walking 0xDEAD
Carlos Garcia Prado
 
8086 labmanual
8086 labmanual8086 labmanual
8086 labmanual
nagnitw2006
 
8086 labmanual
8086 labmanual8086 labmanual
8086 labmanual
iravi9
 
Protecting C++
Protecting C++Protecting C++
Protecting C++
Pavel Filonov
 
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019 Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
corehard_by
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
UTD Computer Security Group
 
Chapter1c
Chapter1cChapter1c
Chapter1c
MaeEstherMaguadMaralit
 
C language programming
C language programmingC language programming
C language programming
pullarao29
 
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Jonathan Salwan
 
Assembler
AssemblerAssembler
Assembler
Mohd Arif
 
Faster, More Effective Flowgraph-based Malware Classification
Faster, More Effective Flowgraph-based Malware ClassificationFaster, More Effective Flowgraph-based Malware Classification
Faster, More Effective Flowgraph-based Malware Classification
Silvio Cesare
 
Taint analysis
Taint analysisTaint analysis
Taint analysis
Edgar Barbosa
 
Javascript engine performance
Javascript engine performanceJavascript engine performance
Javascript engine performance
Duoyi Wu
 
Assem -lect-6
Assem -lect-6Assem -lect-6
Assem -lect-6
Dolly Angel
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
n|u - The Open Security Community
 
A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threats
Vincenzo Iozzo
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paper
Vincenzo Iozzo
 

More Related Content

Similar to Stale pointers are the new black

Beating Floating Point at its Own Game: Posit Arithmetic
Beating Floating Point at its Own Game: Posit ArithmeticBeating Floating Point at its Own Game: Posit Arithmetic
Beating Floating Point at its Own Game: Posit Arithmetic
inside-BigData.com
 
8086 labmanual
8086 labmanual8086 labmanual
8086 labmanual
iravi9
 
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019 Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
corehard_by
 
Faster, More Effective Flowgraph-based Malware Classification
Faster, More Effective Flowgraph-based Malware ClassificationFaster, More Effective Flowgraph-based Malware Classification
Faster, More Effective Flowgraph-based Malware Classification
Silvio Cesare
 
Javascript engine performance
Javascript engine performanceJavascript engine performance
Javascript engine performance
Duoyi Wu
 

Similar to Stale pointers are the new black (20)

Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against itEvgeniy Muralev, Mark Vince, Working with the compiler, not against it
Evgeniy Muralev, Mark Vince, Working with the compiler, not against it
 
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
 
Beating Floating Point at its Own Game: Posit Arithmetic
Beating Floating Point at its Own Game: Posit ArithmeticBeating Floating Point at its Own Game: Posit Arithmetic
Beating Floating Point at its Own Game: Posit Arithmetic
 
Data structures
Data structuresData structures
Data structures
 
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van KetwichCreating a Fibonacci Generator in Assembly - by Willem van Ketwich
Creating a Fibonacci Generator in Assembly - by Willem van Ketwich
 
The walking 0xDEAD
The walking 0xDEADThe walking 0xDEAD
The walking 0xDEAD
 
8086 labmanual
8086 labmanual8086 labmanual
8086 labmanual
 
8086 labmanual
8086 labmanual8086 labmanual
8086 labmanual
 
Protecting C++
Protecting C++Protecting C++
Protecting C++
 
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019 Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
Защищая С++. Павел Филонов ➠ CoreHard Autumn 2019
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
 
Chapter1c
Chapter1cChapter1c
Chapter1c
 
C language programming
C language programmingC language programming
C language programming
 
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
 
Assembler
AssemblerAssembler
Assembler
 
Faster, More Effective Flowgraph-based Malware Classification
Faster, More Effective Flowgraph-based Malware ClassificationFaster, More Effective Flowgraph-based Malware Classification
Faster, More Effective Flowgraph-based Malware Classification
 
Taint analysis
Taint analysisTaint analysis
Taint analysis
 
Javascript engine performance
Javascript engine performanceJavascript engine performance
Javascript engine performance
 
Assem -lect-6
Assem -lect-6Assem -lect-6
Assem -lect-6
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 

More from Vincenzo Iozzo

A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threats
Vincenzo Iozzo
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paper
Vincenzo Iozzo
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPpery
Vincenzo Iozzo
 

More from Vincenzo Iozzo (11)

A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threats
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paper
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPpery
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paper
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009
 
Let Your Mach-O Fly, Black Hat DC 2009
Let Your Mach-O Fly, Black Hat DC 2009Let Your Mach-O Fly, Black Hat DC 2009
Let Your Mach-O Fly, Black Hat DC 2009
 
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
Fun and Games with Mac OS X and iPhone Payloads, Black Hat Europe 2009
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 

Recently uploaded

Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
Expeed Software
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 

Recently uploaded (20)

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 

Stale pointers are the new black

  • 1. Stale  pointers  are  the  new  black   Vincenzo  Iozzo,  Giovanni  Gola   vincenzo.iozzo@zynamics.com   giovanni.gola@mail.polimi.it  
  • 2. Disclaimer   In  this  talk  you  won’t  see  all  those  formulas,  formal  definiEon,  code  snippets   and  bullets.     From  past  experiences  the  speaker  learned  that  all  the  aforemenEoned   elements  are  no  useful  in  making  people  understand  your  idea.   You  instead  will  see  a  lot  of  funny  pictures  which  the  speaker  hopes  will   convey  beHer  the  understanding  of  the  ideas  explained  in  the  talk   You  don’t  want  slides  like   this,  do  you?  
  • 3. Stale  pointers  are  the  new  black  
  • 6. ..  Or  StaEc  Analysis!   • Dataflow  analysis   • Model  Checking   • Theorem  Proving  
  • 8. How  it  works   Intraprocedural   Interprocedural   SSA  Form   Bug  detecEon   pointer  analysis   pointer  analysis  
  • 10. Example   mov  eax,  0x40   mov  eax,  0x100   mov  ebx,  0x2   cmp  ecx,  edx   Jle  1   mov  ebx,  0x4   mov  ebx,  0x20  
  • 11. Looks  beHer,  right?   mov  eax_0,  0x40   mov  eax_1,  0x100   mov  ebx_0,  0x2   cmp  ecx,  edx   Jle  1   mov    ebx_1,  0x4   mov  ebx_2,  0x20  
  • 12. How  about  now?   mov  eax_0,  0x40   Mov  eax_1,  0x100   Mov  ebx_0,  0x2   cmp  ecx,  edx   Jle  1   mov  ebx_1,  0x4   mov  ebx_2,  0x20   mov    ecx,  ebx_?  
  • 13. Tah-­‐dah!   mov  eax_0,  0x40   mov  eax_1,  0x100   mov  ebx_0,  0x2   cmp  ecx,  edx   Jle  1   mov    ebx_1,  0x4   mov  ebx_2,  0x20   mov  0x4,   ebx_return_from_phi  
  • 15. Enter  REIL   A  small  introducEon  to  the  REIL  meta  language   • small  RISC  instrucEon  set  (17  instrucEons)       • ArithmeEc  instrucEons  (ADD,  SUB,  MUL,  DIV,  MOD,  BSH)     • Bitwise  instrucEons  (AND,  OR,  XOR)     • Logical  instrucEons  (BISZ,  JCC)     • Data  transfer  instrucEons  (LDM,  STM,  STR)     • Other  instrucEons  (NOP,  UNDEF,  UNKN)     • register  machine       • unlimited  number  of  temp  registers     • side  effect  free     • no  excepEons,  floaEng  point,  64Bit,  ..    
  • 20. Non-­‐locals   ldm  0x1000,  t0   add  t0,  t1,  t2   ldm  t2,  ,  t3   t0  is  a   non-­‐ ldm  t0,  t4   local    
  • 21. Algorithm   • Find  non-­‐locals   • Place  phi-­‐funcEons   • Recursively  rename  variables  
  • 26. Abstract  InterpretaEon..  formally     Give  several  semanEcs  linked  by  relaEons  of       abstracEon    
  • 28. So  what  you  need?   •  The  control  flow  graph  of  a  funcEon   •  A  way  to  walk  the  CFG   •  The  lahce     – Its  elements   – A  way  to  combine  lahce  elements   •  An  iniEal  state   •  REIL  instrucEons  effects  on  the  lahce  
  • 29. One  constraint!     The  lahce  has  to  saEsfy  the  ascending  chain       condiEon  
  • 30. Now  the  analysis  itself  
  • 31. Intraprocedural  Analysis   •  Pointer  Analysis:  Efficiency   •  Shape  Analysis:  Precision   •  Alias  Set  Analysis:  Tradeoff  between  the   two  
  • 32. Data  Structures   •  push()  and  pop()  on  linked  lists:  30%   faster   •  Hash  consing:  30%  memory  saving  
  • 34. combine()   •  Filter  out  non-­‐live  variables  from  each  alias   list:   •  live-­‐out(inst)  ⊆  vars(dom(inst))   •  Alias  list  ∩  vars(sdom(Φ)):   •  pop()  from  the  list  unEl     top(alias  list)  ∈  vars(sdom(Φ))   •  Add  aliases  defined  by  Φ  funcEons   •  Unite  the  sets  of  lists  
  • 37. Tracking  parameters  and  return   •  IDA  effecEvely  tracks  parameters   •  return  is  idenEfied  by  guessing  the   calling  convenEon  
  • 39. Algorithm   •  Flow-­‐insensiEve   •  Context-­‐sensiEve   •  Implemented  in  BinNavi:   •  walks  on  the  PCG  
  • 51. Algorithm    v  is  a  tracked  alias   •   X  is  a  basic  block  of  F  that  calls  the  destructor   •  •  B  is  a  basic  block  of  F  that  accesses  v  or  calls  a  funcEon     that  accesses  v   •  Verify  the  following:       if  B  ∈  dom(X)  ⇒  v  is  a  stale  pointer    if  B  !∈  dom(X)  ∧  B  ∈  succ(X)  ⇒  v  may  be  a  stale  pointer    if  X  !∈  dom(B)  ∧  X  ∈  succ(B)  ⇒  v  may  cause  memory  leak   • if  X  !∈  dom(B)  ∧  X  !∈  succ(B)  ⇒  v  causes  memory  leak    Iterate  subsEtuEng:   •  • F  with  each  of  its  callers   • X  with  a  basic  block  that  calls  F  
  • 52. Example   No  bugs  
  • 53. Example   No  bugs  
  • 54. Example   Use  amer  free  bug  
  • 55. Example   Use  amer  free  bug  
  • 56. Example   Use  amer  free  bug  (maybe)  
  • 57. Example   Use  amer  free  bug  (maybe)  
  • 58. Example   No  bugs  
  • 59. Example   Use  amer  free  bug  
  • 60. Example   Use  amer  free  bug  (maybe)  
  • 61. What’s  the  catch   •  We  cannot  handle  all  data  structures   •  We  cannot  handle  funcEon  pointers   •  We  have  false  posiEves   •  We  have  false  negaEves   •  Some  “smart  pointers”-­‐like  interfaces  might   not  be  covered   •  The  best  use  is  for  C++  life-­‐span  issues  
  • 62. Future   •  Increase  the  number  of  covered  data  structure   •  Use  a  solver  to  reduce  false  posiEves   •  Import  dynamic  analysis  data  to  miEgate  the   funcEon  pointers  problem