Giter VIP home page Giter VIP logo

meds's Introduction

MEDS: Enhancing Memory Error Detection for Large-Scale Applications

Prerequisites

  • cmake and clang

Build MEDS supporting compiler

$ make

Build Using Docker

# build docker image
$ docker build -t meds .

# run docker image
$ docker run --cap-add=SYS_PTRACE -it meds /bin/bash

Testing MEDS

  • MEDS's testing runs original ASAN's testcases as well as MEDS specific testcases.

    • Copied ASAN's testcases in llvm/projects/compiler-rt/test/meds/TestCases/ASan
    • MEDS specific testcases in llvm/projects/compiler-rt/test/meds/TestCases/Meds

  • To run the test,

$ make test

Testing Time: 30.70s
 Expected Passes    : 183
 Expected Failures  : 1
 Unsupported Tests  : 50

Build applications with MEDS heap allocation and ASan stack and global

  • Given a test program test.cc,
$ cat > test.cc

int main(int argc, char **argv) {
  int *a = new int[10];
  a[argc * 10] = 1;
  return 0;
}
  • test.cc can be built using the option, -fsanitize=meds.
$ build/bin/clang++ -fsanitize=meds test.cc -o test
$ ./test

==90589==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x43fff67eb078 at pc 0x0000004f926d bp 0x7fffffffe440 sp 0x7fffffffe438
WRITE of size 4 at 0x43fff67eb078 thread T0
    #0 0x4f926c in main (/home/wookhyun/release/meds-release/a.out+0x4f926c)
    #1 0x7ffff6b5c82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #2 0x419cb8 in _start (/home/wookhyun/release/meds-release/a.out+0x419cb8)

Address 0x43fff67eb078 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/wookhyun/release/meds-release/a.out+0x4f926c) in main
Shadow bytes around the buggy address:
  0x08807ecf55b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x08807ecf55c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x08807ecf55d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x08807ecf55e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x08807ecf55f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x08807ecf5600: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00[fa]
  0x08807ecf5610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x08807ecf5620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x08807ecf5630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x08807ecf5640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x08807ecf5650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==90589==ABORTING

Options

  • -fsanitize=meds: Enable heap protection using MEDS (stack and global are protected using ASAN)

  • -mllvm -meds-stack=1: Enable stack protection using MEDS

  • -mllvm -meds-global=1 -mcmodel=large: Enable global protection using MEDS

    • This also requires --emit-relocs in LDFLAGS

  • Example: to protect heap/stack using MEDS and global using ASAN

$ clang -fsanitize=meds -mllvm -meds-stack=1 test.c -o test
  • Example: to protect heap/global using MEDS and stack using ASAN
$ clang -fsanitize=meds -mllvm -meds-global=1 -mcmodel=large -Wl,-emit-relocs test.c -o test
  • Example: to protect heap/stack/global using MEDS
$ clang -fsanitize=meds -mllvm -meds-stack=1 -mllvm -meds-global=1 -mcmodel=large -Wl,--emit-relocs

Contributors

meds's People

Contributors

d-ned avatar marsman1996 avatar nashi5566 avatar whhan avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar

Forkers

d-ned chubbymaggie inevity daydayup40 jaeseolee qiaoqiao444 feiyunwill marsman1996 nashi5566 cpslab-kaist

meds's Issues

Question about the redzone size.

Hi,

If I do not misunderstand the paper, the size of the MEDS redzone should be 4MB. But in the example below the redzone size seems much smaller than 4MB.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(){
    char *a = malloc(0x20);
    char *b = malloc(0x20);
    // char *a = malloc(0x1000000);
    // char *b = malloc(0x1000000);
    int offset = 0x4030;
    printf("a = %p, b = %p\n", a, b);
    printf("writing in %p\n", &a[offset]);
    a[offset] = 'a';
    free(a);
    free(b);
    return 0;
}

And the outout is:

a = 0x42e90657d010, b = 0x42e906581040

So the redzone size is about 16KB(0x42e906581040 - 0x42e90657d010 - 0x20 = 0x4010).

Thanks for any reply!

Failed to detect use-after-free when malloc more than 2MB buffer

MEDS fails to detect UAF error of the following malloc-free-malloc-use code with 2MB or larger buffer size:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(){
    char *a = malloc(0x200000); // 2MB
    // char *a = malloc(0x10000); // 64KB
    printf("a = %p\n", a);
    free(a);
    
    char *b;
    for(int i = 0; ; i++){
        b = malloc(0x200000);
        printf("i = %d, a = %p, b = %p\n", i, a, b);
        if(a == b)
            break;
        free(b);
    }
    
    int offset = 0x10;
    printf("writing in %p\n", (a+offset));
    a[offset] = 'a';

    free(b);
    return 0;
}

I compile and run this code in the docker with MEDS

$ docker run -v ~/MEDS/sample:/data --cap-add=SYS_PTRACE -it --rm meds /bin/bash
$ clang -fsanitize=meds -g -mllvm -meds-stack=1 -mllvm -meds-global=1 -mcmodel=large -Wl,--emit-relocs uaf-3.c -o uaf-3-meds
$ ./uaf-3-meds

Theoretically it should not break the for loop since the quarantine zone is 80T.
But the address of 'b' is equal to the address of 'a' during the first malloc.

But if the buffer is small (like 64KB), the 80T quarantine zone mechanism works fine.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.