Article

How to shadow every byte of memory used by a program

Authors:
Nicholas Nethercote

National ICT Australia, Melbourne, Australia

National ICT Australia, Melbourne, Australia
View Profile

,
Julian Seward

OpenWorks LLP, Cambridge, United Kngdm

OpenWorks LLP, Cambridge, United Kngdm
View Profile

VEE '07: Proceedings of the 3rd international conference on Virtual execution environmentsJune 2007Pages 65–74https://doi.org/10.1145/1254810.1254820

Published:13 June 2007Publication History

VEE '07: Proceedings of the 3rd international conference on Virtual execution environments

Pages 65–74

ABSTRACT

Several existing dynamic binary analysis tools use shadowmemory-they shadow, in software, every byte of memory used by a program with another value that says something about it. Shadow memory is difficult to implement both efficiently and robustly. Nonetheless, existing shadow memory implementations have not been studied in detail. This is unfortunate, because shadow memory is powerful-for example, some of the existing tools that use it detect critical errors such as bad memory accesses, data races, and uses of uninitialised or untrusted data. In this paper we describe the implementation of shadow memory in Memcheck, a popular memory checker built with Valgrind, a dynamic binary instrumentation framework. This implementation has several novel features that make it efficient: carefully chosen data structures and operations result in a mean slow-down factor of only 22.2 and moderate memory usage. This may sound slow, but we show it is 8.9 times faster and 8.5 times smaller on average than a naive implementation, and shadow memory operations account for only about half of Memcheck's execution time. Equally importantly, unlike some tools, Memcheck's shadow memory implementation is robust: it is used on Linux by thousands of programmers on sizeable programs such as Mozilla and OpenOffice, and is suited to almost any memory configuration. This is the first detailed description of a robust shadow memory implementation, and the first detailed experimental evaluation of any shadow memory implementation. The ideas within are applicable to any shadow memory tool built with any instrumentation framework.

References

D. Bruening, T. Garnett, and S. Amarasinghe. An infrastructure for adaptive dynamic optimization. In Proceedings of CGO'03, pages 265--276, San Francisco, California, USA, March 2003. Google ScholarDigital Library
M. Burrows. Personal communication, February 2006.Google Scholar
M. Burrows, S. N. Freund, and J. L. Wiener. Run-time type checking for binary programs. In Proceedings of CC 2003, pages 90--105, Warsaw, Poland, April 2003. Google ScholarDigital Library
W. Cheng, Q. Zhao, B. Yu, and S. Hiroshige. Tainttrace: Efficient flow tracing with dynamic binary rewriting. In Proceedings of ISCC 2006, pages 749--754, Cagliari, Sardinia, Italy, June 2006. Google ScholarDigital Library
J. J. Harrow, Jr. Runtime checking of multithreaded applications with Visual Threads. In Proceedings of SPIN 2000, pages 331--342, Stanford, California, USA, August 2000. Google ScholarDigital Library
R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter USENIX Conference, pages 125--136, San Francisco, California, USA, January 1992.Google Scholar
K. Hazelwood. Code Cache Management in Dynamic Optimization Systems. PhD thesis, Harvard University, Cambridge, Mass., USA, May 2004.Google Scholar
V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure execution via program shepherding. In Proceedings of the 11th USENIX Security Symposium, pages 191--206, San Francisco, California, USA, August 2002. Google ScholarDigital Library
C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of PLDI 2005, pages 191--200, Chicago, Illinois, USA, June 2005. Google ScholarDigital Library
A. Mühlenfeld and F. Wotawa. Fault detection in multi-threaded C++ server applications. In Informal Proceedings of TV06, pages 191--200, Seattle, Washington, USA, August 2006.Google Scholar
S. Narayanasamy, C. Pereira, H. Patil, R. Cohn, and B. Calder. Automatic logging of operation system effects to guide application--level architecture simulation. In Proceedings of SIGMetrics/Performance 2006, pages 216--227, St. Malo, France, June 2006. Google ScholarDigital Library
N. Nethercote. Dynamic Binary Analysis and Instrumentation. PhD thesis, University of Cambridge, United Kingdom, November 2004.Google Scholar
N. Nethercote and J. Fitzhardinge. Bounds-checking entire programs without recompiling. In Informal Proceedings of SPACE 2004, Venice, Italy, January 2004.Google Scholar
N. Nethercote and A. Mycroft. Redux: A dynamic dataflow tracer. Electronic Notes in Theoretical Computer Science, 89(2), 2003.Google Scholar
N. Nethercote and J. Seward. Valgrind: A program supervision framework. Electronic Notes in Theoretical Computer Science, 89(2), 2003.Google Scholar
Nicholas Nethercote and Julian Seward. Valgrind: A framework for heavyweight dynamic binary instrumentation. In Proceedings of PLDI 2007, San Diego, California, USA, June 2007. Google ScholarDigital Library
J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of NDSS '05, San Diego, California, USA, February 2005.Google Scholar
F. Qin, C. Wang, Z. Li, H. Kim, Y. Zhou, and Y. Wu. Lift: A low-overhead practical information flow tracking system for detecting security attacks. In Proceedings of the Annual IEEE/ACM International Symposium on Microarchitecture (Micro'06), Orlando, Florida, USA, December 2006. Google ScholarDigital Library
M. Ronsse, B. Stougie, J. Maebe, F. Cornelis, and K. De Bosschere. An efficient data race detector backend for DIOTA. In Parallel Computing: Software Technology, Algorithms, Architectures & Applications, volume~13, pages 39--46. Elsevier, February 2004.Google Scholar
S. Savage, M. Burrows, G. Nelson, P. Sobalvarro, and T. Anderson. Eraser: A dynamic data race detector for multithreaded programs. ACM Transactions on Computer Systems, 15(4):391--411, November 1997. Google ScholarDigital Library
J. Seward and N. Nethercote. Using Valgrind to detect undefined value errors with bit-precision. In Proceedings of the USENIX'05 Annual Technical Conference, Anaheim, California, USA, April 2005. Google ScholarDigital Library
The Valgrind Developers. Valgrind. url http://www.valgrind.org/.Google Scholar

Index Terms

Recommendations

Valgrind: a framework for heavyweight dynamic binary instrumentation
Proceedings of the 2007 PLDI conference

Dynamic binary instrumentation (DBI) frameworks make it easy to build dynamic binary analysis (DBA) tools such as checkers and profilers. Much of the focus on DBI frameworks has been on performance; little attention has been paid to their capabilities. ...
Read More
Valgrind: a framework for heavyweight dynamic binary instrumentation
PLDI '07: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation

Dynamic binary instrumentation (DBI) frameworks make it easy to build dynamic binary analysis (DBA) tools such as checkers and profilers. Much of the focus on DBI frameworks has been on performance; little attention has been paid to their capabilities. ...
Read More
Architectural support for shadow memory in multiprocessors
VEE '09: Proceedings of the 2009 ACM SIGPLAN/SIGOPS international conference on Virtual execution environments

Runtime monitoring support serves as a foundation for the important tasks of providing security, performing debugging, and improving performance of applications. Often runtime monitoring requires the maintenance of information associated with each of ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
VEE '07: Proceedings of the 3rd international conference on Virtual execution environments
June 2007
210 pages
ISBN:9781595936301
DOI:10.1145/1254810
General Chair:
Chandra Krintz
University of California, Santa Barbara
,
Program Chairs:
Steven Hand
University of Cambridge
,
David Tarditi
Microsoft Research
Copyright © 2007 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 13 June 2007
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
dynamic binary analysis
dynamic binary instrumentation
memcheck
shadow memory
valgrind
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate80of235submissions,34%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 185
  Total Citations
  View Citations
- 1,271
  Total Downloads
- Downloads (Last 12 months)68
- Downloads (Last 6 weeks)9
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.