MEDS: Enhancing Memory Error Detection for Large-Scale Applications


Prerequisites

  • cmake and clang

Build MEDS supporting compiler

$ make

Build Using Docker

# build docker image
$ docker build -t meds .

# run docker image
$ docker run --cap-add=SYS_PTRACE -it meds /bin/bash

Testing MEDS

  • MEDS's test suite runs the original ASan test cases as well as MEDS-specific ones.

    • ASan's test cases are copied into llvm/projects/compiler-rt/test/meds/TestCases/ASan
    • MEDS-specific test cases live in llvm/projects/compiler-rt/test/meds/TestCases/Meds
  • To run the tests:

$ make test

Testing Time: 30.70s
 Expected Passes    : 183
 Expected Failures  : 1
 Unsupported Tests  : 50
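
To iterate on a single suite instead of the whole test target, LLVM's lit runner can be pointed at one of the MEDS test directories. This is a sketch rather than a documented workflow: the llvm-lit location and the test-tree path below assume an in-tree build under build/ and may differ in your checkout.

$ build/bin/llvm-lit -sv build/projects/compiler-rt/test/meds/TestCases/Meds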

Build applications with MEDS heap protection and ASan stack/global protection

  • Given a test program test.cc,
$ cat > test.cc

int main(int argc, char **argv) {
  int *a = new int[10];
  a[argc * 10] = 1;
  return 0;
}
  • test.cc can be built with the -fsanitize=meds option. Since argc is at least 1 at runtime, a[argc * 10] writes past the end of the 10-element array, which MEDS reports as a heap-buffer-overflow:
$ build/bin/clang++ -fsanitize=meds test.cc -o test
$ ./test

==90589==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x43fff67eb078 at pc 0x0000004f926d bp 0x7fffffffe440 sp 0x7fffffffe438
WRITE of size 4 at 0x43fff67eb078 thread T0
    #0 0x4f926c in main (/home/wookhyun/release/meds-release/a.out+0x4f926c)
    #1 0x7ffff6b5c82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #2 0x419cb8 in _start (/home/wookhyun/release/meds-release/a.out+0x419cb8)

Address 0x43fff67eb078 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/wookhyun/release/meds-release/a.out+0x4f926c) in main
Shadow bytes around the buggy address:
  0x08807ecf55b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x08807ecf55c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x08807ecf55d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x08807ecf55e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x08807ecf55f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x08807ecf5600: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00[fa]
  0x08807ecf5610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x08807ecf5620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x08807ecf5630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x08807ecf5640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x08807ecf5650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==90589==ABORTING

Options

  • -fsanitize=meds: Enable heap protection using MEDS (the stack and globals are protected using ASan)

  • -mllvm -meds-stack=1: Enable stack protection using MEDS

  • -mllvm -meds-global=1 -mcmodel=large: Enable global protection using MEDS

    • This also requires --emit-relocs in LDFLAGS (see the build-variable sketch after these examples)
  • Example: to protect the heap/stack using MEDS and globals using ASan

$ clang -fsanitize=meds -mllvm -meds-stack=1 test.c -o test
  • Example: to protect the heap/globals using MEDS and the stack using ASan
$ clang -fsanitize=meds -mllvm -meds-global=1 -mcmodel=large -Wl,--emit-relocs test.c -o test
  • Example: to protect the heap/stack/globals using MEDS
$ clang -fsanitize=meds -mllvm -meds-stack=1 -mllvm -meds-global=1 -mcmodel=large -Wl,--emit-relocs test.c -o test
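
For larger projects, the same options can be fed through the standard build variables rather than a one-off command line. A minimal sketch, assuming an autoconf-style project and the MEDS-built clang at build/bin/clang (both the path and the build system are illustrative, not prescribed by the repo):

$ export CC="$PWD/build/bin/clang"
$ export CFLAGS="-fsanitize=meds -mllvm -meds-global=1 -mcmodel=large"
$ export LDFLAGS="-Wl,--emit-relocs"
$ ./configure && make

As a quick sanity check of the stack mode, a stack variant of the earlier heap example (a hypothetical test-stack.c, not shipped with the repo) should abort with an overflow report when built with -mllvm -meds-stack=1:

$ cat > test-stack.c
int main(int argc, char **argv) {
  int buf[10];
  buf[argc * 10] = 1; /* argc >= 1, so this writes past the end of buf */
  return 0;
}
$ build/bin/clang -fsanitize=meds -mllvm -meds-stack=1 test-stack.c -o test-stack
$ ./test-stack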

Comments
  • Failed to detect use-after-free when malloc more than 2MB buffer

    MEDS fails to detect the use-after-free (UAF) error in the following malloc-free-malloc-use code when the buffer is 2MB or larger:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    int main(){
        char *a = malloc(0x200000); // 2MB
        // char *a = malloc(0x10000); // 64KB
        printf("a = %p\n", a);
        free(a);
        
        char *b;
        for(int i = 0; ; i++){
            b = malloc(0x200000);
            printf("i = %d, a = %p, b = %p\n", i, a, b);
            if(a == b)
                break;
            free(b);
        }
        
        int offset = 0x10;
        printf("writing in %p\n", (a+offset));
        a[offset] = 'a';
    
        free(b);
        return 0;
    }
    

    I compile and run this code in the Docker container with MEDS:

    $ docker run -v ~/MEDS/sample:/data --cap-add=SYS_PTRACE -it --rm meds /bin/bash
    $ clang -fsanitize=meds -g -mllvm -meds-stack=1 -mllvm -meds-global=1 -mcmodel=large -Wl,--emit-relocs uaf-3.c -o uaf-3-meds
    $ ./uaf-3-meds
    

    In theory the for loop should never break, since the quarantine zone is 80TB: with 2MB chunks, a freed address should not be reused until roughly 80TB / 2MB ≈ 40 million subsequent allocations. Yet the address of b equals the address of a on the very first malloc after the free.

    If the buffer is small (e.g., 64KB), the 80TB quarantine mechanism works fine.

    opened by Marsman1996 · 2 comments
  • Question about the redzone size.

    Hi,

    If I am not misunderstanding the paper, the MEDS redzone should be 4MB, but in the example below it seems much smaller than that:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    int main(){
        char *a = malloc(0x20);
        char *b = malloc(0x20);
        // char *a = malloc(0x1000000);
        // char *b = malloc(0x1000000);
        int offset = 0x4030;
        printf("a = %p, b = %p\n", a, b);
        printf("writing in %p\n", &a[offset]);
        a[offset] = 'a';
        free(a);
        free(b);
        return 0;
    }
    

    And the output is:

    a = 0x42e90657d010, b = 0x42e906581040
    

    So the redzone size is about 16KB (0x42e906581040 - 0x42e90657d010 - 0x20 = 0x4010).

    Thanks for any reply!

    opened by Marsman1996 · 3 comments
Owner

Secomp Lab at Purdue University