Inoculating Software, Boosting Quality
Oracle & SAS Experience with Silicon Secured Memory [CON8216]

Angelo Rajadurai, Senior Principal Software Engineer, Oracle
Sheldon Lobo, Principal Software Engineer, Oracle
Chandrashekhar Garud, Principal Software Engineer, Oracle

Oracle Confidential – Internal/Restricted/Highly Restricted
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
October 25-29, 2015 San Francisco

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Topics
• Memory corruption source of Security problem
• Security in the new SPARC M7 systems
• Silicon Secured Memory – Usage Examples
• How You Can Build More Secure Applications

Memory Corruption – The Problem
• Applications are vulnerable to memory corruption due to
  – Software errors and malicious attacks (that exploit software errors)
  – 317 million new malicious programs and 24 "zero day vulnerability" in 2014 [Symantec]
• Memory corruption causes unpredictable application behavior and crashes
  – Victim thread encounters incorrect data sometime after the runtime error occurred, making these bugs extremely hard to locate and fix
• Buffer overflows are a major source of security exploits
  – In-memory database increases exposure – terabytes of critical data in-memory
• Databases and OS's have tens of millions of lines of code, developed by distributed teams of thousands of developers, so errors introduced by a subsystem could adversely affect one or more subsystems.

Why Memory Corruption Matters…
• Security Vulnerabilities
  – Make Headlines
  – Increase Risk
  – Create Unexpected COST Burden
• Memory corruption: A SERIOUS & EXPONENTIALLY GROWING problem
  – Hurts developer productivity, creates project delays
  – Fuels major product quality issues
  – Surfaces major SECURITY vulnerabilities, ex. HeartBleed

Inoculation
[Diagram: $ LD_PRELOAD_64= with either libdiscoverADI.so or libadimalloc, shown across the stages DEV, DEV/TEST and PROD]

Security in Silicon: Silicon Secured Memory
Improved Security & Reliability in Hardware
• First ever hardware based memory protection
• Stops malicious programs from accessing other application memory
• Can be always on: Hardware approach has negligible performance impact
• Results in improved developer efficiency and more secure and higher availability applications

What is Silicon Secured Memory?
• SSM (Silicon Secured Memory) is a hardware feature of the T7/M7 that detects invalid data accesses based on memory tagging
• A version number is stored by software in spare bits of memory and caches (4-bit at the granularity of 64-byte cache lines) and in the 4 upper bits of the pointers
  – Dedicated non-privileged load/store instructions provide the ability to assign a 4-bit version to each 64-byte cache line
  – Metadata stored in memory is maintained throughout the Cache hierarchy and all Interconnects
• On load/store ops, the processor compares the version set in the pointer with the version assigned in the target memory and generates an exception if there is a mismatch

Silicon Secured Memory
• H/W compares pointer version with memory version
• Traps if they don't match
  – Sends SEGV or utrap to process
• H/W masks version before it hits the MMU

[Diagram: pointers made up of a version and an address are used by ld/st instructions against memory in which every 64-byte line carries its own version]

(dbx) run
signal SEGV (ADP version 13 mismatch for VA 0x4a900) in main at 0x10988
(dbx) where
…stack trace…

Silicon Secured Memory – Implementation Details
[Diagram labels]
• Application
• Solaris Studio Code Analyzer
• Studio's ADI Lib + discover
• Solaris' ADI Lib
• Solaris' adimalloc
• Solaris Kernel (Provides sys-calls for user-level apps)
• M7 Hardware (Always-on ADI checking)
[Callouts]
• Use SSM in development to identify and eliminate application memory access errors
• Use SSM in deployment for more secure applications and to limit malicious attacks in real-time
• Use SSM to develop code secure applications

Oracle RDBMS
• Memory corruption a huge issue; in-memory data raises the stakes
• Used open source software emulation testing solution, but:
  – Long runtime; Small subset of internal tests
• Studio team implemented an efficient fat pointer software solution
• Revolutionary insight, do it in hardware – Silicon Secured Memory

[Diagram]
Software Checking (ld … st …): Save context; Normalize pointer; Check pointer; Restore context
Hardware Checking (ld … st …): Full Speed!!! SEGV on color mismatch

Business Transformation for Oracle RDBMS Developers
• Disbelief: 1st bug caught; basic sanity tests
• Denial: Developer insists: "Not my bug"; Discover proves stale pointer use.
• Dismay: "The number of buffer overruns ... much higher than earlier indicated. It occurs 845 times ... Yikes!"
• Disambiguation: Freed memory access. "It is a tricky issue… nice catch by this tool!"
• "Discover has practically eliminated these MechaGodzilla, insidious, hard to find corruptions. We're just not having to deal with that now."

Up to 250x faster; allocation/free context; source line mapping

Using Discover: Catching Invalid Memory References in SGA

At SAS….
SAS 9.4 & Studio Discover ADI Proof of Concept (Silicon Secured Memory + Oracle Solaris Studio)
• Large enterprise, memory intensive app
• 31+ Million Lines of C
• Time to value for SPARC M7
  – 4 cross platform bugs tagged in 2 days
  – 180x faster bug identification
• Other memory validation tool: 3 hours
• Silicon Secured Memory and Discover tool: 1 minute

SAS Case Study: Bug Find, Fix, Putback: ~2 hours
Discover ADI Tags Read Beyond Array Bounds Memory Violation

Array Bounds Error Tagged by Discover ADI

/export/home/sas/adisas -fullstimer -stimefmts -WORK /d0/saswork -UTILLOC /d0/utilloc -memsize 200G -CPUCOUNT 256 -sysparm 128 XXXX.sas

ERROR 1 (ABR): [t@13] reading memory beyond array bounds at address 0x7fffffff7142d078 {memory version: 6}:
    LevelizeEffectsObs() + 0x90
    LevelizeEffectsTh() + 0x518
    ThreadMain() + 0x1e8
    ….
was allocated at (0x7fffffff70c2d080, 16 bytes):
    valMemAlloc() + 0x138
    FinishModels() + 0x200
    LoadFromStore() + 0xb3c
    ……
DISCOVER SUMMARY:
    unique errors: 1 (1 total)

Bug Fixed by Code Owner

From: [email protected]
Subject: RE: possible ABR line 890 of /sas/dev/XXXX/XXXX/src/XXXX.c
Date: February 20, 2015 at 3:31:48 PM EST
To: [email protected],
It is fixed and pushed.
Thanks,
XXXXXXXX

Bug Triaged by SAS Host Group

From: Tom Txxxxxxx
Sent: Thursday, February 19, 2015 12:52 PM
To: XXXXXX
Subject: possible ABR line 890 of /sas/dev/XXXX/XXXX/src/XXXX.c
Hi, we are getting a report of an out-of-bounds read (ABR) for line 890 of /sas/dev/XXXX/XXXX/src/XXXX.c
875 TKStatus LevelizeEffectsObs(tkmixContextPtr ctx, …
890 tkEffectPtr subef = (str->XXXX) ? str->XXXX[str->XXXX] : NULL;
In this scenario it appears that str->XXXX is non-NULL and str->XXXX is -1. Is that plausible?
Thanks much for considering this,
Tom Txxxxxx

Bug Tag -> Bug Triage -> Bug Fix & Integration: Elapsed Time: ~2 days, User Time: ~2 hours

Discover + Silicon Secured Memory: Oracle Product Teams
• Adv Supply Chain Planning (Double Free)
• Oracle LDAP (Freed Memory Read)
• PeopleSoft (Freed Memory Read)
• Solaris Assembler – (Buffer Overflow Read)
  – "…that *was* 28 years ago… *Congratulations*, Way to go"
  – Other Oracle Apps: OBIEE, Fusion Middleware OID, HFM, EBS, ASCP

Discover + Silicon Secured Memory Finds Security Issues in Non-Oracle Apps as well
• OpenSSL (Buffer Overflow) – Heartbleed
• OpenVPN (Freed Memory Read)
• Python (Freed Memory Read)
• Several other apps tested with Discover + Silicon Secured Memory
  – Oracle Apps
    • OBIEE, PeopleSoft HR, Fusion Middleware OID, HFM, EBS, ASCP
  – Third Party Apps
    • SAP, Sybase, MSC NASTRAN, Capitek AAA, Asiainfo ISMG, EMC Networker, IBM DB2

Developing Secure Software using Oracle Solaris Studio
• Compiler Suite
  – C, C++ Compiler
  – Visual Debugger
  – Performance Library
  – Fortran Compiler
• Analysis Suite
  – Performance Analyzer
  – Code Analyzer
  – Thread Analyzer
• IDE

Developing Secure Software using Oracle Solaris Studio
Studio 12.4 download link: http://www.oracle.com/technetwork/server-storage/solarisstudio
Code Analyzer

Developing Secure Software using Oracle Solaris Studio
Discover ADI Code Security Checking Tool for Silicon Secured Memory

Memory Violations Caught by Discover ADI
• Buffer Overflows - Array Bounds Read/Write - ABR/ABW
• Free Memory Read/Write - FMR/FMW
• Stale Pointer Access – Special case of FMR/FMW
• Double Free Memory - DFM
• Unallocated Read/Write - UAR/UAW

Developing Secure Software using Oracle Solaris Studio
How to run your applications with Discover ADI
• System Requirements: SPARC-M7 hardware, Solaris 11.3 OS, Studio 12.4 Discover
• Using Discover driver
    $ discover -i adi a.out
    $ a.out
• Using LD_PRELOAD_64
    $ LD_PRELOAD_64=<compiler>/lib/compilers/sparcv9-S2/libdiscoverADI.so a.out
• Results can be viewed in various formats: HTML, Text, GUI

Developing Secure Software using Oracle Solaris Studio
• ABR/ABW – Buffer Overflow Example

    #include <stdio.h>
    #include <stdlib.h>
    char *arr;
    void foo()
    {
      for (int i = 0; i<= 64; i++)
        printf("%c\n", arr[i]);
    }
    int main()
    {
      arr = (char*)malloc(64);
      foo();
      return 0;
    }

    ERROR 1 (ABR): reading memory beyond array bounds at address 0x2fffffff7d47e040 {memory: v8}:
        foo() + 0x2c <test-abr.c:7>
             6:    for (int i = 0; i<= 64; i++)
             7:=>    printf("%c\n", arr[i]);
        main() + 0x24 <test-abr.c:12>
            11:    arr = (char*)malloc(64);
            12:=>  foo();
        ..
        _start() + 0x108
    was allocated at (0x2fffffff7d47e000, 64 bytes):
        main() + 0x8 <test-abr.c:11>
            10:    {
            11:=>  arr = (char*)malloc(64);
        _start() + 0x108
    DISCOVER SUMMARY:
        unique errors : 1 (1 total)

Developing Secure Software using Oracle Solaris Studio
How Discover ADI works
• Interposes on memory allocation routines.
• Assigns versions/colors to pointers
• Catches the SEGV traps when illegal access (i.e. version mismatch) occurs.
• Reports exact source line/stack trace of errors and allocation/free source line/stack traces

Developing Secure Software using Oracle Solaris Studio
How Discover ADI works
• No code instrumentation. Hardware does all access checks.
• Access check is fast. (~1% slowdown)
• Full debugging mode still fast (~10% slowdown)
• No rebuild required. No debug build required
• Works on Studio built or gcc binaries
• Run entire test suite with Discover ADI
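
A software model of the version check from the "What is Silicon Secured Memory?" slide combined with the allocator interposition from the "How Discover ADI works" slides, added here as an example; it is not Oracle's code. All function names, the 32-line arena and the colour conventions (1..13 for live blocks, 14 for freed lines, 0 for never-allocated lines) are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model, not Oracle code: every name and constant below is hypothetical. */
#define LINE   64u                 /* one version per 64-byte cache line */
#define NLINES 32u
#define VSHIFT 60                  /* version sits in the 4 upper pointer bits */
#define ADDR(p) ((p) & ((UINT64_C(1) << VSHIFT) - 1))
#define VER(p)  ((unsigned)((p) >> VSHIFT))
enum { OK = 0, MISMATCH = 1, FREED = 14 /* model colour for freed lines */ };
static uint8_t mem[NLINES * LINE]; /* modelled memory */
static uint8_t line_ver[NLINES];   /* version per line; 0 = never allocated */
static unsigned next_line, next_ver = 1;

/* Interposed allocator: whole lines, one colour per block, versioned pointer. */
uint64_t model_malloc(size_t n) {
    unsigned lines = (unsigned)((n + LINE - 1) / LINE), v = next_ver;
    if (n == 0 || next_line + lines > NLINES) return 0;
    next_ver = next_ver % 13 + 1;  /* live colours cycle through 1..13 */
    for (unsigned i = 0; i < lines; i++) line_ver[next_line + i] = (uint8_t)v;
    uint64_t p = ((uint64_t)v << VSHIFT) | ((uint64_t)next_line * LINE);
    next_line += lines;
    return p;
}
/* Interposed free: recolour the block; a stale version here is a double free. */
int model_free(uint64_t p, size_t n) {
    unsigned first = (unsigned)(ADDR(p) / LINE);
    if (ADDR(p) >= sizeof mem || (unsigned)line_ver[first] != VER(p)) return MISMATCH;
    for (unsigned i = 0; i < (n + LINE - 1) / LINE; i++) line_ver[first + i] = FREED;
    return OK;
}
/* Per-access check: compare versions, then mask the version off the address. */
int model_load(uint64_t p, uint8_t *out) {
    if (ADDR(p) >= sizeof mem || (unsigned)line_ver[ADDR(p) / LINE] != VER(p)) return MISMATCH;
    *out = mem[ADDR(p)];
    return OK;
}
/* The page's test-abr.c loop: index of the first trapping read, or -1. */
int first_bad_index(uint64_t base, int last) {
    uint8_t c;
    for (int i = 0; i <= last; i++)
        if (model_load(base + (uint64_t)i, &c) != OK) return i;
    return -1;
}

int main(void) {
    printf("first trapping index: %d\n", first_bad_index(model_malloc(64), 64));
    return 0;
}
```

Because the compare is per 64-byte line, the model's allocator hands out whole lines; a read that stays inside a block's last line carries a matching version and is not flagged by the compare.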

Silicon Secured Memory - in Development and Deployment
Memory Error Checking in Silicon
• SSM in Development: Integrated HW and Developer Tools
  – Application
  – Oracle Solaris Studio Code Analyzer
  – Find and fix memory corruption errors
• SSM in Deployment: Real-time Data Protection
  – Ensure Data Integrity

Deploying Secure Applications
Oracle Solaris

Usage
    $ LD_PRELOAD_64=/lib/sparcv9/libadimalloc.so a.out

SSM will ensure Data Integrity by stopping the application at the first instance of memory corruption

Silicon Secured Memory – Inoculating Every Step
DEV: Software ADI | DEV/TEST: SW + Silicon Secured Memory | PROD: Silicon Secured Memory

Software Only | SSM @ Development | SSM @ Deployment | DIY SSM
Studio 12.4 discover | Studio 12.4 Discover + SSM | Malloc + SSM libadimalloc | Directly program SSM libc
Intel & Any SPARC | SPARC M7 | SPARC M7 | SPARC M7
No Code Change | No Code Change | No Code Change | Integrate SSM into code
No recompile of code | No recompile of code | No recompile of code | Compile SSM into code
discover a.out | discover -i adi a.out | LD_PRELOAD_64=libadimalloc.so | Use adi_* functions in code
HTML based report on error and root cause | HTML based report on error and root cause | Stop at first occurrence of security violation | You decide
Higher Overhead but faster than other software based tools | Low overhead because of hardware assist | Close to no overhead – just hardware based protection | You decide. Hardware assists. As low as you need

Call to Action – Boost Software Quality & Security
3 Options to Inoculate and Immunize Your Code against Memory Violations
• DEV: Software ADI (Discover)
• DEV/TEST/PROD: SW + Silicon Secured Memory (Discover ADI, libmallocADI)
• TEST/PROD: Silicon Secured Memory (Native ADI)

Must Read: Using Application Data Integrity and Oracle Solaris Studio to Find and Fix Memory Access Errors

Help Me Get Inoculated!!
Call to Action: Increase Software Quality & Security
• See Silicon Secured Memory in Action
  – Visit Oracle's Software in Silicon (SWiS) Cloud
    • http://swisdev.oracle.com
• Try Software ADI:
  – Get Oracle Solaris 11.3 and Studio 12.4
• Get info: Just Ask!
  – [email protected]
  – Code Doctors without Borders on hand to help

Questions
[email protected]
• Get Info: [email protected]
• Other Sessions:
  – CON6083: Silicon Secured Memory in SPARC: Unparalleled Security and Performance for Oracle Database
  – HOL5447: Learning to Use SPARC M7 Silicon Secured Memory to Detect Buffer Overflow Attacks
  – HOL6011: Speeding up Oracle Database Using SPARC M7 Hardware Acceleration
  – CON8337: Developer Cloud Made Simple: How to Build an OpenStack Developer Cloud