Wenowboundthefalsepositiverate.Becausebufferoverowscanbediscontiguous - PDF document

Wenowboundthefalsepositiverate.Becausebufferoverowscanbediscontiguous,everyobjectintheheapthatprecedesanoverowisapotentialculprit.However,eachadditionalheapdra-maticallylowersthisnumber: Theorem3. Theexpectednumberofobjects(possibleculprits)thesamedistancedfromanygivenvictimobjectacrosskheapsis:E(possibleculprits)=1 (H�1)k�2: Proof. Withoutlossofgenerality,assumethatthevictimobjectoccupiesthelastslotineveryheap.Anobjectcanthusbeinanyoftheremainingn=H�1slots.Theoddsofitbeinginthesameslotinkheapsisp=1=(H�1)k�1.Thisisabinomialdistribution,soE(possibleculprits)=np=1=(H�1)k�2. Withonlyoneheapimage,all(H�1)objectsarepotentialculprits,butoneadditionalimagereducestheexpectednumberofculpritsforanyvictimtojust1(1=(H�1)0),effectivelyeliminatingtheriskoffalsepositives.OnceExterminatoridentiesaculprit-victimpair,itrecordstheoverowsizeforthatculpritasthemaximumofanyobserveddtoavictim.Exterminatoralsoassignseachculprit-victimpairascorethatcorrespondstoitscondencethatitisanactualoverow.Thisscoreis1�(1=256)S,whereSisthesumofthelengthofdetectedoverowstringsacrossallpairs.Intuitively,smalloverowstrings(e.g.,onebyte)detectedinonlyafewheapimagesaregivenlowerscores,andlargeoverowstringspresentinmanyheapimagesgethigherscores.Afteroverowprocessingcompletesandatleastoneculprithasanon-zeroscore,Exterminatorgeneratesaruntimepatchforanoverowfromthemosthighly-rankedculprit.4.2DanglingPointerIsolationIsolatingdanglingpointererrorsfallsintotwocases:aprogrammayreadandwritetothedangledobject,leavingitpartiallyorcompletelyoverwritten,oritmayonlyreadthroughthedanglingpointer.Exterminatordoesnothandleread-onlydanglingpointererrorsiniterativeorreplicatedmodebecauseitwouldrequiretoomanyreplicas(e.g.,around20;seeSection 7.2 ).However,ithandlesoverwrittendanglingobjectsstraightforwardly.Whenafreedobjectisoverwrittenwithidenticalvaluesacrossmultipleheapimages,Exterminatorclassiestheerrorasadan-glingpointeroverwrite.AsTheorem 1 shows,thissituationishighlyunlikelytooccurforabufferoverow.Exterminatorthengeneratesanappropriateruntimepatch,asSection 6.2 describes.5.CumulativeErrorIsolationWhenoperatingincumulativemode,Exterminatorisolatesmem-oryerrorsbycomputingsummaryinformationaccumulatedovermultipleexecutions,ratherthanbyoperatingovermultipleheapimages.ThismodeletsExterminatorisolatememoryerrorswith-outtheneedforreplication,identicalinputs,ordeterministicexe-cution.5.1BufferOverowDetectionExterminator'sbufferoverowisolationalgorithmproceedsinthreephases.First,itidentiesheapcorruptionbylookingforover-writtencanaryvalues.Second,foreachallocationsite,itcomputesanestimateoftheprobabilitythatanobjectfromthatsitecouldbethesourceofthecorruption.Third,itcombinestheseindepen-dentestimatesfrommultiplerunstoidentifysitesthatconsistentlyappearascandidatesforcausingthecorruption. Aftercomputingthesetofcorruptobjectslots,Exterminatorexaminesallocationsitesandndspossibleculprits.Toreasonaboutanindividualallocationsite,Exterminatormustconsiderallobservedobjectsfromthatsite.Anobjectthatcausescorruptionbyaforwardoverow(i.e.,itcorruptsmemoryathigheraddresses)mustsatisfytwocrite-ria.First,itmustlieonthesameminiheapasthecorruption.Be-causeminiheapsarerandomlylocatedthroughoutthewholead-dressspace,weassumethattheprobabilitythatanoverowcrossesminiheapboundariestocausecorruptionwithoutrstcausingasegmentationviolationisnegligible.Second,theoverowedobjectmustlieataloweraddressthanthecorruption.Foreachobject,theerrorisolationalgorithmcomputestheprob-abilitythattheobjectsatisesthesecriteria.Thetotalprobabilityistheproductoftheprobabilitiesofbeingallocatedinthesamemini-heap(theleft-handtermbelow),timestheprobabilityofitfallingontheleftsideofthecorruption(theright-handterm).Thersttermisthesizeofthecorruptminiheap,dividedbythesumofthesizesofallminiheapsavailableinthesizeclassatthetimetheob-jectwasallocated.LetMcbethecorruptedminiheap,ktheindexofthecorruptedslotinMc,t(i)andt(Mj)theallocationtimeofobjectiorminiheapMj,respectively,andsize(Mi)thenumberofobjectslotsinminiheapMi.TheprobabilityP(Ci)thatobjectisat-isesthecriteriaisthen:P(Ci)=size0(i;Mc) åMjsize0(i;Mj)
k size(Mc)wheresize0(i;Mj)=(0t(Mj)�t(i)size(Mj)t(Mj)t(i):ForeachallocationsiteA,ExterminatorthencomputestheprobabilityP(CA)thatatleastoneobjectfromthesitesatisedthecriteria(1minustheprobabilityofallobjectsnotsatisfying)asP(CA)=1�ÕifromA�1�P(Ci)
:ThisvalueP(CA),combinedwiththeactualobservedvalueCA,isthecompletesummarythatExterminatorcomputesandstoresbetweenruns.Intuitively,eachruncanbethoughtofasacoinip,whereP(CA)istheprobabilityofheads,andCA=1ifthecoinipresultedinheads.Usingtheestimatesfrommultipleruns,Exterminatortheniden-tiesallocationsitesthatsatisfythecriteriamorethanexpectedbyrandomchance.Theseallocationsitesarethosethatgenerateover-owedobjects.LetqAbetheprobabilitythatanobservedcorruptedobjectwascausedbyanoverowfromanobjectallocatedfromsiteA.Forsiteswithnooverowerrors,qA=0.Forsiteswitherrors,qAissomevaluegreaterthanzero,dependingonthenumberofotherbugsintheprogram.Thealgorithmcomparesthelikelihoodsofthetwocompetinghypotheses:H0:qA=0(noerrors),andH1:qA�0(someerror).Exterminator'serrorclassiertakesasinputthesequenceofcomputedprobabilitiesXi=P(CA)andtheobservedvaluesYi=CAfromeachrun.UsingaBayesianmodel,ExterminatorrejectsH0andidentiesAasanerrorsourcewhenP(H1j¯X;¯Y)�P(H1j¯X;¯Y).Thisconditionisequivalent(usingBayes'rule)toP(¯X;¯YjH1) P(¯X;¯YjH0)�P(H0) P(H1):Becausethetruepriorprobabilitiesofthehypothesesareun-known,Exterminatorestimatesthem.Differentestimatestradeoffbetweenfalsepositiverateandthenumberofrunsrequiredtoiden-tifytrueerrors.UsingapriorprobabilityP(H1)=1=cN,whereNisthetotalnumberofallocationsitesandcasmallconstant(currently, Itisimportanttonotethatthisdeallocationdeferraldoesnotmultiplyitslifetimebutratheritsdrag[ 39 ].Toillustrate,anobjectmightlivefor1000allocationsandthenbefreedjust10allocationstoosoon.Iftheprogramimmediatelycrashes,Exterminatorwillextenditslifetimeby21allocations,increasingitslifetimebylessthan1%(1021=1010).Section 7.3 evaluatestheimpactofbothoverowanddanglingpointercorrectiononspaceconsumption.6.3TheCorrectingMemoryAllocatorThecorrectingmemoryallocatorincorporatestheruntimepatchesdescribedaboveandappliesthemwhenappropriate.Figure 6 presentspseudo-codefortheallocationanddeallocationfunctions.Atstart-up,oruponreceivingareloadsignal(Section 3.4 ),thecorrectingallocatorloadstheruntimepatchesfromaspeciedle.Itbuildstwohashtables:apadtablemappingallocationsitestopadsizes,andadeferraltable,mappingpairsofallocationanddeallocationsitestoadeferralvalue.Becauseitcanreloadtherun-timepatchleandrebuildthesetableson-the-y,Exterminatorcanapplypatchestorunningprogramswithoutinterruptingtheirexe-cution.ThisaspectofExterminator'soperationmaybeespeciallyusefulforsystemsthatmustbekeptrunningcontinuously.Oneverydeallocation,thecorrectingallocatorcheckstoseeiftheobjecttobefreedneedstobedeferred.Ifitndsadeferralvaluefortheobject'sallocationanddeallocationsite,itpushesontothedeferralpriorityqueuethepointerandthetimetoactuallyfreeit(thecurrentallocationtimeplusthedeferralvalue).Thecorrectingallocatorthenchecksthedeferralqueueoneveryallocationtoseeifanobjectshouldnowbefreed.Itthencheckswhetherthecurrentallocationsitehasanassociatedpadvalue.Ifso,itaddsthepadvaluetotheallocationrequest,andforwardstheallocationrequesttotheunderlyingallocator.6.4CollaborativeCorrectionEachindividualuserofanapplicationislikelytoexperiencedif-ferenterrors.Toallowanentireusercommunitytoautomaticallyimprovesoftwarereliability,Exterminatorprovidesasimpleutil-itythatsupportscollaborativecorrection.Thisutilitytakesasinputanumberofruntimepatchles.Itthencombinesthesepatchesbycomputingthemaximumbufferpadrequiredforanyallocationsite,andthemaximaldeferralamountforanygivenallocationsite.Theresultisanewruntimepatchlethatcoversallobservederrors.Becausethesizeofpatchlesislimitedbythenumberofalloca-tionsitesinaprogram,weexpecttheselestobecompactandpracticaltotransmit.Forexample,thesizeoftheruntimepatchesthatExterminatorgeneratesforinjectederrorsinespressowasjust130K,andshrinksto17Kwhencompressedwithgzip.7.ResultsOurevaluationanswersthefollowingquestions:(1)WhatistheruntimeoverheadofusingExterminator?(2)HoweffectiveisEx-terminatoratndingandcorrectingmemoryerrors,bothforin-jectedandrealfaults?(3)WhatistheoverheadofExterminator'sruntimepatches?7.1ExterminatorRuntimeOverheadWeevaluateExterminator'sperformancewiththeSPECint2000suite[ 43 ]runningreferenceworkloads,aswellasasuiteofallocation-intensivebenchmarks.Weusethelattersuiteofbench-marksbothbecausetheyarewidelyusedinmemorymanagementstudies[ 3 , 19 , 22 ],andbecausetheirhighallocation-intensitystressesmemorymanagementperformance.Forallexperiments,wexExterminator'sheapmultiplier(valueofM)at2.Allresultsaretheaverageofverunsonaquiescent,dual-processorLinuxsystemwith3GBofRAM,witheach3.06GHz Figure7.RuntimeoverheadforExterminatoracrossasuiteofbenchmarks,normalizedtotheperformanceofGNUlibc(Linux)allocator. IntelXeonprocessor(hyperthreadingactive)equippedwith512KL2caches.Ourobservedexperimentalvarianceisbelow1%.Wefocusonthenon-replicatedmode(iterative/cumulative),whichweexpecttobeakeylimitingfactorforExterminator'sperformanceandthemostcommonusagescenario.WecomparetheruntimeofExterminator(DieFastplusthecor-rectingallocator)totheGNUlibcallocator.ThisallocatorisbasedontheLeaallocator[ 24 ],whichisamongthefastestavailable[ 5 ].Figure 7 showsthat,versusthisallocator,Exterminatordegradesperformancebyfrom0%(186.crafty)to132%(cfrac),withageometricmeanof25.1%.WhileExterminator'soverheadissub-stantialfortheallocation-intensivesuite(geometricmean:81.2%),wherethecostofcomputingallocationanddeallocationcontextsdominates,itsoverheadissignicantlylesspronouncedacrosstheSPECbenchmarks(geometricmean:7.2%).7.2MemoryErrorCorrectionInjectedFaultsTomeasureExterminator'seffectivenessatisolatingandcorrectingbugs,weusedthefaultinjectorthataccompaniestheDieHarddistributiontoinjectbufferoverowsanddanglingpointererrors.Foreachdatapoint,weruntheinjectorusingarandomseeduntilittriggersanerrorordivergentoutput.WenextusethisseedtodeterministicallytriggerasingleerrorinExterminator,whichweruniniterativemode.Wethenmeasurethenumberofiterationsrequiredtoisolateandgenerateanappropriateruntimepatch.Thetotalnumberofimages(iterationsplustherstrun)correspondstothenumberofreplicasthatwouldberequiredwhenrunningExterminatorinreplicatedmode.Bufferoverows:Wetriggered10differentbufferoverowseachofthreedifferentsizes(4,20,and36bytes)byunderowingobjectsintheespressobenchmark.Thenumberofimagesre-quiredtoisolateandcorrecttheseerrorswas3ineverycase.Noticethatthisresultissubstantiallybetterthantheanalyticalworst-case.Forthreeimages,Theorem 2 boundstheworst-caselikelihoodofmissinganoverowto42%(Section 4.1 ),ratherthanthe0%falsenegativerateweobservehere.Danglingpointererrors:Wethentriggered10danglingpointerfaultsinespressowithExterminatorrunninginiter-ativeandincumulativemodes.Initerativemode,Exterminatorsucceedsinisolatingtheerrorinonly4runs.Inanother4runs,espressodoesnotwritethroughthedanglingpointer.Instead,it 8.4FaultToleranceRecently,therehasbeenanincreasingfocusonapproachesfortol-eratinghardwaretransienterrorsthatarebecomingmorecommonduetofabricationprocesslimitations.Workinthisarearangesfromproposedhardwaresupport[ 33 ]tosoftwarefaulttolerance[ 34 ].WhileExterminatoralsousesredundancyasamethodfordetect-ingandcorrectingerrors,Exterminatorgoesbeyondtoleratingsoft-wareerrors,whicharenottransient,tocorrectingthemperma-nently.LikeExterminator,othereffortsinthefaulttolerancecom-munityseektogatherdatafrommultipleprogramexecutionstoidentifypotentialerrors.Forexample,Guoetal.usestatisticaltech-niquesoninternalmonitoringdatatoprobabilisticallydetectfaults,includingmemoryleaksanddeadlocks[ 20 ].Exterminatorgoesbe-yondthispreviousworkbycharacterizingeachmemoryerrorsospecicallythatacorrectioncanbeautomaticallygeneratedforit.Rinardetal.presentacompiler-basedapproachcalledbound-lessbuffersthatcachesout-of-boundwritesinahashtableforlaterreuse[ 35 ].Thisapproacheliminatesbufferoverowerrors(thoughnotdanglingpointererrors),butrequiressourcecodeandimposeshigherperformanceoverheads(1.05xto8.9x).Rxoperatesbycheckpointingprogramexecutionandlogginginputs[ 32 ].Rxrollsbackcrashedapplicationsandreplaysinputstoitinanewenvironmentthatpadsallallocationsordefersalldeallocationsbysomeamount.Ifthisnewenvironmentdoesnotyieldsuccess,Rxrollsbacktheapplicationagainandincreasesthepadvalues,uptosomethreshold.UnlikeRx,Exterminatordoesnotrequirecheckpointingorrollback,andpreciselyisolatesandcorrectsmemoryerrors.8.5MemoryManagersConservativegarbagecollectionpreventsdanglingpointerer-rors[ 9 ],butdoesnotpreventbufferoverows.Exterminator'serrorisolationandcorrectionisorthogonaltogarbagecollection.Finally,therehavebeennumerousdebuggingmemoryalloca-tors;thedocumentationforoneofthem,mpatrol,includesalistofoverninetysuchsystems[ 38 ].Notablerecentallocatorswithde-buggingfeaturesincludednmalloc[ 47 ],HeapServer[ 23 ],andver-sion2.8oftheLeaallocator[ 24 , 37 ].Exterminatoreitherpreventsorcorrectserrorsthattheseallocatorscanonlydetect.9.FutureWorkWhileExterminatorcaneffectivelylocateandcorrectmemoryerrorsontheheap,itdoesnotyetaddressstackerrors.WeareinvestigatingapproachestoapplyExterminatortothestack.Inaddition,whileExterminator'sruntimepatchescontaininfor-mationthatdescribetheerrorlocationanditsextent,itisnotinahuman-readableform.Weplantodevelopatooltoprocessruntimepatchesintobugreportswithsuggestedxes.10.ConclusionThispaperpresentsExterminator,asystemthatautomaticallycor-rectsheap-basedmemoryerrorsinCandC++programswithhighprobability.Exterminatoroperatesentirelyattheruntimelevelonunalteredbinaries,andconsistsofthreekeycomponents:(1)DieFast,aprobabilisticdebuggingallocator,(2)aprobabilisticer-rorisolationalgorithm,and(3)acorrectingmemoryallocator.Ex-terminator'sprobabilisticerrorisolationisolatesthesourceandex-tentofmemoryerrorswithprovablylowfalsepositiveandfalsenegativerates.Itscorrectingmemoryallocatorincorporatesrun-timepatchesthattheerrorisolationalgorithmgeneratestocorrectmemoryerrors.Exterminatorisnotonlysuitableforuseduringtesting,butalsocanautomaticallycorrectdeployedprograms. AcknowledgmentsTheauthorswouldliketothankSamGuyer,MikeHicks,ErikLearned-Miller,SarahOsentoski,MartinRinard,andtheanony-mousreviewersfortheirvaluablefeedback.ThismaterialisbaseduponworksupportedbyIntel,MicrosoftResearch,andtheNa-tionalScienceFoundationunderCAREERAwardCNS-0347339andCNS-0615211.Anyopinions,ndings,andconclusionsorrec-ommendationsexpressedinthismaterialarethoseoftheauthor(s)anddonotnecessarilyreecttheviewsoftheNationalScienceFoundation.References [1] T.M.Austin,S.E.Breach,andG.S.Sohi.Efcientdetectionofallpointerandarrayaccesserrors.InProceedingsoftheACMSIGPLAN1994ConferenceonProgrammingLanguageDesignandImplementation,pages290–301,NewYork,NY,USA,1994.ACMPress. [2] D.Avots,M.Dalton,V.B.Livshits,andM.S.Lam.ImprovingsoftwaresecuritywithaCpointeranalysis.InProceedingsofthe27thInternationalConferenceonSoftwareEngineering,pages332–341,NewYork,NY,USA,2005.ACMPress. [3] E.D.BergerandB.G.Zorn.DieHard:Probabilisticmemorysafetyforunsafelanguages.InProceedingsofthe2006ACMSIGPLANConferenceonProgrammingLanguageDesignandImplementation,pages158–168,NewYork,NY,USA,2006.ACMPress. [4] E.D.BergerandB.G.Zorn.Efcientprobabilisticmemorysafety.TechnicalReportUMCSTR-2007-17,DepartmentofComputerScience,UniversityofMassachusettsAmherst,Mar.2007. [5] E.D.Berger,B.G.Zorn,andK.S.McKinley.Composinghigh-performancememoryallocators.InProceedingsofthe2001ACMSIGPLANConferenceonProgrammingLanguageDesignandImplementation,Snowbird,Utah,June2001. [6] D.Bernstein.Usenetposting, comp.lang.c . http://groups.google.com/group/comp.lang.c/msg/6b82e964887d73d9 ,Dec.1990. [7] S.Bhatkar,D.C.DuVarney,andR.Sekar.Addressobfuscation:Anefcientapproachtocombatabroadrangeofmemoryerrorexploits.InProceedingsofthe12thUSENIXSecuritySymposium,pages105–120.USENIX,Aug.2003. [8] S.Bhatkar,R.Sekar,andD.C.DuVarney.Efcienttechniquesforcomprehensiveprotectionfrommemoryerrorexploits.InProceedingsofthe14thUSENIXSecuritySymposium,pages271–286.USENIX,Aug.2005. [9] H.-J.BoehmandM.Weiser.Garbagecollectioninanuncooperativeenvironment.SoftwarePracticeandExperience,18(9):807–820,1988. [10] H.CleveandA.Zeller.Locatingcausesofprogramfailures.InProceedingsofthe27thInternationalConferenceonSoftwareEngineering,pages342–351,2005. [11] B.Demsky,M.D.Ernst,P.J.Guo,S.McCamant,J.H.Perkins,andM.Rinard.Inferenceandenforcementofdatastructureconsistencyspecications.InProceedingsofthe2006InternationalSymposiumonSoftwareTestingandAnalysis,pages233–244,NewYork,NY,USA,2006.ACMPress. [12] B.DemskyandM.Rinard.Automaticdetectionandrepairoferrorsindatastructures.InProceedingsofthe18thannualACMSIGPLANConferenceonObject-orientedPrograming,Systems,Languages,andApplications,pages78–95,NewYork,NY,USA,2003.ACMPress. [13] B.DemskyandM.Rinard.Datastructurerepairusinggoal-directedreasoning.InProceedingsofthe27thInternationalConferenceonSoftwareEngineering,pages176–185,2005. [14] D.DhurjatiandV.Adve.Backwards-CompatibleArrayBoundsCheckingforCwithVeryLowOverhead.InProceedingsofthe2006InternationalConferenceonSoftwareEngineering,Shanghai,China, May2006. [15] D.DhurjatiandV.Adve.EfcientlyDetectingAllDanglingPointerUsesinProductionServers.InInternationalConferenceonDependableSystemsandNetworks(DSN'06),pages269–280,2006. [16] D.Dhurjati,S.Kowshik,andV.Adve.SAFEcode:enforcingaliasanalysisforweaklytypedlanguages.InProceedingsofthe2006ACMSIGPLANConferenceonProgrammingLanguageDesignandImplementation,pages144–157,NewYork,NY,USA,2006.ACMPress. [17] D.Dhurjati,S.Kowshik,V.Adve,andC.Lattner.Memorysafetywithoutruntimechecksorgarbagecollection.InACMSIGPLAN2003ConferenceonLanguages,Compilers,andToolsforEmbeddedSystems(LCTES'2003),SanDiego,CA,June2003.ACMPress. [18] M.D.Ernst,A.Czeisler,W.G.Griswold,andD.Notkin.Quicklydetectingrelevantprograminvariants.InProceedingsofthe22ndInternationalConferenceonSoftwareEngineering,pages449–458,NewYork,NY,USA,2000.ACMPress. [19] D.Grunwald,B.Zorn,andR.Henderson.Improvingthecachelocal-ityofmemoryallocation.InProceedingsofSIGPLAN'93ConferenceonProgrammingLanguagesDesignandImplementation,volume28(6)ofACMSIGPLANNotices,pages177–186,Albuquerque,NM,June1993.ACMPress. [20] Z.Guo,G.Jiang,H.Chen,andK.Yoshihira.Trackingprobabilisticcorrelationofmonitoringdataforfaultdetectionincomplexsystems.InProceedingsofthe2006InternationalConferenceonDependableSystemsandNetworks,pages259–268,LosAlamitos,CA,USA,2006.IEEEComputerSociety. [21] R.HastingsandB.Joyce.Purify:Fastdetectionofmemoryleaksandaccesserrors.InProc.oftheWinter1992USENIXConference,pages125–138,SanFrancisco,California,1991. [22] M.S.JohnstoneandP.R.Wilson.Thememoryfragmentationproblem:Solved?InP.DickmanandP.R.Wilson,editors,OOPSLA'97WorkshoponGarbageCollectionandMemoryManagement,Oct.1997. [23] M.Kharbutli,X.Jiang,Y.Solihin,G.Venkataramani,andM.Prvulovic.Comprehensivelyandefcientlyprotectingtheheap.InProceedingsofthe12thInternationalConferenceonArchitecturalSupportforProgrammingLanguagesandOperatingSystems,pages207–218,NewYork,NY,USA,2006.ACMPress. [24] D.Lea.Amemoryallocator.http://gee.cs.oswego.edu/dl/html/malloc.html. [25] B.Liblit,A.Aiken,A.Zheng,andM.Jordan.Bugisolationviaremoteprogramsampling.InProceedingsoftheACMSIGPLAN2003ConferenceonProgrammingLanguageDesignandImplementation,2003. [26] B.Liblit,M.Naik,A.X.Zheng,A.Aiken,andM.I.Jordan.Scalablestatisticalbugisolation.InProceedingsoftheACMSIGPLAN2005ConferenceonProgrammingLanguageDesignandImplementation,pages15–26,NewYork,NY,USA,2005.ACMPress. [27] C.Liu,X.Yan,L.Fei,J.Han,andS.P.Midkiff.SOBER:statisticalmodel-basedbuglocalization.InProceedingsofthe10thEuropeanSoftwareEngineeringConferenceheldjointlywith13thACMSIGSOFTInternationalSymposiumonFoundationsofSoftwareEngineering,pages286–295,NewYork,NY,USA,2005.ACMPress. [28] G.MisherghiandZ.Su.HDD:Hierarchicaldeltadebugging.InProceedingsofthe28thInternationalConferenceonSoftwareEngineering,pages142–151,NewYork,NY,USA,2006.ACMPress. [29] G.C.Necula,S.McPeak,andW.Weimer.CCured:type-saferetrottingoflegacycode.InProceedingsofthe29thACMSIGPLAN-SIGACTsymposiumonPrinciplesofProgrammingLanguages,pages128–139,NewYork,NY,USA,2002.ACMPress. [30] N.NethercoteandJ.Fitzhardinge.Bounds-checkingentireprogramswithoutrecompiling.InSPACE2004,Venice,Italy,Jan.2004. [31] PaXTeam.PaXaddressspacelayoutrandomization(ASLR). http://pax.grsecurity.net/docs/aslr.txt . [32] F.Qin,J.Tucek,J.Sundaresan,andY.Zhou.Rx:Treatingbugsasallergies:Asafemethodtosurvivesoftwarefailures.InProceedingsoftheTwentiethSymposiumonOperatingSystemsPrinciples,volumeXXofOperatingSystemsReview,Brighton,UK,Oct.2005.ACM. [33] M.K.Qureshi,O.Mutlu,andY.N.Patt.Microarchitecture-basedintrospection:atechniquefortransient-faulttoleranceinmicropro-cessors.InProceedingsofthe2005InternationalConferenceonDependableSystemsandNetworks(DSN2005),pages434–443,2005. [34] G.A.Reis,J.Chang,N.Vachharajani,R.Rangan,andD.I.August.SWIFT:SoftwareImplementedFaultTolerance.InProceedingsoftheInternationalSymposiumonCodeGenerationandOptimization,pages243–254,Washington,DC,USA,2005.IEEEComputerSociety. [35] M.Rinard,C.Cadar,D.Dumitran,D.M.Roy,andT.Leu.Adynamictechniqueforeliminatingbufferoverowvulnerabilities(andothermemoryerrors).InProceedingsofthe2004AnnualComputerSecurityApplicationsConference,Dec.2004. [36] M.Rinard,C.Cadar,D.Dumitran,D.M.Roy,T.Leu,andJ.WilliamS.Beebee.Enhancingserveravailabilityandsecuritythroughfailure-obliviouscomputing.InSixthSymposiumonOperatingSystemsDesignandImplementation,SanFrancisco,CA,Dec.2004.USENIX. [37] W.Robertson,C.Kruegel,D.Mutz,andF.Valeur.Run-timedetectionofheap-basedoverows.InProceedingsofthe17thLargeInstallationSystemsAdministrationConference,pages51–60.USENIX,2003. [38] G.S.Roy.mpatrol:Relatedsoftware. http://www.cbmamiga.demon.co.uk/mpatrol/mpatrol 83.html ,Nov.2006. [39] C.RuncimanandN.Rojemo.Lag,dragandpostmortemheapproling.InImplementationofFunctionalLanguagesWorkshop,Bastad,Sweden,Sept.1995. [40] J.SewardandN.Nethercote.UsingValgrindtodetectundenedvalueerrorswithbit-precision.InProceedingsoftheUSENIX'05AnnualTechnicalConference,Anaheim,California,USA,Apr.2005. [41] S.Sidiroglou,M.E.Locasto,S.W.Boyd,andA.D.Keromytis.Buildingareactiveimmunesystemforsoftwareservices.InUSENIXAnnualTechnicalConference,pages149–161.USENIX,2005. [42] S.Sidiroglou,M.E.Locasto,S.W.Boyd,andA.D.Keromytis.FromSTEMtoSEAD:Speculativeexecutionforautomateddefense.InUSENIXAnnualTechnicalConference.USENIX,2007. [43] StandardPerformanceEvaluationCorporation.SPEC2000.http://www.spec.org. [44] Symantec.Internetsecuritythreatreport. http://www.symantec.com/enterprise/threatreport/index.jsp ,Sept.2006. [45] W.Xu,D.C.DuVarney,andR.Sekar.Anefcientandbackwards-compatibletransformationtoensurememorysafetyofCprograms.InProceedingsofthe12thACMSIGSOFTTwelfthInternationalSymposiumonFoundationsofSoftwareEngineering,pages117–126,NewYork,NY,USA,2004.ACMPress. [46] S.H.YongandS.Horwitz.ProtectingCprogramsfromattacksviainvalidpointerdereferences.In11thACMSIGSOFTInternationalSymposiumonFoundationsofSoftwareEngineering,pages307–316,NewYork,NY,USA,2003.ACMPress. [47] Y.Younan,W.Joosen,F.Piessens,andH.V.denEynden.SecurityofmemoryallocatorsforCandC++.TechnicalReportCW419,DepartmentofComputerScience,KatholiekeUniversiteitLeuven,Belgium,July2005. [48] A.Zeller.Yesterday,myprogramworked.Today,itdoesnot.Why?InProceedingsofthe7thEuropeanSoftwareEngineeringConferenceheldjointlywiththe7thACMSIGSOFTInternationalSymposiumonFoundationsofSoftwareEngineering,pages253–267,London,UK,1999.Springer-Verlag.