Detecting memory corruption bugs with HWASan

Posted by Evgenii Stepanov, Software Engineer, Dynamic Tools

Native code in memory-unsafe languages like C and C++ is often vulnerable to memory corruption bugs. Our data show that issues like use-after-free, double-free, and buffer overflows generally make up more than 65% of the High and Critical security bugs in Chrome and Android.

In previous years, our memory bug detection efforts were focused on Address Sanitizer (ASan). ASan catches these errors but causes your app to use 2x-3x extra memory and to run slower.

To better tackle these issues, we have developed Hardware-Assisted Address Sanitizer (HWASan). HWASan typically requires only 15% more memory. It is also much faster than ASan. HWASan's performance makes it usable not only for unit testing, but also for interactive human-driven testing. We use it to find memory issues in the Android operating system itself, and now we have made it easy for app developers to use as well. HWASan is fast enough that some Android developers use it on their development devices for everyday tasks.

Under the hood

HWASan is based on memory tagging and depends on the Top Byte Ignore (TBI) feature present in all 64-bit ARM processors and the associated kernel support. Every memory allocation is assigned a random 8-bit tag, which is stored in the most significant byte (MSB) of the address but ignored by the CPU. As a result, this tagged pointer can be used in place of a regular pointer without any code changes.

Under the hood, HWASan uses shadow memory, a sparse map that assigns a tag value to each 16-byte block of program memory. Compile-time instrumentation inserts checks that compare the pointer tag and the memory tag on every memory access and raise an error if they do not match.

This approach lets us detect both use-after-free and buffer-overflow bugs. The memory tag in the shadow is replaced with a random value on allocation and again on deallocation. As a result, an attempt to access deallocated memory through a dangling pointer will almost certainly fail due to a tag mismatch. The same is true for an attempt to access memory outside the allocated region, which will most likely carry a different tag. Stack and global variables are protected in the same way.

Use-after-free bug detection with memory tagging.

This approach is not deterministic: because of the limited number of possible tags, an invalid memory access has a 1 in 256 chance (approximately 0.4%) of passing undetected. We have not observed this to be a problem in practice, and, because the tags are random, running the program a second time is very likely to find any bugs the first run missed.

One advantage of HWASan over ASan is its ability to find bugs that occur far from their point of origin, for example a use-after-free where the memory is accessed long after it was deallocated, or a buffer overflow with a large offset. This is not the case with ASan, which uses red zones around memory allocations and a quarantine for the temporary storage of recently deallocated memory blocks. Both red zones and the quarantine are limited in size, and detection is unlikely beyond them. HWASan uses a different approach that does not have these limitations.
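The tagging scheme described in this section, as an added C model written for this page (not HWASan's own code): the address space is a 4 KiB array, each 16-byte granule has a shadow tag, the tag sits in the top byte of a 64-bit tagged address, and a deterministic generator stands in for HWASan's random tags. hw_check plays the role of the compile-time instrumentation and hw_store8 models the CPU ignoring the top byte; all names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
/* Toy model of HWASan memory tagging (added illustration, not HWASan's code): the
 * "address space" is a 4 KiB array, a tagged address carries an 8-bit tag in its top
 * byte (as with ARM Top Byte Ignore), and shadow memory holds one tag per 16-byte granule. */
#define GRANULE   16
#define HEAP_SIZE 4096
#define TAG_SHIFT 56
#define ADDR_MASK ((1ULL << TAG_SHIFT) - 1)
static uint8_t heap[HEAP_SIZE];
static uint8_t shadow[HEAP_SIZE / GRANULE];    /* tag of each granule */
static size_t  alloc_len[HEAP_SIZE / GRANULE]; /* size of the allocation starting at granule */
static size_t  bump;                           /* bump allocator: next free offset */
static uint8_t tag_state = 0xdb;
/* Stand-in for HWASan's random tags: a full-period LCG mod 256, so successive tags never
 * repeat. Real tags are random, which is where the 1-in-256 miss rate comes from. */
static uint8_t fresh_tag(void) { tag_state = (uint8_t)(tag_state * 5 + 97); return tag_state; }
static void retag(size_t off, size_t len, uint8_t tag) {
    for (size_t g = off / GRANULE; g < (off + len + GRANULE - 1) / GRANULE; g++) shadow[g] = tag;
}
/* Allocate len bytes rounded up to whole granules; return a tagged address (0 on failure). */
uint64_t hw_malloc(size_t len) {
    size_t rounded = (len + GRANULE - 1) / GRANULE * GRANULE, off = bump;
    if (rounded == 0 || off + rounded > HEAP_SIZE) return 0;
    bump += rounded;
    alloc_len[off / GRANULE] = rounded;
    retag(off, rounded, fresh_tag());
    return (uint64_t)off | ((uint64_t)shadow[off / GRANULE] << TAG_SHIFT);
}
/* Free: give the region a new tag so a dangling pointer no longer matches. */
void hw_free(uint64_t p) {
    size_t off = (size_t)(p & ADDR_MASK);
    if (off < HEAP_SIZE) retag(off, alloc_len[off / GRANULE], fresh_tag());
}
/* Instrumentation check before every load/store: pointer tag must match each touched granule. */
int hw_check(uint64_t p, size_t size) {
    uint8_t ptag = (uint8_t)(p >> TAG_SHIFT);
    size_t off = (size_t)(p & ADDR_MASK);
    if (size == 0 || off + size > HEAP_SIZE) return 0;
    for (size_t g = off / GRANULE; g < (off + size + GRANULE - 1) / GRANULE; g++)
        if (shadow[g] != ptag) return 0;
    return 1;
}
/* Checked 1-byte store: refuse on mismatch (HWASan would abort with a report); otherwise
 * the CPU ignores the top byte, modelled here by masking it off before indexing. */
int hw_store8(uint64_t p, uint8_t v) {
    if (!hw_check(p, 1)) return 0;
    heap[p & ADDR_MASK] = v;
    return 1;
}
```

Because the verdict depends only on the tags, an overflow far past the region or a use of memory freed long ago fails the check just as a one-byte overrun does, which is the property contrasted with ASan's red zones and quarantine above.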

Usage

When a bug is discovered, the process is terminated and a crash dump is printed to logcat. The "Abort message" field contains the HWASan report, which shows the access type (read or write), the access address, the thread ID and the stack trace of the bad memory access. This is followed by a stack trace for the original allocation and, for use-after-free bugs, a stack trace showing where the deallocation took place. Advanced users can find extra debugging information below that, including a map of memory tags for nearby locations.

signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
Abort message: '==21586==ERROR: HWAddressSanitizer: tag-mismatch on address 0x0042a0807af0 at pc 0x007b23b8786c
WRITE of size 1 at 0x0042a0807af0 tags: db/19 (ptr/mem) in thread T0
    #0 0x7b23b87868 (/data/app/com.example.myapp/lib/arm64/native.so+0x2868)
    #1 0x7b8f1e4ccc (/apex/com.android.art/lib64/libart.so+0x198ccc)
    [...]

0x0042a0807af0 is located 0 bytes to the right of 16-byte region [0x0042a0807ae0,0x0042a0807af0)
allocated here:
    #0 0x7b92a322bc (/path/to/libclang_rt.hwasan-aarch64-android.so+0x212bc)
    #1 0x7b23b87840 (/data/app/com.example.myapp/lib/arm64/native.so+0x2840)
    [...]

An example snippet from a HWASan crash report.

Google uses HWASan extensively in Android development, and now you can too. Find out more, including the details on how to rebuild your app for use with HWASan, at https://developer.android.com/ndk/guides/hwasan. Prebuilt HWASan system images are available on the AOSP build server (or you can build your own). They can be easily flashed onto a supported device using the recently announced web flash tool.