Similar literature
 20 similar documents found (search time: 31 ms)
1.
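When objects that are no longer used are not released in time during program execution, memory leaks occur; leaked objects accumulate over time, degrading system performance and even causing the system to crash. To address memory leaks in Java programs, a method for detecting and measuring leaked objects is proposed. The method dynamically traces the execution of the source program, periodically records heap and stack information, and analyzes suspicious leaked objects in the heap. A memory leak degree calculation is defined to measure how much different objects contribute to the program's leakage, thereby identifying the objects that cause the leak. Finally, two open-source programs are selected for validation and the method is compared with two existing methods; the results show that the method achieves a relatively high leak detection rate.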

2.
Several useful compiler and program transformation techniques for the superthreaded architectures are presented in this paper. The superthreaded architecture adopts a thread pipelining execution model to facilitate runtime data dependence checking between threads, and to maximize thread overlap to enhance concurrency. In this paper, we present some important program transformation techniques to facilitate concurrent execution among threads, and to manage critical system resources such as the memory buffers effectively. We evaluate the effectiveness of those program transformation techniques by applying them manually on several benchmark programs, and using a trace-driven, cycle-by-cycle superthreaded processor simulator. The simulation results show that a superthreaded processor can achieve promising speedup for most of the benchmark programs.

3.
Program transformation techniques have been extensively studied in the framework of functional and logic languages, where they were applied mainly to obtain more efficient and readable programs. All these works are based on the Unfold/Fold program transformation method developed by Burstall and Darlington in the context of their recursive equational language. The use of Unfold/Fold based transformations for concurrent languages is a relevant issue that has not yet received adequate attention. In this paper we define a transformation methodology for CCS. We give a set of general rules which are a specialization of classical program transformation rules, such as Fold and Unfold. Moreover, we define the general form of other rules, “oriented” to the goal of a transformation strategy, and we give conditions for the correctness of these rules. We prove that a strategy using the general rules and a set of goal oriented rules is sound, i.e. it transforms CCS programs into equivalent ones. We show an example of application of our method. We define a strategy to transform, if possible, a full CCS program into an equivalent program whose semantics is a finite transition system. We show that, by means of our methodology, we are able to find finite representations for a class of CCS programs which is larger than the ones handled by the other existing methods. Our transformational approach can be seen as unifying in a common framework a set of different techniques of program analysis. A further advantage of our approach is that it is based only on syntactic transformations, thus it does not require any semantic information. Received: 24 April 1997 / 19 November 1997

4.
We address security in object-oriented database systems for multilevel secure environments. Such an environment consists of users cleared to various security levels, accessing information labeled with varying classifications. Our purpose is three-fold. First, we show how security can be naturally incorporated into the object model of computing so as to form a foundation for building multilevel secure object-oriented database management systems. Next, we show how such an abstract security model can be realized under a cost-effective, viable, and popular security architecture. Finally, we give security arguments based on trusted subjects and a formal proof to demonstrate the confidentiality of our architecture and approach. A notable feature of our solution is the support for secure synchronous write-up operations. This is useful when low level users want to send information to higher level users. In the object-oriented context, this is naturally modeled and efficiently accomplished through write-up messages sent by low level subjects. However, such write-up messages can pose confidentiality leaks (through timing and signaling channels) if the timing of the receipt and processing of the messages is observable to lower level senders. Such covert channels are a formidable obstacle in building high-assurance secure systems. Further, solutions to problems such as these have been known to involve various tradeoffs between confidentiality, integrity, and performance. We present a concurrent computation model that closes such channels while preserving the conflicting goals of confidentiality, integrity, and performance. Finally, we give a confidentiality proof for a trusted subject architecture and implementation and demonstrate that the trusted subject (process) cannot leak information in violation of multilevel security.

5.
In modular programs, groups of routines constitute conceptual abstractions. A method for providing execution profiles for such programs is presented. The central idea is that the execution time for a routine is charged to the routines that call it. The implementation of this method by a profiler called gprof is described. The techniques used to gather the necessary information about the timing and structure of the program are given, as is the processing used to propagate routine execution times along arcs of the call graph of the program. The method for displaying the profile to the user is discussed. Experience using the profiles for hand-tuning large programs is summarized. Additional uses for the profiles are suggested.

6.
Program specialization is a program transformation methodology which improves program efficiency by exploiting the information about the input data which are available at compile time. We show that current techniques for program specialization based on partial evaluation do not perform well on nondeterministic logic programs. We then consider a set of transformation rules which extend the ones used for partial evaluation, and we propose a strategy for guiding the application of these extended rules so as to derive very efficient specialized programs. The efficiency improvements, which sometimes are exponential, are due to the reduction of nondeterminism and to the fact that the computations which are performed by the initial programs in different branches of the computation trees are performed by the specialized programs within single branches. In order to reduce nondeterminism we also make use of mode information for guiding the unfolding process. To exemplify our technique, we show that we can automatically derive very efficient matching programs and parsers for regular languages. The derivations we have performed could not have been done by previously known partial evaluation techniques. A preliminary version of this paper appears as: Reducing Nondeterminism while Specializing Logic Programs. Proceedings of the 24th Annual ACM Symposium on Principles of Programming Languages, Paris, France, January 15–17, 1997, ACM Press, 1997, pp. 414–427.

7.
We give a correctness proof of the sliding-window protocol. Both safety and liveness properties are addressed. We show how faulty channels can be represented as nondeterministic programs. The correctness proof is given as a sequence of correctness-preserving transformations of a sequential program that satisfies the original specification, with the exception that it does not have any faulty channels. We work as long as possible with a sequential program, although the transformation steps are guided by the aim of going to a distributed program. The final transformation steps consist in distributing the actions of the sequential program over a number of processes.

8.
A chop for a source statement s and a target statement t reveals the program parts involved in conveying effects from s to t. While precise chopping algorithms for sequential programs are known, no chopping algorithm for concurrent programs has been reported at all. This work introduces six chopping algorithms for concurrent programs, which offer different degrees of precision, ranging from imprecise over context-sensitive to time-sensitive. Our evaluation on concurrent Java programs shows that context-sensitive and time-sensitive chopping reduces chop sizes significantly. We further present an extensive evaluation of chopping algorithms for sequential programs and describe a new, easy-to-implement chopping technique for sequential programs that computes fast and almost context-sensitive chops.

9.
10.
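Building on information security theory and software reverse-engineering techniques, this work studies techniques for extracting composite behavior models of operating system security mechanisms, together with their implementation methods and technical roadmap. By combining multi-scale software reverse-understanding techniques for operating systems, the programs related to operating system security mechanisms are reverse-analyzed, their models are extracted, and they are formally described, so as to discover potential vulnerabilities, backdoors, covert channels and other security problems in the high-level security mechanisms of the operating system, providing a solid basis for implementing corresponding security measures such as patching, countermeasures and exploitation. A prototype system was implemented on the basis of this technique, and experiments verify that the system's program understanding and model extraction results meet the requirements.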

11.
This paper describes a method to predict guaranteed and tight deterministic execution time bounds of a sequential program. The basic prediction technique is a static analysis based on simple timing schema for source-level language constructs, which gives accurate predictions in many cases. Using powerful user-provided information, dynamic path analysis refines looser predictions by eliminating infeasible paths and decomposing the possible execution behaviors in a pathwise manner. Overall prediction cost is scalable with respect to desired precision, controlling the amount of information provided. We introduce a formal path model for dynamic path analysis, where user execution information is represented by a set of program paths. With a well-defined practical high-level interface language, user information can be used in an easy and efficient way. We also introduce a method to verify given user information with known program verification techniques. Initial experiments with a timing tool show that safe and tight predictions are possible for a wide range of programs. The tool can also provide predictions for interesting subsets of program executions. This research was supported in part by the Office of Naval Research under grant number N00014-89-J-1040.

12.
The security of software systems can be threatened by many internal and external threats, including data leakages due to timing channels. Even if developers manage to avoid security threats in the source code or bytecode during development and testing, new threats can arise as the compiler generates machine codes from representations at the binary code level during execution on the processor or due to operating system specifics. Current approaches either do not allow the neutralization of timing channels to be achieved comprehensively with a sufficient degree of security or require an unjustifiable amount of time and/or resources. Herein, a method is demonstrated for the protected execution of software based on a secure virtual execution environment (VEE) that combines the results from dynamic and static analyses to find timing channels through the application of code transformations. This solution complements other available techniques to prevent timing channels from being exploited. This approach helps control the appearance and neutralization of timing channels via just-in-time code modifications during all stages of program development and usage. This work demonstrates the identification of threats using timing channels as an example. The approach presented herein can be expanded to the neutralization of other types of threats.

13.
This paper provides an overview and an evaluation of the Cetus source-to-source compiler infrastructure. The original goal of the Cetus project was to create an easy-to-use compiler for research in automatic parallelization of C programs. In the meantime, Cetus has been used for many additional program transformation tasks. It serves as a compiler infrastructure for many projects in the US and internationally. Recently, Cetus has been supported by the National Science Foundation to build a community resource. The compiler has gone through several iterations of benchmark studies and implementations of those techniques that could improve the parallel performance of these programs. These efforts have resulted in a system that favorably compares with state-of-the-art parallelizers, such as Intel’s ICC. A key limitation of advanced optimizing compilers is their lack of runtime information, such as the program input data. We will discuss and evaluate several techniques that support dynamic optimization decisions. Finally, as there is an extensive body of proposed compiler analyses and transformations for parallelization, the question of the importance of the techniques arises. This paper evaluates the impact of the individual Cetus techniques on overall program performance.

14.
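Research on static analysis of memory leak faults   Total citations: 1, self-citations: 0, citations by others: 1
Researchers currently rely mainly on static testing techniques to detect memory leak faults. The basic idea is to design a specific algorithm, based on the control flow graph of the program under test, to detect memory leaks. The main shortcoming of these methods is that the control flow graph representation carries no further usable information, so the algorithms designed cannot perform the fault detection task well. To address this, a control flow graph for memory leak fault detection is defined, an algorithm for generating reachable paths in the control flow graph is proposed, and memory leak faults are then detected and analyzed along the generated paths. Experiments confirm that the method achieves the desired results.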

15.
This paper addresses the problem of visualizing program dependencies (i.e. entities and their relations). A code visualization tool that maintains a repository of structural and functional dependencies for C programs is described. Visualization of such dependencies is accomplished by using a presentation model which combines data and control flow information. Moreover, transformation mechanisms and partitioning techniques used by the tool provide the means for managing large graphical representations. The quantitative results from an experimental study using this tool indicate that the productivity of its users was increased and that the quality of changes made during a program modification exercise was improved. Furthermore, the qualitative results have shown that its presentation model, transformation mechanisms and partitioning techniques constitute a promising platform for the comprehension and maintenance of C programs. Finally, the outcome of an empirical evaluation of the tool and the enhancement of its functionality and user interface are also discussed in this paper.

16.
With the increasing performance demand in real-time systems it becomes more and more important to provide feedback to programmers and software development tools on the performance-relevant code parts of a real-time program. So far, this information was limited to an estimation of the worst-case execution time (WCET) and its associated worst-case execution path (WCEP) only. However, both, the WCET and the WCEP, only provide partial information. Only code parts that are on one of the WCEPs are indicated to the programmer. No information is provided for all other code parts. To give a comprehensive view covering the entire code base, tools in the spirit of program profiling are required. This work proposes an efficient approach to compute worst-case timing information for all code parts of a program using a complementary metric, called criticality. Every statement of a program is assigned a criticality value, expressing how critical the code is with respect to the global WCET. This gives valuable information how close the worst execution path passing through a specific program part is to the global WCEP. We formally define the criticality metric and investigate some of its properties with respect to dominance in control-flow graphs. Exploiting some of those properties, we propose an algorithm that reduces the overhead of computing the metric to cover complete programs. We also investigate ways to efficiently find only those code parts whose criticality is above a given threshold. Experiments using well-established real-time benchmark programs show an interesting distribution of the criticality values, revealing considerable amounts of highly critical as well as uncritical code. The metric thus provides ideal information to programmers and software development tools to optimize the worst-case execution time of these programs.

17.
Richardson S., Ganapathi M. Computer, 1989, 22(2): 42-50
Procedure calls can be a major obstacle to the analysis of computer programs, preventing significant improvements in program speed. A broad range of techniques, each of which is in some sense interprocedural by nature, is considered to overcome this obstacle. Some techniques rely on interprocedural dataflow in their analysis. Others require interprocedural information in the form of detailed profile data or information concerning the scope of a given procedure in relation to other procedures. These include procedure integration, interprocedural register allocation, pointer and alias tracking, and dependency analysis.

18.
Virtualization technology has become very popular because of better hardware utilization and easy maintenance. However, there are chances for information leakage and possibilities of several covert channels for information flow between the virtual machines. Our work focuses on the experimental study of security threats in virtualization, especially due to covert channels and other forms of information leakage. The existence of data leakage during migration, shutdown and destruction of virtual machines is tested on different hypervisors. For empirically showing the possibility of covert channels between virtual machines, three new network based covert channels are hypothesized and demonstrated through implementation, on different hypervisors. One of the covert channels hypothesized is a TCP/IP steganography based covert channel. Other covert channels are a timing covert channel and a new network covert channel having two pairs of socket programs. We propose a VMM (Virtual Machine Monitor) based network covert channel avoidance mechanism, tackling detection resistant covert channel problems. We also address the issue of reducing the possibilities of network based covert channels using VMM-level firewalls. In order to emphasize the importance of addressing the issue of information leakage through virtual machines, we illustrate the simplicity of launching network covert channel based attacks, by demonstrating an attack on a virtual machine using covert channels through implementation.

19.
20.
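A covert channel is a channel in which malicious communicating parties encode and transmit information by modifying attributes of a shared resource, such as its value, characteristics or state. The choice of shared resource is determined by the type of covert channel and the specific communication scenario. Early on, storage covert channels and timing covert channels existed mainly in information systems such as traditional operating systems, networks and databases. In recent years, the research focus has gradually expanded to three new types of covert channel: hybrid covert channels, behavioral covert channels and air-gap covert channels. This paper systematically reviews, analyzes and summarizes covert channel research in China and abroad in recent years. First, it presents the relevant definitions, development history, key elements and analysis work on covert channels. Then, based on the type of shared resource and the channel characteristics, it proposes a new covert channel taxonomy. For the first time, it systematically analyzes and summarizes recent new covert channel attack techniques from seven aspects: sender, receiver, shared resource, encoding mechanism, synchronization mechanism, evaluation metrics and restriction methods, with the aim of providing a useful reference for subsequent research on covert channel analysis and restriction. It then discusses threat restriction techniques oriented to covert channel types, offering research ideas for designing restriction strategies that target a class of covert channels. Finally, it summarizes the open problems and challenges in covert channels.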
