OSDI '04 Abstract
Pp. 303–316 of the Proceedings
Enhancing Server Availability and Security Through Failure-Oblivious Computing
Martin Rinard, Cristian Cadar, Daniel Dumitran, Daniel M. Roy, Tudor Leu, and William S. Beebee, Jr., Massachusetts Institute of Technology
Abstract
We present a new technique, failure-oblivious computing, that enables servers to execute through memory errors without memory corruption. Our safe compiler for C inserts checks that dynamically detect invalid memory accesses. Instead of terminating or throwing an exception, the generated code simply discards invalid writes and manufactures values to return for invalid reads, enabling the server to continue its normal execution path. We have applied failure-oblivious computing to a set of widely used servers from the Linux-based open-source computing environment. Our results show that our techniques 1) make these servers invulnerable to known security attacks that exploit memory errors, and 2) enable the servers to continue to operate successfully to service legitimate requests and satisfy the needs of their users even after attacks trigger their memory errors.

We observed several reasons for this successful continued execution. When the memory errors occur in irrelevant computations, failure-oblivious computing enables the server to execute through the memory errors to continue on to execute the relevant computation. Even when the memory errors occur in relevant computations, failure-oblivious computing converts requests that trigger unanticipated and dangerous execution paths into anticipated invalid inputs, which the error-handling logic in the server rejects. Because servers tend to have small error propagation distances (localized errors in the computation for one request tend to have little or no effect on the computations for subsequent requests), redirecting reads that would otherwise cause addressing errors and discarding writes that would otherwise corrupt critical data structures (such as the call stack) localizes the effect of the memory errors, prevents addressing exceptions from terminating the computation, and enables the server to continue on to successfully process subsequent requests. The overall result is a substantial extension of the range of requests that the server can successfully process.
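The check-and-continue behaviour the abstract describes, as an added C illustration that is not the paper's compiler or its code: the accessors stand in for the checks the compiler would insert around each access, an out-of-bounds write is discarded, and an out-of-bounds read returns a manufactured value. The request layout, the unchecked copy loop, and the small cycling sequence of manufactured values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed request object: a fixed buffer followed by a critical field
 * that a raw overflow of buf would overwrite. */
#define BUF_LEN 8
struct request {
    char buf[BUF_LEN];   /* copy of the client-supplied name */
    int  is_admin;       /* must not be reachable from buf */
};

/* Counters a deployment could export to its logs (assumption). */
unsigned long discarded_writes = 0;
unsigned long manufactured_reads = 0;

/* Stand-in for the check emitted around a store: out-of-range writes are
 * dropped and execution simply continues. */
static void fo_store(char *base, size_t len, size_t i, char c) {
    if (i < len) { base[i] = c; return; }
    discarded_writes++;
}

/* Stand-in for the check emitted around a load: out-of-range reads get a
 * manufactured value. The cycling 0,1,2 sequence is an assumption; it
 * contains a zero so loops scanning for a terminator still stop. */
static char fo_load(const char *base, size_t len, size_t i) {
    static const char seq[] = {0, 1, 2};
    if (i < len) return base[i];
    return seq[manufactured_reads++ % 3];
}

/* Handler containing the bug under study: an unchecked copy of name into
 * buf. With the checks above, the overflow cannot reach is_admin and the
 * handler finishes on its normal path. */
int handle_login(struct request *r, const char *name) {
    for (size_t i = 0;; i++) {
        fo_store(r->buf, BUF_LEN, i, name[i]);
        if (name[i] == '\0') break;
    }
    return r->is_admin ? 1 : 0;
}

/* Later logic that scans buf for its terminator; after an overflow buf has
 * no NUL, and the manufactured 0 at index BUF_LEN ends the scan. */
size_t fo_strlen(const struct request *r) {
    size_t n = 0;
    while (fo_load(r->buf, BUF_LEN, n) != '\0') n++;
    return n;
}
```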
The Proceedings are published as a collective work, © 2004 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer.