Emery Blogger

I was just at POPL and got a very nice compliment on a talk I gave on Grace from someone who watched it on-line (!). That talk was the first in my on-going efforts to eliminate all text from my slides. My latest talk has no text whatsoever, except for the titles (not here, though – haven’t given it at MSR!). Anyway, thanks to Microsoft, you can watch the evolution (talks ordered from most recent to oldest).

Sheriff: Detecting and Eliminating False Sharing

Grace: Safe Multithreaded Programming for C/C++ (paper)

Exploiting Multiple Cores Today: Scalability and Reliability For Off-the-shelf Software (Flux, DieHard)

Garbage Collection without Paging (paper)

I am shepherding a paper for ASPLOS, and the authors kindly sent me a PDF highlighting all changes between the previous version and the next. They used latexdiff. I just used it to see some updates made by a student to a paper, and it is fantastic.

Here’s a sample of what the results look like:

(and no, this is not my paper or the ASPLOS paper).

If you are using a Mac, you can easily install it with MacPorts (just sudo port install latexdiff).

Generally, you will want to invoke latexdiff as follows (assuming you are in the directory with the latest version):

latexdiff --flatten /path/to/old/version/main.tex main.tex > diffs.tex

(the –flatten argument makes latexdiff recursively operate on any included .tex files.)

One trick: if, like me, you break your LaTeX documents into separate files, you need to put the preamble into your main document (it’s also automatically generated by latexdiff, but only for a main document). Reproduced here for your cut-n-paste convenience.


%DIF PREAMBLE EXTENSION ADDED BY LATEXDIFF
%DIF UNDERLINE PREAMBLE
\RequirePackage[normalem]{ulem}
\RequirePackage{color}\definecolor{RED}{rgb}{1,0,0}\definecolor{BLUE}{rgb}{0,0,1}
\providecommand{\DIFadd}[1]{{\protect\color{blue}\uwave{#1}}}
\providecommand{\DIFdel}[1]{{\protect\color{red}\sout{#1}}}
%DIF SAFE PREAMBLE
\providecommand{\DIFaddbegin}{}
\providecommand{\DIFaddend}{}
\providecommand{\DIFdelbegin}{}
\providecommand{\DIFdelend}{}
%DIF FLOATSAFE PREAMBLE
\providecommand{\DIFaddFL}[1]{\DIFadd{#1}}
\providecommand{\DIFdelFL}[1]{\DIFdel{#1}}
\providecommand{\DIFaddbeginFL}{}
\providecommand{\DIFaddendFL}{}
\providecommand{\DIFdelbeginFL}{}
\providecommand{\DIFdelendFL}{}
%DIF END PREAMBLE EXTENSION ADDED BY LATEXDIFF


Photos of the actual signs deployed in the rally, courtesy of Kevin Fu and Dan Wallach!

Sadly, I am not going to attend the Rally to Restore Sanity and/or Fear in DC tomorrow. I have seen some pretty good sign ideas: here are some CS-themed ones I came up with. Keep your eyes peeled: you might see one of my colleagues holding one of these up.

• P and NP: Equality Now!
• Hello World Peace!\n
• Repeal Moore’s Law!
• (or) Renew Moore’s Law!
• End Race Conditions!
• Free malloc!

I'm a Mac (though I prefer John Hodgman)

I used to be a PC guy, but have completely gone Mac (MacBook Air, Mac Mini, iPhone, iPad, Jobs Distortion Field Glasses, etc.). But Mac went Emery before Emery went Mac! Proof below:

From http://www.opensource.apple.com/source/Libc/Libc-594.9.1/gen/magazine_malloc.c:

/*
Multithread enhancements for “tiny” allocations introduced February 2008.
These are in the spirit of “Hoard”. See:
Berger, E.D.; McKinley, K.S.; Blumofe, R.D.; Wilson, P.R. (2000).
“Hoard: a scalable memory allocator for multithreaded applications”.
ACM SIGPLAN Notices 35 (11): 117-128. Berger2000.

Retrieved on 2008-02-22.
*/

My student Charlie Curtsinger pointed out a better alternative to Cinch: BetterTouchTool. The name is not as nice, but unlike Cinch, BetterTouchTool lets you snap windows to corners. By default, these occupy 1/4th of the screen, but the proportions are adjustable. I have only been using it for ten minutes, but it works great – and Charlie says he has been using it for a while without any issues.

Since making the move to Mac, I have discovered and installed some programs that I’ve found quite useful. Here’s one I use every day.

Cinch is a window manager that emulates a feature from Windows 7, which has some nice UI innovations (!). With Cinch installed, you can drag a window to the top of the screen, and it zooms it to fill the screen. The nicest part (which I don’t think Windows does) is that if you drag a window to one side of the screen, it fills exactly that half. Tremendously useful on laptops. Seven bucks, totally worth it.

The Times of London has just released its latest ranking of the top Universities in the World. The list is behind a paywall, but here are some fun data points.

* Harvard is #1, CalTech (?!) is #2
* The University of Massachusetts is ranked #56.
* The University of  Cincinnati is ranked #190.

Why mention the University of Cincinnati? Just to point out that my alma mater, the University of Texas at Austin, is not even on the list. making it clearly worse than the University of Cincinnati. Though I think the Times just forgot to put UT-Austin on their giant dartboard.

Not to single out the Times. For years, UT-Austin was ranked #5 in Databases on the US News rankings, with exactly one faculty member doing database research. US News also currently has a separate ranking category for “Programming Language” (sic). Cornell is high on that list, but the two big guns in PL (Pingali & Morrisett) decamped years ago, and another failed to get tenure, so there’s only one PL faculty member left standing.

It now occurs to me that UWashington is also high on the list, and also had exactly one faculty member in PL…the trick, apparently, is to be the last guy standing.

But Mike Ernst has now joined UW, so obviously it will fall out of the rankings, and I’ve got my eyes on that spot.

Hey, Eliot and Yannis, sorry guys, but it’s either you or the rankings — I’m sure your families will understand…

My student Gene and I have just submitted a paper on the Most. Secure. Heap. Ever. We plan to release the code soon, initially for Linux platforms. It’s a variant of the DieHard allocator, but with a number of key improvements that make it far more secure – better than all allocators we know of (something the analytical framework in this paper lets us actually evaluate). Missing are some new benchmark results showing that DieHarder performs about as well as or better than the OpenBSD allocator for a number of insanely allocation-intensive programs. Feedback welcome.

DieHarder: Securing the Heap
Gene Novark and Emery D. Berger

Heap-based attacks depend on a combination of memory management errors and an exploitable memory allocator. We analyze a range of widely-deployed memory allocators, including those used in Windows, Linux, FreeBSD, and OpenBSD. We show that despite numerous efforts to improve their security, they remain vulnerable to attack. We present the design and security analysis of DieHarder, a memory allocator that provides the highest degree of security from heap-based attacks of any practical allocator.

UMass CS Tech Report 2010-033

This is a draft version of an article to appear in our departmental newsletter, Significant Bits (with links added).

Nearly all software ships with known bugs, and others are just lurking in the code waiting to be discovered. Some bugs are benign; for example, a page might not display correctly in a browser. But more serious bugs cause programs to crash unexpectedly or leave them vulnerable to attack by hackers. These bugs are difficult for programmers to find and fix. Even when the bugs are critical and security-sensitive, it takes an average of one month between initial bug reports and the delivery of a patch.

Rather than waiting for programmers to fix their bugs, or for hackers to find and exploit them, Professor Emery Berger’s group is designing systems to make software bug-proof. These systems allow buggy programs to run correctly, make them resistant to attack, and even automatically find and fix certain bugs. This work, developed jointly with Ben Zorn at Microsoft Research, was an important influence on the design of the Fault-Tolerant Heap that today makes Windows 7 more resistant to errors.

Defending Against Bugs

Berger and Zorn first developed an error-resistant system called DieHard, inspired by the film featuring Bruce Willis as an unstoppable cop.

DieHard attacks the widespread problem of memory errors. Programs written in the C and C++ programming languages – the vast majority of desktop, mobile, and server applications – are susceptible to memory errors. These bugs can lead to crashes, erroneous execution, and security vulnerabilities, and are notoriously costly to repair.

Berger uses a real-estate analogy to explain the problem of memory errors. Almost everything done on a computer uses some amount of memory—each graphic on an open Web page, for example—and when a program is running, it is constantly “renting houses” (chunks of memory) to hold each item, and putting them back on the market when they are no longer needed. Each “house” has only enough square footage for a certain number of bytes.

Programmers can make a wide variety of mistakes when managing their memory. They can unwittingly rent out houses that are still occupied (a dangling pointer error). They can ask for less space than they need, so items will spill over into another “house” (a buffer overflow). A program can even place a house up for rent multiple times (a double free), or even try to rent out a house that doesn’t exist (an invalid free), leading to havoc when the renter shows up. These mistakes can make programs suddenly crash, or worse: they can make a computer exploitable by hackers.

The way “addresses” are assigned also makes computers vulnerable. Houses (memory locations) with especially desirable valuables, like passwords, will always be on the same lot on the same street. If hackers can locate a password once, they can easily locate the password’s address on anyone’s version of the same program.

DieHard attacks these problems in several ways. First, it completely prevents certain memory errors, like double and invalid frees, from having any effect. DieHard keeps important information, like which houses are rented and which are not (heap metadata), out of a hacker’s reach. Most importantly, DieHard randomly assigns addresses—a password that has a downtown address in one session may be in the suburbs next time around. This randomization not only adds security but also increases resilience to errors, reducing the odds that dangling pointer errors or small or moderate overflows will have any effect.

Exterminating the Bugs

While Professor Berger is more than pleased that the DieHard work has influenced the Windows 7 Fault-Tolerant Heap, he hopes that Microsoft will adopt the technology that Zorn, Berger, and his Ph.D. student Gene Novark designed next, called Exterminator. Exterminator not only finds errors but also automatically fixes them. Exterminator uses a variant of DieHard (called DieFast) that constantly scans memory looking for signs of errors. DieFast places “canaries” – specific random numbers – in unused memory. Just like in a coalmine, a “dead” canary means trouble. When DieFast discovers a dead canary, it triggers a report containing the state of memory.

Exterminator next applies forensic analysis to these reports. With information gleaned from several users running a buggy program, Exterminator can pinpoint the source and location of memory errors. From that point on, Exterminator protects the program from that error by “padding” buggy memory requests to prevent overflows, and delaying premature relinquishing of memory to prevent dangling pointer errors.

Berger notes that since Microsoft already gathers information when programs crash, using techniques similar to those in Exterminator would be a natural next step to quickly find and fix memory errors.

Professor Berger is now tackling the problem of concurrency errors – bugs that are becoming more common with the widespread adoption of multicore CPUs. His group recently developed Grace, a system that prevents concurrency errors in C and C++ programs, and Berger hopes that some version of it will also gain widespread adoption as part of an arsenal to protect programs from bugs.