GWP-ASan: Sampling-Based Detection of Memory-Safety Bugs in Production (arxiv.org)
from tedu@inks.tedunangst.com to inks@inks.tedunangst.com on 19 Apr 2024 20:11
https://inks.tedunangst.com/l/5107

Despite the recent advances in pre-production bug detection, heap-use-after-free and heap-buffer-overflow bugs remain the primary problem for security, reliability, and developer productivity for applications written in C or C++, across all major software ecosystems. Memory-safe languages solve this problem when they are used, but the existing code bases consisting of billions of lines of C and C++ continue to grow, and we need additional bug detection mechanisms.

This paper describes a family of tools that detect these two classes of memory-safety bugs, while running in production, at near-zero overhead. These tools combine page-granular guarded allocation and low-rate sampling. In other words, we added an “if” statement to a 36-year-old idea and made it work at scale.

#c #development #fuzzing #malloc #paper #pdf #programming #systems

#c #development #fuzzing #inks #malloc #paper #pdf #programming #systems

threaded - newest