PoMP: Postmortem program analysis with hardware-enhanced post-crash artifacts

Jun Xu, Dongliang Mu, Xinyu Xing, Peng Liu, Ping Chen, Bing Mao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

While a core dump carries a large amount of information, it barely serves as informative debugging aids in locating software faults because it carries information that indicates only a partial chronology of how program reached a crash site. Recently, this situation has been significantly improved. With the emergence of hardware-assisted processor tracing, software developers and security analysts can trace program execution and integrate them into a core dump. In comparison with an ordinary core dump, the new post-crash artifact provides software developers and security analysts with more clues as to a program crash. To use it for failure diagnosis, however, it still requires strenuous manual efforts. In this work, we propose POMP, an automated tool to facilitate the analysis of post-crash artifacts. More specifically, POMP introduces a new reverse execution mechanism to construct the data flow that a program followed prior to its crash. By using the data flow, POMP then performs backward taint analysis and highlights those program statements that actually contribute to the crash. To demonstrate its effectiveness in pinpointing program statements truly pertaining to a program crash, we have implemented POMP for Linux system on x86-32 platform, and tested it against various program crashes resulting from 31 distinct real-world security vulnerabilities. We show that, POMP can accurately and efficiently pinpoint program statements that truly pertain to the crashes, making failure diagnosis significantly convenient.

Original language: English (US)
Title of host publication: Proceedings of the 26th USENIX Security Symposium
Publisher: USENIX Association
Pages: 17-32
Number of pages: 16
ISBN (Electronic): 9781931971409
State: Published - Jan 1 2017
Event: 26th USENIX Security Symposium - Vancouver, Canada
Duration: Aug 16 2017 to Aug 18 2017

Publication series

Name: Proceedings of the 26th USENIX Security Symposium

Conference

Conference: 26th USENIX Security Symposium
Country: Canada
City: Vancouver
Period: 8/16/17 to 8/18/17

Fingerprint

Hardware
Linux

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Cite this

Xu, J., Mu, D., Xing, X., Liu, P., Chen, P., & Mao, B. (2017). PoMP: Postmortem program analysis with hardware-enhanced post-crash artifacts. In Proceedings of the 26th USENIX Security Symposium (pp. 17-32). (Proceedings of the 26th USENIX Security Symposium). USENIX Association.
@inproceedings{de3b051127e4441e8ff32a2035a6c370,
title = "PoMP: Postmortem program analysis with hardware-enhanced post-crash artifacts",
author = "Jun Xu and Dongliang Mu and Xinyu Xing and Peng Liu and Ping Chen and Bing Mao",
year = "2017",
month = "1",
day = "1",
language = "English (US)",
series = "Proceedings of the 26th USENIX Security Symposium",
publisher = "USENIX Association",
pages = "17--32",
booktitle = "Proceedings of the 26th USENIX Security Symposium",

}


TY - GEN

T1 - PoMP

T2 - Postmortem program analysis with hardware-enhanced post-crash artifacts

AU - Xu, Jun

AU - Mu, Dongliang

AU - Xing, Xinyu

AU - Liu, Peng

AU - Chen, Ping

AU - Mao, Bing

PY - 2017/1/1

Y1 - 2017/1/1


UR - http://www.scopus.com/inward/record.url?scp=85072924231&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85072924231&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85072924231

T3 - Proceedings of the 26th USENIX Security Symposium

SP - 17

EP - 32

BT - Proceedings of the 26th USENIX Security Symposium

PB - USENIX Association

ER -
