Software Bugs Bite!

1. Software Bugs Bite! Yuanyuan (YY) Zhou Associate Professor Dept. of Computer Science Univ. of Illinois, Urbana-Champaign yyzhou@cs.uiuc.edu

2. My Story: Zig-zag my way to System • When young--------------------parents want me to be a business woman • College application-----------Applied for BioChemistry • But changed unknowingly to CS (Reason: parents were chemistry teachers) • 1st graduate school----------Mathematics at Univ. of Virginia • 1st research area at Princeton-------------Theory • 1st year as a system student --------------Negative • Felt that system is trivial----you can actually understand system talks • 2nd year at Princeton---Wanted to quit to go to medical school • 1st job after Ph.D • Co-founded a startup for 2 years (realize that I am probably not a business woman) • 1st year at UIUC ------- in the architecture group • Now-----try to be a doctor to cure software “diseases” University of Illinois, Urbana-Champaign Slide 2

3. Family & Fun • A supportive husband + 2 girls • Husband is my motivation to work on software bugs • My daughters inspired several research ideas (e.g Rx) and help me realize life is much more than my career • Hobby • Skiing, hiking .... but Illinois? • Switched to ice skating and growing vegetables • Computer games (a Civilization fan) University of Illinois, Urbana-Champaign Slide 3

4. Health of Computers • We want computers to be dependable • Aircraft control systems • Hospital monitor systems • Financial transactions systems • Internet services • Cell phones, PDAs,smart home appliances, cars University of Illinois, Urbana-Champaign Slide 4

5. Bad News: Software Bugs • Software bug is a major concern • Counts for 40% system failure [Marcus2000] • Costs $59.5 billion annually [NIST] University of Illinois, Urbana-Champaign Slide 5

6. Severe Software Clinical Cases • Therac-25 (radiation therapy machine ) accidents (1985-1987) • the injured patients died from lethal dosage of radiation caused by a software bug • Code Red worm exploited a buffer overflow in Microsoft’s IIS server • Cost over $2.6 billion and Infected 350,000 servers in <14 hours • 2003 North America blackout • Caused by a race condition in GE Energy's XA/21 monitoring software University of Illinois, Urbana-Champaign Slide 6

7. Why Software Bugs? • Why do we get ill? • Nature • Answer: human nature • On average, programmers inject 10 bugs per thousand lines of code University of Illinois, Urbana-Champaign Slide 7

8. Debugging is Hard for large software • Cure/diagnose a disease is hard… • Impossible to test every cases • Many bugs are hidden, “latent bugs” • Some bugs are hard to reproduce • Configuration, timing and running environment dependent • Hard to find root causes • Root causes may be far away from the symptom University of Illinois, Urbana-Champaign Slide 8

9. Type of Software Defects • Specification bugs • Even the specification is wrong • Design bugs • The design is erroneous • Implementation bugs • Buffer overflow, memory leak, memory corruption, etc. University of Illinois, Urbana-Champaign Slide 9

10. Classification of Implementation Bugs • Deterministic vs. non-deterministic • Root causes • Memory bugs • Memory leaks ?? • Memory corruption • Buffer overflow ?? • Dangling pointer ?? • .. • Semantics • Unhandled exceptions • Copy-paste bugs • … • Concurrency • Data races ?? • Atomicity violations ?? • Deadlocks ?? • … University of Illinois, Urbana-Champaign Slide 10

11. Bugs and Security Attacks? • Why are we in the same session? • Software bug is a major source of security vulnerabilities • Bouncer (Tuesday) • Memory safety (Wednesday) • Example: Buffer overflow • Stack smashing attack • Started from November 1996 • Still the basis for many attacks • Who knows this attack? University of Illinois, Urbana-Champaign Slide 11

12. The Stack University of Illinois, Urbana-Champaign Slide 12

13. Buggy Program void buggy(char * in){ int i; char buffer[4]; for(i=0; in[i]!=0; i++) buffer[i] = in[i]; } Where is the bug? What happens if in is “Aleph One”? University of Illinois, Urbana-Champaign Slide 13

14. Buggy Code’s Stack A l e p h _ O n e \0 41 6C 65 70 68 20 4F 6E 65 00 • Program will start copying… University of Illinois, Urbana-Champaign Slide 14

15. Buggy Code’s Stack A l e p h _ O n e \0 41 6C 65 70 68 20 4F 6E 65 00 • Program will start copying… University of Illinois, Urbana-Champaign Slide 15

16. Buggy Code’s Stack A l e p h _ O n e \0 41 6C 65 70 68 20 4F 6E 65 00 • Program will start copying… University of Illinois, Urbana-Champaign Slide 16

17. Buggy Code’s Stack A l e p h _ O n e \0 41 6C 65 70 68 20 4F 6E 65 00 • Program will start copying… University of Illinois, Urbana-Champaign Slide 17

18. Buggy Code’s Stack A l e p h _ O n e \0 41 6C 65 70 68 20 4F 6E 65 00 • Program will start copying… and continue. University of Illinois, Urbana-Champaign Slide 18

19. Buggy Code’s Stack A l e p h _ O n e \0 41 6C 65 70 68 20 4F 6E 65 00 • C isn’t bounds checked… University of Illinois, Urbana-Champaign Slide 19

20. Buggy Code’s Stack A l e p h _ O n e \0 41 6C 65 70 68 20 4F 6E 65 00 • What happens next? University of Illinois, Urbana-Champaign Slide 20

21. Buggy Code’s Stack A l e p h _ O n e \0 41 6C 65 70 68 20 4F 6E 65 00 • We’ve overwritten the return address! University of Illinois, Urbana-Champaign Slide 21

22. Buggy Code’s Stack A l e p h _ O n e \0 41 6C 65 70 68 20 4F 6E 65 00 • How to use it to hijack the program to do whatever you want? University of Illinois, Urbana-Champaign Slide 22

23. So How to Deal with Bugs? Safe Language Design time • Example: • Java • Transactional Memory (Mon) • Analogy: • Eat healthy, exercise… • Pro: can prevent some bugs • Cons: • Other types of bugs still occur • May be inefficient for some apps: server, OS. Compile time Run time Off-line On-line Debugging Recovery Diagnosis University of Illinois, Urbana-Champaign Slide 23

24. So How to Deal with Bugs? Design time Static Checking • Program analysis & Model checking • Example: • Engler’s group • iComment [Tuesday] • Analogy: • CAT Scan • Pros: • No run time overhead • Good Coverage • Cons: • No accurate information • Need specification, annotation Compile time Run time Off-line On-line Debugging Recovery Diagnosis University of Illinois, Urbana-Champaign Slide 24

25. So How to Deal with Bugs? Design time Dynamic Checking • Check during execution • Example: • MUVI [Monday] • Analogy: • Heart monitor • Pros: • Accurate run-time information • Cons: • Large overhead • Coverage limitation Compile time Run time Off-line On-line Debugging Recovery Diagnosis University of Illinois, Urbana-Champaign Slide 25

26. So How to Deal with Bugs? Design time Interactive Debugging • Example: • gdb • Time travel machine • Analogy: • Doctor’s appointment • Pros: • Program-specific • Cons: • Time and effort-consuming Compile time Run time Off-line On-line debugging Recovery Diagnosis University of Illinois, Urbana-Champaign Slide 26

27. So How to Deal with Bugs? Design time Generic Recovery • Example: • simple restart • rollback and reexecute • Analogy: • Electric shock • Advantage: • Simple and general • Limitation: • Cannot recover from all failures • Output commit problem Compile time Run time Off-line On-line Debugging Recovery Diagnosis University of Illinois, Urbana-Champaign Slide 27

28. So How to Deal with Bugs? Online Diagnosis Design time • Example: • Core dump • Execution traces • Triage (Tuesday) • Analogy: • Triage (self-diagnosis) • Advantage: • Simple and general • Limitation: • Require significant offline manual efforts • Privacy concerns Compile time Run time Off-line On-line Debugging Recovery Diagnosis University of Illinois, Urbana-Champaign Slide 28

29. Evaluation Methodology • Benchmarks • Siemens benchmark • Too small • Bug injection • May not be representative • Find new bugs in open source code • Better to be confirmed by developers • Use existing bugs • Especially dynamic checking----need bugs to manifest University of Illinois, Urbana-Champaign Slide 29

30. Evaluation Metrics for Bug Detection • Soundness: No false negatives • Prove there is no such violation • May report many false bugs • Completeness: No false positives • All violations detected are true • May not find all the bugs • Scalability: scalable to real programs • Very hard to achieve all • Always need to tradeoff one for the others University of Illinois, Urbana-Champaign Slide 30

31. Open Problems • Bug Detection • Detecting semantic and concurrency bugs • Reduce false positives • Bug diagnosis • On-site diagnosis • Distributed systems diagnosis • Deterministic replay on multicore /multiprocessors • Bug recovery • Automatic bug fixing • Bug survival with reduced functionality University of Illinois, Urbana-Champaign Slide 31

32. Conclusions • Software bugs have existed for decades and will continue to exist • Fighting bugs is important • Fighting bugs is a fun and interdisciplinary • Compiler, software engineering, systems, hardware, data mining, machine learning, statistics, … University of Illinois, Urbana-Champaign Slide 32

33. Thanks! University of Illinois, Urbana-Champaign Slide 33

34. More Bug’s Cartoon University of Illinois, Urbana-Champaign Slide 34