Add a prototype of security benchmark

bench.sh

@@ -1,14 +1,6 @@
 #!/bin/bash
 # Copyright 2018-2022, Microsoft Research, Daan Leijen, Julien Voisin, Matthew Parkinson
 
-if grep -q -e 'ID=debian' -e 'ID=ubuntu' /etc/os-release 2>/dev/null; then
-  echo "Running on Debian or Ubuntu: errors are considered fatal"
-  set -eo pipefail
-elif brew --version 2> /dev/null >/dev/null; then
-  echo "Running on OSX: errors are considered fatal"
-  set -eo pipefail
-fi
-
 
 # --------------------------------------------------------------------
 # Allocators and tests
@@ -23,7 +15,7 @@ alloc_libs="sys="      # mapping from allocator to its .so as "<allocator>=<sofi
 readonly tests_all1="cfrac espresso barnes redis lean larson-sized mstress rptest gs"
 readonly tests_all2="alloc-test sh6bench sh8bench xmalloc-test cscratch glibc-simple glibc-thread rocksdb"
 readonly tests_all3="larson lean-mathlib malloc-large mleak rbstress cthrash"
-readonly tests_all4="z3 spec spec-bench"
+readonly tests_all4="z3 spec spec-bench security"
 
 readonly tests_all="$tests_all1 $tests_all2 $tests_all3 $tests_all4"
 readonly tests_allt="$tests_all1 $tests_all2"  # run with 'allt' command option
@@ -529,6 +521,18 @@ function run_test_env_cmd { # <test name> <allocator name> <environment args> <c
        $redis_dir/redis-cli shutdown
        sleep 1s
        ;;
+    security)
+       echo $2 >> $outfile
+       for file in security/*.c
+       do
+          binary=${file%.*}
+          if /usr/bin/env $3 ./$binary 2>/dev/null | grep --text -q 'NOT_CAUGHT'; then
+                  echo "[-] $binary" >> "$outfile"
+          else
+                  echo "[+] $binary" >> "$outfile"
+          fi
+       done
+       ;;
     *)
        $timecmd -a -o "$benchres.line" -f "$1${benchfill:${#1}} $2${allocfill:${#2}} %E %M %U %S %F %R" /usr/bin/env $3 $4 < "$infile" > "$outfile";;
   esac
@@ -561,11 +565,10 @@ function run_test_env_cmd { # <test name> <allocator name> <environment args> <c
     spec-*)
       popd;;
   esac
-  cat "$benchres.line" | tee -a $benchres
+  test -f "$benchres.line" && cat "$benchres.line" | tee -a $benchres
 }
 
 function run_test_cmd {  # <test name> <command>
-  echo "      " >> $benchres
   echo ""
   echo "---- $repeat: $1"  
   for alloc in $alloc_run; do     # use order as given on the command line
@@ -685,6 +688,8 @@ function run_test {  # <test>
         648) run_test_cmd "spec-648.exchange2_s" "./exchange2_s_base.malloc-test-m64 6";;
         *) echo "error: unknown spec benchmark";;
       esac;;
+    security)
+      run_test_cmd "security";;
     *)
       warning "skipping unknown test: $1";;
   esac
@@ -694,6 +699,7 @@ function run_test {  # <test>
 if [ -f "$benchres" ]; then
   rm "$benchres"
 fi
+rm -f ./security-*-out.txt
 
 for ((repeat=1; repeat<=$repeats; repeat++)); do
   for tst in $tests_run; do
@@ -705,13 +711,19 @@ done
 # --------------------------------------------------------------------
 # Wrap up
 # --------------------------------------------------------------------
+if test -f "$benchres"; then
+  sed -i.bak "s/ 0:/ /" $benchres
+  echo ""
+  echo "results written to: $benchres"
+  echo ""
+  echo "#------------------------------------------------------------------"
+  echo "# test    alloc   time  rss    user  sys  page-faults page-reclaims"
 
-sed -i.bak "s/ 0:/ /" $benchres
-echo ""
-echo "results written to: $benchres"
-echo ""
-echo "#------------------------------------------------------------------"
-echo "# test    alloc   time  rss    user  sys  page-faults page-reclaims"
-
-cat $benchres 
-echo ""
+  cat $benchres
+  echo ""
+fi
+for file in security-*-out.txt
+do
+  cat "$file"
+  echo ""
+done

bench/CMakeLists.txt

@@ -110,3 +110,8 @@ target_link_libraries(glibc-simple pthread)
 
 add_executable(glibc-thread glibc-bench/bench-malloc-thread.c)
 target_link_libraries(glibc-thread pthread)
+
+file(GLOB MY_SECURITY_BINARIES
+  "security/*"
+)
+file(COPY ${MY_SECURITY_BINARIES} DESTINATION security/)

bench/security/Makefile

@@ -0,0 +1,12 @@
+CFLAGS := -Wno-free-nonheap-object
+
+SRCS = $(wildcard *.c)
+PROGS = $(patsubst %.c,%,$(SRCS))
+
+%: %.c
+	$(CC) $(CFLAGS)  -o $@ $<
+
+all: $(PROGS)
+
+clean:
+	rm -rf $(PROGS)

bench/security/double_free_large.c

@@ -0,0 +1,11 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+    void *p = malloc(256 * 1024);
+    free(p);
+    free(p);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/double_free_large_delayed.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+    void *p = malloc(256 * 1024);
+    free(p);
+
+    for(int i=0; i<1024; i++)
+        free(malloc(256 * 1024));
+
+    free(p);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/double_free_large_interleaved.c

@@ -0,0 +1,13 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+    void *p = malloc(256 * 1024);
+    void *q = malloc(256 * 1024);
+    free(p);
+    free(q);
+    free(p);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/double_free_small.c

@@ -0,0 +1,11 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+    void *p = malloc(8);
+    free(p);
+    free(p);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/double_free_small_delayed.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+    void *p = malloc(8);
+    free(p);
+
+    for(int i=0; i<1024; i++)
+        free(malloc(8));
+
+    free(p);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/double_free_small_interleaved.c

@@ -0,0 +1,13 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+    void *p = malloc(8);
+    void *q = malloc(8);
+    free(p);
+    free(q);
+    free(p);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/executable_heap.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+const char* shellcode = "\x90\x90\x90\x90\xc3";  // nop, ..., ret on x86
+
+int main(void) {
+    char *p = malloc(8);
+    memcpy(p, shellcode, sizeof(shellcode));
+    void(*fptr)(void) = (void(*)(void))p;
+    fptr();
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/invalid_free.c

@@ -0,0 +1,9 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(void) {
+    free((void *)1);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/invalid_free_alloca.c

@@ -0,0 +1,9 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(void) {
+    free(alloca(8));
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/invalid_free_stack.c

@@ -0,0 +1,10 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(void) {
+    char p[8];
+    free(p);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/malloc_reuse.c

@@ -0,0 +1,18 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+/* This test checks that pointers aren't immediately re-used between
+ * allocations. */
+
+int main(void) {
+    void *p = malloc(8);
+    void *q = p;
+    free(p);
+
+    p = malloc(8);
+
+    if (p == q)
+	    puts("NOT_CAUGHT");
+
+    return 0;
+}

bench/security/one_byte_underflow_big.c

@@ -0,0 +1,12 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(void) {
+    char *p = malloc(256 * 1024);
+    p[-1] ^= 'A'; // XOR is used to avoid the test having a 1/256 chance to fail
+    free(p);
+
+    puts("NOT_CAUGHT");
+
+    return 0;
+}

bench/security/one_byte_underflow_small.c

@@ -0,0 +1,12 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(void) {
+    char *p = malloc(8);
+    p[-1] ^= 'A'; // XOR is used to avoid the test having a 1/256 chance to fail
+    free(p);
+
+    puts("NOT_CAUGHT");
+
+    return 0;
+}

bench/security/read_zero_size.c

@@ -0,0 +1,13 @@
+#include <stdlib.h>
+#include <stdio.h>
+
+int main() {
+    char *p = malloc(0);
+    if (!p) {
+        return 1;
+    }
+    putchar(*p);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/unaligned_free_large.c

@@ -0,0 +1,10 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+    char *p = malloc(256 * 1024);
+    free(p + 1);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/unaligned_free_small.c

@@ -0,0 +1,10 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(void) {
+    char *p = malloc(8);
+    free(p + 1);
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/write_after_free_large.c

@@ -0,0 +1,13 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main(void) {
+    char *p = malloc(256 * 1024);
+    free(p);
+    memset(p, 'A', 256 * 1024);
+
+    puts("NOT_CAUGHT");
+
+    return 0;
+}

bench/security/write_after_free_small.c

@@ -0,0 +1,13 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main(void) {
+    char *p = malloc(8);
+    free(p);
+    memset(p, 'A', 8);
+
+    puts("NOT_CAUGHT");
+
+    return 0;
+}

bench/security/write_zero_size.c

@@ -0,0 +1,13 @@
+#include <stdlib.h>
+#include <stdio.h>
+
+int main() {
+    char *p = malloc(0);
+    if (!p) {
+        return 1;
+    }
+    *p = 'A';
+
+    puts("NOT_CAUGHT");
+    return 0;
+}

bench/security/zero_after_free_large.c

@@ -0,0 +1,18 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main(void) {
+    char *p = malloc(256 * 1024);
+    memset(p, 'A', 256 * 1024);
+    free(p);
+
+    for (int i=0; i<256 * 1024; i++) {
+        if (p[i] != 0) {
+            puts("NOT_CAUGHT");
+            return 0;
+        }
+    }
+
+    return 0;
+}