Making Software Robust in Deployed Systems

Despite extensive in-house testing and analysis, deployed software is imperfect. These imperfections lead to failures and attacks that waste billions of dollars and sometimes cause injury or death. Bugs in deployed software are hard to diagnose and fix because they are environment dependent and difficult for developers to reproduce. Furthermore, users will not tolerate heavyweight approaches that degrade online performance. This talk demonstrates approaches for helping programmers and users diagnose and tolerate errors in the deployed setting. These approaches achieve performance that is qualitatively better than prior work by being fast enough to run alongside deployed systems, while diagnosing and tolerating rare faults that occur in a single deployed instance. I first present a context-sensitive anomaly detector that identifies real attacks caused by semantic bugs. The detector attains low overhead and high accuracy by representing and maintaining calling context in a probabilistically unique value that program instrumentation computes incrementally at each call site. Next I present leak pruning, an approach that keeps real, growing memory leaks running much longer or even indefinitely — without changing program semantics. Leak pruning identifies likely leaked objects and reclaims them automatically when the program is about to run out of memory. It preserves semantics by intercepting future attempts to access reclaimed objects. The efficiency and effectiveness of these approaches demonstrate the potential for drastically reducing uncertainty in modern software with widespread techniques for making deployed software more robust as it runs. The talk concludes with future directions for improving reliability and security, with a focus on concurrent software, semantic bugs, and detecting and preventing malicious behavior.