Thread Creation Research Articles

Machine learning or behaviour heuristics? The synergy of approaches to defeat advanced ransomware threats

This paper focuses on a successful and fruitful combination of machine learning (ML)-based approach and heuristics-based approach in the case of Advanced Ransomware Defence, where the advanced ransomware is the ransomware that maliciously exploits the trusted context of execution, so it is the case of ransomware injection into well-known trusted processes, system services, that are used for the disguise of the malicious encryption. ML is used for malicious or benign classification of call stacks that match injections into trusted processes. The heuristics-based technique is based in our case on just one of the examples of injections, using such API as CreateRemoteThread and WriteProcessMemory. This approach has been used with good results to the case of Ryuk ransomware, one of the deadliest malware weapons. We show how the ML helps to find those call stacks which match malicious injections with high probability. Then we augment the results of the ML classifier with the special detection of threads, created in the trusted process, using other sensors, including kernel drivers. This combination provides the maximum accuracy and the ability to remediate the attack. This paper also presents the architectural materials as well as the links and references to the hands-on demonstration of collecting suspicious stacks. We also show how to use ML decisions and pair these decisions with the thread creation events as the sensor examples. The links with demonstrations use the execution of the real-world Ryuk malware strain. The analysis of the events flow is also shown in the kernel debugger coupled with the case analysis with the help of other tools like Process monitor.

IRePf: An Instruction Reorganization Virtual Platform for Kernel Stack Overflow Detection

Stack overflow vulnerabilities are among the most common security issues. However, the existing stack overflow detection solutions only protect the return address and ignore the imbalance between function calls and returns in the system, which will lead to a higher false-positive rate. In this paper, we propose an instruction reorganization virtual platform technique for kernel stack overflow detection, named IRePf. It can dynamically monitor the kernel stack when the system is running through dynamic reorganization instructions, thread creation and termination, call instructions, and RET instructions. IRePf uses backup stack creation and destruction technology to back up the return address and the address of the return address at the same time. IRePf determines whether the stack overflow occurs in the system when the function call and return are unbalanced to realize the kernel stack overflow detection. The experimental results show that IRePf can effectively detect stack overflow attacks, has low system resource occupancy and high real-time performance, and effectively improves the ability and security of defense stack attacks.

A Recursive and Parallelized Dynamic Programming Implementation of Hard Merkle-Hellman Knapsack System for Public Key Cryptography

Abstract Merkle-Hellman public key cryptosystem is a long-age old algorithm used in cryptography. Despite being computationally fast, for very large input sizes it may operate slower due to thread creation overhead or reaching a deadlock situation. In this paper, we discuss the working principles of the Traditional Merkle-Hellman knapsack cryptosystem, which is an Easy knapsack. The challenges of Hard Knapsack and how it overcomes the shortcomings of the Traditional Easy Knapsack, are also discussed. The Hard knapsack variant of Merkle-Hellman is solved first using plain recursion and then improvised using a dynamic programming approach to the problem. Parallelism and Concurrency has been achieved on the dynamic programming implementation using OpenMP API which further has enhanced the performance time. A comparative study of both variants of Hard Knapsack for messages of different lengths has shown that the latter is faster.

Thread Evolution Kit for Optimizing Thread Operations on CE/IoT Devices

Most modern operating systems have adopted the one-to-one thread model to support fast execution of threads in both multi-core and single-core systems. This thread model, which maps the kernel-space and user-space threads in a one-to-one manner, supports quick thread creation and termination in high-performance server environments. However, the performance of time-critical threads is degraded when multiple threads are being run in low-end CE devices with limited system resources. When a CE device runs many threads to support diverse application functionalities, low-level hardware specifications often lead to significant resource contention among the threads trying to obtain system resources. As a result, the operating system encounters challenges, such as excessive thread context switching overhead, execution delay of time-critical threads, and a lack of virtual memory for thread stacks. This paper proposes a state-of-the-art Thread Evolution Kit (TEK) that consists of three primary components: a CPU Mediator, Stack Tuner, and Enhanced Thread Identifier. From the experiment, we can see that the proposed scheme significantly improves user responsiveness (7x faster) under high CPU contention compared to the traditional thread model. Also, TEK solves the segmentation fault problem that frequently occurs when a CE application increases the number of threads during its execution.

Tracking runtime concurrent dependences in java threads using thread control profiling

More than 75% of recent Java projects include some form of concurrent programming. Due to complex interactions between multi-threads, concurrent programs are often harder to understand and test than single threaded programs. To facilitate understanding and testing of concurrent programs, we developed a new profiling method called TCP (Thread Control Profiling). Outputs of TCP presents frequencies of control dependence, which includes thread creation, thread synchronization, interruption, and so on, of the executed thread. TCP first performs static analysis of detailed concurrency syntax and semantics of Java to construct the profiling graph model TCDG (Thread Control Dependence Graph). TCDG is then used for instrumentation and for generating profiles. We have evaluated TCP using a case study and a few experiments. The case study shows that TCP method can effectively prioritize test cases for testing concurrent programs. One experiment shows that outputs from TCP facilitate developers’ understanding of concurrent code. Other experiments evaluate various possible overheads introduced by the TCP method. Results show that TCP can provide rich and useful information with reasonable costs.

Reachability Analysis of Asynchronous Dynamic Pushdown Networks Based on Tree Semantics Approach

<em>ADPN (Asynchronous Dynamic Pushdown Networks) are an abstract model for concurrent programs with recursive procedures and dynamic thread creation. Usually, asynchronous dynamic pushdown networks are described with interleaving semantics, in which the backward analysis is not effective. In order to improve interleaving semantics, tree semantics approach was introduced. This paper extends the tree semantics to ADPN. Because the reachability problem of ADPN is also undecidable, we address the context-bounded reachability problem and provide an algorithm for backward reachability analysis with tree-based semantics Approach.</em>

Decidable models of integer-manipulating programs with recursive parallelism

We study safety verification for multithreaded programs with recursive parallelism (i.e. unbounded thread creation and recursion) as well as unbounded integer variables. Since the threads in each program configuration are structured in a hierarchical fashion, our model is state-extended ground-tree rewrite systems equipped with shared unbounded integer counters that can be incremented, decremented, and compared against an integer constant. Since the model is Turing-complete, we propose a decidable underapproximation. First, using a restriction similar to context-bounding, we underapproximate the global control by a weak global control (i.e. DAGs possibly with self-loops), thereby limiting the number of synchronisations between different threads. Second, we bound the number of reversals between non-decrementing and non-incrementing modes of the counters. Under this restriction, we show that reachability becomes NP-complete. In fact, it is poly-time reducible to satisfaction over existential Presburger formulas, which allows one to tap into highly optimised SMT solvers. Our decidable approximation strictly generalises known decidable models including (i) weakly-synchronised ground-tree rewrite systems, and (ii) synchronisation/reversal-bounded concurrent pushdown systems with counters. Finally, we show that, when equipped with reversal-bounded counters, relaxing the weak control restriction by the notion of senescence results in undecidability.

A Comparison of Sorting Times between Java 8 and Parallel Colt

An exploratory experiment found that sorting arrays of random integers using Java 8's parallel sort required only 50%-70% of the time taken using the parallel sort of the Parallel Colt library. Factors considered responsible for the performance advantage include the use of a dual-pivot quicksort on locally held data at certain phases of execution and work-stealing by threads, a feature of the fork-join framework. The default performance of Parallel Colt's parallel sort was found to degrade dramatically for small array sizes due to unnecessary thread creation.

Automated Image Mosaicing System With Analysis Over Various Image Noise

The Cell Broadband Engine (BE) is a heterogeneous 9-core microprocessor which initially saw the light in the Sony PlayStation 3. This paper describes the parallelization of a video processing application on the Cell BE, and the programming model chosen for this application. Serial implementations on PPE only and parallel implementations on PPE-SPE with 8 SPEs are described. This is followed by the presentation of the speedup comparisons with and without DMA and thread creation overhead times. The results presented in this paper demonstrate that the Cell BE processor can achieve a speedup of 10x on this application and shows good scalability with number of SPEs. When the input data size is at least 512x512, we showed that the speedup becomes limited by the number of memory transfer.

基于多核DSP的OpenMp研究与实现

针对目前在实际应用场景中多核模型的复杂性，本文在分析了数据流、主从、OpenMp三大多核模型后，选取其中更易实现的OpenMp模型作为主要研究对象。本文研究了OpenMp模型的实现原理，对多核模型OpenMp在嵌套循环中的线程创建以及任务划分所消耗的时间进行了分析，然后研究了OpenMp模型的核数和线程数之间的关系，最终以TI公司的多核DSP TMS320C6678为核心处理器，使用典型的图像处理算法对在以上研究中得出的结论进行了验证。经测试，OpenMp模型在线程数等于核数时执行时间最短。 Aiming at the complexity of multicore model in practical application, the three major models of data flow, master-slave and OpenMp are analyzed in this paper. Because the OpenMp model is easier to be implemented, it is taken as the major research object. Firstly, the implementation principle of OpenMp model is studied; the time consumed by the thread creation and task parti-tioning in the nested loop of the OpenMp model is analyzed in this paper. Then, the relationship between the core number and the number of threads in the OpenMp model is also studied. Finally, taking TMS320C6678 multi-core DSP of TI Company as the core processor, a simple image processing algorithm is used to verify the conclusions drawn from the above research. The results of test have proved OpenMp model when the number of threads is equal to the core number shortest execution time.

Oracle-guided scheduling for controlling granularity in implicitly parallel languages

AbstractA classic problem in parallel computing is determining whether to execute a thread in parallel or sequentially. If small threads are executed in parallel, the overheads due to thread creation can overwhelm the benefits of parallelism, resulting in suboptimal efficiency and performance. If large threads are executed sequentially, processors may spin idle, resulting again in sub-optimal efficiency and performance. This “granularity problem” is especially important in implicitly parallel languages, where the programmer expresses all potential for parallelism, leaving it to the system to exploit parallelism by creating threads as necessary. Although this problem has been identified as an important problem, it is not well understood—broadly applicable solutions remain elusive. In this paper, we propose techniques for automatically controlling granularity in implicitly parallel programming languages to achieve parallel efficiency and performance. To this end, we first extend a classic result, Brent's theorem (a.k.a. the work-time principle) to include thread-creation overheads. Using a cost semantics for a general-purpose language in the style of lambda calculus with parallel tuples, we then present a precise accounting of thread-creation overheads and bound their impact on efficiency and performance. To reduce such overheads, we propose an oracle-guided semantics by using estimates of the sizes of parallel threads. We show that, if the oracle provides accurate estimates in constant time, then the oracle-guided semantics reduces the thread-creation overheads for a reasonably large class of parallel computations. We describe how to approximate the oracle-guided semantics in practice by combining static and dynamic techniques. We require the programmer to provide the asymptotic complexity cost for each parallel thread and use runtime profiling to determine hardware-specific constant factors. We present an implementation of the proposed approach as an extension of the Manticore compiler for Parallel ML. Our empirical evaluation shows that our techniques can reduce thread-creation overheads, leading to good efficiency and performance.

Regression verification for multi-threaded programs (with extensions to locks and dynamic thread creation)

Regression verification is the problem of deciding whether two similar programs are equivalent under an arbitrary yet equal context, given some definition of equivalence. So far this problem has only been studied for the case of single-threaded deterministic programs. We present a method for regression verification of multi-threaded programs. Specifically, we develop a proof-rule whose premise requires only to verify equivalence between sequential functions, whereas their consequents are equivalence of concurrent programs. This ability to avoid composing threads altogether when discharging premises, in a fully automatic way and for general programs, uniquely distinguishes our proof rule from others used for classical verification of concurrent programs. We also consider the effect of dynamic thread creation and synchronization primitives.

Permission-Based Separation Logic for Multithreaded Java Programs

This paper presents a program logic for reasoning about multithreaded Java-like programs with dynamic thread creation, thread joining and reentrant object monitors. The logic is based on concurrent separation logic. It is the first detailed adaptation of concurrent separation logic to a multithreaded Java-like language. The program logic associates a unique static access permission with each heap location, ensuring exclusive write accesses and ruling out data races. Concurrent reads are supported through fractional permissions. Permissions can be transferred between threads upon thread starting, thread joining, initial monitor entrancies and final monitor exits. In order to distinguish between initial monitor entrancies and monitor reentrancies, auxiliary variables keep track of multisets of currently held monitors. Data abstraction and behavioral subtyping are facilitated through abstract predicates, which are also used to represent monitor invariants, preconditions for thread starting and postconditions for thread joining. Value-parametrized types allow to conveniently capture common strong global invariants, like static object ownership relations. The program logic is presented for a model language with Java-like classes and interfaces, the soundness of the program logic is proven, and a number of illustrative examples are presented.

Model checking dynamic pushdown networks

Abstract A dynamic pushdown network (DPN) is a set of pushdown systems (PDSs) where each process can dynamically create new instances of PDSs. DPNs are a natural model of multi-threaded programs with (possibly recursive) procedure calls and thread creation. Thus, it is important to have model checking algorithms for DPNs. We consider in this work model checking DPNs against single-indexed LTL and CTL properties of the form ⋀ f i such that f i is a LTL/CTL formula over the PDS i . We consider the model checking problems w.r.t. simple valuations (i.e., whether a configuration satisfies an atomic proposition depends only on its control location) and w.r.t. regular valuations (i.e., the set of the configurations satisfying an atomic proposition is a regular set of configurations). We show that these model checking problems are decidable. We propose automata-based approaches for computing the set of configurations of a DPN that satisfy the corresponding single-indexed LTL/CTL formula.

ω-Petri Nets: Algorithms and Complexity

We introduce ω-Petri nets ωPN, an extension of plain Petri nets with ω-labeled input and output arcs, that is well-suited to analyse parametric concurrent systems with dynamic thread creation. Most techniques such as the Karp and Miller tree or the Rackoff technique that have been proposed in the setting of plain Petri nets do not apply directly to ωPN because ωPN define transition systems that have infinite branching. This motivates a thorough analysis of the computational aspects of ωPN. We show that an ωPN can be turned into a plain Petri net that allows us to recover the reachability set of the ωPN, but that does not preserve termination an ωPN terminates iff it admits no infinitely long execution. This yields complexity bounds for the reachability, boundedness, place boundedness and coverability problems on ωPN. We provide a practical algorithm to compute a coverability set of the ωPN and to decide termination by adapting the classical Karp and Miller tree construction. We also adapt the Rackoff technique to ωPN, to obtain the exact complexity of the termination problem. Finally, we consider the extension of ωPN with reset and transfer arcs, and show how this extension impacts the decidability and complexity of the aforementioned problems.

Understanding energy behaviors of thread management constructs

Java programmers are faced with numerous choices in managing concurrent execution on multicore platforms. These choices often have different trade-offs (e.g., performance, scalability, and correctness guarantees). This paper analyzes an additional dimension, energy consumption. It presents an empirical study aiming to illuminate the relationship between the choices and settings of thread management constructs and energy consumption. We consider three important thread management constructs in concurrent programming: explicit thread creation, fixed-size thread pooling, and work stealing. We further shed light on the energy/performance trade-off of three ``tuning knobs'' of these constructs: the number of threads, the task division strategy, and the characteristics of processed data. Through an extensive experimental space exploration over real-world Java programs, we produce a list of findings about the energy behaviors of concurrent programs, which are not always obvious. The study serves as a first step toward improving energy efficiency of concurrent programs on parallel architectures.

A Programmable Graphics Processor based on Partial Stream Rewriting

Current graphics processing units (GPU) typically offer only a limited number of programmable pipeline stages, whose usage, data flow and topology are mostly fixed. Although a more flexible, custom rendering pipeline can be emulated using the compute functionality of existing GPUs, this approach requires to manage work queues, synchronization, and scheduling in software. In this paper, we present a hardware architecture for a novel, programmable rendering pipeline, which is based on a circulating stream of data and control tokens that are iteratively modified via pattern matching. Our architecture provides light-weight mechanisms for dynamic thread creation, lock-free synchronization, and scheduling to support recursion, dynamic shader linkage and custom primitive types. A hardware prototype, running complex examples, demonstrates the improved reconfigurability also the scalability of our graphics architecture.

Iterable Forward Reachability Analysis of Monitor-DPNs

There is a close connection between data-flow analysis and model checking as observed and studied in the nineties by Steffen and Schmidt. This indicates that automata-based analysis techniques developed in the realm of infinite-state model checking can be applied as data-flow analyzers that interpret complex control structures, which motivates the development of such analysis techniques for ever more complex models. One approach proposed by Esparza and Knoop is based on computation of predecessor or successor sets for sets of automata configurations. Our goal is to adapt and exploit this approach for analysis of multi-threaded Java programs. Specifically, we consider the model of Monitor-DPNs for concurrent programs. Monitor-DPNs precisely model unbounded recursion, dynamic thread creation, and synchronization via well-nested locks with finite abstractions of procedure- and thread-local state. Previous work on this model showed how to compute regular predecessor sets of regular configurations and tree-regular successor sets of a fixed initial configuration. By combining and extending different previously developed techniques we show how to compute tree-regular successor sets of tree-regular sets. Thereby we obtain an iterable, lock-sensitive forward reachability analysis. We implemented the analysis for Java programs and applied it to information flow control and data race detection.

스레드 생성 및 삭제 오버헤드를 줄이기 위한 히스토리 기반의 동적 스레드풀 방법

In an environment with frequent job requests and short job processing times, thread pool methods are frequently used to increase throughput by reducing overheads due to thread creation and removal. A watermark method normally reduces unnecessary uses of resources by keeping the number of threads less than those needed in the maximum. In the absence of available threads, however, it processes jobs by creating additional threads up to a specified limit so that the system overhead increases due to creation of threads, which results in throughput degradation. This paper presents a history-based dynamic method that alleviates throughput degradation. By estimating and maintaining the number of threads needed for jobs, it reduces overheads due to thread creation and removal. According to experiments, compared to the watermark thread pool method, it shows average 33% increase in the number of threads kept and average 62% reduction in the number of threads created, which results in 6% increase in terms of system throughput.

A generic static analyzer for multithreaded Java programs

SUMMARYIn this paper, we present heckmate, the first generic static analyzer of multithreaded Java programs based on abstract interpretation. heckmate can be tuned at different levels of precision and efficiency in order to prove various properties (e.g., absence of divisions by zero and data races), and it is sound for multithreaded programs. It supports all the most relevant features of Java multithreading, such as dynamic thread creation, runtime creation of monitors, and dynamic allocation of memory. The experimental results demonstrate that heckmate is accurate and efficient enough to analyze programs with some thousands of statements and a potentially infinite number of threads. Copyright © 2012 John Wiley & Sons, Ltd.