New version page

DELTA CS 11 - SoftBound: Highly Compatible and Complete Spatial Memory Safety for C

Upgrade to remove ads
Upgrade to remove ads
Unformatted text preview:

SoftBound: Highly Compatible and CompleteSpatial Memory Safety for CSantosh Nagarakatte Jianzhou Zhao Milo M. K. Martin Steve ZdancewicComputer and Information Sciences Department, University of [email protected] [email protected] [email protected] [email protected] serious bugs and security vulnerabilities facilitated by C/C++’slack of bounds checking are well known, yet C and C++ remainin widespread use. Unfortunately, C’s arbitrary pointer arithmetic,conflation of pointers and arrays, and programmer-visible memorylayout make retrofitting C/C++ with spatial safety guarantees ex-tremely challenging. Existing approaches suffer from incomplete-ness, have high runtime overhead, or require non-trivial changesto the C source code. Thus far, these deficiencies have preventedwidespread adoption of such techniques.This paper proposes SoftBound, a compile-time transformationfor enforcing spatial safety of C. Inspired by HardBound, a previ-ously proposed hardware-assisted approach, SoftBound similarlyrecords base and bound information for every pointer as disjointmetadata. This decoupling enables SoftBound to provide spatialsafety without requiring changes to C source code. Unlike Hard-Bound, SoftBound is a software-only approach and performs meta-data manipulation only when loading or storing pointer values. Aformal proof shows that this is sufficient to provide spatial safetyeven in the presence of arbitrary casts. SoftBound’s full checkingmode provides complete spatial violation detection with 67% run-time overhead on average. To further reduce overheads, SoftBoundhas a store-only checking mode that successfully detects all the se-curity vulnerabilities in a test suite at the cost of only 22% runtimeoverhead on average.Categories and Subject Descriptors D.3.3.4 [Programming Lan-guages]: Processors; D.2.5 [Software Engineering]: Testing andDebuggingGeneral Terms Languages, Performance, Security, ReliabilityKeywords spatial memory safety, buffer overflows, C1. IntroductionThe serious bugs and security vulnerabilities facilitated by C/C++’slack of bounds checking are well known. The lack of spatial mem-ory safety leads to bugs that cause difficult-to-diagnose crashes,silent memory corruption, and incorrect results. Worse yet, it isthe underlying root cause of a multitude of security vulnerabili-ties [14, 38, 44]. Even though modern operating systems and com-pilers employ partial countermeasures (e.g., guarding the return ad-Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. To copy otherwise, to republish, to post on servers or to redistributeto lists, requires prior specific permission and/or a fee.PLDI’09, June 15–20, 2009, Dublin, Ireland.Copyrightc 2009 ACM 978-1-60558-392-1/09/06. . . $5.00dress on the stack, address space randomization, non-executablestack), vulnerabilities persist. For one example, in November 2008Adobe released a security update that fixed several serious bufferoverflows [2]. Attackers have reportedly exploited these buffer-overflow vulnerabilities by using banner ads on websites to redi-rect users to a malicious PDF document crafted to take completecontrol of the victim’s machine [1]. For another example, as ofMarch 2009, millions of computers worldwide were infected withthe Conficker worm, which spreads primarily via a buffer-overflowvulnerability [39].Safe languages, such as Java and C#, enforce memory safetyand thus completely prevent this entire class of bugs and securityvulnerabilities [14]. Such languages have thankfully become main-stream, however C and C++ are still widely used. C provides low-level control of memory layout, proximity to the underlying hard-ware, requires minimal runtime support, and is the gold standardfor performance. Today’s operating systems, virtual machine mon-itors, language runtimes, enterprise database management systems,embedded software, and web browsers are all generally written inC/C++. Furthermore, altogether such systems comprise millions oflines of C/C++ code, preventing the complete transition away fromC/C++ anytime soon.As a recognition to the importance of this problem, many pro-posals have pursued techniques for retrofitting C (or close vari-ants) to provide complete or near-complete spatial memory safety[4, 5, 10, 11, 17, 28, 29, 32, 35, 37, 41, 47, 48].1Unfortunately,several aspects of C, such as its conflation of arrays and singletonpointers, unchecked array indexing, pointer arithmetic, pointers tothe middle of objects, arbitrary casts, user-visible memory layout,and structures with internal arrays all interact to greatly increasethe difficulty of retrofitting C with spatial memory safety guaran-tees. As a result, prior proposals suffer from one or more practicaldifficulties that may prevent wide adoption, such as: high runtimeoverheads, incomplete detection of spatial violations, incompatiblepointer representations (by changing memory layout), or requiringnon-trivial changes to existing C source code. Moreover, the pro-posals with the lowest performance overheads generally employwhole-program compiler analyses (e.g., [4, 17, 35]) which compli-cates separate compilation and use of dynamically linked libraries.Section 2 provides additional background on these proposals.Hardware-assisted techniques have been proposed for mitigat-ing the runtime overheads and other limitations of these software-1Although temporal safety violations are also a source of bugs (i.e., dan-gling pointers) and vulnerabilities (i.e., use-after-free vulnerabilities), Soft-Bound focuses exclusively on the spatial safety issues of C. Other previ-ously proposed complementary techniques such as conservative garbagecollection [9], reference-counted smart pointers, probabilistic approxima-tions of an infinite-sized heap [6], temporal capabilities [5, 47], or region-based memory management [19, 23, 25] may be employed to detect or pre-vent temporal violations.245only schemes. One such proposal is HardBound [16], which de-scribes extensive hardware support for bounded pointers, includingautomatically propagating pointer bounds information, efficientlychecking every memory access, and transparently recording pointerbounds metadata in a hardware-managed shadow space. This

View Full Document
Download SoftBound: Highly Compatible and Complete Spatial Memory Safety for C
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...

Join to view SoftBound: Highly Compatible and Complete Spatial Memory Safety for C and access 3M+ class-specific study document.

We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view SoftBound: Highly Compatible and Complete Spatial Memory Safety for C 2 2 and access 3M+ class-specific study document.


By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?