Everything You Want to Know About Pointer-Based Checking

Authors Santosh Nagarakatte, Milo M. K. Martin, Steve Zdancewic



PDF
Thumbnail PDF

File

LIPIcs.SNAPL.2015.190.pdf
  • Filesize: 0.58 MB
  • 19 pages

Document Identifiers

Author Details

Santosh Nagarakatte
Milo M. K. Martin
Steve Zdancewic

Cite AsGet BibTex

Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic. Everything You Want to Know About Pointer-Based Checking. In 1st Summit on Advances in Programming Languages (SNAPL 2015). Leibniz International Proceedings in Informatics (LIPIcs), Volume 32, pp. 190-208, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2015)
https://doi.org/10.4230/LIPIcs.SNAPL.2015.190

Abstract

Lack of memory safety in C/C++ has resulted in numerous security vulnerabilities and serious bugs in large software systems. This paper highlights the challenges in enforcing memory safety for C/C++ programs and progress made as part of the SoftBoundCETS project. We have been exploring memory safety enforcement at various levels - in hardware, in the compiler, and as a hardware-compiler hybrid - in this project. Our research has identified that maintaining metadata with pointers in a disjoint metadata space and performing bounds and use-after-free checking can provide comprehensive memory safety. We describe the rationale behind the design decisions and its ramifications on various dimensions, our experience with the various variants that we explored in this project, and the lessons learned in the process. We also describe and analyze the forthcoming Intel Memory Protection Extensions (MPX) that provides hardware acceleration for disjoint metadata and pointer checking in mainstream hardware, which is expected to be available later this year.
Keywords
  • Memory safety
  • Buffer overflows
  • Dangling pointers
  • Pointer-based checking
  • SoftBoundCETS

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads

References

  1. Periklis Akritidis, Manuel Costa, Miguel Castro, and Steven Hand. Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In Proceedings of the 18th USENIX Security Symposium, August 2009. Google Scholar
  2. Todd M. Austin, Scott E. Breach, and Gurindar S. Sohi. Efficient detection of all pointer and array access errors. In Proceedings of the SIGPLAN 1994 Conference on Programming Language Design and Implementation, 1994. Google Scholar
  3. Stephen Bradshaw. Heap spray exploit tutorial: Internet explorer use after free aurora vulnerability. URL: http://www.thegreycorner.com/2010/01/heap-spray-exploit-tutorial-internet.html.
  4. David Chisnall, Colin Rothwell, Robert N.M. Watson, Jonathan Woodruff, Munraj Vadera, Simon W. Moore, Michael Roe, Brooks Davis, and Peter G. Neumann. Beyond the pdp-11: Architectural support for a memory-safe c abstract machine. In Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, 2015. Google Scholar
  5. Weihaw Chuang, Satish Narayanasamy, and Brad Calder. Accelerating meta data checks for software correctness and security. Journal of Instruction Level Parallelism, 9, June 2007. Google Scholar
  6. Jeremy Condit, Matthew Harren, Zachary Anderson, David Gay, and George C. Necula. Dependent types for low-level programming. In Proceedings of the 16th European Symposium on Programming, 2007. Google Scholar
  7. Jeremy Condit, Matthew Harren, Scott McPeak, George C. Necula, and Westley Weimer. Ccured in the real world. In Proceedings of the SIGPLAN 2003 Conference on Programming Language Design and Implementation, 2003. Google Scholar
  8. Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. Buffer overflows: Attacks and defenses for the vulnerability of the decade. In Proceedings of the Foundations of Intrusion Tolerant Systems, pages 227-237, 2003. Google Scholar
  9. John Criswell, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve. Secure virtual architecture: A safe execution environment for commodity operating systems. In Proceedings of the 21st ACM Symposium on Operating Systems Principles, 2007. Google Scholar
  10. Christian DeLozier, Richard Eisenberg, Santosh Nagarakatte, Peter-Michael Osera, Milo M.K. Martin, and Steve Zdancewic. IroncladC++: A Library-augmented Type-safe Subset of C++. In Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages and Applications, OOPSLA'13, 2013. Google Scholar
  11. Joe Devietti, Colin Blundell, Milo M. K. Martin, and Steve Zdancewic. Hardbound: Architectural support for spatial safety of the c programming language. In Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems, 2008. Google Scholar
  12. Dinakar Dhurjati and Vikram Adve. Backwards-compatible array bounds checking for c with very low overhead. In Proceedings of the 28th International Conference on Software Engineering (ICSE), pages 162-171, 2006. Google Scholar
  13. Yulei Sui Ding Ye, Yu Su and Jingling Xue. Wpbound: Enforcing spatial memory safety efficiently at runtime with weakest preconditions. In Proceedings of the 25th IEEE Symposium on Software Reliability Engineering, 2014. Google Scholar
  14. Frank Ch. Eigler. Mudflap: Pointer Use Checking for C/C++. In GCC Developer’s Summit, 2003. Google Scholar
  15. Isaac Evans, Samuel Fingeret, Julian Gonzalez, Ulziibayar Otgonbaatar, Tiffany Tang, Howard Shrobe, Stelios Sidiroglou-Douskos, Martin Rinard, and Hamed Okhravi. Missing the point: On the effectiveness of code pointer integrity. In 36th IEEE Symposium on Security and Privacy, 2015. Google Scholar
  16. Kittur Ganesh. Pointer Checker: Easily Catch Out-of-Bounds Memory Accesses. Intel Corporation, 2012. URL: http://software.intel.com/sites/products/parallelmag/singlearticles/issue11/7080_2_IN_ParallelMag_Issue11_Pointer_Checker.pdf.
  17. Saugata Ghose, Latoya Gilgeous, Polina Dudnik, Aneesh Aggarwal, and Corey Waxman. Architectural support for low overhead detection of memory viloations. In Proceedings of the Design, Automation and Test in Europe, 2009. Google Scholar
  18. Reed Hastings and Bob Joyce. Purify: Fast detection of memory leaks and access errors. In Proc. of the Winter Usenix Conference, 1992. Google Scholar
  19. Maurice Herlihy and J. Eliot B. Moss. Transactional memory: Architectural support for lock-free data structures. In Proceedings of the 20th Annual International Symposium on Computer Architecture, pages 289-300, 1993. Google Scholar
  20. Intel Corporation. Intel Architecture Instruction Set Extensions Programming Reference, 319433-022 edition, October 2014. URL: https://software.intel.com/sites/default/files/managed/0d/53/319433-022.pdf.
  21. Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, and Yanling Wang. Cyclone: A safe dialect of c. In Proceedings of the 2002 USENIX Annual Technical Conference, 2002. Google Scholar
  22. R. W. M. Jones and P. H. J. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Third International Workshop on Automated Debugging, 1997. Google Scholar
  23. Greg Kroah-Hartman. The linux kernel driver model: The benefits of working together. In Andy Oram and Greg Wilson, editors, Beautiful Code: Leading Programmers Explain How They Think. O'Reilly Media, Inc., June 2007. Google Scholar
  24. Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, R. Sekar, and Dawn Song. Code-pointer integrity. In 11th USENIX Symposium on Operating Systems Design and Implementation, 2014. Google Scholar
  25. James R. Larus and Ravi Rajwar. Transactional Memory. Morgan and Claypool, 2007. Google Scholar
  26. Chris Lattner and Vikram Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In Proceedings of the International Symposium on Code Generation and Optimization, page 75, 2004. Google Scholar
  27. Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Long Lu, and Wenke Lee. Preventing use-after-free with dangling pointers nullification. In Proceedings of the 2015 Internet Society Symposium on Network and Distributed Systems Security, 2015. Google Scholar
  28. Nuno Lopes, David Menendez, Santosh Nagarakatte, and John Regehr. Provably correct peephole optimizations with Alive. In Proceedings of the 36th Annual ACM SIGPLAN Conference on Programming Language Design and Implementation, 2015. Google Scholar
  29. Chi-Keung Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, Geoff Lowney, Steven Wallace, Vijay Janapa Reddi, and Kim Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of the ACM SIGPLAN 2005 Conference on Programming Language Design and Implementation, 2005. Google Scholar
  30. Greg Morrisett. Compiling with Types. PhD thesis, Carnegie Mellon University, December 1995. Google Scholar
  31. Santosh Nagarakatte. Practical Low-Overhead Enforcement of Memory Safety for C Programs. PhD thesis, University of Pennsylvania, 2012. Google Scholar
  32. Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic. Watchdog: Hardware for safe and secure manual memory management and full memory safety. In Proceedings of the 39th Annual International Symposium on Computer Architecture, 2012. Google Scholar
  33. Santosh Nagarakatte, Milo M K Martin, and Steve Zdancewic. Hardware-enforced comprehensive memory safety. In IEEE MICRO 33(3), May/June 2013. Google Scholar
  34. Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic. Watchdoglite: Hardware-accelerated compiler-based pointer checking. In 12th Annual IEEE/ACM International Symposium on Code Generation and Optimization, CGO'14, page 175, 2014. Google Scholar
  35. Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. Softbound: Highly compatible and complete spatial memory safety for c. In Proceedings of the SIGPLAN 2009 Conference on Programming Language Design and Implementation, 2009. Google Scholar
  36. Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. Cets: Compiler enforced temporal safety for c. In Proceedings of the 2010 International Symposium on Memory Management, 2010. Google Scholar
  37. George C. Necula, Jeremy Condit, Matthew Harren, Scott McPeak, and Westley Weimer. Ccured: Type-safe retrofitting of legacy software. ACM Transactions on Programming Languages and Systems, 27(3), May 2005. Google Scholar
  38. Nicholas Nethercote and Jeremy Fitzhardinge. Bounds-checking entire programs without recompiling. In Proceedings of the Second Workshop on Semantics, Program Analysis, and Computing Environments for Memory Management, 2004. Google Scholar
  39. Nicholas Nethercote and Julian Seward. How to shadow every byte of memory used by a program. In Proceedings of the 3rd ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, pages 65-74, 2007. Google Scholar
  40. Nicholas Nethercote and Julian Seward. Valgrind: A framework for heavyweight dynamic binary instrumentation. In Proceedings of the SIGPLAN 2007 Conference on Programming Language Design and Implementation, pages 89-100, 2007. Google Scholar
  41. Harish Patil and Charles N. Fischer. Low-Cost, Concurrent Checking of Pointer and Array Accesses in C Programs. In Software Practice and Experience 27(1), pages 87-110, 1997. Google Scholar
  42. J. Pincus and B. Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. In IEEE Security and Privacy 2(4), pages 20-27, 2004. Google Scholar
  43. Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. An analysis of conficker’s logic and rendezvous points. Technical report, SRI International, February 2009. Google Scholar
  44. Feng Qin, Shan Lu, and Yuanyuan Zhou. SafeMem: Exploiting ECC-Memory for Detecting Memory Leaks and Memory Corruption During Production Runs. In Proceedings of the 11th Symposium on High-Performance Computer Architecture, pages 291-302, 2005. Google Scholar
  45. Olatunji Ruwase and Monica S. Lam. A practical dynamic buffer overflow detector. In Proceedings of the Network and Distributed Systems Security Symposium, pages 159-169, February 2004. Google Scholar
  46. Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. Addresssanitizer: A fast address sanity checker. In Proceedings of the USENIX Annual Technical Conference, 2012. Google Scholar
  47. Matthew S. Simpson and Rajeev Barua. Memsafe: Ensuring the spatial and temporal memory safety of c at runtime. In Software Practice and Experience, 43(1), 2013. Google Scholar
  48. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. Sok: Eternal war in memory. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013. Google Scholar
  49. Guru Venkataramani, Brandyn Roemer, Milos Prvulovic, and Yan Solihin. Memtracker: Efficient and programmable support for memory access monitoring and debugging. In Proceedings of the 13th Symposium on High-Performance Computer Architecture, pages 273-284, 2007. Google Scholar
  50. David Wagner, Jeffrey S. Foster, Eric A. Brewer, and Alexander Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the Network and Distributed Systems Security Symposium, 2000. Google Scholar
  51. Xi Wang, Nickolai Zeldovich, M Frans Kaashoek, and Armando Solar-Lezama. Towards optimization-safe systems: Analyzing the impact of undefined behavior. In Proceedings of the 24th ACM Symposium on Operating System Principles, 2013. Google Scholar
  52. Wei Xu, Daniel C. DuVarney, and R. Sekar. An efficient and backwards-compatible transformation to ensure memory safety of C programs. In Proceedings of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 117-126, 2004. Google Scholar
  53. Suan Hsi Yong and Susan Horwitz. Protecting C programs from attacks via invalid pointer dereferences. In Proceedings of the 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE), pages 307-316, 2003. Google Scholar
Questions / Remarks / Feedback
X

Feedback for Dagstuhl Publishing


Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail