Rust for Morello: Always-On Memory Safety, Even in Unsafe Code (Experience Paper)

Authors: Sarah Harris, Simon Cooksey, Michael Vollmer, Mark Batty


File

LIPIcs.ECOOP.2023.39.pdf
  • Filesize: 0.94 MB
  • 27 pages

Author Details

Sarah Harris
  • University of Kent, Canterbury, UK
Simon Cooksey
  • University of Kent, Canterbury, UK
Michael Vollmer
  • University of Kent, Canterbury, UK
Mark Batty
  • University of Kent, Canterbury, UK

Acknowledgements

This paper was greatly improved thanks to the responses of anonymous reviewers. We extend our thanks to Jessica Clarke for her invaluable help with CHERI LLVM.

Cite As

Sarah Harris, Simon Cooksey, Michael Vollmer, and Mark Batty. Rust for Morello: Always-On Memory Safety, Even in Unsafe Code (Experience Paper). In 37th European Conference on Object-Oriented Programming (ECOOP 2023). Leibniz International Proceedings in Informatics (LIPIcs), Volume 263, pp. 39:1-39:27, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2023)
https://doi.org/10.4230/LIPIcs.ECOOP.2023.39

Abstract

Memory safety issues are a serious concern in systems programming. Rust is a systems language that provides memory safety through a combination of static checks embodied in the type system and ad hoc dynamic checks inserted where this analysis becomes impractical. The Morello prototype architecture from ARM uses capabilities, fat pointers augmented with object bounds information, to catch failures of memory safety. This paper presents a compiler from Rust to the Morello architecture, together with a comparison of the performance of Rust's runtime safety checks and the hardware-supported checks of Morello. The cost of Morello's always-on memory safety guarantees is 39% in our 19 benchmark suites from the Rust crates repository (comprising 870 total benchmarks). For this cost, Morello's capabilities ensure that even unsafe Rust code benefits from memory safety guarantees.

ACM Subject Classification
  • Software and its engineering → Compilers
  • Software and its engineering → Software safety
  • Software and its engineering → Object oriented languages
Keywords
  • Compilers
  • Rust
  • Memory Safety
  • CHERI

