ABSTRACT
The C programming language is at least as well known for its absence of spatial memory safety guarantees (i.e., lack of bounds checking) as it is for its high performance. C's unchecked pointer arithmetic and array indexing allow simple programming mistakes to lead to erroneous executions, silent data corruption, and security vulnerabilities. Many prior proposals have tackled enforcing spatial safety in C programs by checking pointer and array accesses. However, existing software-only proposals have significant drawbacks that may prevent wide adoption, including: unacceptably high run-time overheads, lack of completeness, incompatible pointer representations, or need for non-trivial changes to existing C source code and compiler infrastructure.
Inspired by the promise of these software-only approaches, this paper proposes a hardware bounded pointer architectural primitive that supports cooperative hardware/software enforcement of spatial memory safety for C programs. This bounded pointer is a new hardware primitive datatype for pointers that leaves the standard C pointer representation intact, but augments it with bounds information maintained separately and invisibly by the hardware. The bounds are initialized by the software, and they are then propagated and enforced transparently by the hardware, which automatically checks a pointer's bounds before it is dereferenced. One mode of use requires instrumenting only malloc, which enables enforcement of per-allocation spatial safety for heap-allocated objects in existing binaries. When combined with simple intraprocedural compiler instrumentation, hardware bounded pointers enable a low-overhead approach for enforcing complete spatial memory safety in unmodified C programs.
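As an added illustration, not code from the paper or its authors, the following C program models the bounded-pointer discipline the abstract describes: bounds are set once by the allocator (the "instrument only malloc" mode), propagated unchanged through pointer arithmetic, and checked only at dereference. Hardbound's hardware keeps the C pointer representation unchanged and holds base/bound in separate metadata; the `bptr` struct here simply makes that metadata visible. All names (`bptr`, `bounded_malloc`, `bounded_add`, `bounded_check`, `bounded_store`, `check_at`, `demo_violations`) are invented for this example, and the 16-byte buffer walked in `demo_violations` is constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a bounded pointer. Real Hardbound keeps the C pointer
   unchanged and holds base/bound in separate, hardware-managed metadata; this
   struct only makes that metadata visible for the example. Addresses are held
   as integers so that out-of-range values can be formed without undefined
   behaviour and are rejected only when dereferenced. */
typedef struct {
    uintptr_t addr;   /* the ordinary pointer value */
    uintptr_t base;   /* first valid byte of the allocation */
    uintptr_t bound;  /* one past the last valid byte */
} bptr;

/* Software side: only the allocator is instrumented, so bounds are set once
   here and cover exactly the allocation. */
static bptr bounded_malloc(size_t n) {
    bptr p = { 0, 0, 0 };
    void *raw = malloc(n);
    if (raw != NULL) {
        p.addr = (uintptr_t)raw;
        p.base = p.addr;
        p.bound = p.addr + n;
    }
    return p;
}

/* Pointer arithmetic propagates the bounds untouched. No check happens here:
   C programs routinely form one-past-the-end or temporarily out-of-range
   pointers, and only a dereference through them is an error. */
static bptr bounded_add(bptr p, ptrdiff_t off) {
    p.addr += (uintptr_t)off;  /* unsigned wrap-around handles negative off */
    return p;
}

/* Dereference-time check: an access of `width` bytes at p.addr must lie
   entirely inside [base, bound). Returns 1 if the access is permitted. */
static int bounded_check(bptr p, size_t width) {
    if (p.base == 0 && p.bound == 0) return 0;         /* null / failed alloc */
    if (p.addr < p.base || p.addr > p.bound) return 0;  /* outside the object */
    return width <= p.bound - p.addr;                   /* the tail fits too */
}

/* A checked byte store: refused, not performed, when out of bounds. */
static int bounded_store(bptr p, unsigned char v) {
    if (!bounded_check(p, sizeof v)) return 0;
    *(unsigned char *)p.addr = v;
    return 1;
}

/* Exercise the check on constructed metadata: an object occupying
   [base, base+len), accessed `width` bytes at base+off. */
static int check_at(uintptr_t base, size_t len, ptrdiff_t off, size_t width) {
    bptr p = { base, base, base + len };
    return bounded_check(bounded_add(p, off), width);
}

/* Walk a 16-byte heap buffer from index -1 to 16. Indices 0..15 are accepted;
   -1 (underflow) and 16 (off-by-one overrun) are rejected, so the result is 2.
   Returns -1 if malloc fails. */
static int demo_violations(void) {
    bptr buf = bounded_malloc(16);
    int rejected = 0;
    if (buf.addr == 0) return -1;
    for (ptrdiff_t i = -1; i <= 16; i++) {
        if (!bounded_store(bounded_add(buf, i), (unsigned char)i)) rejected++;
    }
    free((void *)buf.base);
    return rejected;
}

int main(void) {
    printf("rejected accesses: %d\n", demo_violations());
    return 0;
}
```

The multi-byte case in `bounded_check` is the one worth noting: a 4-byte access at offset 12 of a 16-byte object is in bounds, while the same access at offset 13 is not, even though its first byte is inside the allocation. Checking only the starting address would miss that overrun.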
Supplemental Material: slides from the presentation and supplemental material for Hardbound: architectural support for spatial safety of the C programming language.
Hardbound: architectural support for spatial safety of the C programming language. ASPLOS '08.