ACM Digital Library record, DOI 10.1145/1346281.1346295 (research article, ASPLOS conference proceedings)

Hardbound: architectural support for spatial safety of the C programming language

Published: 01 March 2008

ABSTRACT

The C programming language is at least as well known for its absence of spatial memory safety guarantees (i.e., lack of bounds checking) as it is for its high performance. C's unchecked pointer arithmetic and array indexing allow simple programming mistakes to lead to erroneous executions, silent data corruption, and security vulnerabilities. Many prior proposals have tackled enforcing spatial safety in C programs by checking pointer and array accesses. However, existing software-only proposals have significant drawbacks that may prevent wide adoption, including: unacceptably high run-time overheads, lack of completeness, incompatible pointer representations, or need for non-trivial changes to existing C source code and compiler infrastructure.

Inspired by the promise of these software-only approaches, this paper proposes a hardware bounded pointer architectural primitive that supports cooperative hardware/software enforcement of spatial memory safety for C programs. This bounded pointer is a new hardware primitive datatype for pointers that leaves the standard C pointer representation intact, but augments it with bounds information maintained separately and invisibly by the hardware. The bounds are initialized by the software, and they are then propagated and enforced transparently by the hardware, which automatically checks a pointer's bounds before it is dereferenced. One mode of use requires instrumenting only malloc, which enables enforcement of per-allocation spatial safety for heap-allocated objects for existing binaries. When combined with simple intraprocedural compiler instrumentation, hardware bounded pointers enable a low-overhead approach for enforcing complete spatial memory safety in unmodified C programs.
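The initialize / propagate / check sequence the abstract describes, as an added software model. This is not the paper's hardware design or code and makes no claim about where Hardbound stores its metadata: the names bmalloc, badd, bcheck and bnarrow, the struct that carries the bounds, the `account` struct and the constructed sample input are this illustration's own assumptions. Bounds are attached by an instrumented malloc, carried unchanged through pointer arithmetic, and checked on every access. The last function shows the caveat a practitioner would want to know about the malloc-only mode: per-allocation bounds accept an overflow from one field into a neighbouring field of the same allocation, and only narrower sub-object bounds (which compiler instrumentation could supply; assumed here, not quoted from the paper) reject it.

```c
/* Added example, not the paper's hardware design or code: a software model of
 * the bounded pointer described in the abstract. Names (bmalloc, badd, bcheck,
 * bnarrow), the struct layout and the sample inputs are this illustration's own.
 * Hardbound keeps bounds in hardware metadata; here they ride in a struct so
 * that initialize / propagate / check are visible. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *ptr;    /* ordinary C pointer value, used exactly as before         */
    char *base;   /* lower bound, inclusive: set once by instrumented malloc */
    char *bound;  /* upper bound, exclusive                                  */
} bptr;

/* Initialize: what an instrumented malloc does after allocating. */
static bptr bmalloc(size_t n)
{
    bptr p;
    p.ptr = malloc(n);
    p.base = p.ptr;
    p.bound = p.ptr ? p.ptr + n : NULL;
    return p;
}

/* Propagate: arithmetic carries the bounds along unchanged. Forming an out-of-
 * bounds pointer is fine, only dereferencing it is not. uintptr_t keeps the
 * model itself free of undefined behaviour. */
static bptr badd(bptr p, ptrdiff_t off)
{
    bptr q = p;
    q.ptr = (char *)((uintptr_t)p.ptr + (uintptr_t)off);
    return q;
}

/* Check before every n-byte access: base <= ptr and ptr + n <= bound, no wrap. */
static int bcheck(bptr p, size_t n)
{
    uintptr_t a = (uintptr_t)p.ptr, lo = (uintptr_t)p.base, hi = (uintptr_t)p.bound;
    return p.ptr != NULL && a >= lo && a <= hi && n <= hi - a;
}

/* Checked 1-byte store: returns 0 and writes nothing on a violation
 * (real hardware would raise an exception instead). */
static int bstore8(bptr p, uint8_t v)
{
    if (!bcheck(p, 1)) return 0;
    *(uint8_t *)p.ptr = v;
    return 1;
}

/* Narrow to a sub-object [ptr, ptr+len): an assumed stand-in for bounds a
 * compiler could attach to a field, not a description of the paper's pass. */
static bptr bnarrow(bptr p, size_t len)
{
    bptr q = p;
    if (!bcheck(p, len)) return p;   /* never widen past the current bounds */
    q.base = p.ptr;
    q.bound = p.ptr + len;
    return q;
}

/* Heap overflow: copy a constructed 24-byte input byte by byte into a 16-byte
 * buffer. Returns how many bytes landed before the check fired. */
static int demo_heap_overflow(void)
{
    const char input[24] = "AAAAAAAAAAAAAAAAAAAAAAA";   /* constructed: 23 x 'A' + NUL */
    bptr buf = bmalloc(16);
    int written = 0;
    for (size_t i = 0; i < sizeof input; i++) {
        if (!bstore8(badd(buf, (ptrdiff_t)i), (uint8_t)input[i])) break;
        written++;
    }
    free(buf.ptr);
    return written;   /* 16: the 17th byte is one past the end */
}

/* Last valid byte accepted; one past the end and one before the start rejected. */
static int demo_edges(void)
{
    bptr buf = bmalloc(8);
    int ok_last = bstore8(badd(buf, 7), 1);
    int rej_end = !bstore8(badd(buf, 8), 1);
    int rej_neg = !bstore8(badd(buf, -1), 1);
    free(buf.ptr);
    return ok_last && rej_end && rej_neg;
}

/* Caveat of malloc-only mode: per-allocation bounds cannot see an overflow from
 * one field into the next within the same object; sub-object bounds can. */
struct account { char name[8]; uint8_t is_admin; };   /* is_admin at offset 8 */

static int demo_intra_object(void)
{
    bptr acct = bmalloc(sizeof(struct account));
    memset(acct.ptr, 0, sizeof(struct account));
    int wrote = bstore8(badd(acct, 8), 1);        /* name[8] is is_admin: accepted */
    uint8_t admin = ((struct account *)acct.ptr)->is_admin;
    bptr name = bnarrow(acct, sizeof(((struct account *)0)->name));
    int caught = !bstore8(badd(name, 8), 1);      /* field bounds: rejected */
    free(acct.ptr);
    return wrote && admin == 1 && caught;         /* 1 */
}
```

The demo functions return their results rather than printing them so they can be checked directly. Two things the model deliberately simplifies: a violation returns 0 where hardware would trap, and the bounds sit next to the pointer in ordinary memory, which a real design must avoid because an attacker who can overwrite the pointer could then overwrite its bounds too; keeping the metadata out of the program's reach is exactly what "maintained separately and invisibly by the hardware" buys.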

Supplemental Material: 1346295.mp4 (video, 140.7 MB)


Published in

ASPLOS XIII: Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems, March 2008, 352 pages. ISBN 9781595939586, DOI 10.1145/1346281.

Also appearing in the ASPLOS '08 issues (March 2008, 339 pages each) of:
• ACM SIGOPS Operating Systems Review, Volume 42, Issue 2. ISSN 0163-5980, DOI 10.1145/1353535
• ACM SIGARCH Computer Architecture News, Volume 36, Issue 1. ISSN 0163-5964, DOI 10.1145/1353534
• ACM SIGPLAN Notices, Volume 43, Issue 3. ISSN 0362-1340, EISSN 1558-1160, DOI 10.1145/1353536

Copyright © 2008 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

ASPLOS XIII paper acceptance rate: 31 of 127 submissions (24%). Overall acceptance rate: 535 of 2,713 submissions (20%).
