Secure Low-Level Programming via Hardware-Assisted Memory-Safe C

Transcription

1 Secure Low-Level Programming via Hardware-Assisted Memory-Safe C Prof. Milo Martin Santosh Nagarakatte, Joe Devietti, Jianzhou Zhao, Colin Blundell Prof. Steve Zdancewic University of Pennsylvania Please feel free to ask questions!

2 Two Long-Term Research Goals Easier multicore programming Multicore revolution parallel programs ubiquitous Programming is hard, parallel programming more so Safer and secure low-level programming C s lack of memory safety: root cause of vulnerabilities Goal: legacy C code as safe and secure as Java Unfortunately, C makes such checking a challenge This talk: hardware/compiler for spatial safety of C Using hardware and/or compiler techniques 2

3 Talk Overview & Project Evolution Hardware bounded pointer primitive New hardware/software contract for pointers Work in progress ~10% overhead Memory layout unchanged HardBound [ASPLOS 08] Seminar on Hardware Support for Security 05 Efficiency & Compatibility Spatial safety (J&K, SafeC/CCured/Cyclone) SoftBound [PLDI 2009] Hardware Software Today s hardware Compiler-based transformation, < 2x overhead 3

4 Why Care About Spatial Safety, Anyway? June 2, 2009: itunes-8.2 Open URL, stack overflow May 12, 2009: libxml, Safari Visit website, heap overflow Feb 20, 2009: Acrobat Reader Open PDF, overflow Jan 22, 2009: Windows RPC packet, overflow (Conficker worm) Buffer overflows are security vulnerabilities 4

5 struct BankAccount { char acctid[3]; int balance; a } b; acctid b p 0x12 0x13 0x10 0x17 0x11 b.balance = 0; Vulnerability c of the decade char* id = &(b.acctid); [Cowan et al] Variants (stack-, heap-, pointer-smashing, jump-to-libc) bal id memory memory 0x10 Spatial Violation Example registers reg Facilitated by integer overflow/underflow char* p = id; Can happen anywhere in the code Attackers are clever, highly motivated do { char ch = readchar(); *p = ch; p++; } while(ch); 5

6 Preventing Spatial Violations treat the symptoms use static analysis address space randomization add bounds use a safe language non-executable stack/heap what about false positives? checking to write perfect code protect return addresses existing C code all incomplete what about (existing) C code? SoftBound Santosh Nagarakatte PLDI

7 The Cockroach of Programming Languages Ubiquitous Is there any mainstream system without some C code? Relevant Sometimes the right tool for a task Gold standard for performance Evolving Research philosophy: English vs. Esperanto (1887) What if you can t wipe the slate clean? Modify the language? Or modify the hardware? 7

8 Modernizing Legacy C Code Can we provide unmodified C source code with key safety features of modern languages? Key feature: memory safety Spatial memory safety (bounds errors) What is this? Temporal memory safety (dangling pointers) char *c; Alas, such retrofitting challenging Pointer arithmetic, pointers to middle of objects, arrays in structs, legal out-of-bounds pointers, confluence of arrays and singleton pointers, visible memory layout, arbitrary type casts, Lack of bounds information key challenge today s talk 8

9 Taxonomy of Bounds Checking for C Prior work: [Hastings92, Austin94, Jones97, Jim02, Necula02, Yong03, Eigler03, Ruwase04, Nethercote04, Xu04, Dhurjati06, Criswell07, ] Tripwires e.g., Purify, Valgrind Few bits of state for each byte in memory A red-zone block between objects Pointer based e.g., SafeC, Cyclone, CCured, MSCC, Pointer becomes a fat pointer (ptr, base, bound) Pointer dereferences are checked Object based e.g., Jones & Kelly, CRED, SafeCode, SVA, Checks pointer manipulations Must point within same object All have one or more challenges: High runtime overheads Incompleteness (sub-objects, handling arbitrary casts) Incompatibilities (language changes, pointer representations) 9

10 The Tao of Dynamically Checking C Compatibility Completeness Continuous (fast enough) 10

11 memory acctid bal id Background: Fat Pointer Approach memory a b c 0 id_bse 0x10 0x10 id_bnd 0x13 registers p_bse 0x10 p reg 0x11 0x10 0x12 p_bnd 0x13 0x13 struct BankAccount { } b; char acctid[3]; int balance; b.balance = 0; char* id = &(b.acctid); char* id_bse = &(b.acctid); char* id_bnd = &(b.acctid) + 3; char* p = id; char* p_bse = id_bse; char* p_bnd = id_bnd; do { char ch = readchar(); check(p, p_bse, p_bnd);*p = ch; p++; } while(ch); 11

12 Background: Object Based Approach memory acctid bal memory a b c p table registers reg 0x12 0x17 0x16 0x10 0x13 0x11 object table 10,11 11,12 12,13 16,17 Obj id 0x10 10 to 16 struct BankAccount { } b; char acctid[3]; int balance; insert(b, &b, &b+sizeof(b)); b.balance = 0; char* id = &(b.acctid); char* p = id; do { char ch = readchar(); *p = ch; p++; p = lookup(p, p + 1); } while(ch); 12

13 Analysis: Comparison of Approaches Object based + Disjoint metadata memory layout unchanged high source compatibility Problem detecting sub-object overflows Range lookup overhead Fat pointers + Can detect sub-objects overflows Inline metadata memory layout changes low source compatibility Both Fail to protect against arbitrary casts (unless augmented, such as CCured s WILD pointers) 13

14 Our Approach: Disjoint Pointer Metadata memory acctid bal id memory a b c 0 registers p_bse 0x10 p reg data 0x13 0x10 0x12 0x11 p_bnd 0x13 metadata Meta 0x13 0x10 struct BankAccount { } b; char acctid[3]; int balance; b.balance = 0; char* id = &(b.acctid); lookup(&id)->bse = &(b.acctid); lookup(&id)->bnd = &(b.acctid) + 3; char* p = id; char* p_bse = lookup(&id)->bse; char* p_bnd = lookup(&id)->bnd; do { char ch = readchar(); check(p, p_bse, p_bnd);*p=ch; p++; } while(ch); 14

15 Our Approach: Disjoint Pointer Metadata memory acctid bal id memory a b c 0 registers p_bse 0x10 p reg metadata data 0x13 p_bnd 0x13 Meta 0x13 0x10 Compatibility Unchanged memory layout Completeness Sub-object bounds Arbitrary casts Continuous (fast) Direct lookup Hardware-assisted 15

16 Rest of Talk: HardBound & SoftBound HardBound: Hardware/software impl. [ASPLOS 08] How does it work? (pointer propagation & checking) How do we make HardBound fast? Dedicated datapaths, compressing metadata SoftBound: Compiler-only prototype [PLDI 09] What changes without hardware support? Experiments 16

17 HardBound Overview Bounded-pointer hardware primitive datatype All registers and memory have base/bound metadata Implemented via shadow memory and shadow registers Rewrite hardware/software contract for pointers Software identifies where pointers are created Examples: malloc, &variable (inserted by compiler) Using new setbound instruction Hardware checks and propagates the pointers + Fat pointer representation hidden by hardware + Compatibility (memory layout unchanged) + Enables optimized metadata encoding 17

18 Hardware Propagates & Checks Metadata All registers and memory have metadata Example operations: add R1 < R2 + imm R1.value < R2.value + imm R1.base < R2.base R1.bound < R2.bound load R1 < Memory[R2] insn propagation assert(r2.base <= R2.value < R2.bound) R1.value < Memory[R2.value].value insn R1.base < Memory[R2.value].base R1.bound < Memory[R2.value].bound propagation Performed in parallel (replicate datapath) bounds check 18

19 Software Identifies Pointer Creation Heap Objects p = malloc(size); Even without recompilation Modified runtime system p = setbound(malloc(size), size) Hardware executes p = malloc(size) p_base = p p_bound = p + size Allocation-granularity checking for heap 19

20 Software Identifies Pointer Creation Stack and Global Objects int array[100]; p = &array; Compiler p = setbound(&array, sizeof(array)); Hardware executes p = &array p_base = p p_bound = p + sizeof(array) Recompilation protects stack & globals Easy for compiler to identify 20

21 Bounding Pointers to Structure Fields option #1 struct { Entire Structure char acctid[3]; int balance; } *ptr; char* id = &(ptr->acctid);? #1 #2 option #2 Shrink to Field acctid bal id_base = ptr_base; id_bound = ptr_bound; id_base = &(ptr->acctid); id_bound = &(ptr->acctid) + 3; Programmer intent ambiguous; optional shrinking of bounds 21

22 memory acctid bal id memory a b c 0 HardBound Example registers p reg bnd data bse metadata Meta 0x13 0x10 struct BankAccount { } b; char acctid[3]; int balance; b.balance = 0; char* id = &(b.acctid); setbound(&b.acctid,3) char* p = id; do { char ch = readchar(); *p=ch; p++; } while(ch); Hdw. propagation Hdw. propagation Hdw. check 22

23 struct { int* ptr; int i; } s; HardBound Memory Layout Virtual Memory standard C layout ptr i base bound regular space (layout unchanged) enables compatibility how do we make it efficient? metadata shadow space 23

24 Eliminating Metadata for Non-Pointers Most data are not pointers tag pointer base bound 1 non-pointer 0 Add 1-bit tag to act as a filter Prevents an expensive base/bound lookup Lives in virtual memory (1 bit per word, 3% overhead) Add tag cache, accessed in parallel 24

25 Compressing In-Memory Metadata 1. Many pointers point to the beginning of an object 2. Many pointers point to small objects size pointer: 1000 base: 1000 bound: tag:1 + pointer: 1000 base: 1000 bound: 1003 used opportunistically (on each store) 25

26 Metadata Lookup and Tag Cache Processor Core tag$ TLB data$ TLB insn$ TLB L2$ Memory 26

27 Why Not Just Do HardBound in Software? SoftBound Compiler inserts code for propagation and checking Similarities Same disjoint pointer-based metadata approach Differences Memory: access metadata only on pointer load/store No need for tag space Doesn t (yet) use metadata compression Registers: base/bound just temporaries in compiler IR Bounds checks: compiler can elide redundant checks Works on today s hardware 27

28 SoftBound Checking & Propagation All pointer/array dereferences checked if ((p < p_base) (p + size > p_bound)) abort(); Five x86 instructions: cmp, br, add, cmp, br Loading/storing a pointer from memory Loads/stores base and bound from metadata space Five x86 instructions: shift, mask, add, two loads Pointer assignments, arithmetic, and casts Just propagate pointer base and bound (share register) Pointer arguments to a function Bounds passed as extra arguments (in registers) int f(char* p) { } int _f(char* p, void* p_base, void* p_bound) { } 28

29 More in the Papers Proof of spatial safety guarantees Region delineated by pointer metadata is always valid Formalized a rich subset of C Includes arbitrary casts, recursive structures, etc Mechanized proof in Coq Hashtable-based metadata storage Handling various aspects of C Separate compilation and library code memcpy() Function pointers Variable argument functions 29

30 Experiments Four questions Effective in detecting overflows? Compatible with existing C code? Reasonable overheads? Hardware support justified? 30

31 HardBound Prototypes Source-to-source compiler based on CIL Simulator: FeS 2 x86 + Simics Simple in-order core model + caches SoftBound prototype ~7K lines LLVM as its foundation of code Typed IR helps in pointer identification Bounds check elimination not focus Intra-procedural dominator based Existing techniques would help a lot Runtime results on Core 2 Duo Source Typed IR Optimize SoftBound Optimize Binary 31

32 Spatial Violation Detection Effective in detecting overflows? Suite of 286 spatial violations [Kratkiewicz 05] Synthetic attacks [Wilander et al] Prevented all these attacks Bugbench [Lu05]: overflows from real applications Benchmark SoftBound Mudflap Valgrind Go Yes No No Compress Yes Yes Yes Polymorph Yes Yes No Gzip Yes Yes Yes Detected all known violations 32

33 Source Compatibility Experiments Compatible with existing C code? 272K lines of code total 23 benchmarks from Spec, Olden BugBench Multithreaded HTTP Server with CGI support FTP server No spurious runtime violations encountered 33

34 25% 20% 15% 10% HardBound Runtime Results additional memory latency stalling on pointer metadata µops for loading/storing bounds setbound instructions 10% average overhead 5% 0% extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 extern-4 intern-4 intern-11 bh bisort em3d health mst perim power treeadd tsp avg 34

35 Percent SoftBound Runtime Results Full Checking Store Only Checking 67% 21% Check only stores [Yong03, Castro06] Full Checking: default for development & testing Attacks predominantly use stores Store-only: for security critical apps, production code 35

36 Softbound: Runtime vs Dynamic Instructions Percent 132% Runtime overhead Instruction overhead % 82% 67% Processor exploits Instruction Level Parallelism (ILP) Bounds checking & propagation off the critical path 36

37 Experiments Recap Effective in detecting overflows? Yes Compatible with existing C code? Yes Reasonable overheads? You decide SoftBound: Full checking 67%, store-only 21% HardBound: Full checking ~10% Hardware support justified? Maybe Impact of simple versus sophisticated cores Cost/benefit tradeoff can we lower the cost? 37

38 Future Work: Hardware/Software Continuum High HardBound Hardware Modifications None Ideal None SoftBound Runtime Overhead High Hardware-accelerated temporal safety (without GC) Check freshness of each allocation with a capability 38

39 Conclusions HardBound/SoftBound provide spatial safety for C Pointer-based approach, but with disjoint metadata Compatible (no source code changes) Effective (catches know vulnerabilities) Software-only: fast enough for Debugging & testing: full checking Security-critical software: store only checking Hardware-assisted: even lower overhead 39

40 Want to try SoftBound out?