A program execution is memory safe so long as memory access errors never occur:

Similar documents
Runtime Defenses against Memory Corruption

CS-527 Software Security

CS527 Software Security

DieHard: Probabilistic Memory Safety for Unsafe Programming Languages

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

Preventing Use-after-free with Dangling Pointers Nullification

Goals of Memory Management

Pointers. Memory. void foo() { }//return

Computer Systems A Programmer s Perspective 1 (Beta Draft)

HA2lloc: Hardware-Assisted Secure Allocator

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

SoK: Eternal War in Memory

C Programming. Course Outline. C Programming. Code: MBD101. Duration: 10 Hours. Prerequisites:

Run-time Environments - 3

[0569] p 0318 garbage

6.172 Performance Engineering of Software Systems Spring Lecture 9. P after. Figure 1: A diagram of the stack (Image by MIT OpenCourseWare.

Binding and Storage. COMP 524: Programming Language Concepts Björn B. Brandenburg. The University of North Carolina at Chapel Hill

Buffer overflow prevention, and other attacks

SoftBound: Highly Compatible and Complete Spatial Safety for C

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

Lecture 4 September Required reading materials for this class

Today: Segmentation. Last Class: Paging. Costs of Using The TLB. The Translation Look-aside Buffer (TLB)

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

CPSC 3740 Programming Languages University of Lethbridge. Data Types

Segmentation with Paging. Review. Segmentation with Page (MULTICS) Segmentation with Page (MULTICS) Segmentation with Page (MULTICS)

Understanding Undefined Behavior

Chapter 8 Memory Management

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Dynamic Dispatch and Duck Typing. L25: Modern Compiler Design

Memory Management. Minsoo Ryu. Real-Time Computing and Communications Lab. Hanyang University.

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Name, Scope, and Binding. Outline [1]

CS 536 Introduction to Programming Languages and Compilers Charles N. Fischer Lecture 11

Baggy bounds with LLVM

Memory Management Minsoo Ryu Real-Time Computing and Communications Lab. Hanyang University

Ironclad C++ A Library-Augmented Type-Safe Subset of C++

SoftBound: Highly Compatible and Complete Spatial Memory Safety for C

Heap Bounds Protection with Low Fat Pointers

CS252 S05. Main memory management. Memory hardware. The scale of things. Memory hardware (cont.) Bottleneck

JamaicaVM Java for Embedded Realtime Systems

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Lecture Notes on Memory Layout

A JVM for Soft-Error-Prone Embedded Systems

HardBound: Architectural Support for Spatial Safety of the C Programming Language

In Java we have the keyword null, which is the value of an uninitialized reference type

Dynamic Memory Allocation. Zhaoguo Wang

Undefined Behaviour in C

Heriot-Watt University

Lecture 14. No in-class files today. Homework 7 (due on Wednesday) and Project 3 (due in 10 days) posted. Questions?

CS2141 Software Development using C/C++ Debugging

Dynamic Memory Allocation: Advanced Concepts

Code Injection Attacks Buffer Overflows

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin

Run-time Environments -Part 3

Secure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack

CS399 New Beginnings. Jonathan Walpole

System Assertions. Andreas Zeller

Lecture Notes on Garbage Collection

Operating Systems. 09. Memory Management Part 1. Paul Krzyzanowski. Rutgers University. Spring 2015

Defeating Code Reuse Attacks with Minimal Tagged Architecture. Samuel Fingeret. B.S., Massachusetts Institute of Technology (2014)

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Dynamic Memory Management! Goals of this Lecture!

memory management Vaibhav Bajpai

Verification & Validation of Open Source

Dnmaloc: a more secure memory allocator

Memory Management Basics

Pointers II. Class 31

Memory Safety for Embedded Devices with nescheck

CS 430 Spring Mike Lam, Professor. Data Types and Type Checking

CS 261 Fall Caching. Mike Lam, Professor. (get it??)

Performance of Various Levels of Storage. Movement between levels of storage hierarchy can be explicit or implicit

Dynamic Memory Management

CS162 - Operating Systems and Systems Programming. Address Translation => Paging"

CMSC 330: Organization of Programming Languages

Data Types. Outline. In Text: Chapter 6. What is a type? Primitives Strings Ordinals Arrays Records Sets Pointers 5-1. Chapter 6: Data Types 2

ECE 2035 Programming HW/SW Systems Fall problems, 5 pages Exam Three 28 November 2012

Dynamic Memory Management

Inheritance, Polymorphism and the Object Memory Model

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Dynamic Memory Allocation. Basic Concepts. Computer Organization 4/3/2012. CSC252 - Spring The malloc Package. Kai Shen

Memory management. Johan Montelius KTH

Limitations of the stack

CMPSC 497 Execution Integrity

New features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany

18-642: Code Style for Compilers

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

Pick a time window size w. In time span w, are there, Multiple References, to nearby addresses: Spatial Locality

A new Mono GC. Paolo Molaro October 25, 2006

Short Notes of CS201

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

CSCI-1200 Data Structures Fall 2017 Lecture 5 Pointers, Arrays, & Pointer Arithmetic

Dynamic Storage Allocation

Data Types and Computer Storage Arrays and Pointers. K&R, chapter 5

File Systems. CSE 2431: Introduction to Operating Systems Reading: Chap. 11, , 18.7, [OSC]

CS201 - Introduction to Programming Glossary By

Chapter 8 Main Memory

CSE 509: Computer Security

Data Types In Text: Ch C apter 6 1

Programming in C. Lecture 9: Tooling. Dr Neel Krishnaswami. Michaelmas Term

Transcription:

A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories Spatial memory safety Stops out-of-bounds pointers. (buffer overflows) Temporal memory safety Stops dangling pointers (use-after-free, double-free)

Base Limit Object_1 object 1 object 2 Memory pointer: A pointer to be dereferenced at run-time is in-bound?

Memory Disjoint metadata table Fragmentation Object_1 Fragmentation Object_2 entry_1 entry_2 entry_3 Base address, limit, Base address, limit, Base address, limit, Choice of data structure Zillions of objects (pointers) to track?

Object allocation Pointer arithmetic, type casts Memory access Check memory corruption Time Halt right before out-of-bound pointers are dereferenced.

2 of the original run-time Un-instrumented Instrumented (inline) Tight loop Metadata update # dynamic instruction # cache misses High and unpredictable overhead

Storage object base: pointer: limit: Fat pointer FAST (high locality of references) Low compatibility with precompiled libs Metadata overwritten by unsafe typecast

&p Memory Fragmentation Object_1 Fragmentation Object_2 pointer (p) Disjoint metadata table &p &p &p Base address, limit, Base address, limit, Base address, limit, Disjoint metadata Better compatibility Safer metadata management Expensive lookup Space overheads

Runtime overheads Complete checking Precise checking Better compatibility Space overheads (shadow space, padding) Incomplete checking (e.g. internal overflows) Approximate checking Less compatibility

High locality of references Having an object carry its own metadata Using a supplementary table Streamlined metadata lookup in the data structure The worst case: O(1) Compatibility Avoiding internal memory layout change or superfluous padding Scalability Extending its usage to type safety, thread safety or garbage collection using per-object information

Source Source Source Code Code Code Static Library Generate LLVM IR Analyse Transform Framer is Implemented as a LLVM LTO Pass for whole program analysis Source Source Binary Libraries Code Code Link Generate Code Hardened Executable

Base address Limit Header Object_1 object Header Memory pointer For the higher locality of references, we attach a header.

Base address Limit Header Object_1 object Header Memory tagged pointer 48 bits 15 1 Base Tag Flag The address of a header is derived from a tagged pointer.

Header aligned by 2^n Object_1 object Header Memory Object s wrapper frame 2^n An object s wrapper frame is defined as the smallest frame.

Header Object_1 object p Header Memory offset Object s wrapper frame (2^n) 48 bits 15 1 Base offset Flag The base of the wrapper frame= p & (( 0)<<n)

Header Object_1 object Header offset Memory Slot: (2^15)-sized frame 48 bits 15 1 Base offset Flag

Header Object_1 object p1 p2 Slot 1 Slot 2 Offset cannot be used as relative location information.

Address Space Application memory Shadow memory Heap Heap libc stack libc stack

Process Address Space Application memory Shadow memory Heap libc stack N : 1 Heap libc stack

Process Address Space Application memory Shadow memory Heap libc Heap libc stack stack 48 bits 15 1 Base N Flag

Base Limit Base Limit object_1 Object pointer: A B C Memory entry_1 entry_2 Base, limit, Base, limit, A C Tracking objects requires checks at pointer arithmetic to keep track of intended referents.

int *p; int *a= (int*)malloc(100*sizeof(int)); for (p=a; p<&a[100];++p) *p=0; /* p == &a[100] */ Should we check bounds at pointer arithmetic AND memory read/write??

pointer: Base Array Obje Limit Memory addr 1. Pad an off-by-one byte. Base Limit Array Obje Memory pointer: mark=1 2. Mark out-of-bound pointer at pointer arithmetic.

Header Object_1 object Object s wrapper frame Header Memory pointer: Check only in-frame at pointer arithmetic.

Framer ensures compatibility with un-instrumented libs Strip-off tagged pointers passed to pre-compiled libs Header attached does not damage compatibility

int myarray [10]; /* object allocation*/ int * p= myarray; /* pointer creation && assignment */ p= p+4; /* pointer arithmetic */ *p=10; /* pointer dereference */ object allocation Replace it with a padded one. Update metadata and replace uses with a tagged pointer. Pointer arithmetic Memory access Time Check in-frame. Check bounds, and strip-off a tag.

Reduce objects to be tracked. Use the compiler s variable range analysis Minimise the penalty of using tagged pointers Reduce run-time checks Hoist runtime checks outside loops Remove redundant checks due to a previous check Remove checks for pointers statically determined safe

High locality of references Storing per-object metadata in the header Supplementary table in the form of a contiguous array. Low, stable cache misses compared to other approaches Streamlined metadata lookup Direct access to the corresponding header or entry < hash table management Low space overhead Compact encoding of addresses 4 bytes of size information < 1 word (the base) + alpha

Losing high locality for big-sized arrays Vulnerable to overwrites on metadata by user program s unsafe type casts like fat pointers More compact encoding for supplementary metadata table Reducing dynamic instruction counts using static analysis

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback