DOI:10.1145/2259016.2259034
research-article

Light-weight bounds checking

Published: 31 March 2012

Abstract

Memory errors in C and C++ programs continue to be one of the dominant sources of security problems, accounting for over a third of the high severity vulnerabilities reported in 2011. Widespread deployment of defenses such as address-space layout randomization (ASLR) has made memory exploit development more difficult, but recent trends indicate that attacks are evolving to overcome this defense. Techniques for systematic detection and blocking of memory errors can provide more comprehensive protection that can stand up to skilled adversaries, but unfortunately, these techniques introduce much higher overheads and provide significantly less compatibility than ASLR. We propose a new memory error detection technique that explores a part of the design space that trades off some ability to detect bounds errors in order to obtain good performance and excellent backwards compatibility. On the SPECINT 2000 benchmark, the runtime overhead of our technique is about half of that reported by the fastest previous bounds-checking technique. On the compatibility front, our technique has been tested on over 7 million lines of code, which is much larger than that reported for previous bounds-checking techniques.



Published In

CGO '12: Proceedings of the Tenth International Symposium on Code Generation and Optimization
March 2012
285 pages
ISBN:9781450312066
DOI:10.1145/2259016

Publisher

Association for Computing Machinery

New York, NY, United States


Conference

CGO '12

Acceptance Rates

CGO '12 Paper Acceptance Rate: 26 of 90 submissions, 29%
Overall Acceptance Rate: 312 of 1,061 submissions, 29%
