The serious bugs and security vulnerabilities that result from C's lack of bounds checking and unsafe manual memory management are well known, yet C remains in widespread use. Unfortunately, C's arbitrary pointer arithmetic, conflation of pointers and arrays, and programmer-visible memory layout make retrofitting C with memory safety guarantees challenging. Existing approaches suffer from incompleteness, have high runtime overhead, or require non-trivial changes to the C source code. Thus far, these deficiencies have prevented widespread adoption of such techniques.

This dissertation proposes mechanisms to provide comprehensive memory safety that works with mostly unmodified C code with a low performance overhead. We use a pointer-based approach where we maintain metadata with pointers and check every pointer dereference. To enable compatibility with existing code, we maintain the metadata for the pointers in memory in a disjoint metadata space, leaving the memory layout of the program intact. For detecting spatial violations, we maintain bounds metadata with every pointer. For detecting temporal violations, we also maintain a unique identifier metadata with each pointer. This pointer metadata is propagated with pointer operations and checked on pointer dereferences. Coupling disjoint metadata with a pointer-based approach enables comprehensive detection of all memory safety violations in unmodified C programs. This dissertation demonstrates the compatibility of this approach by hardening legacy C/C++ code with minimal source code changes. Further, this dissertation shows the effectiveness of the approach by detecting new memory safety errors and previously known memory safety errors in large code bases.
To attain low performance overheads, this dissertation proposes efficient instantiations of this approach (1) within a compiler, (2) within hardware, and (3) with a hybrid hardware-accelerated compiler instrumentation that reduces the overhead of enforcing memory safety and thereby enables their use in deployed systems.
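The abstract describes the mechanism in prose only: bounds metadata and a unique allocation identifier travel with each pointer, metadata for pointers that live in memory sits in a disjoint table so the program's own layout is untouched, and every dereference is checked. The following toy model, added here as an illustration and not the dissertation's own instrumentation code, makes that concrete in C. It assumes a fixed-size linear-search shadow table keyed by the address of the pointer variable, a fixed pool of per-allocation "lock" words that hold the allocation's key until free, and hand-written wrappers (`safe_malloc`, `safe_free`, `check_deref`, `shadow_store`, `shadow_load`) standing in for the checks a compiler pass or hardware would insert automatically.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of a checked dereference. */
enum { OK = 0, SPATIAL_VIOLATION = 1, TEMPORAL_VIOLATION = 2 };

/* Metadata tracked with each pointer; it is never stored inside the object itself. */
typedef struct {
    const char *base;   /* first valid byte */
    const char *bound;  /* one past the last valid byte */
    uint64_t key;       /* unique id of the allocation this pointer came from */
    uint64_t *lock;     /* holds `key` while the allocation is alive, 0 after free */
} meta_t;

/* Temporal metadata: one lock word per allocation, a fresh key each time (assumed fixed pool). */
#define MAX_LOCKS 64
static uint64_t locks[MAX_LOCKS];
static uint64_t next_key = 1;   /* 0 is reserved for "invalid" */
static size_t next_lock = 0;

/* Disjoint metadata space for pointers held in memory. Entries are keyed by the
 * address of the pointer variable, not by the pointee, so program data layout is unchanged. */
#define MAX_SHADOW 64
static struct { void **loc; meta_t m; } shadow[MAX_SHADOW];
static size_t shadow_n = 0;

/* Instrumented pointer store: record the metadata for the pointer written at `loc`. */
static void shadow_store(void **loc, meta_t m) {
    for (size_t i = 0; i < shadow_n; i++)
        if (shadow[i].loc == loc) { shadow[i].m = m; return; }
    if (shadow_n < MAX_SHADOW) { shadow[shadow_n].loc = loc; shadow[shadow_n].m = m; shadow_n++; }
}

/* Instrumented pointer load: fetch the metadata for the pointer read from `loc`. */
static meta_t shadow_load(void **loc) {
    for (size_t i = 0; i < shadow_n; i++)
        if (shadow[i].loc == loc) return shadow[i].m;
    meta_t none = {0, 0, 0, 0};   /* unknown pointer: every dereference will fail */
    return none;
}

/* Allocation wrapper: returns the raw pointer and produces its bounds and identifier. */
static void *safe_malloc(size_t n, meta_t *m) {
    char *p = malloc(n);
    if (!p || next_lock >= MAX_LOCKS) return NULL;
    uint64_t *lock = &locks[next_lock++];
    *lock = next_key;
    m->base = p; m->bound = p + n; m->key = next_key; m->lock = lock;
    next_key++;
    return p;
}

/* The check inserted before every dereference of `size` bytes at `p`. */
static int check_deref(const meta_t *m, const void *p, size_t size) {
    const char *c = p;
    if (m->lock == NULL || *m->lock != m->key) return TEMPORAL_VIOLATION;
    if (c < m->base || c + size > m->bound) return SPATIAL_VIOLATION;
    return OK;
}

/* Free wrapper: verify the pointer is live, then clear the lock so stale copies fail. */
static int safe_free(void *p, const meta_t *m) {
    if (m->lock == NULL || *m->lock != m->key) return TEMPORAL_VIOLATION;  /* double free */
    *m->lock = 0;
    free(p);
    return OK;
}

/* Heap overflow: metadata propagates unchanged through p + 16, which is one past a 16-byte buffer. */
static int demo_overflow(void) {
    meta_t m; char *p = safe_malloc(16, &m);
    int r = check_deref(&m, p + 16, 1);
    safe_free(p, &m);
    return r;   /* SPATIAL_VIOLATION */
}

/* Use after free: the key in the metadata no longer matches the cleared lock. */
static int demo_use_after_free(void) {
    meta_t m; char *p = safe_malloc(16, &m);
    safe_free(p, &m);
    return check_deref(&m, p, 1);   /* TEMPORAL_VIOLATION */
}

/* Double free is caught by the same temporal check. */
static int demo_double_free(void) {
    meta_t m; char *p = safe_malloc(4, &m);
    safe_free(p, &m);
    return safe_free(p, &m);   /* TEMPORAL_VIOLATION */
}

/* A pointer stored to memory and loaded back keeps its metadata via the shadow table. */
static void *slot;   /* an ordinary pointer-sized cell in program memory */
static int demo_store_load(void) {
    meta_t m; char *p = safe_malloc(8, &m);
    slot = p; shadow_store(&slot, m);               /* instrumented store */
    meta_t m2 = shadow_load(&slot); char *q = slot;  /* instrumented load */
    int ok = check_deref(&m2, q + 7, 1);             /* last byte: in bounds */
    int over = check_deref(&m2, q + 8, 1);           /* one past the end: spatial */
    safe_free(p, &m);
    int stale = check_deref(&m2, q, 1);              /* freed through the original copy: temporal */
    return ok == OK && over == SPATIAL_VIOLATION && stale == TEMPORAL_VIOLATION;
}

int main(void) {
    printf("overflow=%d uaf=%d double_free=%d store_load=%d\n",
           demo_overflow(), demo_use_after_free(), demo_double_free(), demo_store_load());
    return 0;
}
```

The two checks are independent: the spatial check compares the access range against `base`/`bound`, and the temporal check compares the pointer's `key` with the lock word that the allocation's free cleared. Because every copy of a pointer carries the same key and lock address, a dangling copy fails even though the original pointer was the one passed to free; and because the shadow table is indexed by where the pointer is stored rather than by what it points to, objects such as `slot` keep their ordinary size and layout.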
Cited By
- Duck G and Yap R. Heap bounds protection with low fat pointers. Proceedings of the 25th International Conference on Compiler Construction, pp. 132-142.
- Nagarakatte S, Martin M and Zdancewic S. WatchdogLite. Proceedings of the Annual IEEE/ACM International Symposium on Code Generation and Optimization, pp. 175-184.
- Kwon A, Dhawan U, Smith J, Knight T and DeHon A. Low-fat pointers. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 721-732.