Research article. DOI: 10.1145/3371307.3371311

Preventing zero-day exploits of memory vulnerabilities with guard lines

Published: 09 December 2019

Abstract

Exploitable memory errors are pervasive due to the widespread use of unsafe programming languages, such as C and C++. Despite much research, techniques for detecting memory errors at runtime have seen limited adoption due to high performance overhead, incomplete memory safety, or non-trivial microarchitectural changes.
This paper describes Guard Lines, a hardware / software memory error detector that detects common types of spatial and temporal memory errors at runtime without imposing a significant performance penalty (on average only 4%). Guard Lines provides memory safety by defining certain regions of memory as inaccessible "guards," which are created in software during memory allocation. If a program ever accesses guarded memory, the hardware raises an exception indicating a memory safety violation. Guard Lines requires minimal microarchitectural changes, and it uses a novel metadata design to efficiently track the guard locations. This paper describes the design, implementation, security analysis, and performance evaluation of Guard Lines and demonstrates its feasibility to protect real-world applications against exploitable memory vulnerabilities.
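
The mechanism the abstract describes (guards created in software at allocation time, every access checked against guard metadata) can be modelled in plain C. This is an added example, not code from the paper: the 64-byte line size, the one-byte-per-line metadata array and the `gl_*` function names are assumptions, and `gl_access` returning -1 stands in for the hardware exception.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LINE   64u   /* assumed guard granularity: one 64-byte line */
#define NLINES 64u   /* size of the model arena, in lines */

static uint8_t arena[LINE * NLINES];
static uint8_t guard[NLINES];   /* metadata: 1 = line is a guard */
static size_t  next_line;       /* bump pointer, in lines (no reuse) */

static size_t lines_for(size_t n) { return (n + LINE - 1) / LINE; }

/* Allocation creates the guards: [guard][payload lines][guard]. */
void *gl_alloc(size_t n) {
    size_t need = lines_for(n) + 2;
    if (n == 0 || need > NLINES - next_line) return NULL;
    guard[next_line] = 1;                        /* leading guard  */
    memset(&guard[next_line + 1], 0, need - 2);  /* payload lines  */
    guard[next_line + need - 1] = 1;             /* trailing guard */
    void *p = &arena[(next_line + 1) * LINE];
    next_line += need;
    return p;
}

/* Freed lines become guards, so a stale pointer is caught
   (temporal error). The model never hands the lines out again. */
void gl_free(void *p, size_t n) {
    size_t first = (size_t)((uint8_t *)p - arena) / LINE;
    memset(&guard[first], 1, lines_for(n));
}

/* Stand-in for the per-access hardware check: 0 if every line
   touched is unguarded, -1 where a violation would be raised. */
int gl_access(const void *addr, size_t len) {
    uintptr_t a = (uintptr_t)addr, base = (uintptr_t)arena;
    if (len == 0 || len > sizeof arena || a < base ||
        a - base > sizeof arena - len)
        return -1;                               /* outside the arena */
    size_t first = (a - base) / LINE;
    size_t last  = (a - base + len - 1) / LINE;
    for (size_t i = first; i <= last; i++)
        if (guard[i]) return -1;
    return 0;
}
```

In this model an overflow that stays inside the last payload line is not caught; that follows from the 64-byte granularity assumed here and says nothing about the paper's own design.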

Cited By

  • (2023) A Survey on Thwarting Memory Corruption in RISC-V. ACM Computing Surveys 56:2 (1-29). DOI: 10.1145/3604906. Online publication date: 17-Jun-2023
  • (2020) Edge Computing and Its Convergence With Blockchain in 5G and Beyond: Security, Challenges, and Opportunities. IEEE Access 8 (205340-205373). DOI: 10.1109/ACCESS.2020.3037108. Online publication date: 2020

Published In

SSPREW9 '19: Proceedings of the 9th Workshop on Software Security, Protection, and Reverse Engineering
December 2019
56 pages
ISBN: 9781450377461
DOI: 10.1145/3371307

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. AddressSanitizer
  2. buffer overflows
  3. guard lines
  4. hardware support
  5. memory safety

Qualifiers

  • Research-article

Conference

SSPREW9

Acceptance Rates

Overall Acceptance Rate 6 of 13 submissions, 46%
