DOI: 10.1145/1755688.1755707

PAriCheck: an efficient pointer arithmetic checker for C programs

Published: 13 April 2010

Abstract

    Buffer overflows are still a significant problem in programs written in C and C++. In this paper we present a bounds checker, called PAriCheck, that inserts dynamic runtime checks to ensure that attackers are not able to abuse buffer overflow vulnerabilities. The main approach is based on checking pointer arithmetic rather than pointer dereferences when performing bounds checks. The checks are performed by assigning a unique label to each object and ensuring that the label is associated with each memory location that the object inhabits. Whenever pointer arithmetic occurs, the label of the base location is compared to the label of the resulting arithmetic. If the labels differ, an out-of-bounds calculation has occurred. Benchmarks show that PAriCheck has a very low performance overhead compared to similar bounds checkers. This paper demonstrates that using bounds checkers for programs or parts of programs running on high-security production systems is a realistic possibility.
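
The label comparison described in the abstract, as an added illustration; it is not PAriCheck's code. The per-byte label table, the fixed arena, and the names `obj_alloc` and `checked_add` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARENA_SIZE 256                 /* assumption: toy arena */

static unsigned char arena[ARENA_SIZE];
static uint16_t labels[ARENA_SIZE];    /* shadow table, one label per byte; 0 = no object */
static size_t next_free = 0;
static uint16_t next_label = 1;

/* Hypothetical allocator: stamps a fresh label on every byte the object occupies. */
unsigned char *obj_alloc(size_t size) {
    if (size == 0 || size > ARENA_SIZE - next_free) return NULL;
    unsigned char *p = &arena[next_free];
    for (size_t i = 0; i < size; i++) labels[next_free + i] = next_label;
    next_free += size;
    next_label++;
    return p;
}

/* Label of an address; addresses outside the arena have no label. */
static uint16_t label_of(uintptr_t addr) {
    uintptr_t lo = (uintptr_t)arena;
    if (addr < lo || addr - lo >= ARENA_SIZE) return 0;
    return labels[addr - lo];
}

/* Checked pointer arithmetic: the result is accepted only if it carries the
 * same label as the base. The arithmetic is done on integers so that an
 * out-of-bounds result is never formed as a C pointer. In this toy version
 * a one-past-the-end result is rejected as well. */
unsigned char *checked_add(unsigned char *base, ptrdiff_t offset) {
    uintptr_t result = (uintptr_t)base + (uintptr_t)offset;
    uint16_t lb = label_of((uintptr_t)base);
    if (lb == 0 || label_of(result) != lb) return NULL;
    return (unsigned char *)result;
}

int main(void) {
    unsigned char *a = obj_alloc(16), *b = obj_alloc(8);   /* adjacent objects */
    printf("a+15 -> %s\n", checked_add(a, 15) ? "ok" : "out of bounds");
    printf("a+16 -> %s\n", checked_add(a, 16) ? "ok" : "out of bounds");
    printf("b-1  -> %s\n", checked_add(b, -1) ? "ok" : "out of bounds");
    return 0;
}
```

Because the check runs when the pointer is computed, the overflow from `a` into the adjacent object `b` is flagged before any dereference takes place.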


      Published In

      ASIACCS '10: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
      April 2010
      363 pages
      ISBN:9781605589367
      DOI:10.1145/1755688
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. bounds checking
      2. buffer overflows

      Qualifiers

      • Research-article

      Conference

      ASIA CCS '10
      Acceptance Rates

      ASIACCS '10 Paper Acceptance Rate 25 of 166 submissions, 15%;
      Overall Acceptance Rate 418 of 2,322 submissions, 18%
