DOI: 10.1145/3352460.3358288
Research article, Public Access

CHERIvoke: Characterising Pointer Revocation using CHERI Capabilities for Temporal Memory Safety

Published: 12 October 2019

Abstract

A lack of temporal safety in low-level languages has led to an epidemic of use-after-free exploits. These have surpassed in number and severity even the infamous buffer-overflow exploits violating spatial safety. Capability addressing can directly enforce spatial safety for the C language by enforcing bounds on pointers and by rendering pointers unforgeable. Nevertheless, an efficient solution for strong temporal memory safety remains elusive.
CHERI is an architectural extension to provide hardware capability addressing that is seeing significant commercial and open-source interest. We show that CHERI capabilities can be used as a foundation to enable low-cost heap temporal safety by facilitating out-of-date pointer revocation, as capabilities enable precise and efficient identification and invalidation of pointers, even when using unsafe languages such as C. We develop CHERIvoke, a technique for deterministic and fast sweeping revocation to enforce temporal safety on CHERI systems. CHERIvoke quarantines freed data before periodically using a small shadow map to revoke all dangling pointers in a single sweep of memory, and provides a tunable trade-off between performance and heap growth. We evaluate the performance of such a system using high-performance x86 processors, and further analytically examine its primary overheads. When configured with a heap-size overhead of 25%, we find that CHERIvoke achieves an average execution-time overhead of under 5%, far below the overheads associated with traditional garbage collection, revocation, or page-table systems.
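The mechanism described above (free() quarantines an object and marks it in a shadow map, a periodic single pass over capability-holding memory clears the tag of every capability still pointing into quarantined memory, and only then is that memory reused, with the quarantine limit trading heap growth against sweep frequency) can be followed end to end in a small software model. The block below is an added example written for this page; it is not the paper's CHERIvoke implementation, and it stands in for CHERI hardware with a struct carrying a base, a length and a tag bit. The heap size, the 16-byte granule, the slot array that represents capability-holding memory, and every cv_* function are assumptions made for the illustration. It also shows two things the abstract does not spell out: a second free of an already-quarantined object is detectable through the shadow map, and an aliasing copy of a freed pointer stays dangling but harmless until the sweep, because the quarantine keeps the memory out of circulation.

```c
/* Added example, not the paper's code: a software model of CHERIvoke-style
 * sweeping revocation. A CHERI capability is modelled as a tagged struct; on
 * real hardware the tag lives in tagged memory. All sizes and names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 4096u  /* modelled heap, bytes */
#define GRANULE   16u    /* one shadow-map bit per 16-byte granule */
#define NSLOTS    64u    /* capability-holding memory locations the sweep visits */
#define QMAX      128u   /* max objects in quarantine / on the free list */

typedef struct { uint32_t base, len; bool tag; } cap_t;
typedef struct { uint32_t base, len; } chunk_t;

static uint8_t  shadow[HEAP_SIZE / GRANULE / 8]; /* 1 bit per granule: quarantined? */
static cap_t    slots[NSLOTS];                   /* "memory" that may hold capabilities */
static chunk_t  quarantine[QMAX], freelist[QMAX];
static uint32_t nquar, nfree, quar_bytes, bump;
static uint32_t quar_limit = HEAP_SIZE / 4;      /* 25% heap growth, as in the abstract */

static void shadow_set(uint32_t base, uint32_t len, bool on) {
    for (uint32_t g = base / GRANULE; g < (base + len) / GRANULE; g++) {
        if (on) shadow[g / 8] |= (uint8_t)(1u << (g % 8));
        else    shadow[g / 8] &= (uint8_t)~(1u << (g % 8));
    }
}
static bool shadow_get(uint32_t addr) {
    uint32_t g = addr / GRANULE;
    return (shadow[g / 8] >> (g % 8)) & 1u;
}

void cv_reset(void) {
    memset(shadow, 0, sizeof shadow); memset(slots, 0, sizeof slots);
    nquar = nfree = quar_bytes = bump = 0; quar_limit = HEAP_SIZE / 4;
}
/* Lower limit: less heap growth but more frequent (costlier) sweeps. */
void cv_set_quarantine_limit(uint32_t bytes) { quar_limit = bytes; }

/* Allocations are rounded to whole granules so a shadow bit never straddles two
 * objects. Memory released by a sweep is reused first-fit from the free list. */
cap_t cv_malloc(uint32_t len) {
    cap_t c = {0, 0, false};
    len = (len + GRANULE - 1) / GRANULE * GRANULE;
    for (uint32_t i = 0; i < nfree; i++) {
        if (freelist[i].len >= len) {
            c = (cap_t){freelist[i].base, len, true};
            freelist[i].base += len; freelist[i].len -= len;
            return c;
        }
    }
    if (bump + len > HEAP_SIZE) return c;   /* out of memory: untagged capability */
    c = (cap_t){bump, len, true}; bump += len;
    return c;
}

/* The sweep: one pass over capability-holding memory clears the tag of every
 * capability whose base lies in quarantined memory; only then is that memory
 * put back on the free list. Returns the number of capabilities revoked. */
size_t cv_sweep(void) {
    size_t revoked = 0;
    for (uint32_t i = 0; i < NSLOTS; i++)
        if (slots[i].tag && shadow_get(slots[i].base)) { slots[i].tag = false; revoked++; }
    for (uint32_t i = 0; i < nquar; i++) {
        shadow_set(quarantine[i].base, quarantine[i].len, false);
        if (nfree < QMAX) freelist[nfree++] = quarantine[i];
    }
    nquar = quar_bytes = 0;
    return revoked;
}

/* free() marks the object in the shadow map and quarantines it rather than
 * recycling it. Returns -1 for an untagged capability or a double free (shadow
 * bit already set), else the count revoked by a sweep triggered at quar_limit. */
int cv_free(cap_t c) {
    if (!c.tag || shadow_get(c.base) || nquar == QMAX) return -1;
    shadow_set(c.base, c.len, true);
    quarantine[nquar++] = (chunk_t){c.base, c.len};
    quar_bytes += c.len;
    return quar_bytes >= quar_limit ? (int)cv_sweep() : 0;
}

void  cv_store(uint32_t slot, cap_t c) { slots[slot % NSLOTS] = c; }
cap_t cv_load(uint32_t slot)           { return slots[slot % NSLOTS]; }
/* A load through a revoked capability traps on CHERI; the model returns false. */
bool  cv_deref_ok(cap_t c, uint32_t off) { return c.tag && off < c.len; }

int main(void) {
    cv_reset();
    cv_store(0, cv_malloc(64));          /* object A, plus an aliasing copy in slot 1 */
    cv_store(1, cv_load(0));
    printf("free A: %d revoked immediately\n", cv_free(cv_load(0)));
    printf("sweep: %zu capabilities revoked\n", cv_sweep());
    printf("slot 1 usable after sweep: %s\n", cv_deref_ok(cv_load(1), 0) ? "yes" : "no");
    return 0;
}
```

The sweep cost is paid once per quarantine fill, so with a limit of a fraction of the heap the number of sweeps is proportional to bytes freed divided by that fraction of the heap: halving the permitted heap growth doubles the sweeps, which is the trade-off the abstract tunes. The model revokes on the capability's base; the sweep on real hardware also has to cover registers and any other capability-holding memory (stacks, globals), which the slot array stands in for here.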

Cited By

  • HeMate: Enhancing Heap Security through Isolating Primitive Types with Arm Memory Tagging Extension. Proceedings of the 19th International Conference on Availability, Reliability and Security (2024), pp. 1-11. DOI: 10.1145/3664476.3664492. Online: 30 Jul 2024.
  • RTT-UAF: Reuse Time Tracking for Use-After-Free Detection. Proceedings of the 38th ACM International Conference on Supercomputing (2024), pp. 376-387. DOI: 10.1145/3650200.3656606. Online: 30 May 2024.
  • Cherifying Linux. Proceedings of the 17th European Workshop on Systems Security (2024), pp. 15-21. DOI: 10.1145/3642974.3652282. Online: 22 Apr 2024.
  • Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code. Journal of the ACM 71, 1 (2024), pp. 1-59. DOI: 10.1145/3623510. Online: 11 Feb 2024.
  • Cornucopia Reloaded: Load Barriers for CHERI Heap Temporal Safety. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2 (2024), pp. 251-268. DOI: 10.1145/3620665.3640416. Online: 27 Apr 2024.
  • Work-in-Progress: Northcape: Embedded Real-Time Capability-Based Addressing. 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 683-690. DOI: 10.1109/EuroSPW61312.2024.00083. Online: 8 Jul 2024.
  • Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees. IEEE Access 12 (2024), pp. 5462-5476. DOI: 10.1109/ACCESS.2023.3343777.
  • CAPSTONE. Proceedings of the 32nd USENIX Conference on Security Symposium (2023), pp. 787-804. DOI: 10.5555/3620237.3620282. Online: 9 Aug 2023.
  • CHERI-picking. Proceedings of the 12th Workshop on Programming Languages and Operating Systems (2023), pp. 58-65. DOI: 10.1145/3623759.3624553. Online: 23 Oct 2023.
  • How Flexible Is CXL's Memory Protection? Communications of the ACM 66, 12 (2023), pp. 46-51. DOI: 10.1145/3617580. Online: 17 Nov 2023.

Published In

MICRO '52: Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture
October 2019, 1104 pages
ISBN: 9781450369381
DOI: 10.1145/3352460
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. architecture
  2. security
  3. temporal safety
  4. use-after-free

Qualifiers

  • Research-article
  • Refereed limited

Conference

MICRO '52
Overall Acceptance Rate: 484 of 2,242 submissions, 22%


