Cited By
View all- Chen ZZhu YWang Z(2024)Design and Implementation of an Aspect-Oriented C Programming LanguageProceedings of the ACM on Programming Languages10.1145/36498348:OOPSLA1(642-669)Online publication date: 29-Apr-2024
A Smart Status Based Monitoring Algorithm for the Dynamic Analysis of Memory Safety
Authors: 
Zhe Chen, 
Rui Yan, Yingzi Ma, Yulei Sui, 
Jingling XueAuthors Info & Claims
Zhe Chen, Rui Yan, Yingzi Ma, Yulei Sui, Jingling XueAuthors Info & ClaimsArticle No.: 89, Pages 1 - 47
Abstract
C is a dominant programming language for implementing system and low-level embedded software. Unfortunately, the unsafe nature of its low-level control of memory often leads to memory errors. Dynamic analysis has been widely used to detect memory errors at runtime. However, existing monitoring algorithms for dynamic analysis are not yet satisfactory, as they cannot deterministically and completely detect some types of errors, such as segment confusion errors, sub-object overflows, use-after-frees and memory leaks.
We propose a new monitoring algorithm, namely Smatus, short for smart status, that improves memory safety by performing comprehensive dynamic analysis. The key innovation is to maintain at runtime a small status node for each memory object. A status node records the status value and reference count of an object, where the status value denotes the liveness and segment type of this object, and the reference count tracks the number of pointer variables pointing to this object. Smatus maintains at runtime a pointer metadata for each pointer variable, to record not only the base and bound of a pointer’s referent but also the address of the referent’s status node. All the pointers pointing to the same referent share the same status node in their pointer metadata. A status node is smart in the sense that it is automatically deleted when it becomes useless (indicated by its reference count reaching zero). To the best of our knowledge, Smatus represents the most comprehensive approach of its kind.
We have evaluated Smatus by using a large set of programs including the NIST Software Assurance Reference Dataset, MSBench, MiBench, SPEC and stress testing benchmarks. In terms of effectiveness (detecting different types of memory errors), Smatus outperforms state-of-the-art tools, Google’s AddressSanitizer, SoftBoundCETS and Valgrind, as it is capable of detecting more errors. In terms of performance (the time and memory overheads), Smatus outperforms SoftBoundCETS and Valgrind in terms of both lower time and memory overheads incurred, and is on par with AddressSanitizer in terms of the time and memory overhead tradeoff made (with much lower memory overheads incurred).
References
[1]
Periklis Akritidis, Manuel Costa, Miguel Castro, and Steven Hand. 2009. Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In Proceedings of the 18th USENIX Security Symposium. 51–66.
[2]
Derek Bruening and Qin Zhao. 2011. Practical memory checking with Dr. Memory. In Proceedings of the 9th International Symposium on Code Generation and Optimication (CGO ’11). IEEE, Los Alamitos, CA, 213–223.
[3]
Nathan Burow, Derrick McKee, Scott A. Carr, and Mathias Payer. 2018. CUP: Comprehensive user-space protection for C/C++. In Proceedings of the 2018 on Asia Conference on Computer and Communications Security (AsiaCCS ’18). ACM, New York, NY, 381–392.
[4]
Zhe Chen. 2021. The MiBench and SPEC Benchmark Suites. Retrieved December 17, 2023 from https://github.com/drzchen/movec-benchmarks
[5]
Zhe Chen. 2021. Movec: A Tool for the Monitoring and Verification of C Programs. Retrieved December 17, 2023 from https://github.com/drzchen/movec
[6]
Zhe Chen. 2021. Movec-MSBench: A Memory Safety Benchmark Suite, Version 2.0.1. Retrieved December 17, 2023 from https://github.com/drzchen/movec-msbench
[7]
Zhe Chen. 2022. A Formal Operational Semantics of the Smatus Approach. Retrieved December 17, 2023 from https://github.com/drzchen/movec-proof
[8]
Zhe Chen, Yi Gu, Zhiqiu Huang, Jun Zheng, Chang Liu, and Ziyi Liu. 2015. Model checking aircraft controller software: A case study. Software: Practice & Experience 45, 7 (2015), 989–1017.
[9]
Zhe Chen, Chuanqi Tao, Zhiyi Zhang, and Zhibin Yang. 2018. Beyond spatial and temporal memory safety. In Proceedings of the 40th International Conference on Software Engineering (ICSE ’18), Companion Volume. ACM, New York, NY, 189–190.
[10]
Zhe Chen, Chong Wang, Junqi Yan, Yulei Sui, and Jingling Xue. 2021. Runtime detection of memory errors with smart status. In Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA ’21). ACM, New York, NY, 296–308.
[11]
Zhe Chen, Zhemin Wang, Yunlong Zhu, Hongwei Xi, and Zhibin Yang. 2016. Parametric runtime verification of C programs. In Tools and Algorithms for the Construction and Analysis of Systems. Lecture Notes in Computer Science, Vol. 9636. Springer, 299–315.
[12]
Zhe Chen, Junqi Yan, Shuanglong Kan, Ju Qian, and Jingling Xue. 2019. Detecting memory errors at runtime with source-level instrumentation. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA ’19). ACM, New York, NY, 341–351.
[13]
Zhe Chen, Junqi Yan, Wenming Li, Ju Qian, and Zhiqiu Huang. 2018. Runtime verification of memory safety via source transformation. In Proceedings of the 40th International Conference on Software Engineering (ICSE ’18), Companion Volume. ACM, New York, NY, 264–265.
[14]
Christian DeLozier, Richard A. Eisenberg, Santosh Nagarakatte, Peter-Michael Osera, Milo M. K. Martin, and Steve Zdancewic. 2013. Ironclad C++: A library-augmented type-safe subset of C++. In Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA ’13). ACM, New York, NY, 287–304.
[15]
Dinakar Dhurjati and Vikram S. Adve. 2006. Backwards-compatible array bounds checking for C with very low overhead. In Proceedings of the 28th International Conference on Software Engineering (ICSE ’06). ACM, New York, NY, 162–171.
[16]
Gregory J. Duck and Roland H. C. Yap. 2016. Heap bounds protection with low fat pointers. In Proceedings of the 25th International Conference on Compiler Construction (CC ’16). ACM, New York, NY, 132–142.
[17]
I. A. Dudina and A. A. Belevantsev. 2017. Using static symbolic execution to detect buffer overflows. Programming and Computer Software 43, 5 (2017), 277–288.
[18]
A. S. Elliott, A. Ruef, M. Hicks, and D. Tarditi. 2018. Checked C: Making C safe by extension. In Proceedings of the 2018 IEEE Cybersecurity Development Conference (SecDev ’18). IEEE, Los Alamitos, CA, 53–60.
[19]
Matthew R. Guthaus, Jeffrey S. Ringenberg, Dan Ernst, Todd M. Austin, Trevor Mudge, and Richard B. Brown. 2001. MiBench: A free, commercially representative embedded benchmark suite. In Proceedings of the IEEE 4th Annual Workshop on Workload Characterization. IEEE, Los Alamitos, CA, 3–14.
[20]
Niranjan Hasabnis, Ashish Misra, and R. Sekar. 2012. Light-weight bounds checking. In Proceedings of the 10th Annual IEEE/ACM International Symposium on Code Generation and Optimization (CGO ’12). ACM, New York, NY, 135–144.
[21]
Reed Hastings and Bob Joyce. 1992. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter 1992 USENIX Conference. 125–138.
[22]
Trevor Jim, J. Gregory Morrisett, Dan Grossman, Michael W. Hicks, James Cheney, and Yanling Wang. 2002. Cyclone: A safe dialect of C. In Proceedings of the 2002 USENIX Annual Technical Conference. 275–288.
[23]
Richard W. M. Jones and Paul H. J. Kelly. 1997. Backwards-compatible bounds checking for arrays and pointers in C programs. In Proceedings of the 3rd International Workshop on Automated Debugging (AADEBUG ’97). 13–26.
[24]
Taddeus Kroes, Koen Koning, Erik van der Kouwe, Herbert Bos, and Cristiano Giuffrida. 2018. Delta pointers: Buffer overflow checks without the checks. In Proceedings of the 13th EuroSys Conference (EuroSys ’18). ACM, New York, NY, Article 22, 14 pages.
[25]
Wei Le and Mary Lou Soffa. 2008. Marple: A demand-driven path-sensitive buffer overflow detector. In Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE ’08). ACM, New York, NY, 272–282.
[26]
Lian Li, Cristina Cifuentes, and Nathan Keynes. 2010. Practical and effective symbolic analysis for buffer overflow detection. In Proceedings of the 18th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE ’10). ACM, New York, NY, 317–326.
[27]
Tongping Liu, Charlie Curtsinger, and Emery D. Berger. 2016. DoubleTake: Fast and precise error detection via evidence-based dynamic analysis. In Proceedings of the 38th International Conference on Software Engineering (ICSE ’16). ACM, New York, NY, 911–922.
[28]
Alexey Loginov, Suan Hsi Yong, Susan Horwitz, and Thomas W. Reps. 2001. Debugging via run-time type checking. In Fundamental Approaches to Software Engineering. Lecture Notes in Computer Science, Vol. 2029. Springer, 217–232.
[29]
Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic. 2015. Everything you want to know about pointer-based checking. In 1st Summit on Advances in Programming Languages, SNAPL 2015, LIPIcs, Vol. 32. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, 190–208.
[30]
Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. 2009. SoftBound: Highly compatible and complete spatial memory safety for C. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’09). ACM, New York, NY, 245–258.
[31]
Santosh Nagarakatte, Jianzhou Zhao, Milo M. K. Martin, and Steve Zdancewic. 2010. CETS: Compiler enforced temporal safety for C. In Proceedings of the 9th International Symposium on Memory Management (ISMM ’10). ACM, New York, NY, 31–40.
[32]
George C. Necula, Jeremy Condit, Matthew Harren, Scott McPeak, and Westley Weimer. 2005. CCured: Type-safe retrofitting of legacy software. ACM Transactions on Programming Languages and Systems 27, 3 (2005), 477–526.
[33]
George C. Necula, Scott McPeak, and Westley Weimer. 2002. CCured: Type-safe retrofitting of legacy code. In Proceedings of the 29th SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’02). ACM, New York, NY, 128–139.
[34]
Nicholas Nethercote and Julian Seward. 2007. How to shadow every byte of memory used by a program. In Proceedings of the 3rd International Conference on Virtual Execution Environments (VEE ’07). ACM, New York, NY, 65–74.
[35]
Nicholas Nethercote and Julian Seward. 2007. Valgrind: A framework for heavyweight dynamic binary instrumentation. In Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation (PLDI ’07). ACM, New York, NY, 89–100.
[36]
Yutaka Oiwa. 2009. Implementation of the memory-safe full ANSI-C compiler. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’09). ACM, New York, NY, 259–269.
[37]
Harish Patil and Charles N. Fischer. 1997. Low-cost, concurrent checking of pointer and array accesses in C programs. Software: Practice and Experience 27, 1 (1997), 87–110.
[38]
Andrew Ruef, Leonidas Lampropoulos, Ian Sweet, David Tarditi, and Michael Hicks. 2019. Achieving safety incrementally with checked C. In Principles of Security and Trust. Lecture Notes in Computer Science, Vol. 11426. Springer, 76–998.
[39]
Olatunji Ruwase and Monica S. Lam. 2004. A practical dynamic buffer overflow detector. In Proceedings of the Network and Distributed System Security Symposium (NDSS ’04). 159–169.
[40]
Kostya Serebryany. 2019. ARM memory tagging extension and how it improves C/C++ memory safety. USENIX Magazine 44, 2 (2019), 12–16.
[41]
Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In Proceedings of the 2012 USENIX Annual Technical Conference. 309–318.
[42]
Julian Seward and Nicholas Nethercote. 2005. Using Valgrind to detect undefined value errors with bit-precision. In Proceedings of the 2005 USENIX Annual Technical Conference. 17–30.
[43]
Matthew S. Simpson and Rajeev Barua. 2010. MemSafe: Ensuring the spatial and temporal memory safety of C at runtime. In Proceedings of the 10th IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM ’10). IEEE, Los Alamitos, CA, 199–208.
[44]
Matthew S. Simpson and Rajeev Barua. 2013. MemSafe: Ensuring the spatial and temporal memory safety of C at runtime. Software: Practice and Experience 43, 1 (2013), 93–128.
[45]
Yulei Sui and Jingling Xue. 2020. Value-flow-based demand-driven pointer analysis for C and C++. IEEE Transactions on Software Engineering 46, 8 (2020), 812–835.
[46]
Yulei Sui, Ding Ye, and Jingling Xue. 2012. Static memory leak detection using full-sparse value-flow analysis. In Proceedings of the International Symposium on Software Testing and Analysis (ISSTA ’12). ACM, New York, NY, 254–264.
[47]
Yulei Sui, Ding Ye, and Jingling Xue. 2014. Detecting memory leaks statically with full-sparse value-flow analysis. IEEE Transactions on Software Engineering 40, 2 (2014), 107–122.
[48]
Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. SoK: Eternal war in memory. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP ’13). IEEE, Los Alamitos, CA, 48–62.
[49]
The MITRE Corporation. 2009. CWE-762: Mismatched Memory Management Routines (May 8, 2009). Retrieved December 17, 2023 from https://cwe.mitre.org/data/definitions/762.html
[50]
The MITRE Corporation. 2020. CWE-590: Free of Memory Not on the Heap (February 24, 2020). Retrieved December 17, 2023 from https://cwe.mitre.org/data/definitions/590.html
[51]
Kostyantyn Vorobyov, Nikolai Kosmatov, Julien Signoles, and Arvid Jakobsson. 2017. Runtime detection of temporal memory errors. In Runtime Verification. Lecture Notes in Computer Science, Vol. 10548. Springer, 294–311.
[52]
Kostyantyn Vorobyov, Julien Signoles, and Nikolai Kosmatov. 2017. Shadow state encoding for efficient monitoring of block-level properties. In Proceedings of the 2017 ACM SIGPLAN International Symposium on Memory Management (ISMM ’17). ACM, New York, NY, 47–58.
[53]
Guoqing Xu and Atanas Rountev. 2013. Precise memory leak detection for Java software using container profiling. ACM Transactions on Software Engineering and Methodology 22, 3 (2013), Article 17, 28 pages.
[54]
Wei Xu, Daniel C. DuVarney, and R. Sekar. 2004. An efficient and backwards-compatible transformation to ensure memory safety of C programs. In Proceedings of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE ’04). ACM, New York, NY, 117–126.
[55]
Ding Ye, Yu Su, Yulei Sui, and Jingling Xue. 2014. WPBOUND: Enforcing spatial memory safety efficiently at runtime with weakest preconditions. In Proceedings of the 25th IEEE International Symposium on Software Reliability Engineering (ISSRE ’14). IEEE, Los Alamitos, CA, 88–99.
[56]
Suan Hsi Yong and Susan Horwitz. 2003. Protecting C programs from attacks via invalid pointer dereferences. In Proceedings of the 11th ACM SIGSOFT Symposium on Foundations of Software Engineering and the 9th European Software Engineering Conference (ESEC/FSE ’03). ACM, New York, NY, 307–316.
[57]
Qiang Zeng, Dinghao Wu, and Peng Liu. 2011. Cruiser: Concurrent heap buffer overflow monitoring using lock-free data structures. In Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’11). ACM, New York, NY, 367–377.
[58]
Jianzhou Zhao, Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic. 2012. Formalizing the LLVM intermediate representation for verified program transformations. In Proceedings of the 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’12). ACM, New York, NY, 427–440.
Index Terms
- A Smart Status Based Monitoring Algorithm for the Dynamic Analysis of Memory Safety
Recommendations
Runtime detection of memory errors with smart status
ISSTA 2021: Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and AnalysisC is a dominant language for implementing system software. Unfortunately, its support for low-level control of memory often leads to memory errors. Dynamic analysis tools, which have been widely used for detecting memory errors at runtime, are not yet ...
A dynamic analysis tool for memory safety based on smart status and source-level instrumentation
ICSE '22: Proceedings of the ACM/IEEE 44th International Conference on Software Engineering: Companion ProceedingsMemory errors may lead to program crashes and security vulnerabilities. In this paper, we present Movec, a dynamic analysis tool that can automatically detect memory errors at runtime. To address the three major challenges faced by existing tools in ...
Memory Leak Detection Based on Memory State Transition Graph
APSEC '11: Proceedings of the 2011 18th Asia-Pacific Software Engineering ConferenceMemory leak is a common type of defect that is hard to detect manually. Existing memory leak detection tools suffer from lack of precise interprocedural alias and path conditions. To address this problem, we present a static interprocedural analysis ...
Comments
Information & Contributors
Information
Published In
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 17 April 2024
Online AM: 11 December 2023
Accepted: 29 November 2023
Revised: 01 October 2023
Received: 11 December 2022
Published in TOSEM Volume 33, Issue 4
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- National Natural Science Foundation of China
- Joint Research Funds of the National Natural Science Foundation of China
- Civil Aviation Administration of China
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 238Total Downloads
- Downloads (Last 12 months)238
- Downloads (Last 6 weeks)9
Reflects downloads up to 30 Aug 2024
Other Metrics
Citations
Cited By
View all- Chen ZZhu YWang Z(2024)Design and Implementation of an Aspect-Oriented C Programming LanguageProceedings of the ACM on Programming Languages10.1145/36498348:OOPSLA1(642-669)Online publication date: 29-Apr-2024
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in