secure low-level programming via hardware-assisted memory-safe c prof. milo martin santosh...
TRANSCRIPT
Secure Low-Level Programming via Hardware-Assisted Memory-Safe C
Prof. Milo MartinSantosh Nagarakatte, Joe Devietti, Jianzhou Zhao, Colin Blundell
Prof. Steve Zdancewic
University of Pennsylvania
Please feel free to ask questions!
HardBound/SoftBound – Prof. Milo Martin - Fall 2009 2
Two Long-Term Research Goals
• Easier multicore programming• Multicore revolution parallel programs ubiquitous• Programming is hard, parallel programming more so
• Safer and secure low-level programming• C’s lack of memory safety: root cause of vulnerabilities• Goal: legacy C code as safe and secure as Java• Unfortunately, C makes such checking a challenge
• Using hardware and/or compiler techniquesThis talk: hardware/compiler for spatial safety of C
3
HardwareSoftware
Efficiency &Compatibility
Talk Overview & Project Evolution
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Seminar on “Hardware Support for Security” ‘05
Spatial safety (J&K,SafeC/CCured/Cyclone)
HardBound [ASPLOS 08]
SoftBound [PLDI 2009]
Work in progress…
Today’s hardware
Hardware bounded pointer primitiveNew hardware/software contract for pointers
Compiler-based transformation, < 2x overhead
Memory layoutunchanged
~10% overhead
HardBound/SoftBound – Prof. Milo Martin - Fall 2009 4
Why Care About Spatial Safety, Anyway?
June 2, 2009: iTunes-8.2Open URL, stack overflow
May 12, 2009: libxml, Safari-3.2.3 Visit website, heap overflow
Jan 22, 2009: WindowsRPC packet, overflow (Conficker worm)
Feb 20, 2009: Acrobat ReaderOpen PDF, overflow
Buffer overflows are security vulnerabilities
5
struct BankAccount {
char acctID[3]; int balance;
} b;
b.balance = 0;
char* id = &(b.acctID);
…
…
char* p = id;
…
…
do {
char ch = readchar();
*p = ch;
p++;
} while(ch);
mem
oryHardBound/SoftBound – Prof. Milo Martin - Fall 2009
Spatial Violation Example
acctID
reg
bal
101112
p
38
100000
0x100x110x120x13abc
id 0x10id 0x10
13
17
0x17
memory
registers
“Vulnerability of the decade” [Cowan et al]• Variants (stack-, heap-, pointer-smashing, jump-to-libc)• Facilitated by integer overflow/underflow• Can happen anywhere in the code• Attackers are clever, highly motivated
6
Preventing Spatial Violations
SoftBound – Santosh Nagarakatte – PLDI 2009
write perfect code
treat the symptomsaddress space randomization
non-executable stack/heapprotect return addresses
all incomplete
add bounds checking to
existing C code
use a safe language
what about (existing) C code?λ
use static analysiswhat about false positives?
HardBound/SoftBound – Prof. Milo Martin - Fall 2009 7
The Cockroach of Programming Languages
• Ubiquitous• Is there any mainstream system
without some C code?
• Relevant• Sometimes the right tool for a task• Gold standard for performance
• Evolving• Research philosophy: English vs. Esperanto (1887)
• What if you can’t wipe the slate clean?
Modify the language? Or modify the hardware?
HardBound/SoftBound – Prof. Milo Martin - Fall 2009 8
“Modernizing” Legacy C Code
• Can we provide unmodified C source code…• …with key safety features of modern languages?
• Key feature: memory safety• Spatial memory safety (bounds errors)• Temporal memory safety (dangling pointers)
• Alas, such retrofitting challenging• Pointer arithmetic, pointers to middle of objects,
arrays in structs, legal out-of-bounds pointers,confluence of arrays and singleton pointers,visible memory layout, arbitrary type casts, …
• Lack of bounds information
today’s talk
key challenge
What is this?
char *c;
9
Taxonomy of Bounds Checking for C
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
• Prior work: [Hastings92, Austin94, Jones97, Jim02, Necula02, Yong03, Eigler03, Ruwase04, Nethercote04, Xu04, Dhurjati06, Criswell07, …]
• Tripwires e.g., Purify, Valgrind …• Few bits of state for each byte in memory• A “red-zone” block between objects
• Pointer based e.g., SafeC, Cyclone, CCured, MSCC, …• Pointer becomes a fat pointer (ptr, base, bound)• Pointer dereferences are checked
• Object based e.g., Jones & Kelly, CRED, SafeCode, SVA, …• Checks pointer manipulations• Must point within same object
• All have one or more challenges:• High runtime overheads• Incompleteness (sub-objects, handling arbitrary casts)• Incompatibilities (language changes, pointer representations)
HardBound/SoftBound – Prof. Milo Martin - Fall 2009 10
The Tao of Dynamically Checking C
Compatibility
Completeness Continuous(fast enough)
11
struct BankAccount {
char acctID[3]; int balance;
} b;
b.balance = 0;
char* id = &(b.acctID);
char* id_bse = &(b.acctID);
char* id_bnd = &(b.acctID) + 3;
char* p = id;
char* p_bse = id_bse;
char* p_bnd = id_bnd;
do {
char ch = readchar();
check(p, p_bse, p_bnd);*p = ch;
p++;
} while(ch);
mem
oryHardBound/SoftBound – Prof. Milo Martin - Fall 2009
Background: Fat Pointer Approach
acctID
reg
bal
id 0x10
p
38
0
0x100x110x12
0x13
id_bse 0x10
id_bnd 0x13
p_bse 0x10
p_bnd 0x13
id_bse 0x10
id_bnd 0x13
id 0x10
abc
101112
13
17
memory
registers
12
struct BankAccount {
char acctID[3]; int balance;
} b;
insert(b, &b, &b+sizeof(b));
b.balance = 0;
char* id = &(b.acctID);
…
char* p = id;
…
…
do {
char ch = readchar();
*p = ch;
p++; p = lookup(p, p + 1);
} while(ch);
Obj
tablem
emory
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Background: Object Based Approach
acctID
reg
bal
p
38
100000
0x100x110x120x13abc
id 0x10id 0x10
10 to 16
0x17101112
13
17
memory
registers
object table
10,1111,1212,1316,17
0x16
13
Analysis: Comparison of Approaches
• Object based+ Disjoint metadata memory layout unchanged
high source compatibility– Problem detecting sub-object overflows– Range lookup overhead
• Fat pointers+ Can detect sub-objects overflows– Inline metadata memory layout changes
low source compatibility
• Both– Fail to protect against arbitrary casts
(unless augmented, such as CCured’s WILD pointers)
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
14
struct BankAccount {
char acctID[3]; int balance;
} b;
b.balance = 0;
char* id = &(b.acctID);
lookup(&id)->bse = &(b.acctID);
lookup(&id)->bnd = &(b.acctID) + 3;
char* p = id;
char* p_bse = lookup(&id)->bse;
char* p_bnd = lookup(&id)->bnd;
do {
char ch = readchar();
check(p, p_bse, p_bnd);*p=ch;
p++;
} while(ch);
Meta
data
mem
oryHardBound/SoftBound – Prof. Milo Martin - Fall 2009
Our Approach: Disjoint Pointer Metadata
acctID
reg
bal
id
p
38
0
0x100x110x120x13
p_bse 0x10
p_bnd 0x13
0x13 0x10id 0x13 0x10
abc
101112
13
17
memory registers
metadata
HardBound/SoftBound – Prof. Milo Martin - Fall 2009 15
Meta
data
metadata
mem
ory
• Compatibility• Unchanged memory
layout
• Completeness• Sub-object bounds• Arbitrary casts
• Continuous (fast)• Direct lookup• Hardware-assisted
Our Approach: Disjoint Pointer Metadata
acctID
reg
bal
id
p
38
0
0x13
p_bse 0x10
p_bnd 0x13
0x13 0x10id 0x13 0x10
abc
101112
13
17
memory registers
16
Rest of Talk: HardBound & SoftBound
• HardBound: Hardware/software impl. [ASPLOS ‘08]
• How does it work? (pointer propagation & checking)• How do we make HardBound fast?
• Dedicated datapaths, compressing metadata
• SoftBound: Compiler-only prototype [PLDI ‘09]
• What changes without hardware support?
• Experiments
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
17
HardBound Overview• Bounded-pointer hardware primitive datatype
• All registers and memory have base/bound metadata• Implemented via shadow memory and shadow registers
• Rewrite hardware/software contract for pointers• Software identifies where pointers are created
• Examples: malloc, &variable (inserted by compiler)• Using new setbound instruction
• Hardware checks and propagates the pointers+Fat pointer representation hidden by hardware
+ Compatibility (memory layout unchanged)+ Enables optimized metadata encoding
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
18
Hardware Propagates & Checks Metadata
• All registers and memory have metadata• Example operations:
• add R1 <− R2 + immR1.value <− R2.value + immR1.base <− R2.baseR1.bound <− R2.bound
• load R1 <− Memory[R2]assert(R2.base <= R2.value < R2.bound)R1.value <− Memory[R2.value].valueR1.base <− Memory[R2.value].baseR1.bound <− Memory[R2.value].bound
• Performed in parallel (replicate datapath)HardBound/SoftBound – Prof. Milo Martin - Fall 2009
propagation
bounds check
propagation
insn
insn
19
Software Identifies Pointer Creation
• Even without recompilation…• Allocation-granularity checking for heap
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Heap Objects
Modified runtime system
Hardware executesp = setbound(malloc(size), size)
p = malloc(size)
p_base = p
p_bound = p + size
p = malloc(size);
20
Software Identifies Pointer Creation
• Recompilation protects stack & globals• Easy for compiler to identify
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Stack and Global Objects
Compiler
Hardware executes
int array[100];
p = &array;
p = setbound(&array, sizeof(array));
p = &array
p_base = p
p_bound = p + sizeof(array)
21
Bounding Pointers to Structure Fields
struct {
char acctID[3];
int balance;
} *ptr;
char* id = &(ptr->acctID);
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
option #1
Entire Structure
id_base = &(ptr->acctID);
id_bound = &(ptr->acctID) + 3;
id_base = ptr_base;id_bound = ptr_bound;
option #2
Shrink to Field
Programmer intent ambiguous; optional shrinking of bounds
acctID
bal
?
#1 #2
22
struct BankAccount {
char acctID[3]; int balance;
} b;
b.balance = 0;
char* id =
char* p = id;
do {
char ch = readchar();
*p=ch;
p++;
} while(ch);
Meta
data
mem
oryHardBound/SoftBound – Prof. Milo Martin - Fall 2009
HardBound Example
acctID
reg
bal
id
p
38
0
bsebnd
0x13 0x10id 0x13 0x10
abc
101112
13
17
memory registers
metadata
setbound(&b.acctID,3) &(b.acctID);
Hdw. propagation
Hdw. propagation
Hdw. check
23
HardBound Memory Layout
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
standard C layoutstruct {
int* ptr; int i;} s;
ptr
i
boundbase
metadata shadowspace
regular space(layout unchanged)
enables compatibility……how do we
make it efficient?
Virtual Memory
24
Eliminating Metadata for Non-Pointers
• Most data are not pointers
• Add 1-bit tag to act as a filter• Prevents an expensive base/bound lookup
• Lives in virtual memory (1 bit per word, 3% overhead)• Add tag cache, accessed in parallel
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
non-pointer 0
pointer base bound 1
tag
25
Compressing In-Memory Metadata
1. Many pointers point to the beginning of an object
2. Many pointers point to small objects
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
pointer: 1000 base: 1000 bound: 1003 3
tag:1
bound: 1003
used opportunistically (on each store)
base: 1000
+
size
pointer: 1000
26
Metadata Lookup and Tag Cache
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Processor Core
L2$
data$ insn$tag$
TLB
TLB
TLB
Memory
27
Why Not Just Do HardBound in Software?
• “SoftBound”• Compiler inserts code for propagation and checking
• Similarities• Same disjoint pointer-based metadata approach
• Differences• Memory: access metadata only on pointer load/store
• No need for “tag” space• Doesn’t (yet) use metadata compression
• Registers: base/bound just temporaries in compiler IR• Bounds checks: compiler can elide redundant checks• Works on today’s hardware
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
28
SoftBound Checking & Propagation
• All pointer/array dereferences checkedif ((p < p_base) || (p + size > p_bound)) abort();
• Five x86 instructions: cmp, br, add, cmp, br
• Loading/storing a pointer from memory• Loads/stores base and bound from metadata space• Five x86 instructions: shift, mask, add, two loads
• Pointer assignments, arithmetic, and casts• Just propagate pointer base and bound (share register)
• Pointer arguments to a function• Bounds passed as extra arguments (in registers)
int f(char* p) {…}
int _f(char* p, void* p_base, void* p_bound) {…}HardBound/SoftBound – Prof. Milo Martin - Fall 2009
29
More in the Papers…
• Proof of spatial safety guarantees• Region delineated by pointer metadata is always valid• Formalized a rich subset of C
• Includes arbitrary casts, recursive structures, etc…• Mechanized proof in Coq
• Hashtable-based metadata storage• Handling various aspects of C
• Separate compilation and library code • memcpy()• Function pointers• Variable argument functions
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
30
Experiments
• Four questions• Effective in detecting overflows?• Compatible with existing C code?• Reasonable overheads?• Hardware support justified?
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
HardBound/SoftBound – Prof. Milo Martin - Fall 2009 31
Typed IR
Optimize
Source
Binary
Prototypes
• HardBound• Source-to-source compiler based on CIL
• Simulator: FeS2 x86 + Simics
• Simple in-order core model + caches
• SoftBound prototype• LLVM as its foundation• Typed IR helps in pointer identification• Bounds check elimination not focus
• Intra-procedural dominator based• Existing techniques would help a lot
• Runtime results on Core 2 Duo
SoftBound
Optimize
~7K lines of code
32
Spatial Violation Detection
• Effective in detecting overflows?• Suite of 286 spatial violations [Kratkiewicz ‘05]
• Synthetic attacks [Wilander et al]
• Prevented all these attacks• Bugbench [Lu05]: overflows from real applications
Detected all known violations
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Benchmark SoftBound Mudflap Valgrind
Go Yes No No
Compress Yes Yes Yes
Polymorph Yes Yes No
Gzip Yes Yes Yes
33
Source Compatibility Experiments
• Compatible with existing C code?
• 272K lines of code total• 23 benchmarks from Spec, Olden• BugBench• Multithreaded HTTP Server with CGI support• FTP server
No spurious runtime violations encountered
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
34
HardBound Runtime Results
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
0%
5%
10%
15%
20%
25% additional memory latencystalling on pointer metadataμops for loading/storing boundssetbound instructions
bh bisort em3d health mst perim power treeadd tsp avg
10% averageoverhead
35
SoftBound Runtime Results
go lbm
com
pres
scr
afty
sphin
xvp
rar
t
libqu
ant
mst
em3d
mea
n0
20
40
60
80
100
120
Full Checking Store Only Checking
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Percent
67%
Full Checking: default for development & testing• Check only stores [Yong03, Castro06]
• Attacks predominantly use stores
Store-only: for security critical apps, production code
21%
36
Softbound: Runtime vs Dynamic Instructions
go lbm
com
pres
scr
afty
sphin
xvp
rar
t
libqu
ant
mst
em3d
mea
n0
50
100
150
200
250
Runtime overhead Instruction overhead
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Percent 132%
67%
Bounds checking & propagation off the critical path
Processor exploits Instruction Level Parallelism (ILP)
82%2%
37
Experiments Recap
• Effective in detecting overflows? Yes
• Compatible with existing C code? Yes
• Reasonable overheads? You decide• SoftBound: Full checking – 67%, store-only – 21%• HardBound: Full checking – ~10%
• Hardware support justified? Maybe• Impact of simple versus sophisticated cores• Cost/benefit tradeoff… can we lower the cost?
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
38
Future Work: Hardware/Software Continuum
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
HardBound
Runtime Overhead HighNone
HardwareModifications
High
None
Ideal
SoftBound
• Hardware-accelerated temporal safety (without GC)• Check freshness of each allocation with a “capability”
39
Conclusions
• HardBound/SoftBound provide spatial safety for C• Pointer-based approach, but with disjoint metadata
• Compatible (no source code changes)
• Effective (catches know vulnerabilities)
• Software-only: fast enough for… • Debugging & testing: full checking• Security-critical software: store only checking
• Hardware-assisted: even lower overhead
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
42
Multiprocessor Issues
• Prior schemes have multiprocessor issues
• Issue #1: Need thread-safe base/bound storage• Hash table: per bucket locking (or lock-free)• Shadow space: if race-free, implicitly synchronized
• Issue #2: Atomic pointer reads/writes• If race free, no problem• if not race free,
• Hash table: protect pointer ld/st with bucket lock• Shadow space: transactional memory?
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
43
Separate Compilation
• SoftBound instrumentation is intra-procedural• No whole program analysis
• No information required across different compilation units
• SoftBound uses procedure cloning• There are two version of each function, SoftBounded
version and the original version• Static or dynamic linker matches up callee and caller
as usual
• SoftBound can be used to cure libraries• Create safe versions of libraries• No wrappers required
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
44
Benchmark Characterization
go
gzip
com
pres
s
ijpeg
sjeng
sphin
x vp
r ts
p
perim
eter
bisor
t li
treea
dd
0
10
20
30
40
50
60
70
80
Memory references that load/store a pointer
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
InfrequentMetadata Accesses
FrequentMetadata Accesses
Percent
45
HardBound Memory Overhead Results
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
ext
ern
-4in
tern
-4in
tern
-11
0%
10%
20%
30%
40%
50%
60%
base/bound metadata
tag metadata
198% 189% 140% 132%
bh bisort em3d health mst perimeter power treeadd tsp
46
SoftBound Memory Overhead
go lbm
com
pres
scr
afty
sphin
xvp
rar
t
libqu
ant
mst
em3d
mea
n0
50100150200250300350
Hash table Shadow space
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Percent
87%
64%
47
Runtime Overhead: Store-only Checking
go lbm
com
pres
scr
afty
sphin
xvp
rar
t
libqu
ant
mst
em3d
mea
n0
50
100
150
200
250
Hash table Shadow space
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Percent
21%
For security-critical applications,useful for production code
54%
48
Runtime Overhead: Full Checking
go lbm
com
pres
scr
afty
sphin
xvp
rar
t
libqu
ant
mst
em3d
mea
n0
50
100
150
200
250
Hash table Shadow space
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
Percent 92%67%
On by default throughout development & testing
InfrequentMetadata Accesses
FrequentMetadata Accesses
Memory overhead:Hash table – 87%, Shadow space – 54%
50
Making Multicore Programming Easier
• Transactional memory (with Blundell, Devietti, Lewis)
• Semantics (e.g., weak vs strong atomicity) [CAL ‘06]
• Simple unbounded hardware transactions [ISCA ‘07]
• Faster data sharing (with Raghavan, Blundell)
• Predictive, adaptive cache coherence [MICRO ’08]
• Memory consistency (with Blundell, Wenisch)
• Eliminating memory ordering penalties [ISCA ’09]
• Multicore software verification (with Burckhardt, Alur)
• Reordering-aware checking of lock-free code [PLDI ’09]
• Improve uniprocessors (with Sha, Roth) [MICRO ’05, ‘06]
• Eliminate load/store queue via predictive forwarding
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
51
Future Work: Hardware/Software Continuum
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
HardBound
Runtime Overhead HighNone
HardwareModifications
High
None
• μop-only implementation• Reg-to-reg rename copy
elimination• Special “pointer load” instructions
• 128-bit base/bound registers (hijack SSE2 registers?)• Single instruction “check” operation
• Auto-mask/shift addressing mode• Hardware-accelerated “key lookup” (hash table)
• Static analysis for check elimination
Ideal
SoftBound
• Hardware-accelerated temporal safety (without GC)• Check freshness of each allocation with a “capability”
52
Analysis
• Why is the runtime overhead low?• Only pointer operations instrumented (typed IR)• Optimize – transform – re-optimize• Whole program analysis helps
• Why lower than dynamic instruction increase? • Processor exploits Instruction Level Parallelism (ILP)• Bounds checking & propagation off the critical path
• Could the overheads be even lower?• Simple check elimination (from 80% to 67% overhead)• More sophisticated techniques will help
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
53
Performance Experiments
• 23 benchmarks selected from• Olden pointer-intensive benchmark suite• Spec-95, Spec-2000, Spec-2006
• Prototype not robust enough for all benchmarks• Thus far always prototype bugs
• Experiments on Intel Core 2 Duo 2.66Ghz • Benchmarks classification
• Number of pointer load/stores per 100 memory ops• Low? bounds check overhead dominates• High? bounds check + meta-data overheads
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
54
Recent Related Work
• Object based• SafeCode [Dhurjati2006] – Reduces overhead
• Whole program analysis & pool allocation
• Pointer based• CCured [Necula2002]
• Uses pointer inference to reduce overhead• Cyclone [Jim2002]
• Uses programmer annotations with fat pointers• MSCC [Xu2004]
• Uses split metadata with fat pointers
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
55
SoftBound Guarantees
• Well formed memory• Every pointer in memory has metadata associated• Region delineated by the pointer metadata is valid
• Proves safety properties• Preservation: starting from a well formed state…
• Steps to a well formed state • Progress: system always makes progress (not stuck)
• Reaches a well formed state (no violations)• Or aborts
• Mechanized proof in Coq• Download - http://www.cis.upen.edu/acg/softbound/
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
56
HardBound Memory Layout
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
standard C layoutstruct {
int* ptr; int i;} s;
ptr
i
boundbase
metadata shadowspace
regular space(layout unchanged)
enables compatibility……how do we make it fast?
fat pointer layout
ptr
i
base
bound
i
ptr
Virtual Memory
HardBound/SoftBound – Prof. Milo Martin - Fall 2009 57
Meta
data
metadata
mem
ory
• Pointer based• Sub-object bounds
(complete)• Direct lookup (fast)
• Disjoint metadata• Unchanged memory
layout (compatible)• Safe with arbitrary
casts (complete)
• Hardware-assisted (fast)
Our Approach: Disjoint Pointer Metadata
acctID
reg
bal
id
p
38
0
0x13
p_bse 0x10
p_bnd 0x13
0x13 0x10id 0x13 0x10
abc
101112
13
17
memory registers
58
HardBound Experimental Configurations
encoding size of tag space tag cache encodes ptrs to objects up to…
external 4-bit 4 bits 8KB 56 B
internal 4-bit 1 bit 2KB 56 B
internal 11-bit 1 bit 2KB 4 KB
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
59
Compressing In-Memory Metadata
1. Many pointers point to the beginning of an object
2. Many pointers point to small objects
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
pointer: 1000 base: 1000 bound: 1003 3
tag:1
bound: 1003
used opportunistically on storesExternal encoding: fold size into tag
base: 1000
+
size
pointer: 1000
HardBound/SoftBound – Prof. Milo Martin - Fall 2009 60
Compressing Metadata for Pointers
• Most programs don’t use much of virtual memory• pointers contain more bits than are really needed
base: 1000
base: 1000 bound: 1003
tag: 1
bound: 1003
Internal encoding: hide offset in pointerall loads do decompression, so transparent
+
cmp
rsd?
size
pointer: 1000
pointer: 1000 3
61
Today’s Talk: Spatial Safety for C
• Detect and prevent attacks & memory corruption…• Caused by C’s lack of bounds checking• Unfortunately, C makes such checking a challenge
• Goal: Compatible – no C source modifications• Key: unchanged memory layout
• Approach #1: hardware bounded pointer primitive• New hardware/software contract for pointers
• Approach #2: compiler-based transformation• Experiments indicate:
• Effective• Compatible (with actual C codes)• Low overhead – compiler-only: <2x, w/ hardware: 10%
HardBound/SoftBound – Prof. Milo Martin - Fall 2009
62
Conclusions
• HardBound/SoftBound provide spatial safety for C• Pointer-based approach, but with disjoint metadata
• Compatible (no source code changes)• Effective (catches know vulnerabilities)• Software-only: fast enough for…
• Debugging & testing: full checking• Security-critical software: store only checking
• Hardware-assisted: even lower overhead• Future work
• Temporal safety (dangling pointers)• Hardbound ISA extensions Softbound
HardBound/SoftBound – Prof. Milo Martin - Fall 2009