secure low-level programming via hardware-assisted memory-safe c prof. milo martin santosh...

Secure Low-Level Programming via Hardware-Assisted Memory-Safe C

Prof. Milo MartinSantosh Nagarakatte, Joe Devietti, Jianzhou Zhao, Colin Blundell

Prof. Steve Zdancewic

University of Pennsylvania

Please feel free to ask questions!

HardBound/SoftBound – Prof. Milo Martin - Fall 2009 2

Two Long-Term Research Goals

• Easier multicore programming• Multicore revolution parallel programs ubiquitous• Programming is hard, parallel programming more so

• Safer and secure low-level programming• C’s lack of memory safety: root cause of vulnerabilities• Goal: legacy C code as safe and secure as Java• Unfortunately, C makes such checking a challenge

• Using hardware and/or compiler techniquesThis talk: hardware/compiler for spatial safety of C

3

HardwareSoftware

Efficiency &Compatibility

Talk Overview & Project Evolution

HardBound/SoftBound – Prof. Milo Martin - Fall 2009

Seminar on “Hardware Support for Security” ‘05

Spatial safety (J&K,SafeC/CCured/Cyclone)

HardBound [ASPLOS 08]

SoftBound [PLDI 2009]

Work in progress…

Today’s hardware

Hardware bounded pointer primitiveNew hardware/software contract for pointers

Compiler-based transformation, < 2x overhead

Memory layoutunchanged

~10% overhead


Why Care About Spatial Safety, Anyway?

June 2, 2009: iTunes-8.2Open URL, stack overflow

May 12, 2009: libxml, Safari-3.2.3 Visit website, heap overflow

Jan 22, 2009: WindowsRPC packet, overflow (Conficker worm)

Feb 20, 2009: Acrobat ReaderOpen PDF, overflow

Buffer overflows are security vulnerabilities

5

struct BankAccount {

char acctID[3]; int balance;

} b;

b.balance = 0;

char* id = &(b.acctID);

…

…

char* p = id;

…

…

do {

char ch = readchar();

*p = ch;

p++;

} while(ch);

mem

oryHardBound/SoftBound – Prof. Milo Martin - Fall 2009

Spatial Violation Example

acctID

reg

bal

101112

p

38

100000

0x100x110x120x13abc

id 0x10id 0x10

13

17

0x17

memory

registers

“Vulnerability of the decade” [Cowan et al]• Variants (stack-, heap-, pointer-smashing, jump-to-libc)• Facilitated by integer overflow/underflow• Can happen anywhere in the code• Attackers are clever, highly motivated

6

Preventing Spatial Violations

SoftBound – Santosh Nagarakatte – PLDI 2009

write perfect code

treat the symptomsaddress space randomization

non-executable stack/heapprotect return addresses

all incomplete

add bounds checking to

existing C code

use a safe language

what about (existing) C code?λ

use static analysiswhat about false positives?


The Cockroach of Programming Languages

• Ubiquitous• Is there any mainstream system

without some C code?

• Relevant• Sometimes the right tool for a task• Gold standard for performance

• Evolving• Research philosophy: English vs. Esperanto (1887)

• What if you can’t wipe the slate clean?

Modify the language? Or modify the hardware?


“Modernizing” Legacy C Code

• Can we provide unmodified C source code…• …with key safety features of modern languages?

• Key feature: memory safety• Spatial memory safety (bounds errors)• Temporal memory safety (dangling pointers)

• Alas, such retrofitting challenging• Pointer arithmetic, pointers to middle of objects,

arrays in structs, legal out-of-bounds pointers,confluence of arrays and singleton pointers,visible memory layout, arbitrary type casts, …

• Lack of bounds information

today’s talk

key challenge

What is this?

char *c;

9

Taxonomy of Bounds Checking for C


• Prior work: [Hastings92, Austin94, Jones97, Jim02, Necula02, Yong03, Eigler03, Ruwase04, Nethercote04, Xu04, Dhurjati06, Criswell07, …]

• Tripwires e.g., Purify, Valgrind …• Few bits of state for each byte in memory• A “red-zone” block between objects

• Pointer based e.g., SafeC, Cyclone, CCured, MSCC, …• Pointer becomes a fat pointer (ptr, base, bound)• Pointer dereferences are checked

• Object based e.g., Jones & Kelly, CRED, SafeCode, SVA, …• Checks pointer manipulations• Must point within same object

• All have one or more challenges:• High runtime overheads• Incompleteness (sub-objects, handling arbitrary casts)• Incompatibilities (language changes, pointer representations)


The Tao of Dynamically Checking C

Compatibility

Completeness Continuous(fast enough)

11



} b;

b.balance = 0;


char* id_bse = &(b.acctID);

char* id_bnd = &(b.acctID) + 3;

char* p = id;

char* p_bse = id_bse;

char* p_bnd = id_bnd;

do {


check(p, p_bse, p_bnd);*p = ch;

p++;

} while(ch);

mem


Background: Fat Pointer Approach

acctID

reg

bal

id 0x10

p

38

0

0x100x110x12

0x13

id_bse 0x10

id_bnd 0x13

p_bse 0x10

p_bnd 0x13

id_bse 0x10

id_bnd 0x13

id 0x10

abc

101112

13

17

memory

registers

12



} b;

insert(b, &b, &b+sizeof(b));

b.balance = 0;


…

char* p = id;

…

…

do {


*p = ch;

p++; p = lookup(p, p + 1);

} while(ch);

Obj

tablem

emory


Background: Object Based Approach

acctID

reg

bal

p

38

100000

0x100x110x120x13abc

id 0x10id 0x10

10 to 16

0x17101112

13

17

memory

registers

object table

10,1111,1212,1316,17

0x16

13

Analysis: Comparison of Approaches

• Object based+ Disjoint metadata memory layout unchanged

high source compatibility– Problem detecting sub-object overflows– Range lookup overhead

• Fat pointers+ Can detect sub-objects overflows– Inline metadata memory layout changes

low source compatibility

• Both– Fail to protect against arbitrary casts

(unless augmented, such as CCured’s WILD pointers)


14



} b;

b.balance = 0;


lookup(&id)->bse = &(b.acctID);

lookup(&id)->bnd = &(b.acctID) + 3;

char* p = id;

char* p_bse = lookup(&id)->bse;

char* p_bnd = lookup(&id)->bnd;

do {


check(p, p_bse, p_bnd);*p=ch;

p++;

} while(ch);

Meta

data

mem


Our Approach: Disjoint Pointer Metadata

acctID

reg

bal

id

p

38

0

0x100x110x120x13

p_bse 0x10

p_bnd 0x13

0x13 0x10id 0x13 0x10

abc

101112

13

17

memory registers

metadata


Meta

data

metadata

mem

ory

• Compatibility• Unchanged memory

layout

• Completeness• Sub-object bounds• Arbitrary casts

• Continuous (fast)• Direct lookup• Hardware-assisted


acctID

reg

bal

id

p

38

0

0x13

p_bse 0x10

p_bnd 0x13

0x13 0x10id 0x13 0x10

abc

101112

13

17

memory registers

16

Rest of Talk: HardBound & SoftBound

• HardBound: Hardware/software impl. [ASPLOS ‘08]

• How does it work? (pointer propagation & checking)• How do we make HardBound fast?

• Dedicated datapaths, compressing metadata

• SoftBound: Compiler-only prototype [PLDI ‘09]

• What changes without hardware support?

• Experiments


17

HardBound Overview• Bounded-pointer hardware primitive datatype

• All registers and memory have base/bound metadata• Implemented via shadow memory and shadow registers

• Rewrite hardware/software contract for pointers• Software identifies where pointers are created

• Examples: malloc, &variable (inserted by compiler)• Using new setbound instruction

• Hardware checks and propagates the pointers+Fat pointer representation hidden by hardware

+ Compatibility (memory layout unchanged)+ Enables optimized metadata encoding


18

Hardware Propagates & Checks Metadata

• All registers and memory have metadata• Example operations:

• add R1 <− R2 + immR1.value <− R2.value + immR1.base <− R2.baseR1.bound <− R2.bound

• load R1 <− Memory[R2]assert(R2.base <= R2.value < R2.bound)R1.value <− Memory[R2.value].valueR1.base <− Memory[R2.value].baseR1.bound <− Memory[R2.value].bound

• Performed in parallel (replicate datapath)HardBound/SoftBound – Prof. Milo Martin - Fall 2009

propagation

bounds check

propagation

insn

insn

19

Software Identifies Pointer Creation

• Even without recompilation…• Allocation-granularity checking for heap


Heap Objects

Modified runtime system

Hardware executesp = setbound(malloc(size), size)

p = malloc(size)

p_base = p

p_bound = p + size

p = malloc(size);

20

Software Identifies Pointer Creation

• Recompilation protects stack & globals• Easy for compiler to identify


Stack and Global Objects

Compiler

Hardware executes

int array[100];

p = &array;

p = setbound(&array, sizeof(array));

p = &array

p_base = p

p_bound = p + sizeof(array)

21

Bounding Pointers to Structure Fields

struct {

char acctID[3];

int balance;

} *ptr;

char* id = &(ptr->acctID);


option #1

Entire Structure

id_base = &(ptr->acctID);

id_bound = &(ptr->acctID) + 3;

id_base = ptr_base;id_bound = ptr_bound;

option #2

Shrink to Field

Programmer intent ambiguous; optional shrinking of bounds

acctID

bal

?

#1 #2

22



} b;

b.balance = 0;

char* id =

char* p = id;

do {


*p=ch;

p++;

} while(ch);

Meta

data

mem


HardBound Example

acctID

reg

bal

id

p

38

0

bsebnd

0x13 0x10id 0x13 0x10

abc

101112

13

17

memory registers

metadata

setbound(&b.acctID,3) &(b.acctID);

Hdw. propagation

Hdw. propagation

Hdw. check

23

HardBound Memory Layout


standard C layoutstruct {

int* ptr; int i;} s;

ptr

i

boundbase

metadata shadowspace

regular space(layout unchanged)

enables compatibility……how do we

make it efficient?

Virtual Memory

24

Eliminating Metadata for Non-Pointers

• Most data are not pointers

• Add 1-bit tag to act as a filter• Prevents an expensive base/bound lookup

• Lives in virtual memory (1 bit per word, 3% overhead)• Add tag cache, accessed in parallel


non-pointer 0

pointer base bound 1

tag

25

Compressing In-Memory Metadata

1. Many pointers point to the beginning of an object

2. Many pointers point to small objects


pointer: 1000 base: 1000 bound: 1003 3

tag:1

bound: 1003

used opportunistically (on each store)

base: 1000

+

size

pointer: 1000

26

Metadata Lookup and Tag Cache


Processor Core

L2$

data$ insn$tag$

TLB

TLB

TLB

Memory

27

Why Not Just Do HardBound in Software?

• “SoftBound”• Compiler inserts code for propagation and checking

• Similarities• Same disjoint pointer-based metadata approach

• Differences• Memory: access metadata only on pointer load/store

• No need for “tag” space• Doesn’t (yet) use metadata compression

• Registers: base/bound just temporaries in compiler IR• Bounds checks: compiler can elide redundant checks• Works on today’s hardware


28

SoftBound Checking & Propagation

• All pointer/array dereferences checkedif ((p < p_base) || (p + size > p_bound)) abort();

• Five x86 instructions: cmp, br, add, cmp, br

• Loading/storing a pointer from memory• Loads/stores base and bound from metadata space• Five x86 instructions: shift, mask, add, two loads

• Pointer assignments, arithmetic, and casts• Just propagate pointer base and bound (share register)

• Pointer arguments to a function• Bounds passed as extra arguments (in registers)

int f(char* p) {…}

int _f(char* p, void* p_base, void* p_bound) {…}HardBound/SoftBound – Prof. Milo Martin - Fall 2009

29

More in the Papers…

• Proof of spatial safety guarantees• Region delineated by pointer metadata is always valid• Formalized a rich subset of C

• Includes arbitrary casts, recursive structures, etc…• Mechanized proof in Coq

• Hashtable-based metadata storage• Handling various aspects of C

• Separate compilation and library code • memcpy()• Function pointers• Variable argument functions


30

Experiments

• Four questions• Effective in detecting overflows?• Compatible with existing C code?• Reasonable overheads?• Hardware support justified?



Typed IR

Optimize

Source

Binary

Prototypes

• HardBound• Source-to-source compiler based on CIL

• Simulator: FeS2 x86 + Simics

• Simple in-order core model + caches

• SoftBound prototype• LLVM as its foundation• Typed IR helps in pointer identification• Bounds check elimination not focus

• Intra-procedural dominator based• Existing techniques would help a lot

• Runtime results on Core 2 Duo

SoftBound

Optimize

~7K lines of code

32

Spatial Violation Detection

• Effective in detecting overflows?• Suite of 286 spatial violations [Kratkiewicz ‘05]

• Synthetic attacks [Wilander et al]

• Prevented all these attacks• Bugbench [Lu05]: overflows from real applications

Detected all known violations


Benchmark SoftBound Mudflap Valgrind

Go Yes No No

Compress Yes Yes Yes

Polymorph Yes Yes No

Gzip Yes Yes Yes

33

Source Compatibility Experiments

• Compatible with existing C code?

• 272K lines of code total• 23 benchmarks from Spec, Olden• BugBench• Multithreaded HTTP Server with CGI support• FTP server

No spurious runtime violations encountered


34

HardBound Runtime Results


ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

0%

5%

10%

15%

20%

25% additional memory latencystalling on pointer metadataμops for loading/storing boundssetbound instructions

bh bisort em3d health mst perim power treeadd tsp avg

10% averageoverhead

35

SoftBound Runtime Results

go lbm

com

pres

scr

afty

sphin

xvp

rar

t

libqu

ant

mst

em3d

mea

n0

20

40

60

80

100

120

Full Checking Store Only Checking


Percent

67%

Full Checking: default for development & testing• Check only stores [Yong03, Castro06]

• Attacks predominantly use stores

Store-only: for security critical apps, production code

21%

36

Softbound: Runtime vs Dynamic Instructions

go lbm

com

pres

scr

afty

sphin

xvp

rar

t

libqu

ant

mst

em3d

mea

n0

50

100

150

200

250

Runtime overhead Instruction overhead


Percent 132%

67%

Bounds checking & propagation off the critical path

Processor exploits Instruction Level Parallelism (ILP)

82%2%

37

Experiments Recap

• Effective in detecting overflows? Yes

• Compatible with existing C code? Yes

• Reasonable overheads? You decide• SoftBound: Full checking – 67%, store-only – 21%• HardBound: Full checking – ~10%

• Hardware support justified? Maybe• Impact of simple versus sophisticated cores• Cost/benefit tradeoff… can we lower the cost?


38

Future Work: Hardware/Software Continuum


HardBound

Runtime Overhead HighNone

HardwareModifications

High

None

Ideal

SoftBound

• Hardware-accelerated temporal safety (without GC)• Check freshness of each allocation with a “capability”

39

Conclusions

• HardBound/SoftBound provide spatial safety for C• Pointer-based approach, but with disjoint metadata

• Compatible (no source code changes)

• Effective (catches know vulnerabilities)

• Software-only: fast enough for… • Debugging & testing: full checking• Security-critical software: store only checking

• Hardware-assisted: even lower overhead


Want to try SoftBound out?http://www.cis.upenn.edu/acg/softbound/

41HardBound/SoftBound – Prof. Milo Martin - Fall 2009

42

Multiprocessor Issues

• Prior schemes have multiprocessor issues

• Issue #1: Need thread-safe base/bound storage• Hash table: per bucket locking (or lock-free)• Shadow space: if race-free, implicitly synchronized

• Issue #2: Atomic pointer reads/writes• If race free, no problem• if not race free,

• Hash table: protect pointer ld/st with bucket lock• Shadow space: transactional memory?


43

Separate Compilation

• SoftBound instrumentation is intra-procedural• No whole program analysis

• No information required across different compilation units

• SoftBound uses procedure cloning• There are two version of each function, SoftBounded

version and the original version• Static or dynamic linker matches up callee and caller

as usual

• SoftBound can be used to cure libraries• Create safe versions of libraries• No wrappers required


44

Benchmark Characterization

go

gzip

com

pres

s

ijpeg

sjeng

sphin

x vp

r ts

p

perim

eter

bisor

t li

treea

dd

0

10

20

30

40

50

60

70

80

Memory references that load/store a pointer


InfrequentMetadata Accesses

FrequentMetadata Accesses

Percent

45

HardBound Memory Overhead Results


ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

ext

ern

-4in

tern

-4in

tern

-11

0%

10%

20%

30%

40%

50%

60%

base/bound metadata

tag metadata

198% 189% 140% 132%

bh bisort em3d health mst perimeter power treeadd tsp

46

SoftBound Memory Overhead

go lbm

com

pres

scr

afty

sphin

xvp

rar

t

libqu

ant

mst

em3d

mea

n0

50100150200250300350

Hash table Shadow space


Percent

87%

64%

47

Runtime Overhead: Store-only Checking

go lbm

com

pres

scr

afty

sphin

xvp

rar

t

libqu

ant

mst

em3d

mea

n0

50

100

150

200

250



Percent

21%

For security-critical applications,useful for production code

54%

48

Runtime Overhead: Full Checking

go lbm

com

pres

scr

afty

sphin

xvp

rar

t

libqu

ant

mst

em3d

mea

n0

50

100

150

200

250



Percent 92%67%

On by default throughout development & testing

InfrequentMetadata Accesses

FrequentMetadata Accesses

Memory overhead:Hash table – 87%, Shadow space – 54%

49HardBound/SoftBound – Prof. Milo Martin - Fall 2009

50

Making Multicore Programming Easier

• Transactional memory (with Blundell, Devietti, Lewis)

• Semantics (e.g., weak vs strong atomicity) [CAL ‘06]

• Simple unbounded hardware transactions [ISCA ‘07]

• Faster data sharing (with Raghavan, Blundell)

• Predictive, adaptive cache coherence [MICRO ’08]

• Memory consistency (with Blundell, Wenisch)

• Eliminating memory ordering penalties [ISCA ’09]

• Multicore software verification (with Burckhardt, Alur)

• Reordering-aware checking of lock-free code [PLDI ’09]

• Improve uniprocessors (with Sha, Roth) [MICRO ’05, ‘06]

• Eliminate load/store queue via predictive forwarding


51

Future Work: Hardware/Software Continuum


HardBound

Runtime Overhead HighNone

HardwareModifications

High

None

• μop-only implementation• Reg-to-reg rename copy

elimination• Special “pointer load” instructions

• 128-bit base/bound registers (hijack SSE2 registers?)• Single instruction “check” operation

• Auto-mask/shift addressing mode• Hardware-accelerated “key lookup” (hash table)

• Static analysis for check elimination

Ideal

SoftBound

• Hardware-accelerated temporal safety (without GC)• Check freshness of each allocation with a “capability”

52

Analysis

• Why is the runtime overhead low?• Only pointer operations instrumented (typed IR)• Optimize – transform – re-optimize• Whole program analysis helps

• Why lower than dynamic instruction increase? • Processor exploits Instruction Level Parallelism (ILP)• Bounds checking & propagation off the critical path

• Could the overheads be even lower?• Simple check elimination (from 80% to 67% overhead)• More sophisticated techniques will help


53

Performance Experiments

• 23 benchmarks selected from• Olden pointer-intensive benchmark suite• Spec-95, Spec-2000, Spec-2006

• Prototype not robust enough for all benchmarks• Thus far always prototype bugs

• Experiments on Intel Core 2 Duo 2.66Ghz • Benchmarks classification

• Number of pointer load/stores per 100 memory ops• Low? bounds check overhead dominates• High? bounds check + meta-data overheads


54

Recent Related Work

• Object based• SafeCode [Dhurjati2006] – Reduces overhead

• Whole program analysis & pool allocation

• Pointer based• CCured [Necula2002]

• Uses pointer inference to reduce overhead• Cyclone [Jim2002]

• Uses programmer annotations with fat pointers• MSCC [Xu2004]

• Uses split metadata with fat pointers


55

SoftBound Guarantees

• Well formed memory• Every pointer in memory has metadata associated• Region delineated by the pointer metadata is valid

• Proves safety properties• Preservation: starting from a well formed state…

• Steps to a well formed state • Progress: system always makes progress (not stuck)

• Reaches a well formed state (no violations)• Or aborts

• Mechanized proof in Coq• Download - http://www.cis.upen.edu/acg/softbound/


56

HardBound Memory Layout


standard C layoutstruct {

int* ptr; int i;} s;

ptr

i

boundbase

metadata shadowspace

regular space(layout unchanged)

enables compatibility……how do we make it fast?

fat pointer layout

ptr

i

base

bound

i

ptr

Virtual Memory


Meta

data

metadata

mem

ory

• Pointer based• Sub-object bounds

(complete)• Direct lookup (fast)

• Disjoint metadata• Unchanged memory

layout (compatible)• Safe with arbitrary

casts (complete)

• Hardware-assisted (fast)


acctID

reg

bal

id

p

38

0

0x13

p_bse 0x10

p_bnd 0x13

0x13 0x10id 0x13 0x10

abc

101112

13

17

memory registers

58

HardBound Experimental Configurations

encoding size of tag space tag cache encodes ptrs to objects up to…

external 4-bit 4 bits 8KB 56 B

internal 4-bit 1 bit 2KB 56 B

internal 11-bit 1 bit 2KB 4 KB


59

Compressing In-Memory Metadata

1. Many pointers point to the beginning of an object

2. Many pointers point to small objects


pointer: 1000 base: 1000 bound: 1003 3

tag:1

bound: 1003

used opportunistically on storesExternal encoding: fold size into tag

base: 1000

+

size

pointer: 1000


Compressing Metadata for Pointers

• Most programs don’t use much of virtual memory• pointers contain more bits than are really needed

base: 1000

base: 1000 bound: 1003

tag: 1

bound: 1003

Internal encoding: hide offset in pointerall loads do decompression, so transparent

+

cmp

rsd?

size

pointer: 1000

pointer: 1000 3

61

Today’s Talk: Spatial Safety for C

• Detect and prevent attacks & memory corruption…• Caused by C’s lack of bounds checking• Unfortunately, C makes such checking a challenge

• Goal: Compatible – no C source modifications• Key: unchanged memory layout

• Approach #1: hardware bounded pointer primitive• New hardware/software contract for pointers

• Approach #2: compiler-based transformation• Experiments indicate:

• Effective• Compatible (with actual C codes)• Low overhead – compiler-only: <2x, w/ hardware: 10%


62

Conclusions

• HardBound/SoftBound provide spatial safety for C• Pointer-based approach, but with disjoint metadata

• Compatible (no source code changes)• Effective (catches know vulnerabilities)• Software-only: fast enough for…

• Debugging & testing: full checking• Security-critical software: store only checking

• Hardware-assisted: even lower overhead• Future work

• Temporal safety (dangling pointers)• Hardbound ISA extensions Softbound


secure low-level programming via hardware-assisted memory-safe c prof. milo martin santosh...

Documents

spatial safety of c

memorysafe c

existing c code

modernizing legacy c

spatial safety jk

unmodified c source

overhead slide

hardware support