Date post: | 21-Dec-2015 |
Category: |
Documents |
Upload: | ralph-hood |
View: | 216 times |
Download: | 0 times |
HARDBOUND: ARCHITECURAL SUPPORT FOR SPATIAL
SAFETY OF THE C PROGRAMMING LANGUAGE
Kyle YanYu Xing2014/10/15
SPATIAL SAFETY IN C PROGRAMMING C is the standard systems programming language: control over data representation, memory management, performance… widespread uses makes it the source of software vulnerabilities
C is lack of spatial memory safety guarantees: such as unchecked pointer arithmetic, array indexing… occurs when a variable tries to access memory outside its object bound
SOLUTIONS TO SPATIAL SAFETY Many special-purpose techniques (SW/HW) proposed
such as protecting return address/data pointers/code pointers/heap metadata… do not provide complete spatial memory safety focus on specific attacks or symptoms instead of the root cause
Other software approaches touch the root Type-safe languages like Java and C# Implementation of C that enforces full spatial safety not widely used because of high runtime overheads, incomplete detection or etc.
HardBound: new hardware design Provides full spatial safety, maintains data structure layout compatibility by placing the bound information in a shadow space and reduces runtime overhead to 10-20%
RED-ZONE TRIPWIRE0 valid
4 valid
8 invalid
12 invalid
16 valid
20 valid
1
2 1. Mem[4] -> Mem[8]hit red-zone tripwirespatial safety violation detected
2. Mem[0] -> Mem[16]jump over tripwirespatial safety violation not detected
Cannot guarantee the detection of all spatial violations
OBJECT LOOKUP Track size of each object in a lookup table implemented as a splay tree
+Memory layout unchanged
-High runtime overheads
-Weak in detecting the bounds of arrays inside structs
(multiple pointers to the same address can have different bounds)
FAT POINTER• Multi-word pointer/base/bound
triples+ Enforce complete spatial safety- Propagating and checking results runtime overhead 2x or more- Incompatibility due to memory layout and pointer representation• Extension: Cyclone, CCured
Actual value
0x00000008
Base addr 0x00000004
Bound addr
0x00000010
HARDBOUND
Provide a hardware primitive to enforce complete spatial safety of the fat pointer retain binary compatibility of the object-table Incur lower overhead than approaches above
ISA support for first-class bounded pointers Completeness Performance binary compatibility source compatibility minimal compiler support
COMPILER AND RUNTIME SUPPORT•Protect heap-allocated objects
•Protect local and global variables
int i;
int* ptr = &i;
int *ptr = setbound(&i,4);
•Protect sub-objectsstruct {char str[5]; int x;} nodechar *ptr = node.strchar *ptr = setbound(node.str, 5);
•Programmer-specified sub-bounding
•Programmer-specified (un)checked pointers
HARDWARE IMPLEMENTATION Place metadata into virtual memory space
Adding tag to metadata identifying if a word is a pointer/non-pointer
Compression of bits
METADATA IN VIRTUAL MEMORYBase(addr) = SHADOW_SPACE_BASE + (addr * 2)
Bound(addr) = SHADOW_SPACE_BASE + (addr*2) + 1;
TAG METADATA
Single bit to mark whether a word is a pointerReduce memory overhead of non-pointers
Most variables in C code are non-pointers
TLB + Caching in parallel with L1 cache
COMPRESSION
Decrease memory/runtime overhead through compression.
External Compressed EncodingAdditional bits in the tag space
Internal Compressed EncodingUsing redundant bits from the pointer
EXTERNAL COMPRESSION ENCODING Most c-pointers are:Small, Pointer = Base, Size is multiple of 4
Extend tag meta data to 4 bitsCan encode 14 compressed patterns Compressed/non-compressed pointerPointer/not pointer
RestrictionsSize must be multiple of four bytesObject cannot be larger than 56 bytesPointer must equal base
Pointer = Base
0x1000 Tag Size * 4
Bound
INTERNAL COMPRESSION ENCODING Uses n-1 upper bits as metadata.
Still requires tag to signify if word is a pointer
More flexible with larger n
Restrictions Objects beyond the first 264-n bytes cannot be encoded.
N bits for metadata
Pointer Tag
PERFORMANCE OVERHEAD
All violations detected. No false positives.
Average runtime overhead: 5%
Average number of additional pages: 10%