HARDBOUND: ARCHITECURAL SUPPORT FOR SPATIAL

SAFETY OF THE C PROGRAMMING LANGUAGE

Kyle YanYu Xing2014/10/15

SPATIAL SAFETY IN C PROGRAMMING C is the standard systems programming language: control over data representation, memory management, performance… widespread uses makes it the source of software vulnerabilities

C is lack of spatial memory safety guarantees: such as unchecked pointer arithmetic, array indexing… occurs when a variable tries to access memory outside its object bound

SOLUTIONS TO SPATIAL SAFETY Many special-purpose techniques (SW/HW) proposed

such as protecting return address/data pointers/code pointers/heap metadata… do not provide complete spatial memory safety focus on specific attacks or symptoms instead of the root cause

Other software approaches touch the root Type-safe languages like Java and C# Implementation of C that enforces full spatial safety not widely used because of high runtime overheads, incomplete detection or etc.

HardBound: new hardware design Provides full spatial safety, maintains data structure layout compatibility by placing the bound information in a shadow space and reduces runtime overhead to 10-20%

EXISTING APPROACHES AND ANALYSIS Red-Zone Tripwire

Object Lookup

Fat Pointer

RED-ZONE TRIPWIRE0 valid

4 valid

8 invalid

12 invalid

16 valid

20 valid

1

2 1. Mem[4] -> Mem[8]hit red-zone tripwirespatial safety violation detected

2. Mem[0] -> Mem[16]jump over tripwirespatial safety violation not detected

Cannot guarantee the detection of all spatial violations

OBJECT LOOKUP Track size of each object in a lookup table implemented as a splay tree

+Memory layout unchanged

-High runtime overheads

-Weak in detecting the bounds of arrays inside structs

(multiple pointers to the same address can have different bounds)

FAT POINTER• Multi-word pointer/base/bound

triples+ Enforce complete spatial safety- Propagating and checking results runtime overhead 2x or more- Incompatibility due to memory layout and pointer representation• Extension: Cyclone, CCured

Actual value

0x00000008

Base addr 0x00000004

Bound addr

0x00000010

HARDBOUND

Provide a hardware primitive to enforce complete spatial safety of the fat pointer retain binary compatibility of the object-table Incur lower overhead than approaches above

ISA support for first-class bounded pointers Completeness Performance binary compatibility source compatibility minimal compiler support

COMPILER AND RUNTIME SUPPORT•Protect heap-allocated objects

•Protect local and global variables

int i;

int* ptr = &i;

int *ptr = setbound(&i,4);

•Protect sub-objectsstruct {char str[5]; int x;} nodechar *ptr = node.strchar *ptr = setbound(node.str, 5);

•Programmer-specified sub-bounding

•Programmer-specified (un)checked pointers

HARDWARE IMPLEMENTATION Place metadata into virtual memory space

Adding tag to metadata identifying if a word is a pointer/non-pointer

Compression of bits

METADATA IN VIRTUAL MEMORYBase(addr) = SHADOW_SPACE_BASE + (addr * 2)

Bound(addr) = SHADOW_SPACE_BASE + (addr*2) + 1;

TAG METADATA

Single bit to mark whether a word is a pointerReduce memory overhead of non-pointers

Most variables in C code are non-pointers

TLB + Caching in parallel with L1 cache

COMPRESSION

Decrease memory/runtime overhead through compression.

External Compressed EncodingAdditional bits in the tag space

Internal Compressed EncodingUsing redundant bits from the pointer

EXTERNAL COMPRESSION ENCODING Most c-pointers are:Small, Pointer = Base, Size is multiple of 4

Extend tag meta data to 4 bitsCan encode 14 compressed patterns Compressed/non-compressed pointerPointer/not pointer

RestrictionsSize must be multiple of four bytesObject cannot be larger than 56 bytesPointer must equal base

Pointer = Base

0x1000 Tag Size * 4

Bound

INTERNAL COMPRESSION ENCODING Uses n-1 upper bits as metadata.

Still requires tag to signify if word is a pointer

More flexible with larger n

Restrictions Objects beyond the first 264-n bytes cannot be encoded.

N bits for metadata

Pointer Tag

PERFORMANCE OVERHEAD

All violations detected. No false positives.

Average runtime overhead: 5%

Average number of additional pages: 10%

FUTURE CONSIDERATION

Type Safety

Temporal Errors

DISCUSSION POINTS

Performance benchmarks don’t include pthread, fork, UNIX shared memory segments or timers

Power overhead/Layout overhead

Worst case of memory overhead can reach as high as 200%

Intel has a version of base+bound - Intel® SGX