PICO: A Presburger In-bounds Check Optimization for Compiler-based Memory Safety Instrumentations

Memory safety violations such as buffer overflows remain a threat to security to this day. A common solution to ensure memory safety for C is code instrumentation. However, this often causes high execution-time overhead and is therefore rarely used in production. Static analyses can reduce this overhead by proving some memory accesses in bounds at compile time. In practice, however, static analyses may fail to verify in-bounds accesses due to over-approximation. Therefore, it is important to additionally optimize the checks that remain in the program. In this article, we present PICO, an approach to eliminate and replace in-bounds checks. PICO exactly captures the spatial memory safety of accesses using Presburger formulas, either to verify them statically or to substitute existing checks with more efficient ones. Thereby, PICO can generate checks each of which covers multiple accesses, and place them at infrequently executed locations. We evaluate our LLVM-based PICO prototype with the well-known SoftBound instrumentation on SPEC benchmarks commonly used in related work. PICO reduces the execution-time overhead introduced by SoftBound by 36% on average (and the code-size overhead by 24%). Our evaluation shows that the impact of substituting checks dominates that of removing provably redundant checks.
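To make the check substitution described above concrete, the following is an added illustration, not code from the paper or from PICO/SoftBound. It assumes a SoftBound-style metadata layout in which a pointer is valid for the half-open byte range [base, bound) (the `bounds_t` struct, `bounds_of`, `sum_per_access` and `sum_hoisted` are hypothetical names), and it uses a simple affine loop over `arr[i]`. The baseline guards every access; the substituted version computes the set of addresses the loop touches, here the interval from `arr` to `arr + 4*n` that stands in for the Presburger set PICO would derive, and guards the whole interval once in the loop preheader, so a single check covers all n accesses. The empty access set (n <= 0) and wraparound of the address computation are handled as the edge cases a practitioner would want.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SoftBound-style metadata (assumed layout, not SoftBound's own): the pointer
 * may address bytes in the half-open range [base, bound). */
typedef struct {
    uintptr_t base;
    uintptr_t bound;
} bounds_t;

/* Outcome of one instrumented run: the sum computed, how many runtime checks
 * executed, and whether a check fired (a real instrumentation would abort). */
typedef struct {
    long   sum;
    size_t checks;
    int    violation;
} result_t;

bounds_t bounds_of(const void *obj, size_t size) {
    bounds_t b = { (uintptr_t)obj, (uintptr_t)obj + size };
    return b;
}

/* The check an instrumentation inserts in front of every single access:
 * the whole accessed object [addr, addr+size) must lie inside [base, bound). */
static int access_in_bounds(uintptr_t addr, size_t size, bounds_t b) {
    return addr >= b.base && addr <= b.bound && b.bound - addr >= size;
}

/* Baseline: every load of arr[i] is guarded individually, so a loop over n
 * elements executes n checks. */
result_t sum_per_access(const int *arr, long n, bounds_t b) {
    result_t r = { 0, 0, 0 };
    for (long i = 0; i < n; i++) {
        uintptr_t addr = (uintptr_t)arr + (uintptr_t)i * sizeof *arr;
        r.checks++;
        if (!access_in_bounds(addr, sizeof *arr, b)) {
            r.violation = 1;
            return r;
        }
        r.sum += arr[i];
    }
    return r;
}

/* Substituted check: the loop reads the affine address set
 *   { arr + 4*i | 0 <= i < n },
 * whose smallest address is arr and whose one-past-the-end address is
 * arr + 4*n. One interval check covers all n accesses. An empty access set
 * (hi_excl <= lo, i.e. n <= 0) is trivially in bounds. */
static int range_in_bounds(uintptr_t lo, uintptr_t hi_excl, bounds_t b) {
    if (hi_excl <= lo) return 1;
    return lo >= b.base && hi_excl <= b.bound;
}

result_t sum_hoisted(const int *arr, long n, bounds_t b) {
    result_t r = { 0, 0, 0 };
    uintptr_t lo = (uintptr_t)arr, hi = lo;
    r.checks++;                      /* the single check in the loop preheader */
    if (n > 0) {
        /* guard the address computation itself against wraparound */
        if ((uintptr_t)n > (UINTPTR_MAX - lo) / sizeof *arr) {
            r.violation = 1;
            return r;
        }
        hi = lo + (uintptr_t)n * sizeof *arr;
    }
    if (!range_in_bounds(lo, hi, b)) {
        r.violation = 1;
        return r;
    }
    for (long i = 0; i < n; i++)
        r.sum += arr[i];             /* loop body runs unchecked */
    return r;
}

int main(void) {
    int buf[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };   /* constructed sample object */
    bounds_t b = bounds_of(buf, sizeof buf);
    result_t a = sum_per_access(buf, 8, b), h = sum_hoisted(buf, 8, b);
    printf("in bounds: per-access %zu checks, hoisted %zu checks, sums %ld/%ld\n",
           a.checks, h.checks, a.sum, h.sum);
    a = sum_per_access(buf, 9, b); h = sum_hoisted(buf, 9, b);
    printf("overflow:  per-access fires after %zu checks, hoisted after %zu\n",
           a.checks, h.checks);
    return 0;
}
```

The hoisted variant also detects the over-read before the first out-of-bounds iteration executes rather than at the offending access, which is why a check placed at an infrequently executed location can be both cheaper and at least as strict as the per-access checks it replaces.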
