Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine

We propose a new memory-safe interpretation of the C abstract machine that provides stronger protection to benefit security and debugging. Despite ambiguities in the specification intended to provide implementation flexibility, contemporary implementations of C have converged on a memory model similar to that of the PDP-11, the original target for C. This model lacks support for memory safety despite the well-documented impact of that omission on security and reliability. Attempts to change this model are often hampered by assumptions embedded in a large body of existing C code, dating back to the memory model exposed by the original C compiler for the PDP-11. Our experience with attempting to implement a memory-safe variant of C on the CHERI experimental microprocessor led us to identify a number of problematic idioms. We describe these idioms, their interaction with existing memory-safety schemes, and the assumptions they make beyond the requirements of the C specification. Finally, we refine the CHERI ISA and abstract model for C by combining elements of the CHERI capability model and fat pointers, and present a softcore CPU that implements a C abstract machine able to run legacy C code with strong memory-protection guarantees.
