DieHard: probabilistic memory safety for unsafe languages

Applications written in unsafe languages like C and C++ are vulnerable to memory errors such as buffer overflows, dangling pointers, and reads of uninitialized data. Such errors can lead to program crashes, security vulnerabilities, and unpredictable behavior. We present DieHard, a runtime system that tolerates these errors while probabilistically maintaining soundness. DieHard uses randomization and replication to achieve probabilistic memory safety by approximating an infinite-sized heap. DieHard's memory manager randomizes the location of objects in a heap that is at least twice as large as required. This algorithm prevents heap corruption and provides a probabilistic guarantee of avoiding memory errors. For additional safety, DieHard can operate in a replicated mode where multiple replicas of the same application are run simultaneously. By initializing each replica with a different random seed and requiring agreement on output, the replicated version of DieHard increases the likelihood of correct execution because errors are unlikely to have the same effect across all replicas. We present analytical and experimental results that show DieHard's resilience to a wide range of memory errors, including a heap-based buffer overflow in an actual application.
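As an added illustration (not code from the paper or the DieHard project), a toy single-size-class allocator in the DieHard style: objects land in uniformly random free slots, the heap is kept at least twice as large as the live set, and a Monte Carlo run with a fresh seed per trial estimates how often an overrun of k slots corrupts a live neighbour. SLOTS, the xorshift PRNG and all function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Toy DieHard-style allocator for one size class (example code, not DieHard's).
 * Objects go to random free slots and the heap stays at least twice as large
 * as the live set, so each probe finds a free slot with probability >= 1/2. */
#define SLOTS 64                 /* heap capacity in slots (constructed value) */

typedef struct {
    uint8_t  live[SLOTS];        /* 1 = slot holds a live object */
    int      nlive;
    uint64_t rng;                /* per-replica seed; differs across replicas */
} miniheap;

static uint64_t xorshift64(uint64_t *s) {   /* small PRNG, not cryptographic */
    uint64_t x = *s; x ^= x << 13; x ^= x >> 7; x ^= x << 17; return *s = x;
}

void mh_init(miniheap *h, uint64_t seed) {
    memset(h, 0, sizeof *h);
    h->rng = seed ? seed : 0x9E3779B97F4A7C15ULL;  /* xorshift must not start at 0 */
}

/* Returns a random free slot, or -1 if one more object would make the heap
 * less than twice as large as the live set (the 2x invariant). */
int mh_alloc(miniheap *h) {
    if (h->nlive >= SLOTS / 2) return -1;
    for (;;) {
        int idx = (int)(xorshift64(&h->rng) % SLOTS);
        if (!h->live[idx]) { h->live[idx] = 1; h->nlive++; return idx; }
    }
}

void mh_free(miniheap *h, int idx) {
    if (idx >= 0 && idx < SLOTS && h->live[idx]) { h->live[idx] = 0; h->nlive--; }
}

/* Does a write running k slots past object `idx` touch a live object? */
int mh_overrun_hits_live(const miniheap *h, int idx, int k) {
    for (int j = 1; j <= k && idx + j < SLOTS; j++)
        if (h->live[idx + j]) return 1;
    return 0;
}

/* Monte Carlo estimate: allocate `nlive` objects under a fresh seed per trial
 * (each trial is one replica), then overrun the first one by k slots. */
double estimate_hit_probability(int nlive, int k, int trials) {
    int hits = 0;
    for (int t = 1; t <= trials; t++) {
        miniheap h; mh_init(&h, (uint64_t)t * 0x2545F4914F6CDD1DULL);
        int victim = mh_alloc(&h);
        for (int i = 1; i < nlive; i++) mh_alloc(&h);
        hits += mh_overrun_hits_live(&h, victim, k);
    }
    return (double)hits / trials;
}
```

With the heap half full the one-slot overrun hits a live object in roughly half the replicas, which is why replicas with different seeds rarely fail in the same way and a vote on their output can mask the error.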
