Delta pointers: buffer overflow checks without the checks

Despite decades of research, buffer overflows still rank among the most dangerous vulnerabilities in unsafe languages such as C and C++. Compared to other memory corruption vulnerabilities, buffer overflows are both common and typically easy to exploit. Yet, they have proven so challenging to detect in real-world programs that existing solutions either yield very poor performance, or introduce incompatibilities with the C/C++ language standard. We present Delta Pointers, a new solution for buffer overflow detection based on efficient pointer tagging. By carefully altering the pointer representation, without violating language specifications, Delta Pointers use existing hardware features to detect both contiguous and non-contiguous overflows on dereferences, without a single check incurring extra branch or memory access operations. By focusing on buffer overflows rather than other vulnerabilities (e.g., underflows), Delta Pointers offer a unique checkless design to provide high performance while still maintaining compatibility. We show that Delta Pointers are effective in detecting arbitrary buffer overflows and, at 35% overhead on SPEC, offer much better performance than competing solutions.
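The abstract describes the mechanism only at a high level: the pointer representation is altered so that an overflow is caught on dereference by existing hardware, with no branch and no metadata load. The following C program is an added illustration of that idea; it is my own simulation, not code from the Delta Pointers paper or its implementation. Everything about the layout is an assumption made for the example: a 32-bit address in the low half of the 64-bit pointer, a 31-bit delta tag initialised to 2^31 minus the object size in bits 32 to 62, and bit 63 acting as the overflow flag. Pointer arithmetic moves the address and the delta together, so the flag becomes set exactly when the pointer passes the end of its object, and a dereference masks out everything but the address and the flag. The hardware feature assumed here is the x86-64 canonical-address check: an address with bit 63 set and the next bits clear is non-canonical and faults, so the simulated `dp_would_fault` stands in for a CPU fault. All function and macro names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed tagged-pointer layout (an illustration, not the paper's definition):
 *   bits  0..31 : 32-bit address of the object
 *   bits 32..62 : 31-bit delta tag, initialised to 2^31 - object_size
 *   bit  63     : overflow flag, set when the delta tag wraps past 2^31
 */
#define DP_ADDR_MASK   0x00000000FFFFFFFFULL
#define DP_TAG_MASK    0x00000000FFFFFFFFULL   /* applied after shifting right by 32 */
#define DP_OVERFLOW    0x8000000000000000ULL
#define DP_DEREF_MASK  (DP_OVERFLOW | DP_ADDR_MASK) /* keeps address + overflow flag */
#define DP_DELTA_BASE  0x80000000ULL            /* 2^31 */

typedef uint64_t dptr;

/* Build a tagged pointer to an object of `size` bytes at 32-bit address `addr`.
 * Objects are assumed smaller than 2^31 bytes, so the delta fits in 31 bits. */
static dptr dp_make(uint32_t addr, uint32_t size) {
    uint64_t delta = (DP_DELTA_BASE - size) & 0x7FFFFFFFULL;
    return (delta << 32) | addr;
}

/* Pointer arithmetic: the offset is added to the address and to the delta tag,
 * so the tag always equals 2^31 - (bytes remaining to the end of the object).
 * A compiler-based scheme would fold this into a single 64-bit addition. */
static dptr dp_add(dptr p, int64_t off) {
    uint64_t addr = (p + (uint64_t)off) & DP_ADDR_MASK;
    uint64_t tag  = ((p >> 32) + (uint64_t)off) & DP_TAG_MASK;
    return (tag << 32) | addr;
}

/* Plain 32-bit address of a tagged pointer (for printing/inspection). */
static uint32_t dp_addr(dptr p) {
    return (uint32_t)(p & DP_ADDR_MASK);
}

/* What a dereference does: drop the delta bits but keep the overflow flag.
 * In the simulated hardware model, the result is used directly as an address;
 * with bit 63 set it is non-canonical, so the MMU faults without any branch. */
static uint64_t dp_deref_addr(dptr p) {
    return p & DP_DEREF_MASK;
}

/* Simulation of the hardware check: would this dereference fault? */
static bool dp_would_fault(dptr p) {
    return (dp_deref_addr(p) & DP_OVERFLOW) != 0;
}

int main(void) {
    /* Constructed example: a 16-byte object at the (simulated) address 0x1000. */
    dptr base = dp_make(0x1000, 16);
    const int64_t offsets[] = { 0, 15, 16, 17, 4096, -1 };

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        dptr p = dp_add(base, offsets[i]);
        printf("base%+6lld -> addr 0x%08x, deref value 0x%016llx, %s\n",
               (long long)offsets[i], dp_addr(p),
               (unsigned long long)dp_deref_addr(p),
               dp_would_fault(p) ? "FAULT (overflow)" : "ok");
    }
    /* Going out of bounds and back in again is harmless: the flag clears. */
    dptr roundtrip = dp_add(dp_add(base, 100), -100);
    printf("out and back: %s\n", dp_would_fault(roundtrip) ? "FAULT" : "ok");
    return 0;
}
```

Two points in the run are the ones the abstract emphasises. The non-contiguous overflow (offset 4096) is flagged just as the off-by-one (offset 16) is, because the delta tag tracks distance to the end rather than just the next byte. The negative offset is not flagged: an underflow moves the delta away from 2^31, which matches the abstract's statement that the design targets overflows and leaves underflows to other mechanisms. In this 31-bit layout an offset of 2^31 or more could wrap the tag a second time, which is the cost of fitting the delta into the pointer; the simulation makes that limit explicit rather than hiding it.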
