SMA: Eliminate Memory Spatial Errors via Saturation Memory Access

Memory spatial errors, i.e., buffer overflow vulnerabilities, have been a well-known issue in computer security for a long time and remain one of the root causes of exploitable vulnerabilities. Most of the existing mitigation tools adopt a fail-stop strategy to protect programs from intrusions, which means the victim program will be terminated upon detecting a memory safety violation. Unfortunately, the fail-stop strategy harms the availability of software. In this paper, we propose Saturation Memory Access (SMA), a memory spatial error mitigation mechanism that prevents out-of-bounds access without terminating a program. SMA is based on a key observation that developers generally do not rely on out-of-bounds accesses to implement program logic. SMA modifies dynamic memory allocators and adds paddings to objects to form an enlarged object boundary. By dynamically correcting all the out-of-bounds accesses to operate on the enlarged protecting boundaries, SMA can tolerate out-of-bounds accesses. For the sake of compatibility, we chose tagged pointers to record the boundary metadata of a memory object in the pointer itself, and correct the address upon detecting out-of-bounds access. We have implemented the prototype of SMA on LLVM 10.0. Our results show that our compiler enables the programs to execute successfully through buffer overflow attacks. Experiments on MiBench show that our prototype incurs an overhead of 78\%. Further optimizations would require ISA supports.

[1]  Christof Fetzer,et al.  SGXBOUNDS: Memory Safety for Shielded Execution , 2017, EuroSys.

[2]  Peter G. Neumann,et al.  CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment , 2019, ASPLOS.

[3]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[4]  Yuval Tamir,et al.  Fast Hypervisor Recovery Without Reboot , 2018, 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[5]  Herbert Bos,et al.  Memory Errors: The Past, the Present, and the Future , 2012, RAID.

[6]  Jingling Xue,et al.  WPBOUND: Enforcing Spatial Memory Safety Efficiently at Runtime with Weakest Preconditions , 2014, 2014 IEEE 25th International Symposium on Software Reliability Engineering.

[7]  Wouter Joosen,et al.  RIPE: runtime intrusion prevention evaluator , 2011, ACSAC '11.

[8]  Olatunji Ruwase,et al.  A Practical Dynamic Buffer Overflow Detector , 2004, NDSS.

[9]  Roland H. C. Yap,et al.  EffectiveSan: type and memory error detection using dynamically typed C/C++ , 2017, PLDI.

[10]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[11]  Taddeus Kroes,et al.  Delta pointers: buffer overflow checks without the checks , 2018, EuroSys.

[12]  Christof Fetzer,et al.  Boundless memory allocations for memory safety and high availability , 2011, 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks (DSN).

[13]  Zhenkai Liang,et al.  Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[14]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[15]  Muhammad Shafique,et al.  RASTER: Runtime adaptive spatial/temporal error resiliency for embedded processors , 2013, 2013 50th ACM/EDAC/IEEE Design Automation Conference (DAC).

[16]  Dinakar Dhurjati,et al.  Backwards-compatible array bounds checking for C with very low overhead , 2006, ICSE.

[17]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[18]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[19]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[20]  Roland H. C. Yap,et al.  Stack Bounds Protection with Low Fat Pointers , 2017, NDSS.

[21]  Roland H. C. Yap,et al.  Heap bounds protection with low fat pointers , 2016, CC.

[22]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.

[23]  Zhenkai Liang,et al.  Automatic Generation of Data-Oriented Exploits , 2015, USENIX Security Symposium.

[24]  Wouter Joosen,et al.  PAriCheck: an efficient pointer arithmetic checker for C programs , 2010, ASIACCS '10.

[25]  Martin Monperrus,et al.  Automatic Software Repair , 2018, ACM Comput. Surv..

[26]  Per Larsen,et al.  SoK: Sanitizing for Security , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[27]  Miguel Castro,et al.  Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors , 2009, USENIX Security Symposium.

[28]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[29]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[30]  Trevor Mudge,et al.  MiBench: A free, commercially representative embedded benchmark suite , 2001 .

[31]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[32]  William J. Dally,et al.  Hardware support for fast capability-based addressing , 1994, ASPLOS VI.

[33]  Mahmoud Ammar,et al.  Journal of Information Security and Applications , 2022 .

[34]  Stephen Phillips,et al.  M7: Next generation SPARC , 2014, IEEE Hot Chips Symposium.

[35]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[36]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[37]  Peter G. Neumann,et al.  Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine , 2015, ASPLOS.

[38]  Vivek Sarkar,et al.  ABCD: eliminating array bounds checks on demand , 2000, PLDI '00.

[39]  Daniel M. Roy,et al.  Enhancing Server Availability and Security Through Failure-Oblivious Computing , 2004, OSDI.

[40]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.