Baggy Bounds with Accurate Checking

Baggy Bounds Checking is a backward-compatible defense against out-of-bounds errors. It is reported to be faster than any previous bounds checking tool. However, it enforces allocation bounds instead of object bounds and thus cannot detect memory errors that fall within padding areas. In this paper, we present BBAC, a technique that extends Baggy Bounds Checking to enforce accurate bounds checking. The key insight behind our approach is to store the object size at the end of the padding area, which makes it efficient to look up object-bounds metadata at runtime. We show experimentally that BBAC can detect more memory errors than Baggy Bounds Checking. Our experiments also show that BBAC adds only an additional 4.39% performance overhead over the original Baggy Bounds Checking technique for the Olden benchmarks and at most 2x overhead on the real-world applications we tested.
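As an added illustration (not code from the paper or from the Baggy Bounds implementation), the following C toy models the abstract's key idea: each allocation gets a power-of-two slot aligned to its size, as in Baggy Bounds, and the requested object size is written into the last bytes of the padding so a check can recover the accurate object bound. The linear-scan slot table, the function names and the explicit access length are simplifications assumed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

// Verdict for an access of len bytes starting at ptr.
// OOB_PADDING is the case Baggy Bounds alone cannot detect.
enum verdict { IN_BOUNDS, OOB_PADDING, OOB_SLOT, UNTRACKED };

// Toy bounds table (assumption for the demo): real Baggy Bounds indexes a
// byte table by address; a linear scan over registered slots suffices here.
struct slot { uintptr_t base; size_t size; };
static struct slot table[64];
static int n_slots;

// Round n up to a power of two: the slot size Baggy Bounds allocates.
static size_t slot_size(size_t n) {
    size_t s = 16;
    while (s < n) s <<= 1;
    return s;
}

// Allocate a power-of-two slot that also fits a trailing size_t, align the
// slot to its own size, and store the requested object size in the last
// bytes of the padding area (the BBAC idea from the abstract).
void *bbac_alloc(size_t n) {
    size_t s = slot_size(n + sizeof(size_t));
    unsigned char *p = aligned_alloc(s, s);
    if (!p || n_slots == 64) { free(p); return NULL; }
    memcpy(p + s - sizeof(size_t), &n, sizeof n);
    table[n_slots++] = (struct slot){ (uintptr_t)p, s };
    return p;
}

// Check an access against the allocation bound (the slot) and then against
// the accurate object bound recovered from the end of the slot.
enum verdict bbac_check(const void *ptr, size_t len) {
    uintptr_t a = (uintptr_t)ptr;
    for (int i = 0; i < n_slots; i++) {
        uintptr_t base = table[i].base;
        size_t s = table[i].size;
        if (a < base || a >= base + s) continue;     // not in this slot
        if (a + len > base + s) return OOB_SLOT;      // leaves the slot: both detect
        size_t obj;                                   // object size stored at slot end
        memcpy(&obj, (const void *)(base + s - sizeof obj), sizeof obj);
        if (a + len > base + obj) return OOB_PADDING; // inside padding: only BBAC detects
        return IN_BOUNDS;
    }
    return UNTRACKED;
}
```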
