MemSafe: Ensuring the Spatial and Temporal Memory Safety of C at Runtime

Memory access violations are a leading source of unreliability in C programs. As evidence of this problem, a variety of methods exist that retrofit C with software checks to detect memory errors at runtime. However, these methods generally suffer from one or more drawbacks including the inability to detect all errors, the use of incompatible metadata, the need for manual code modifications, and high runtime overheads. In this paper, we present a compiler analysis and transformation for ensuring the memory safety of C called MemSafe. MemSafe makes several novel contributions that improve upon previous work and lower the cost of safety. These include (1) a method for modeling temporal errors as spatial errors, (2) a metadata representation that combines features of both object- and pointer-based approaches, and (3) a dataflow representation that simplifies optimizations for removing unneeded checks. MemSafe is capable of detecting real errors with lower overheads than previous efforts. Experimental results show that MemSafe detects all memory errors in 6 programs with known violations and ensures complete safety with an average overhead of 87% on 30 large programs widely used in evaluating error detection tools.
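The following toy, added here as an illustration and not MemSafe's own implementation, shows how contribution (1) follows from (2): each pointer carries a link to a shared object record holding the object's bounds, and deallocation empties that record, so a use-after-free or double free fails the same spatial check as a buffer overflow. The names `safe_ptr`, `obj_meta`, `safe_malloc`, `safe_free`, `safe_add`, `safe_store`, `safe_load`, the fixed object table and the scenario functions are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Object metadata: the addressable range [lo, hi). Freeing sets lo > hi (an empty
 * range) instead of touching any pointer, so a later use of any alias fails the
 * same spatial check that a buffer overflow fails. (Illustrative layout only.) */
typedef struct { uintptr_t lo, hi; } obj_meta;
/* Pointer metadata: the raw pointer plus a link to the shared object record;
 * the indirection lets a single free() invalidate every alias at once. */
typedef struct { char *p; obj_meta *obj; } safe_ptr;

#define MAX_OBJS 64            /* toy fixed table; a real tool maps heap objects */
static obj_meta objs[MAX_OBJS];
static int nobjs;

/* Spatial check: does [p, p + size) lie inside [lo, hi)? Done in integer space so a
 * wild pointer cannot trigger undefined pointer arithmetic. */
static int in_bounds(safe_ptr sp, size_t size) {
    uintptr_t p = (uintptr_t)sp.p;
    return sp.obj && sp.obj->lo <= sp.obj->hi && p >= sp.obj->lo && p <= sp.obj->hi
        && size <= sp.obj->hi - p;
}
safe_ptr safe_malloc(size_t n) {
    safe_ptr sp = { NULL, NULL };
    char *mem = nobjs < MAX_OBJS ? malloc(n) : NULL;
    if (!mem) return sp;                  /* failure yields an unusable pointer */
    sp.p = mem; sp.obj = &objs[nobjs++];
    sp.obj->lo = (uintptr_t)mem; sp.obj->hi = (uintptr_t)mem + n;
    return sp;
}
/* Arithmetic may create an out-of-bounds pointer; the metadata simply follows it and
 * the error is reported only if that pointer is dereferenced. */
safe_ptr safe_add(safe_ptr sp, ptrdiff_t off) { sp.p = (char *)((uintptr_t)sp.p + (uintptr_t)off); return sp; }
/* Temporal-as-spatial: free() shrinks the object's range to empty. A double free is
 * rejected because the object is already empty. Returns 1 on success, 0 on error. */
int safe_free(safe_ptr sp) {
    if (!in_bounds(sp, 0) || (uintptr_t)sp.p != sp.obj->lo) return 0;
    free(sp.p);
    sp.obj->lo = 1; sp.obj->hi = 0;
    return 1;
}
/* Checked byte accesses: one check covers overflow, underflow and use-after-free. */
int safe_store(safe_ptr sp, unsigned char v) { if (!in_bounds(sp, 1)) return 0; *sp.p = (char)v; return 1; }
int safe_load(safe_ptr sp, unsigned char *out) { if (!in_bounds(sp, 1)) return 0; *out = (unsigned char)*sp.p; return 1; }

/* Constructed scenarios: return 1 when every access is accepted, 0 when a check fires. */
int scenario_in_bounds(void) { safe_ptr a = safe_malloc(8); int ok = safe_store(safe_add(a, 7), 0x41); safe_free(a); return ok; }
int scenario_overflow(void)  { safe_ptr a = safe_malloc(8); int ok = safe_store(safe_add(a, 8), 0x41); safe_free(a); return ok; }
int scenario_use_after_free(void) { safe_ptr a = safe_malloc(8), alias = a; unsigned char v; safe_free(a); return safe_load(alias, &v); }
int scenario_double_free(void) { safe_ptr a = safe_malloc(8); safe_free(a); return safe_free(a); }
```

Only the in-bounds scenario is accepted; the overflow, use-after-free and double-free scenarios all fail at the single `in_bounds` check, which is the point of folding temporal errors into spatial ones.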
