CGuard: Efficient Spatial Safety for C

Spatial safety violations are the root cause of many security attacks and unexpected behavior of applications. Existing techniques to enforce spatial safety work broadly at either object or pointer granularity. Object-based approaches tend to incur high CPU overheads, whereas pointer-based approaches incur both high CPU and memory overheads. SGXBounds, an object-based approach, is so far the most efficient technique that provides complete out-of-bounds protection for objects. However, a major drawback of this approach is that it restricts the application address space to 4GB. In this paper, we present CGuard, a tool that provides object-bounds protection for C applications with comparable overheads to SGXBounds without restricting the application address space. CGuard stores the bounds information just before the base address of an object and encodes the relative offset of the base address in the spare bits of the virtual address available in x86_64 architecture. For an object that can’t fit in the spare bits, CGuard uses a custom memory layout that enables it to find the base address of the object in just one memory access. Our study revealed spatial safety violations in the gcc and x264 benchmarks from the SPEC CPU2017 benchmark suite and the string_match benchmark from the Phoenix benchmark suite. The execution time overheads for the SPEC CPU2017 and Phoenix benchmark suites were 44% and 25% respectively, whereas the reduction in the throughput for the Apache webserver when the CPUs were fully saturated was 30%. These results indicate that CGuard can be highly effective while maintaining a reasonable degree of efficiency.

[1]  George C. Necula,et al.  CCured in the real world , 2003, PLDI '03.

[2]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[3]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[4]  Hovav Shacham,et al.  Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage , 2009, EVT/WOTE.

[5]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[6]  Christoforos E. Kozyrakis,et al.  Phoenix rebirth: Scalable MapReduce on a large-scale shared-memory system , 2009, 2009 IEEE International Symposium on Workload Characterization (IISWC).

[7]  Roland H. C. Yap,et al.  Heap bounds protection with low fat pointers , 2016, CC.

[8]  Frank Piessens,et al.  Breaking the memory secrecy assumption , 2009, EUROSEC '09.

[9]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[10]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[11]  Dinakar Dhurjati,et al.  Backwards-compatible array bounds checking for C with very low overhead , 2006, ICSE.

[12]  Jóakim von Kistowski,et al.  SPEC CPU2017: Next-Generation Compute Benchmark , 2018, ICPE Companion.

[13]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[14]  Yuanyuan Zhou,et al.  BugBench: Benchmarks for Evaluating Bug Detection Tools , 2005 .

[15]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[16]  Mauro Conti,et al.  The Guard's Dilemma: Efficient Code-Reuse Attacks Against Intel SGX , 2018, USENIX Security Symposium.

[17]  J. Gregory Morrisett,et al.  Combining control-flow integrity and static analysis for efficient and validated data sandboxing , 2011, CCS '11.

[18]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[19]  Christof Fetzer,et al.  Intel MPX Explained , 2018, PERV.

[20]  Robert O. Hastings,et al.  Fast detection of memory leaks and access errors , 1991 .

[21]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[22]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[23]  Miguel Castro,et al.  Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors , 2009, USENIX Security Symposium.

[24]  Hans-Juergen Boehm,et al.  Garbage collection in an uncooperative environment , 1988, Softw. Pract. Exp..

[25]  Christof Fetzer,et al.  SGXBOUNDS: Memory Safety for Shielded Execution , 2017, EuroSys.

[26]  Wouter Joosen,et al.  PAriCheck: an efficient pointer arithmetic checker for C programs , 2010, ASIACCS '10.

[27]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[28]  Taddeus Kroes,et al.  Delta pointers: buffer overflow checks without the checks , 2018, EuroSys.

[29]  Wei Xu,et al.  An efficient and backwards-compatible transformation to ensure memory safety of C programs , 2004, SIGSOFT '04/FSE-12.

[30]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[31]  Roland H. C. Yap,et al.  Stack Bounds Protection with Low Fat Pointers , 2017, NDSS.

[32]  Todd M. Austin,et al.  Efficient detection of all pointer and array access errors , 1994, PLDI '94.

[33]  Olatunji Ruwase,et al.  A Practical Dynamic Buffer Overflow Detector , 2004, NDSS.

[34]  Per Larsen,et al.  Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks , 2015, CCS.