The Meaning of Memory Safety

We give a rigorous characterization of what it means for a programming language to be memory safe, capturing the intuition that memory safety supports local reasoning about state. We formalize this principle in two ways. First, we show how a small memory-safe language validates a noninterference property: a program can neither affect nor be affected by unreachable parts of the state. Second, we extend separation logic, a proof system for heap-manipulating programs, with a memory-safe variant of its frame rule. The new rule is stronger because it applies even when parts of the program are buggy or malicious, but also weaker because it demands a stricter form of separation between parts of the program state. We also consider a number of pragmatically motivated variations on memory safety and the reasoning principles they support. As an application of our characterization, we evaluate the security of a previously proposed dynamic monitor for memory safety of heap-allocated data.
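As an added illustration of the noninterference reading of memory safety stated above (a program can neither affect nor be affected by unreachable parts of the state), here is a constructed Python toy model; it is not the paper's formal language or proof system, and the heap representation, the two sample programs and the check are assumptions made for this example.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed toy model (not the paper's language): a heap maps cell ids to
# (payload, pointers); a memory-safe program only touches cells reachable from its roots.
Heap = Dict[int, Tuple[int, List[int]]]

def reachable(heap: Heap, roots: List[int]) -> Set[int]:
    """Transitive closure of the pointer graph starting from the roots."""
    seen: Set[int] = set()
    stack = list(roots)
    while stack:
        cid = stack.pop()
        if cid in seen or cid not in heap:
            continue
        seen.add(cid)
        stack.extend(heap[cid][1])
    return seen

def safe_prog(heap: Heap, roots: List[int]) -> int:
    """Memory-safe program: sums every reachable payload and doubles it in place."""
    total = 0
    for cid in reachable(heap, roots):
        payload, ptrs = heap[cid]
        total += payload
        heap[cid] = (payload * 2, ptrs)
    return total

def forged_pointer_prog(heap: Heap, roots: List[int]) -> int:
    """Not memory safe: also reads a forged address (10) never reached from its roots."""
    return safe_prog(heap, roots) + heap[10][0]

def noninterferes(heap: Heap, roots: List[int],
                  prog: Callable[[Heap, List[int]], int]) -> bool:
    """Both directions of the property on one heap: the result must not change
    when unreachable cells are perturbed, and the run must leave them untouched."""
    unreach = set(heap) - reachable(heap, roots)
    h1 = dict(heap)                                       # run on the original heap
    h2 = {c: ((p + 1000, q) if c in unreach else (p, q))  # same heap, unreachable
          for c, (p, q) in heap.items()}                  #   payloads perturbed
    before = {c: h1[c] for c in unreach}
    r1, r2 = prog(h1, roots), prog(h2, roots)
    return r1 == r2 and before == {c: h1[c] for c in unreach}

# Constructed sample: 1 -> 2 -> 3 is reachable from root 1; cells 10 and 11
# are not (11 points into the reachable part, but nothing points at 11).
SAMPLE_HEAP: Heap = {1: (5, [2]), 2: (7, [3]), 3: (1, []),
                     10: (100, []), 11: (9, [2])}
```

The safe program passes the check while the forged-pointer program fails it, which is the sense in which the abstract ties memory safety to local reasoning: only the reachable fragment of the heap can matter to, or be changed by, a memory-safe program.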
