Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security

Referencing outside the bounds of an array or buffer is a common source of bugs and security vulnerabilities in today's software. We can enforce spatial safety and eliminate these violations by inseparably associating bounds with every pointer (fat pointer) and checking these bounds on every memory access. By further adding hardware-managed tags to these pointers, we make them unforgeable. This, in turn, allows the pointers to be used as capabilities to facilitate fine-grained access control and fast security domain crossing. Dedicated checking hardware runs in parallel with the processor's normal datapath so that the checks do not slow down processor operation (0% runtime overhead). To achieve the safety of fat pointers without increasing program state, we compactly encode approximate base and bound pointers along with exact address pointers for a 46b address space into one 64-bit word with a worst-case memory overhead of 3%. We develop gate-level implementations of the logic for updating and validating these compact fat pointers and show that the hardware requirements are low and the critical paths for common operations are shorter than processor ALU operations. Specifically, we show that the fat-pointer check and update operations can run in a 4 ns clock cycle on a Virtex 6 (40nm) implementation while using only 1100 6-LUTs, or about the area of a double-precision floating-point adder.
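As an added example (not code from the paper), the following C sketch implements one compact encoding that matches the abstract's description: a 46-bit exact address plus approximate, block-granular base and bound packed into a 64-bit word, together with the bounds check, the pointer update, and the bound padding that produces the worst-case overhead of about 3%. The field layout, field names and function names are assumptions of this sketch, not the paper's.

```c
/* Added example, not the paper's code: an illustrative 64-bit fat-pointer word in
 * the spirit of the abstract. Assumed layout: A = address [45:0], B = log2(block
 * size) [51:46], I = base block index [57:52], M = last block index [63:58]. I, M
 * index the 64-block window around A (object spans <= 64 blocks); tag bit omitted. */
#include <stdint.h>
#include <stdbool.h>
typedef uint64_t lowfat_t;
#define ADDR_MASK ((1ULL << 46) - 1)
#define FLD(p, sh) ((unsigned)(((p) >> (sh)) & 0x3f))
/* Smallest block exponent B such that size bytes fit in at most 64 blocks. */
static unsigned lf_pick_b(uint64_t size) {
    unsigned b = 0;
    while (((size + (1ULL << b) - 1) >> b) > 64) b++;
    return b;
}
/* Allocation size once the bound is padded up to a block boundary. */
uint64_t lf_padded(uint64_t size) {
    unsigned b = lf_pick_b(size);
    return ((size + (1ULL << b) - 1) >> b) << b;
}
/* Encode [base, base+size). The allocator aligns base to 2^B so only the bound is
 * padded; an unaligned base yields 0, an invalid word. */
lowfat_t lf_make(uint64_t base, uint64_t size) {
    unsigned b = lf_pick_b(size);
    if (size == 0 || (base & ((1ULL << b) - 1)) || base + size > ADDR_MASK + 1) return 0;
    uint64_t i = (base >> b) & 0x3f, m = ((base + size - 1) >> b) & 0x3f;
    return (m << 58) | (i << 52) | ((uint64_t)b << 46) | base;
}
/* Recover base and exclusive bound; A's block index at [B+5:B] tells whether the
 * base (I) lies in the previous window and the last block (M) in the next one. */
static void lf_decode(lowfat_t p, int64_t *base, int64_t *bound) {
    unsigned b = FLD(p, 46), i = FLD(p, 52), m = FLD(p, 58);
    int64_t a = (int64_t)(p & ADDR_MASK), win = (int64_t)1 << (b + 6), wstart = a & ~(win - 1);
    unsigned afld = FLD(a, b);
    *base  = wstart + ((int64_t)i << b) - (i > afld ? win : 0);
    *bound = wstart + ((int64_t)(m + 1) << b) + (m < afld ? win : 0);
}
/* Bounds check for an n-byte access at the pointer's current address. */
bool lf_check(lowfat_t p, uint64_t n) {
    int64_t base, bound, a = (int64_t)(p & ADDR_MASK);
    lf_decode(p, &base, &bound);
    return a >= base && a + (int64_t)n <= bound;
}
/* Pointer arithmetic keeps B/I/M and replaces A; a result outside [base, bound) is
 * refused, as the hardware would by clearing the pointer's tag. */
bool lf_add(lowfat_t p, int64_t off, lowfat_t *out) {
    int64_t base, bound, a = (int64_t)(p & ADDR_MASK) + off;
    lf_decode(p, &base, &bound);
    if (a < base || a >= bound) return false;
    *out = (p & ~ADDR_MASK) | (uint64_t)a;
    return true;
}
```

Because I and M are read relative to A's own window, the decoded base and bound stay fixed as A moves through the object, even when A crosses into the next 64-block window.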
