Checking array bound violation using segmentation hardware

The ability to check memory references against their associated array/buffer bounds helps programmers to detect programming errors involving address overruns early on and thus avoid many difficult bugs down the line. This paper proposes a novel approach called Cash to the array bound checking problem that exploits the segmentation feature in the virtual memory hardware of the X86 architecture. The Cash approach allocates a separate segment to each static array or dynamically allocated buffer, and generates the instructions for array references in such a way that the segment limit check in X86's virtual memory protection mechanism performs the necessary array bound checking for free. In those cases that hardware bound checking is not possible, it falls back to software bound checking. As a result, Cash does not need to pay per-reference software checking overhead in most cases. However, the Cash approach incurs a fixed set-up overhead for each use of an array, which may involve multiple array references. The existence of this overhead requires compiler writers to judiciously apply the proposed technique to minimize the performance cost of array bound checking. This paper presents the detailed design and implementation of the Cash compiler, and a comprehensive evaluation of various performance tradeoffs associated with the proposed array bound checking technique. For the set of complicated network applications we tested, including Apache, Sendmail, Bind, etc., the latency penalty of Cash's bound checking mechanism is between 2.5% to 9.8% when compared with the baseline case that does not perform any bound checking.

[1]  Rajiv Gupta A fresh look at optimizing array bound checking , 1990, PLDI '90.

[2]  Vivek Sarkar,et al.  ABCD: eliminating array bounds checks on demand , 2000, PLDI '00.

[3]  Wei-Ngan Chin,et al.  Deriving Pre-Conditions for Array Bound Check Elimination , 2001, APLAS.

[4]  Dawson R. Engler,et al.  Using programmer-written compiler extensions to catch security holes , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[5]  Harish Patil,et al.  Efficient Run-time Monitoring Using Shadow Processing , 1995, AADEBUG.

[6]  Michael Wolfe,et al.  Elimination of redundant array subscript range checks , 1995, PLDI '95.

[7]  Johnathan M. Asuru Optimization of array subscript range checks , 1992, LOPL.

[8]  Glenn Pearson,et al.  Array bounds checking with Turbo C: hardware assisted bounds checking thanks to a DOS extender , 1991 .

[9]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[10]  Tzi-cker Chiueh,et al.  RAD: a compile-time solution to buffer overflow attacks , 2001, Proceedings 21st International Conference on Distributed Computing Systems.

[11]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[12]  David K. Lowenthal,et al.  A Comparison of Array Bounds Checking on Superscalar and VLIW Architectures , 2002 .

[13]  Barton P. Miller,et al.  Safety checking of machine code , 2000, PLDI '00.

[14]  Martin C. Rinard,et al.  Symbolic bounds analysis of pointers, array indices, and accessed memory regions , 2000, PLDI '00.

[15]  Songtao Xia,et al.  Towards array bound check elimination in Java TM virtual machine language , 1999, CASCON.

[16]  T. Chiueh,et al.  Integrating segmentation and paging protection for safe, efficient and transparent software extensions , 2000, OPSR.

[17]  Rajiv Gupta,et al.  Optimizing array bound checks using flow analysis , 1993, LOPL.

[18]  Tzi-cker Chiueh,et al.  Integrating segmentation and paging protection for safe, efficient and transparent software extensions , 1999, SOSP.

[19]  Tzi-cker Chiueh,et al.  A Binary Rewriting Defense Against Stack based Buffer Overflow Attacks , 2003, USENIX Annual Technical Conference, General Track.

[20]  Frank Pfenning,et al.  Eliminating array bound checking through dependent types , 1998, PLDI.