Watchdog: Hardware for safe and secure manual memory management and full memory safety

Languages such as C and C++ use unsafe manual memory management, allowing simple bugs (i.e., accesses to an object after deallocation) to become the root cause of exploitable security vulnerabilities. This paper proposes Watchdog, a hardware-based approach for ensuring safe and secure manual memory management. Inspired by prior software-only proposals, Watchdog generates a unique identifier for each memory allocation, associates these identifiers with pointers, and checks to ensure that the identifier is still valid on every memory access. This use of identifiers and checks enables Watchdog to detect errors even in the presence of reallocations. Watchdog stores these pointer identifiers in a disjoint shadow space to provide comprehensive protection and ensure compatibility with existing code. To streamline the implementation and reduce runtime overhead: Watchdog (1) uses micro-ops to access metadata and perform checks, (2) eliminates metadata copies among registers via modified register renaming, and (3) uses a dedicated metadata cache to reduce checking overhead. Furthermore, this paper extends Watchdog's mechanisms to detect bounds errors, thereby providing full hardware-enforced memory safety at low overheads.

[1]  Babak Falsafi,et al.  Flexible Hardware Acceleration for Instruction-Grain Program Monitoring , 2008, 2008 International Symposium on Computer Architecture.

[2]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[3]  Todd M. Austin,et al.  Efficient detection of all pointer and array access errors , 1994, PLDI '94.

[4]  Satish Narayanasamy,et al.  Accelerating Meta Data Checks for Software Correctness and Security , 2007, J. Instr. Level Parallelism.

[5]  Emery D. Berger,et al.  Quantifying the performance of garbage collection vs. explicit memory management , 2005, OOPSLA '05.

[6]  Guru Venkataramani,et al.  MemTracker: Efficient and Programmable Support for Memory Access Monitoring and Debugging , 2007, 2007 IEEE 13th International Symposium on High Performance Computer Architecture.

[7]  Wei Xu,et al.  An efficient and backwards-compatible transformation to ensure memory safety of C programs , 2004, SIGSOFT '04/FSE-12.

[8]  Emery D. Berger,et al.  DieHarder: securing the heap , 2010, CCS '10.

[9]  Guru Venkataramani,et al.  Comprehensively and efficiently protecting the heap , 2006, ASPLOS XII.

[10]  John Regehr,et al.  Precise garbage collection for C , 2009, ISMM '09.

[11]  Harish Patil,et al.  Low‐cost, Concurrent Checking of Pointer and Array Accesses in C Programs , 1997, Softw. Pract. Exp..

[12]  Miguel Castro,et al.  Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors , 2009, USENIX Security Symposium.

[13]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[14]  Amir Roth,et al.  DISE: a programmable macro engine for customizing applications , 2003, ISCA '03.

[15]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[16]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[17]  Onur Mutlu,et al.  Flexible reference-counting-based hardware acceleration for garbage collection , 2009, ISCA '09.

[18]  Frank Ch. Eigler Mudflap: Pointer use checking for C/C , 2003 .

[19]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[20]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[21]  Hans-Juergen Boehm Space efficient conservative garbage collection , 2004, SIGP.

[22]  A. Roth,et al.  Physical register reference counting , 2008, IEEE Computer Architecture Letters.

[23]  Jonathan D. Pincus,et al.  Beyond stack smashing: recent advances in exploiting buffer overruns , 2004, IEEE Security & Privacy Magazine.

[24]  Amir Roth,et al.  RENO: a rename-based instruction optimizer , 2005, 32nd International Symposium on Computer Architecture (ISCA'05).

[25]  Dinakar Dhurjati,et al.  Efficiently Detecting All Dangling Pointer Uses in Production Servers , 2006, International Conference on Dependable Systems and Networks (DSN'06).

[26]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[27]  Matthias Meyer,et al.  A novel processor architecture with exact tag-free pointers , 2004, IEEE Micro.

[28]  Stéphan Jourdan,et al.  A novel renaming scheme to exploit value temporal locality through physical register reuse and unification , 1998, Proceedings. 31st Annual ACM/IEEE International Symposium on Microarchitecture.

[29]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy software , 2005, TOPL.

[30]  David Gay,et al.  Safe manual memory management , 2007, ISMM '07.

[31]  Emery D. Berger,et al.  Archipelago: trading address space for reliability and security , 2008, ASPLOS.

[32]  Nicholas Nethercote,et al.  How to shadow every byte of memory used by a program , 2007, VEE '07.

[33]  Saugata Ghose,et al.  Architectural support for low overhead detection of memory violations , 2009, 2009 Design, Automation & Test in Europe Conference & Exhibition.