Secure Low-Level Programming via Hardware-Assisted Memory-Safe C Prof. Milo Martin Santosh Nagarakatte, Joe Devietti, Jianzhou Zhao, Colin Blundell Prof.

Slides:



Advertisements
Similar presentations
Garbage Collection in the Next C++ Standard Hans-J. Boehm, Mike Spertus, Symantec.
Advertisements

HardBound: Architectural Support for Spatial Safety of the C Programming Language Joe Devietti *, Colin Blundell, Milo Martin, Steve Zdancewic * University.
1 Lecture 13: Cache and Virtual Memroy Review Cache optimization approaches, cache miss classification, Adapted from UCB CS252 S01.
IMPACT Second Generation EPIC Architecture Wen-mei Hwu IMPACT Second Generation EPIC Architecture Wen-mei Hwu Department of Electrical and Computer Engineering.
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
Alias Speculation using Atomic Regions (To appear at ASPLOS 2013) Wonsun Ahn*, Yuelu Duan, Josep Torrellas University of Illinois at Urbana Champaign.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.
Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.
“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
1 1 Lecture 4 Structure – Array, Records and Alignment Memory- How to allocate memory to speed up operation Structure – Array, Records and Alignment Memory-
Honors Compilers Addressing of Local Variables Mar 19 th, 2002.
Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
HARDBOUND: ARCHITECURAL SUPPORT FOR SPATIAL SAFETY OF THE C PROGRAMMING LANGUAGE Kyle Yan Yu Xing 2014/10/15.
May 9, 2001OSQ Retreat 1 Run-Time Type Checking for Pointers and Arrays in C Wes Weimer, George Necula Scott McPeak, S.P. Rahul, Raymond To.
1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.
MemTracker Efficient and Programmable Support for Memory Access Monitoring and Debugging Guru Venkataramani, Brandyn Roemer, Yan Solihin, Milos Prvulovic.
May 22, 2002OSQ Retreat 1 CCured: Taming C Pointers George Necula Scott McPeak Wes Weimer
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Secure Virtual Architecture: A Safe Execution Environment for Commodity Operating Systems John Criswell, University of Illinois Andrew Lenharth, University.
Secure Virtual Architecture John Criswell, Arushi Aggarwal, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve University of Illinois at Urbana-Champaign.
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Backwards-Compatible Array Bounds Checking for C with Very Low Overhead Dinakar Dhurjati and Vikram Adve ICSE 2006 Itay Polack
A Survey of Dynamic Techniques for Detecting Device Driver Errors Olatunji Ruwase LBA Reading Group 18 th May 2010.
CS533 Concepts of Operating Systems Jonathan Walpole.
Memory Management 3 Tanenbaum Ch. 3 Silberschatz Ch. 8,9.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
Chapter 8 – Main Memory (Pgs ). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.
COMP 111 Threads and concurrency Sept 28, Tufts University Computer Science2 Who is this guy? I am not Prof. Couch Obvious? Sam Guyer New assistant.
Colorama: Architectural Support for Data-Centric Synchronization Luis Ceze, Pablo Montesinos, Christoph von Praun, and Josep Torrellas, HPCA 2007 Shimin.
COMP3190: Principle of Programming Languages
The Fail-Safe C to Java translator Yuhki Kamijima (Tohoku Univ.)
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
 Asserting Expectations. Introduction -Observation alone is not enough for debugging as it can be a burden for a programmer. -One must compare observed.
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
Debugging via Run-Time Type Checking Title Page Alexey Loginov, Suan Yong, Susan Horwitz, Thomas Reps University of Wisconsin - Madison.
Thread basics. A computer process Every time a program is executed a process is created It is managed via a data structure that keeps all things memory.
MIDORI The Windows Killer!! by- Sagar R. Yeole Under the guidance of- Prof. T. A. Chavan.
CoreDet: A Compiler and Runtime System for Deterministic Multithreaded Execution Tom Bergan Owen Anderson, Joe Devietti, Luis Ceze, Dan Grossman To appear.
Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.
ISA's, Compilers, and Assembly
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
LECTURE 12 Virtual Memory. VIRTUAL MEMORY Just as a cache can provide fast, easy access to recently-used code and data, main memory acts as a “cache”
Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.
Chapter 10 Chapter 10 Implementing Subprograms. Implementing Subprograms  The subprogram call and return operations are together called subprogram linkage.
Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.
Efficient Software-Based Fault Isolation
Chapter 14: System Protection
Threads Cannot Be Implemented As a Library
High Coverage Detection of Input-Related Security Faults
Reducing Memory Reference Energy with Opportunistic Virtual Caching
Complete Memory-Safety with SoftBoundCETS
Code-Pointer Integrity
CETS: Compiler-Enforced Temporal Safety for C
CS703 - Advanced Operating Systems
Introduction to Computer Systems Engineering
Presentation transcript:

Secure Low-Level Programming via Hardware-Assisted Memory-Safe C Prof. Milo Martin Santosh Nagarakatte, Joe Devietti, Jianzhou Zhao, Colin Blundell Prof. Steve Zdancewic University of Pennsylvania Please feel free to ask questions!

2HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Two Long-Term Research Goals Easier multicore programming Multicore revolution  parallel programs ubiquitous Programming is hard, parallel programming more so Safer and secure low-level programming C’s lack of memory safety: root cause of vulnerabilities Goal: legacy C code as safe and secure as Java Unfortunately, C makes such checking a challenge Using hardware and/or compiler techniques This talk: hardware/compiler for spatial safety of C

3 Hardware Software Efficiency & Compatibility Talk Overview & Project Evolution HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Seminar on “Hardware Support for Security” ‘05 Spatial safety (J&K, SafeC/CCured/Cyclone) HardBound [ASPLOS 08] SoftBound [PLDI 2009] Work in progress… Today’s hardware Hardware bounded pointer primitive New hardware/software contract for pointers Hardware bounded pointer primitive New hardware/software contract for pointers Compiler-based transformation, < 2x overhead Memory layout unchanged ~10% overhead

4HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Why Care About Spatial Safety, Anyway? June 2, 2009: iTunes-8.2 Open URL, stack overflow May 12, 2009: libxml, Safari Visit website, heap overflow Jan 22, 2009: Windows RPC packet, overflow (Conficker worm) Feb 20, 2009: Acrobat Reader Open PDF, overflow Buffer overflows are security vulnerabilities

5 struct BankAccount { char acctID[3]; int balance; } b; b.balance = 0; char* id = &(b.acctID); … … char* p = id; … … do { char ch = readchar(); *p = ch; p++; } while(ch); memory HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Spatial Violation Example acctID reg bal p p x100x110x120x13 a b c id 0x10 id 0x x17 memory registers “Vulnerability of the decade” [Cowan et al] Variants (stack-, heap-, pointer-smashing, jump-to-libc) Facilitated by integer overflow/underflow Can happen anywhere in the code Attackers are clever, highly motivated

6 Preventing Spatial Violations SoftBound – Santosh Nagarakatte – PLDI 2009 write perfect code treat the symptoms address space randomization non-executable stack/heap protect return addresses all incomplete add bounds checking to existing C code use a safe language what about (existing) C code? use static analysis what about false positives?

7 The Cockroach of Programming Languages Ubiquitous Is there any mainstream system without some C code? Relevant Sometimes the right tool for a task Gold standard for performance Evolving Research philosophy: English vs. Esperanto (1887) What if you can’t wipe the slate clean? HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Modify the language?Or modify the hardware?

8 “Modernizing” Legacy C Code Can we provide unmodified C source code… …with key safety features of modern languages? Key feature: memory safety Spatial memory safety (bounds errors) Temporal memory safety (dangling pointers) Alas, such retrofitting challenging Pointer arithmetic, pointers to middle of objects, arrays in structs, legal out-of-bounds pointers, confluence of arrays and singleton pointers, visible memory layout, arbitrary type casts, … Lack of bounds information HardBound/SoftBound – Prof. Milo Martin - Fall 2009 today’s talk key challenge What is this? char *c;

9 Taxonomy of Bounds Checking for C HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Prior work : [Hastings92, Austin94, Jones97, Jim02, Necula02, Yong03, Eigler03, Ruwase04, Nethercote04, Xu04, Dhurjati06, Criswell07, …] Tripwires e.g., Purify, Valgrind … Few bits of state for each byte in memory A “red-zone” block between objects Pointer based e.g., SafeC, Cyclone, CCured, MSCC, … Pointer becomes a fat pointer (ptr, base, bound) Pointer dereferences are checked Object based e.g., Jones & Kelly, CRED, SafeCode, SVA, … Checks pointer manipulations Must point within same object All have one or more challenges: High runtime overheads Incompleteness (sub-objects, handling arbitrary casts) Incompatibilities (language changes, pointer representations)

10 The Tao of Dynamically Checking C HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Compatibility CompletenessContinuous (fast enough)

11 struct BankAccount { char acctID[3]; int balance; } b; b.balance = 0; char* id = &(b.acctID); char* id_bse = &(b.acctID); char* id_bnd = &(b.acctID) + 3; char* p = id; char* p_bse = id_bse; char* p_bnd = id_bnd; do { char ch = readchar(); check(p, p_bse, p_bnd);*p = ch; p++; } while(ch); memory HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Background: Fat Pointer Approach acctID reg bal id 0x10 p p x100x110x12 0x13 id_bse 0x10 id_bnd 0x13 p_bse 0x10 p_bnd 0x13 id_bse 0x10 id_bnd 0x13 id 0x10 a b c memory registers

12 struct BankAccount { char acctID[3]; int balance; } b; insert(b, &b, &b+sizeof(b)); b.balance = 0; char* id = &(b.acctID); … char* p = id; … … do { char ch = readchar(); *p = ch; p++; p = lookup(p, p + 1); } while(ch); Obj table memory HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Background: Object Based Approach acctID reg bal p p x100x110x120x13 a b c id 0x10 id 0x10 10 to 16 0x memory registers object table 10,1111,1212,1316,17 0x16

13 Analysis: Comparison of Approaches Object based +Disjoint metadata  memory layout unchanged  high source compatibility –Problem detecting sub-object overflows –Range lookup overhead Fat pointers +Can detect sub-objects overflows –Inline metadata  memory layout changes  low source compatibility Both –Fail to protect against arbitrary casts (unless augmented, such as CCured’s WILD pointers) HardBound/SoftBound – Prof. Milo Martin - Fall 2009

14 struct BankAccount { char acctID[3]; int balance; } b; b.balance = 0; char* id = &(b.acctID); lookup(&id)->bse = &(b.acctID); lookup(&id)->bnd = &(b.acctID) + 3; char* p = id; char* p_bse = lookup(&id)->bse; char* p_bnd = lookup(&id)->bnd; do { char ch = readchar(); check(p, p_bse, p_bnd);*p=ch; p++; } while(ch); Meta data memory HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Our Approach: Disjoint Pointer Metadata acctID reg bal id p p x100x110x120x13 p_bse 0x10 p_bnd 0x13 0x13 0x10 id 0x13 0x10 a b c memory registers metadata

15 Meta data metadata memory Compatibility Unchanged memory layout Completeness Sub-object bounds Arbitrary casts Continuous (fast) Direct lookup Hardware-assisted HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Our Approach: Disjoint Pointer Metadata acctID reg bal id p p x13 p_bse 0x10 p_bnd 0x13 0x13 0x10 id 0x13 0x10 a b c memory registers

16 Rest of Talk: HardBound & SoftBound HardBound: Hardware/software impl. [ASPLOS ‘08] How does it work? (pointer propagation & checking) How do we make HardBound fast? Dedicated datapaths, compressing metadata SoftBound: Compiler-only prototype [PLDI ‘09] What changes without hardware support? Experiments HardBound/SoftBound – Prof. Milo Martin - Fall 2009

17 HardBound Overview Bounded-pointer hardware primitive datatype All registers and memory have base/bound metadata Implemented via shadow memory and shadow registers Rewrite hardware/software contract for pointers Software identifies where pointers are created Examples: malloc, &variable (inserted by compiler) Using new setbound instruction Hardware checks and propagates the pointers +Fat pointer representation hidden by hardware +Compatibility (memory layout unchanged) +Enables optimized metadata encoding HardBound/SoftBound – Prof. Milo Martin - Fall 2009

18 Hardware Propagates & Checks Metadata All registers and memory have metadata Example operations: a dd R1 <− R2 + imm R1.value <− R2.value + imm R1.base <− R2.base R1.bound <− R2.bound l oad R1 <− Memory[R2] assert(R2.base <= R2.value < R2.bound) R1.value <− Memory[R2.value].value R1.base <− Memory[R2.value].base R1.bound <− Memory[R2.value].bound Performed in parallel (replicate datapath) HardBound/SoftBound – Prof. Milo Martin - Fall 2009 propagation bounds check propagation insn

19 Software Identifies Pointer Creation Even without recompilation… Allocation-granularity checking for heap HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Heap Objects Modified runtime system Hardware executes p = setbound(malloc(size), size) p = malloc(size) p_base = p p_bound = p + size p = malloc(size);

20 Software Identifies Pointer Creation Recompilation protects stack & globals Easy for compiler to identify HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Stack and Global Objects Compiler Hardware executes int array[100]; p = &array; p = setbound(&array, sizeof(array)); p = &array p_base = p p_bound = p + sizeof(array)

21 Bounding Pointers to Structure Fields struct { char acctID[3]; int balance; } *ptr; char* id = &(ptr->acctID); HardBound/SoftBound – Prof. Milo Martin - Fall 2009 option #1 Entire Structure id_base = &(ptr->acctID); id_bound = &(ptr->acctID) + 3; id_base = ptr_base; id_bound = ptr_bound; option #2 Shrink to Field Programmer intent ambiguous; optional shrinking of bounds acctID bal ? #1#2

22 struct BankAccount { char acctID[3]; int balance; } b; b.balance = 0; char* id = char* p = id; do { char ch = readchar(); *p=ch; p++; } while(ch); Meta data memory HardBound/SoftBound – Prof. Milo Martin - Fall 2009 HardBound Example acctID reg bal id p p 38 0 bse bnd 0x13 0x10 id 0x13 0x10 a b c memory registers metadata setbound( &b.acctID,3) &(b.acctID); Hdw. propagation Hdw. check

23 HardBound Memory Layout HardBound/SoftBound – Prof. Milo Martin - Fall 2009 standard C layout struct { int* ptr; int i; } s; ptr i i boundbase metadata shadow space regular space (layout unchanged) enables compatibility… …how do we make it efficient? Virtual Memory

24 Eliminating Metadata for Non-Pointers Most data are not pointers Add 1-bit tag to act as a filter Prevents an expensive base/bound lookup Lives in virtual memory (1 bit per word, 3% overhead) Add tag cache, accessed in parallel HardBound/SoftBound – Prof. Milo Martin - Fall 2009 non-pointer 0 0 pointer base bound 1 1 tag

25 Compressing In-Memory Metadata 1.Many pointers point to the beginning of an object 2.Many pointers point to small objects HardBound/SoftBound – Prof. Milo Martin - Fall 2009 pointer: 1000 base: 1000 bound: tag:1 bound: 1003 used opportunistically (on each store) base: size pointer: 1000

26 Metadata Lookup and Tag Cache HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Processor Core L2$ data$ insn$ tag$ TLB Memory

27 Why Not Just Do HardBound in Software? “SoftBound” Compiler inserts code for propagation and checking Similarities Same disjoint pointer-based metadata approach Differences Memory: access metadata only on pointer load/store No need for “tag” space Doesn’t (yet) use metadata compression Registers: base/bound just temporaries in compiler IR Bounds checks: compiler can elide redundant checks Works on today’s hardware HardBound/SoftBound – Prof. Milo Martin - Fall 2009

28 SoftBound Checking & Propagation All pointer/array dereferences checked if ((p p_bound)) abort(); Five x86 instructions: cmp, br, add, cmp, br Loading/storing a pointer from memory Loads/stores base and bound from metadata space Five x86 instructions: shift, mask, add, two loads Pointer assignments, arithmetic, and casts Just propagate pointer base and bound (share register) Pointer arguments to a function Bounds passed as extra arguments (in registers) int f(char* p) {…} int _f(char* p, void* p_base, void* p_bound) {…} HardBound/SoftBound – Prof. Milo Martin - Fall 2009

29 More in the Papers… Proof of spatial safety guarantees Region delineated by pointer metadata is always valid Formalized a rich subset of C Includes arbitrary casts, recursive structures, etc… Mechanized proof in Coq Hashtable-based metadata storage Handling various aspects of C Separate compilation and library code memcpy() Function pointers Variable argument functions HardBound/SoftBound – Prof. Milo Martin - Fall 2009

30 Experiments Four questions Effective in detecting overflows? Compatible with existing C code? Reasonable overheads? Hardware support justified? HardBound/SoftBound – Prof. Milo Martin - Fall 2009

31 Typed IR Optimize Source Binary Prototypes HardBound Source-to-source compiler based on CIL Simulator: FeS 2 x86 + Simics Simple in-order core model + caches SoftBound prototype LLVM as its foundation Typed IR helps in pointer identification Bounds check elimination not focus Intra-procedural dominator based Existing techniques would help a lot Runtime results on Core 2 Duo HardBound/SoftBound – Prof. Milo Martin - Fall 2009 SoftBound Optimize ~7K lines of code

32 Spatial Violation Detection Effective in detecting overflows? Suite of 286 spatial violations [Kratkiewicz ‘05] Synthetic attacks [Wilander et al] Prevented all these attacks Bugbench [Lu05] : overflows from real applications Detected all known violations HardBound/SoftBound – Prof. Milo Martin - Fall 2009 BenchmarkSoftBoundMudflapValgrind GoYesNo CompressYes PolymorphYes No GzipYes

33 Source Compatibility Experiments Compatible with existing C code? 272K lines of code total 23 benchmarks from Spec, Olden BugBench Multithreaded HTTP Server with CGI support FTP server No spurious runtime violations encountered HardBound/SoftBound – Prof. Milo Martin - Fall 2009

34 HardBound Runtime Results HardBound/SoftBound – Prof. Milo Martin - Fall 2009 bhbisort em3dhealthmst perimpowertreeaddtsp avg 10% average overhead

35 SoftBound Runtime Results HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Percent 67% Full Checking: default for development & testing Check only stores [Yong03, Castro06] Attacks predominantly use stores Store-only: for security critical apps, production code 21%

36 Softbound: Runtime vs Dynamic Instructions HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Percent 132% 67% Bounds checking & propagation off the critical path Processor exploits Instruction Level Parallelism (ILP) 82% 2%

37 Experiments Recap Effective in detecting overflows? Yes Compatible with existing C code? Yes Reasonable overheads? You decide SoftBound: Full checking – 67%, store-only – 21% HardBound: Full checking – ~10% Hardware support justified? Maybe Impact of simple versus sophisticated cores Cost/benefit tradeoff… can we lower the cost? HardBound/SoftBound – Prof. Milo Martin - Fall 2009

38 Future Work: Hardware/Software Continuum HardBound/SoftBound – Prof. Milo Martin - Fall 2009 HardBound Runtime Overhead High None Hardware Modifications High None Ideal SoftBound Hardware-accelerated temporal safety (without GC) Check freshness of each allocation with a “capability”

39 Conclusions HardBound/SoftBound provide spatial safety for C Pointer-based approach, but with disjoint metadata Compatible (no source code changes) Effective (catches know vulnerabilities) Software-only: fast enough for… Debugging & testing: full checking Security-critical software: store only checking Hardware-assisted: even lower overhead HardBound/SoftBound – Prof. Milo Martin - Fall 2009

Want to try SoftBound out?

41HardBound/SoftBound – Prof. Milo Martin - Fall 2009

42 Multiprocessor Issues Prior schemes have multiprocessor issues Issue #1: Need thread-safe base/bound storage Hash table: per bucket locking (or lock-free) Shadow space: if race-free, implicitly synchronized Issue #2: Atomic pointer reads/writes If race free, no problem if not race free, Hash table: protect pointer ld/st with bucket lock Shadow space: transactional memory? HardBound/SoftBound – Prof. Milo Martin - Fall 2009

43 Separate Compilation SoftBound instrumentation is intra-procedural No whole program analysis No information required across different compilation units SoftBound uses procedure cloning There are two version of each function, SoftBounded version and the original version Static or dynamic linker matches up callee and caller as usual SoftBound can be used to cure libraries Create safe versions of libraries No wrappers required HardBound/SoftBound – Prof. Milo Martin - Fall 2009

44 Benchmark Characterization HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Infrequent Metadata Accesses Frequent Metadata Accesses Percent

45 HardBound Memory Overhead Results HardBound/SoftBound – Prof. Milo Martin - Fall %189%140%132% bhbisort em3dhealthmst perimeterpowertreeaddtsp

46 SoftBound Memory Overhead HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Percent 87% 64%

47 Runtime Overhead: Store-only Checking HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Percent 21% For security-critical applications, useful for production code 54%

48 Runtime Overhead: Full Checking HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Percent 92% 67% On by default throughout development & testing Infrequent Metadata Accesses Frequent Metadata Accesses Memory overhead:Hash table – 87%, Shadow space – 54%

49HardBound/SoftBound – Prof. Milo Martin - Fall 2009

50 Making Multicore Programming Easier Transactional memory (with Blundell, Devietti, Lewis) Semantics (e.g., weak vs strong atomicity) [CAL ‘06] Simple unbounded hardware transactions [ISCA ‘07] Faster data sharing (with Raghavan, Blundell) Predictive, adaptive cache coherence [MICRO ’08] Memory consistency (with Blundell, Wenisch) Eliminating memory ordering penalties [ISCA ’09] Multicore software verification (with Burckhardt, Alur) Reordering-aware checking of lock-free code [PLDI ’09] Improve uniprocessors (with Sha, Roth) [MICRO ’05, ‘06] Eliminate load/store queue via predictive forwarding HardBound/SoftBound – Prof. Milo Martin - Fall 2009

51 Future Work: Hardware/Software Continuum HardBound/SoftBound – Prof. Milo Martin - Fall 2009 HardBound Runtime Overhead High None Hardware Modifications High None μop-only implementation Reg-to-reg rename copy elimination Special “pointer load” instructions μop-only implementation Reg-to-reg rename copy elimination Special “pointer load” instructions 128-bit base/bound registers (hijack SSE2 registers?) Single instruction “check” operation Auto-mask/shift addressing mode Hardware-accelerated “key lookup” (hash table) 128-bit base/bound registers (hijack SSE2 registers?) Single instruction “check” operation Auto-mask/shift addressing mode Hardware-accelerated “key lookup” (hash table) Static analysis for check elimination Ideal SoftBound Hardware-accelerated temporal safety (without GC) Check freshness of each allocation with a “capability”

52 Analysis Why is the runtime overhead low? Only pointer operations instrumented (typed IR) Optimize – transform – re-optimize Whole program analysis helps Why lower than dynamic instruction increase? Processor exploits Instruction Level Parallelism (ILP) Bounds checking & propagation off the critical path Could the overheads be even lower? Simple check elimination (from 80% to 67% overhead) More sophisticated techniques will help HardBound/SoftBound – Prof. Milo Martin - Fall 2009

53 Performance Experiments 23 benchmarks selected from Olden pointer-intensive benchmark suite Spec-95, Spec-2000, Spec-2006 Prototype not robust enough for all benchmarks Thus far always prototype bugs Experiments on Intel Core 2 Duo 2.66Ghz Benchmarks classification Number of pointer load/stores per 100 memory ops Low? bounds check overhead dominates High? bounds check + meta-data overheads HardBound/SoftBound – Prof. Milo Martin - Fall 2009

54 Recent Related Work Object based SafeCode [Dhurjati2006] – Reduces overhead Whole program analysis & pool allocation Pointer based CCured[Necula2002] Uses pointer inference to reduce overhead Cyclone [Jim2002] Uses programmer annotations with fat pointers MSCC [Xu2004] Uses split metadata with fat pointers HardBound/SoftBound – Prof. Milo Martin - Fall 2009

55 SoftBound Guarantees Well formed memory Every pointer in memory has metadata associated Region delineated by the pointer metadata is valid Proves safety properties Preservation: starting from a well formed state… Steps to a well formed state Progress: system always makes progress (not stuck) Reaches a well formed state (no violations) Or aborts Mechanized proof in Coq Download - HardBound/SoftBound – Prof. Milo Martin - Fall 2009

56 HardBound Memory Layout HardBound/SoftBound – Prof. Milo Martin - Fall 2009 standard C layout struct { int* ptr; int i; } s; ptr i i boundbase metadata shadow space regular space (layout unchanged) enables compatibility… …how do we make it fast? fat pointer layout ptr i i base bound i ptr Virtual Memory

57 Meta data metadata memory Pointer based Sub-object bounds (complete) Direct lookup (fast) Disjoint metadata Unchanged memory layout (compatible) Safe with arbitrary casts (complete) Hardware-assisted (fast) HardBound/SoftBound – Prof. Milo Martin - Fall 2009 Our Approach: Disjoint Pointer Metadata acctID reg bal id p p x13 p_bse 0x10 p_bnd 0x13 0x13 0x10 id 0x13 0x10 a b c memory registers

58 HardBound Experimental Configurations encodingsize of tag spacetag cache encodes ptrs to objects up to… external 4-bit4 bits8KB56 B internal 4-bit1 bit2KB56 B internal 11-bit1 bit2KB4 KB HardBound/SoftBound – Prof. Milo Martin - Fall 2009

59 Compressing In-Memory Metadata 1.Many pointers point to the beginning of an object 2.Many pointers point to small objects HardBound/SoftBound – Prof. Milo Martin - Fall 2009 pointer: 1000 base: 1000 bound: tag:1 bound: 1003 used opportunistically on stores External encoding: fold size into tag base: size pointer: 1000

60 Compressing Metadata for Pointers Most programs don’t use much of virtual memory pointers contain more bits than are really needed HardBound/SoftBound – Prof. Milo Martin - Fall 2009 base: 1000 bound: 1003 tag: 1 bound: 1003 Internal encoding: hide offset in pointer all loads do decompression, so transparent + + cmprsd? size pointer:

61 Today’s Talk: Spatial Safety for C Detect and prevent attacks & memory corruption… Caused by C’s lack of bounds checking Unfortunately, C makes such checking a challenge Goal: Compatible – no C source modifications Key: unchanged memory layout Approach #1: hardware bounded pointer primitive New hardware/software contract for pointers Approach #2: compiler-based transformation Experiments indicate: Effective Compatible (with actual C codes) Low overhead – compiler-only: <2x, w/ hardware: 10% HardBound/SoftBound – Prof. Milo Martin - Fall 2009

62 Conclusions HardBound/SoftBound provide spatial safety for C Pointer-based approach, but with disjoint metadata Compatible (no source code changes) Effective (catches know vulnerabilities) Software-only: fast enough for… Debugging & testing: full checking Security-critical software: store only checking Hardware-assisted: even lower overhead Future work Temporal safety (dangling pointers) Hardbound ISA extensions Softbound HardBound/SoftBound – Prof. Milo Martin - Fall 2009