research-article

SoftBound: highly compatible and complete spatial memory safety for c

Authors:

Santosh Nagarakatte,

Milo M.K. Martin,

Steve ZdancewicAuthors Info & Claims

PLDI '09: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation

Pages 245 - 258

https://doi.org/10.1145/1542476.1542504

Published: 15 June 2009 Publication History

Abstract

The serious bugs and security vulnerabilities facilitated by C/C++'s lack of bounds checking are well known, yet C and C++ remain in widespread use. Unfortunately, C's arbitrary pointer arithmetic, conflation of pointers and arrays, and programmer-visible memory layout make retrofitting C/C++ with spatial safety guarantees extremely challenging. Existing approaches suffer from incompleteness, have high runtime overhead, or require non-trivial changes to the C source code. Thus far, these deficiencies have prevented widespread adoption of such techniques.

This paper proposes SoftBound, a compile-time transformation for enforcing spatial safety of C. Inspired by HardBound, a previously proposed hardware-assisted approach, SoftBound similarly records base and bound information for every pointer as disjoint metadata. This decoupling enables SoftBound to provide spatial safety without requiring changes to C source code. Unlike HardBound, SoftBound is a software-only approach and performs metadata manipulation only when loading or storing pointer values. A formal proof shows that this is sufficient to provide spatial safety even in the presence of arbitrary casts. SoftBound's full checking mode provides complete spatial violation detection with 67% runtime overhead on average. To further reduce overheads, SoftBound has a store-only checking mode that successfully detects all the security vulnerabilities in a test suite at the cost of only 22% runtime overhead on average.

References

[1]

Adobe Reader vulnerability exploited in-the-wild, 2008. http://www.trustedsource.org/blog/118/Recent-Adobe-Reader-vulnerability-exploited-in-the-wild.

[2]

Adobe Security Advisories: APSB08-19, Nov. 2008. http://www.adobe.com/support/security/bulletins/apsb08-19.html.

[3]

M. Abadi, M. Budiu, Ú. Erlingsson, and J. Ligatti. Control-Flow Integrity. In Proceedings of the 10th ACM Conference on Computer and Communications Security, Nov. 2005.

Digital Library

[4]

P. Akritidis, C. Cadar, C. Raiciu, M. Costa, and M. Castro. Preventing Memory Error Exploits with WIT. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, 2008.

Digital Library

[5]

T. M. Austin, S. E. Breach, and G. S. Sohi. Efficient Detection of All Pointer and Array Access Errors. In Proceedings of the SIGPLAN 1994 Conference on Programming Language Design and Implementation, June 1994.

Digital Library

[6]

E. D. Berger and B. G. Zorn. DieHard: Probabilistic Memory Safety for Unsafe Languages. In Proceedings of the SIGPLAN 2006 Conference on Programming Language Design and Implementation, June 2006.

Digital Library

[7]

B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. A Static Analyzer for Large Safety-critical Software. In Proceedings of the SIGPLAN 2003 Conference on Programming Language Design and Implementation, June 2003.

Digital Library

[8]

R. Bodík, R. Gupta, and V. Sarkar. ABCD: Eliminating Array Bounds Checks on Demand. In Proceedings of the SIGPLAN 2000 Conference on Programming Language Design and Implementation, June 2000.

Digital Library

[9]

H.-J. Boehm. Space Efficient Conservative Garbage Collection. In Proceedings of the SIGPLAN 1993 Conference on Programming Language Design and Implementation, June 1993.

Digital Library

[10]

M. Castro, M. Costa, and T. Harris. Securing Software by Enforcing Data-Flow Integrity. In Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation, Nov. 2006.

Digital Library

[11]

J. Condit, M. Harren, Z. Anderson, D. Gay, and G. C. Necula. Dependent Types for Low-Level Programming. In Proceedings of the 16th European Symposium on Programming, Apr. 2007.

Digital Library

[12]

K. D. Cooper, M. W. Hall, and K. Kennedy. A Methodology for Procedure Cloning. Comput. Lang., 19(2):105--117, 1993.

Digital Library

[13]

The Coq Development Team. The Coq Proof Assistant Reference Manual (Version 8.2beta4), 2008.

[14]

C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. In Proceedings of the Foundations of Intrusion Tolerant Systems, 2003.

[15]

J. Criswell, A. Lenharth, D. Dhurjati, and V. Adve. Secure Virtual Architecture: A Safe Execution Environment for Commodity Operating Systems. In Proceedings of the 21st ACM Symposium on Operating Systems Principles, Oct. 2007.

Digital Library

[16]

J. Devietti, C. Blundell, M. M. K. Martin, and S. Zdancewic. Hardbound: Architectural Support for Spatial Safety of the C Programming Language. In Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems, Mar. 2008.

Digital Library

[17]

D. Dhurjati and V. Adve. Backwards-Compatible Array Bounds Checking for C with Very Low Overhead. In Proceeding of the 28th International Conference on Software Engineering, May 2006.

Digital Library

[18]

D. Dhurjati, S. Kowshik, and V. Adve. SAFECode: Enforcing Alias Analysis for Weakly Typed Languages. In Proceedings of the SIGPLAN 2006 Conference on Programming Language Design and Implementation, June 2006.

Digital Library

[19]

D. Dhurjati, S. Kowshik, V. Adve, and C. Lattner. Memory Safety Without Runtime Checks or Garbage Collection. In Proceedings of the 2003 ACM SIGPLAN Conference on Language, Compiler, and Tool for Embedded Systems (LCTES), 2003.

Digital Library

[20]

N. Dor, M. Rodeh, and M. Sagiv. CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C. In Proceedings of the SIGPLAN 2003 Conference on Programming Language Design and Implementation, June 2004.

Digital Library

[21]

F. C. Eigler. Mudflap: Pointer Use Checking for C/C++. In GCC Developer's Summit, 2003.

[22]

V. Ganapathy, S. Jha, D. Chandler, D. Melski, and D. Vitek. Buffer Overrun Detection using Linear Programming and Static Analysis. In Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003.

Digital Library

[23]

D. Gay and A. Aiken. Memory Management with Explicit Regions. In Proceedings of the SIGPLAN 1998 Conference on Programming Language Design and Implementation, June 1998.

Digital Library

[24]

D. Grossman. Safe Programming at the C Level of Abstraction. PhD thesis, Department of Computer Science, Cornell University, Aug. 2003.

Digital Library

[25]

D. Grossman, G. Morrisett, T. Jim, M. Hicks, Y. Wang, and J. Cheney. Region--Based Memory Management in Cyclone. In Proceedings of the SIGPLAN 2002 Conference on Programming Language Design and Implementation, June 2002.

Digital Library

[26]

B. Hackett, M. Das, D. Wang, and Z. Yang. Modular Checking for Buffer Overflows in the Large. In Proceedings of the 28th International Conference on Software Engineering (ICSE), 2006.

Digital Library

[27]

R. Hastings and B. Joyce. Purify: Fast Detection of Memory Leaks and Access Errors. In Proceedings of the Winter Usenix Conference, 1992.

[28]

T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A Safe Dialect of C. In Proceedings of the 2002 USENIX Annual Technical Conference, June 2002.

Digital Library

[29]

R. W. M. Jones and P. H. J. Kelly. Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs. In Third International Workshop on Automated Debugging, Nov. 1997.\newpage

[30]

V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure Execution via Program Shepherding. In Proceedings of the 11th USENIX Security Symposium, Aug. 2002.

Digital Library

[31]

G. Kroah-Hartman. The Linux Kernel Driver Model: The Benefits of Working Together. In A. Oram and G. Wilson, editors, Beautiful Code: Leading Programmers Explain How They Think. O'Reilly Media, Inc., June 2007.

[32]

L. Lam and T. Chiueh. Checking Array Bound Violation Using Segmentation Hardware. In Proceedings of the International Conference on Dependable Systems and Networks, June 2005.

Digital Library

[33]

C. Lattner and V. Adve. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation. In Proceedings of the International Symposium on Code Generation and Optimization, 2004.

Digital Library

[34]

S. Lu, Z. Li, F. Qin, L. Tan, P. Zhou, and Y. Zhou. Bugbench: Benchmarks for Evaluating Bug Detection tools. In In PLDI Workshop on the Evaluation of Software Defect Detection Tools, June 2005.

[35]

G. C. Necula, J. Condit, M. Harren, S. McPeak, and W. Weimer. CCured: Type--Safe Retrofitting of Legacy Software. ACM Transactions on Programming Languages and Systems, 27(3), May 2005.

Digital Library

[36]

N. Nethercote and J. Fitzhardinge. Bounds-Checking Entire Programs Without Recompiling. In Proceedings of the Second Workshop on Semantics, Program Analysis, and Computing Environments for Memory Management, 2004.

[37]

H. Patil and C. N. Fischer. Low-Cost, Concurrent Checking of Pointer and Array Accesses in C Programs. Software -- Practice & Experience, 27(1):87--110, 1997.

Digital Library

[38]

J. Pincus and B. Baker. Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns. IEEE Security & Privacy, 2(4):20--27, 2004.

Digital Library

[39]

P. Porras, H. Saidi, and V. Yegneswaran. An Analysis of Conficker's Logic and Rendezvous Points. Technical report, SRI International, Feb. 2009.

[40]

A. Rogers, M. C. Carlisle, J. H. Reppy, and L. J. Hendren. Supporting Dynamic Data Structures on Distributed-Memory Machines. ACM Transactions on Programming Languages and Systems, 17(2):233--263, 1995.

Digital Library

[41]

O. Ruwase and M. S. Lam. A Practical Dynamic Buffer Overflow Detector. In Proceedings of the Network and Distributed Systems Security Symposium, Feb. 2004.

[42]

J. Seward and N. Nethercote. Using Valgrind to Detect Undefined Value Errors with Bit-Precision. In Proceedings of the 2005 USENIX Annual Technical Conference, Apr. 2005.

Digital Library

[43]

SoftBound website. http://www.cis.upenn.edu/acg/softbound/.

[44]

D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A First Step towards Automated Detection of Buffer Overrun Vulnerabilities. In Proceedings of the Network and Distributed Systems Security Symposium, 2000.

[45]

J. Wilander and M. Kamkar. A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention. In Proceedings of the Network and Distributed Systems Security Symposium, 2003.

[46]

T. Würthinger, C. Wimmer, and H. Mössenböck. Array Bounds Check Elimination for the Java HotSpot Client Compiler. In Proceedings of the 5th international symposium on Principles and practice of programming in Java, 2007.

Digital Library

[47]

W. Xu, D. C. DuVarney, and R. Sekar. An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs. In Proceedings of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE), 2004.

Digital Library

[48]

S. H. Yong and S. Horwitz. Protecting C Programs From Attacks via Invalid Pointer Dereferences. In Proceedings of the 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE), 2003.

Digital Library

Cited By

Wei JChen P(2024)DSLR–: A low-overhead data structure layout randomization for defending data-oriented programmingJournal of Computer Security10.3233/JCS-23005332:3(221-246)Online publication date: 17-Jun-2024
https://doi.org/10.3233/JCS-230053
Yadav NVollmer FSadeghi ASmaragdakis GVoulimeneas A(2024)Orbital Shield: Rethinking Satellite Security in the Commercial Off-the-Shelf Era2024 Security for Space Systems (3S)10.23919/3S60530.2024.10592292(1-11)Online publication date: 27-May-2024
https://doi.org/10.23919/3S60530.2024.10592292
LI LZHANG QXU ZZHAO SSHI ZGUAN Y(2024)rOOM: A Rust-Based Linux Out of Memory Kernel ComponentIEICE Transactions on Information and Systems10.1587/transinf.2023MPP0001E107.D:3(245-256)Online publication date: 1-Mar-2024
https://doi.org/10.1587/transinf.2023MPP0001
Show More Cited By

Index Terms

SoftBound: highly compatible and complete spatial memory safety for c
1. Software and its engineering
  1. Software notations and tools
    1. Compilers

Recommendations

CETS: compiler enforced temporal safety for C
ISMM '10: Proceedings of the 2010 international symposium on Memory management

Temporal memory safety errors, such as dangling pointer dereferences and double frees, are a prevalent source of software bugs in unmanaged languages such as C. Existing schemes that attempt to retrofit temporal safety for such languages have high ...
SoftBound: highly compatible and complete spatial memory safety for c
PLDI '09

The serious bugs and security vulnerabilities facilitated by C/C++'s lack of bounds checking are well known, yet C and C++ remain in widespread use. Unfortunately, C's arbitrary pointer arithmetic, conflation of pointers and arrays, and programmer-...
SoftBound+CETS Revisited: More Than a Decade Later
EuroSec '24: Proceedings of the 17th European Workshop on Systems Security

Memory safety issues, including buffer overflows and use-after-free errors, continue to pose significant security threats in C/C++ programs, necessitating robust defenses and detection mechanisms. Despite advancements in memory-safe languages like Rust, ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

PLDI '09: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation

June 2009

492 pages

ISBN:9781605583921

DOI:10.1145/1542476

General Chair:
Michael Hind
IBM Research, USA
,
Program Chair:
Amer Diwan
University of Colorado at Boulder, USA

ACM SIGPLAN Notices Volume 44, Issue 6
PLDI '09
June 2009
478 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/1543135
Issue’s Table of Contents

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 June 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

PLDI '09

Sponsor:

PLDI '09: ACM SIGPLAN Conference on Programming Language Design and Implementation

June 15 - 21, 2009

Dublin, Ireland

Acceptance Rates

Overall Acceptance Rate 406 of 2,067 submissions, 20%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

429
Total Citations
View Citations
2,783
Total Downloads

Downloads (Last 12 months)360
Downloads (Last 6 weeks)47

Reflects downloads up to 22 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wei JChen P(2024)DSLR–: A low-overhead data structure layout randomization for defending data-oriented programmingJournal of Computer Security10.3233/JCS-23005332:3(221-246)Online publication date: 17-Jun-2024
https://doi.org/10.3233/JCS-230053
Yadav NVollmer FSadeghi ASmaragdakis GVoulimeneas A(2024)Orbital Shield: Rethinking Satellite Security in the Commercial Off-the-Shelf Era2024 Security for Space Systems (3S)10.23919/3S60530.2024.10592292(1-11)Online publication date: 27-May-2024
https://doi.org/10.23919/3S60530.2024.10592292
LI LZHANG QXU ZZHAO SSHI ZGUAN Y(2024)rOOM: A Rust-Based Linux Out of Memory Kernel ComponentIEICE Transactions on Information and Systems10.1587/transinf.2023MPP0001E107.D:3(245-256)Online publication date: 1-Mar-2024
https://doi.org/10.1587/transinf.2023MPP0001
CHEN CWAN HZHAO X(2024)Log refusion: adversarial attacks against the integrity of application logs and defense methodsSCIENTIA SINICA Informationis10.1360/SSI-2024-004254:9(2157)Online publication date: 10-Sep-2024
https://doi.org/10.1360/SSI-2024-0042
Simonnet JLemerre MSighireanu M(2024)A Dependent Nominal Physical Type System for Static Analysis of Memory in Low Level CodeProceedings of the ACM on Programming Languages10.1145/36897128:OOPSLA2(30-59)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689712
Zhao LShuang HXu SHuang WCui RBettadpur PLie D(2024)A Survey of Hardware Improvements to Secure Program ExecutionACM Computing Surveys10.1145/367239256:12(1-37)Online publication date: 12-Jun-2024
https://dl.acm.org/doi/10.1145/3672392
Alshmrany KAldughaim MBhayat ACordeiro L(2024)FuSeBMC v4: Improving Code Coverage with Smart Seeds via BMC, Fuzzing and Static AnalysisFormal Aspects of Computing10.1145/366533736:2(1-25)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3665337
Becker GEisenbarth TFederrath HFischer MLoose NOtt SPecholt JMarwedel SMeyer DStijohann JTalpur AVallentin M(2024)SOVEREIGN - Towards a Holistic Approach to Critical Infrastructure ProtectionProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3671410(1-9)Online publication date: 30-Jul-2024
https://dl.acm.org/doi/10.1145/3664476.3671410
Du YGuo YZhang YYang J(2024)RTT-UAF: Reuse Time Tracking for Use-After-Free DetectionProceedings of the 38th ACM International Conference on Supercomputing10.1145/3650200.3656606(376-387)Online publication date: 30-May-2024
https://dl.acm.org/doi/10.1145/3650200.3656606
Kang JPark JSeo JKwon DDe V(2024)Look Before You Access: Efficient Heap Memory Safety for Embedded Systems on ARMv8-MProceedings of the 61st ACM/IEEE Design Automation Conference10.1145/3649329.3655949(1-6)Online publication date: 23-Jun-2024
https://dl.acm.org/doi/10.1145/3649329.3655949
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents