
1 HARDBOUND: ARCHITECTURAL SUPPORT FOR SPATIAL SAFETY OF THE C PROGRAMMING LANGUAGE
Kyle Yan Yu Xing, 2014/10/15

2 SPATIAL SAFETY IN C PROGRAMMING
- C is the standard systems programming language:
  - control over data representation, memory management, performance...
  - its widespread use makes it a major source of software vulnerabilities
- C lacks spatial memory safety guarantees:
  - e.g. unchecked pointer arithmetic, array indexing...
  - a spatial violation occurs when an access through a variable reaches memory outside the bounds of its object

3 SOLUTIONS TO SPATIAL SAFETY
- Many special-purpose techniques (SW/HW) have been proposed
  - e.g. protecting return addresses, data pointers, code pointers, heap metadata...
  - do not provide complete spatial memory safety
  - focus on specific attacks or symptoms instead of the root cause
- Other software approaches address the root cause
  - type-safe languages like Java and C#
  - implementations of C that enforce full spatial safety
  - not widely used because of high runtime overheads, incomplete detection, etc.
- HardBound: a new hardware design
  - provides full spatial safety, maintains data structure layout compatibility by placing the bound information in a shadow space, and reduces runtime overhead to 10-20%

4 EXISTING APPROACHES AND ANALYSIS
- Red-Zone Tripwire
- Object Lookup
- Fat Pointer

5 RED-ZONE TRIPWIRE
Figure: memory layout by byte address
  0   valid
  4   (unlabelled)
  8   invalid (red zone)
  12  invalid (red zone)
  16  valid
  20  valid
1. Mem[4] -> Mem[8]: hits the red-zone tripwire, spatial safety violation detected
2. Mem[0] -> Mem[16]: jumps over the tripwire, spatial safety violation not detected
- Cannot guarantee the detection of all spatial violations
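The two cases on the slide, as an added C simulation that is not part of the presentation or the HardBound paper. The memory layout, the per-word poison flags and the object boundaries (A at bytes 0..7, B at bytes 16..23) are constructed for the example; the point it shows is that a tripwire can only look at the final address of an access, so a stride that steps over the red zone into a neighbouring object is indistinguishable from a legitimate access.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy memory mirroring the slide: six 4-byte words at byte
 * addresses 0..20. Object A occupies bytes [0,8), object B occupies [16,24),
 * and the two words at 8 and 12 are the red zone between them. */
#define WORD_BYTES 4
#define NUM_WORDS  6

/* One poison flag per word: true only for the red-zone words (assumed
 * representation of the tripwire; real tools keep this in shadow memory). */
static const bool redzone[NUM_WORDS] = { false, false, true, true, false, false };

/* A tripwire can only observe whether the final address lands on a
 * poisoned word; it knows nothing about which object the access was for. */
bool tripwire_hit(uint32_t addr) {
    uint32_t w = addr / WORD_BYTES;
    return w < NUM_WORDS && redzone[w];
}

/* Ground truth for the toy layout: a per-object bounds check of the kind
 * the fat-pointer and HardBound schemes later in the deck provide.
 * `from` is assumed to lie inside A ([0,8)) or B ([16,24)). */
bool violates_object_bounds(uint32_t from, uint32_t to) {
    uint32_t base  = (from < 8) ? 0 : 16;
    uint32_t bound = base + 8;
    return to < base || to >= bound;
}

/* Walk a pointer from `from` to `to` in one step (e.g. an array index
 * computed from input) and report what each mechanism sees. Returns
 * 1 if the tripwire detects the violation, 0 if the access is a violation
 * the tripwire misses, and -1 if the access is actually in bounds. */
int classify_access(uint32_t from, uint32_t to) {
    if (!violates_object_bounds(from, to)) return -1;
    return tripwire_hit(to) ? 1 : 0;
}

int main(void) {
    /* Case 1 from the slide: Mem[4] -> Mem[8] lands in the red zone. */
    printf("Mem[4] -> Mem[8]:  %s\n",
           classify_access(4, 8) == 1 ? "detected" : "missed");
    /* Case 2 from the slide: Mem[0] -> Mem[16] jumps over the red zone
     * into object B, a violation the tripwire cannot see. */
    printf("Mem[0] -> Mem[16]: %s\n",
           classify_access(0, 16) == 1 ? "detected" : "missed");
    return 0;
}
```

A wider red zone raises the stride needed to jump it but never closes the gap, which is why the slide concludes that tripwires cannot guarantee detection of all spatial violations.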

6 OBJECT LOOKUP
- Track the size of each object in a lookup table implemented as a splay tree
- + Memory layout unchanged
- - High runtime overheads
- - Weak in detecting the bounds of arrays inside structs (multiple pointers to the same address can have different bounds)

7 FAT POINTER
- Multi-word pointer/base/bound triples
- + Enforce complete spatial safety
- - Propagating and checking the bounds results in runtime overhead of 2x or more
- - Incompatibility due to the changed memory layout and pointer representation
- Extensions: Cyclone, CCured
Figure: example fat pointer
  Actual value  0x00000008
  Base addr     0x00000004
  Bound addr    0x00000010

8 HARDBOUND
- Provide a hardware primitive that
  - enforces complete spatial safety, like the fat pointer
  - retains binary compatibility, like the object table
  - incurs lower overhead than the approaches above
- ISA support for first-class bounded pointers
  - completeness
  - performance
  - binary compatibility
  - source compatibility
  - minimal compiler support

9 COMPILER AND RUNTIME SUPPORT
- Protect heap-allocated objects
- Protect local and global variables
    int i;
    int *ptr = &i;          becomes    int *ptr = setbound(&i, 4);
- Protect sub-objects
    struct {char str[5]; int x;} node;
    char *ptr = node.str;   becomes    char *ptr = setbound(node.str, 5);
- Programmer-specified sub-bounding
- Programmer-specified (un)checked pointers
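The fat-pointer triple from slide 7 and the two setbound cases from slide 9, as an added C example that is not code from the presentation, the HardBound paper, Cyclone or CCured. The fatptr struct, setbound, fat_add and fat_check are assumed names written for this example; the bounds are stored as integers so that out-of-bounds arithmetic can be represented without dereferencing anything until the check has passed. The sub-object case shows why the compiler narrows the bound to the array rather than the enclosing struct: with the whole-struct bound, writing str[5] is accepted and silently lands in the padding or in x.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software fat pointer: the pointer/base/bound triple from the slide.
 * The representation is assumed for this example. */
typedef struct {
    uintptr_t value;  /* address the program computes with */
    uintptr_t base;   /* first valid byte of the referent */
    uintptr_t bound;  /* one past the last valid byte */
} fatptr;

/* setbound(p, n): the compiler-inserted call from slide 9, written by hand.
 * Wraps a raw pointer with the bounds [p, p + n). */
fatptr setbound(void *p, size_t n) {
    fatptr f;
    f.value = (uintptr_t)p;
    f.base  = f.value;
    f.bound = f.value + n;
    return f;
}

/* Pointer arithmetic keeps the bounds and only moves the value. The result
 * may point out of bounds; the violation is reported on access, not here. */
fatptr fat_add(fatptr f, ptrdiff_t off) {
    f.value += (uintptr_t)off;
    return f;
}

/* 1 if an access of `len` bytes at f.value stays inside [base, bound), else 0.
 * The value <= bound test guards the subtraction against wrap-around. */
int fat_check(fatptr f, size_t len) {
    return f.value >= f.base && f.value <= f.bound && len <= f.bound - f.value;
}

/* Checked byte store: refuses an out-of-bounds write instead of letting it
 * corrupt a neighbouring field or object. Returns 0 on success, -1 if refused. */
int fat_store_byte(fatptr f, char c) {
    if (!fat_check(f, 1)) return -1;
    *(char *)f.value = c;
    return 0;
}

/* Local-variable case: int i; int *ptr = setbound(&i, 4);
 * Attempts one in-bounds 4-byte access (offset 0) and one just past the end
 * (offset 4). Returns how many of the two were rejected. */
int demo_local_variable(void) {
    int i = 0;
    fatptr p = setbound(&i, 4);
    int rejected = 0;
    rejected += !fat_check(p, 4);
    rejected += !fat_check(fat_add(p, 4), 4);
    return rejected;
}

/* Sub-object case: struct {char str[5]; int x;} node.
 * Tries to write str[5], one past the end of the array.
 * Returns 1 if the write went through, 0 if it was refused. */
int demo_subobject(int use_subobject_bound) {
    struct { char str[5]; int x; } node;
    memset(&node, 0, sizeof node);
    fatptr p = use_subobject_bound ? setbound(node.str, 5)
                                   : setbound(&node, sizeof node);
    return fat_store_byte(fat_add(p, 5), 'A') == 0;
}

int main(void) {
    printf("local int: %d of 2 accesses rejected\n", demo_local_variable());
    printf("str[5] with whole-struct bound: %s\n",
           demo_subobject(0) ? "accepted" : "refused");
    printf("str[5] with sub-object bound:   %s\n",
           demo_subobject(1) ? "accepted" : "refused");
    return 0;
}
```

The cost the slide refers to is visible in the shape of the code: every pointer is three words wide, every arithmetic step copies the triple, and every access checks it, which is also why a struct containing a fatptr no longer matches the layout that uninstrumented code expects.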

10 HARDWARE IMPLEMENTATION
- Place the metadata in the virtual memory space
- Add a tag to the metadata identifying whether a word is a pointer or a non-pointer
- Compression of bits

11 METADATA IN VIRTUAL MEMORY
- Base(addr)  = SHADOW_SPACE_BASE + (addr * 2)
- Bound(addr) = SHADOW_SPACE_BASE + (addr * 2) + 1

12 TAG METADATA
- A single bit marks whether a word is a pointer
- Reduces the memory overhead for non-pointers
- Most variables in C code are non-pointers
- TLB + tag cache accessed in parallel with the L1 cache
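The shadow-space addressing from slide 11 together with the tag bit from slide 12, as an added C simulation that is not code from the presentation or the HardBound paper. The toy machine is word-addressed and uses word indices as pointer values (a simplification), the shadow space is placed directly after program memory with SHADOW_SPACE_BASE = MEM_WORDS, and the treatment of untagged words as unchecked pointers is an assumption made for the example. What it shows is the layout-compatibility argument: the pointer word in memory stays a single ordinary word, the base/bound pair lives at the slide's Base(addr)/Bound(addr) slots, and copying a word carries its tag and metadata along.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed word-addressed toy machine. Program memory is MEM_WORDS words;
 * the shadow space follows it and holds two words (base, bound) per program
 * word, addressed exactly as on slide 11:
 *   Base(addr)  = SHADOW_SPACE_BASE + addr * 2
 *   Bound(addr) = SHADOW_SPACE_BASE + addr * 2 + 1
 * Addresses, offsets and bounds are word indices here (a simplification). */
#define MEM_WORDS         64
#define SHADOW_SPACE_BASE MEM_WORDS

static uint32_t mem[MEM_WORDS + 2 * MEM_WORDS];
static uint8_t  tag[MEM_WORDS];   /* 1 = this word holds a bounded pointer */

static uint32_t base_slot(uint32_t addr)  { return SHADOW_SPACE_BASE + addr * 2; }
static uint32_t bound_slot(uint32_t addr) { return SHADOW_SPACE_BASE + addr * 2 + 1; }

/* Store a bounded pointer at `at`. The pointer word itself stays an ordinary
 * single word, so struct layouts are unchanged; base/bound go to the shadow
 * space and the tag bit marks the word as a pointer. */
void store_pointer(uint32_t at, uint32_t value, uint32_t base, uint32_t bound) {
    mem[at] = value;
    mem[base_slot(at)]  = base;
    mem[bound_slot(at)] = bound;
    tag[at] = 1;
}

/* Store a non-pointer word: clearing the tag means stale metadata is never
 * trusted if the slot is later reinterpreted as a pointer. */
void store_word(uint32_t at, uint32_t value) {
    mem[at] = value;
    tag[at] = 0;
}

/* A memory-to-memory copy propagates the tag and its metadata, which is what
 * keeps bounds attached through memcpy-style code. */
void copy_word(uint32_t src, uint32_t dst) {
    mem[dst] = mem[src];
    tag[dst] = tag[src];
    if (tag[src]) {
        mem[base_slot(dst)]  = mem[base_slot(src)];
        mem[bound_slot(dst)] = mem[bound_slot(src)];
    }
}

/* Check an access of `len` words at (pointer stored at ptr_addr) + off.
 * Returns 1 if permitted, 0 if it violates the pointer's bounds. Untagged
 * words are treated as unchecked pointers and allowed (assumption). */
int access_permitted(uint32_t ptr_addr, uint32_t off, uint32_t len) {
    if (!tag[ptr_addr]) return 1;
    uint32_t p     = mem[ptr_addr] + off;
    uint32_t base  = mem[base_slot(ptr_addr)];
    uint32_t bound = mem[bound_slot(ptr_addr)];
    return p >= base && p <= bound && len <= bound - p;
}

/* Scenario: a 4-word buffer at words 16..19, a pointer to it kept at word 0
 * and then copied to word 1. Returns a 3-bit summary:
 * bit 2 = last element access allowed, bit 1 = one-past-end access allowed,
 * bit 0 = one-past-end access through the copy allowed. */
int run_demo(void) {
    memset(mem, 0, sizeof mem);
    memset(tag, 0, sizeof tag);
    store_pointer(0, 16, 16, 20);
    copy_word(0, 1);
    int in_bounds = access_permitted(0, 3, 1);
    int overflow  = access_permitted(0, 4, 1);
    int via_copy  = access_permitted(1, 4, 1);
    return (in_bounds << 2) | (overflow << 1) | via_copy;
}

int main(void) {
    int r = run_demo();
    printf("buf[3]: %s, buf[4]: %s, buf[4] via copied pointer: %s\n",
           (r & 4) ? "allowed" : "refused",
           (r & 2) ? "allowed" : "refused",
           (r & 1) ? "allowed" : "refused");
    return 0;
}
```

The two-words-per-word shadow region is the memory cost the later slides try to reduce; the tag bit is what lets the hardware skip the shadow lookup for the non-pointer majority of words.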

13 COMPRESSION
- Decrease memory/runtime overhead through compression
- External compressed encoding
  - additional bits in the tag space
- Internal compressed encoding
  - uses redundant bits from the pointer

14 EXTERNAL COMPRESSED ENCODING
- Most C pointers are:
  - small, pointer = base, size is a multiple of 4
- Extend the tag metadata to 4 bits
  - can encode 14 compressed patterns
  - compressed/non-compressed pointer
  - pointer/not pointer
- Restrictions
  - size must be a multiple of four bytes
  - object cannot be larger than 56 bytes
  - pointer must equal base
Figure: Pointer = Base (0x1000); Tag holds Size; Bound = Base + Size * 4

15 INTERNAL COMPRESSED ENCODING
- Uses the n-1 upper bits of the pointer as metadata
- Still requires a tag to signify whether the word is a pointer
- More flexible with larger n
- Restrictions
  - objects beyond the first 2^(64-n) bytes cannot be encoded
Figure: n bits for metadata | pointer | tag
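Both compressed encodings from slides 14 and 15, as an added C example that is not code from the presentation or the HardBound paper. The slide gives only the counts and restrictions, so the exact tag assignment (0 = non-pointer, 1 = uncompressed pointer, 2..15 = compressed with size (tag-1)*4 bytes) and the internal layout (a 16-bit size field in the top bits, address in the low 48 bits, base equal to the pointer) are assumptions chosen for this example; the function names are likewise invented. The point shown is that each encoder falls back when a restriction is violated instead of silently mis-encoding the bound.

```c
#include <stdint.h>
#include <stdio.h>

/* ---- External compressed encoding: 4-bit tag, metadata outside the word ----
 * Assumed tag assignment for this example (the slide only gives the counts):
 *   0      non-pointer
 *   1      pointer with uncompressed base/bound in the shadow space
 *   2..15  compressed pointer: base = pointer, size = (tag - 1) * 4 bytes,
 *          i.e. the 14 sizes 4, 8, ..., 56, and bound = base + size. */
#define TAG_NONPTR       0
#define TAG_UNCOMPRESSED 1

/* Returns the compressed tag (2..15) when the triple satisfies all three
 * restrictions from slide 14, TAG_UNCOMPRESSED when it must fall back to the
 * shadow space, or -1 for a malformed triple. */
int ext_encode(uint64_t ptr, uint64_t base, uint64_t bound) {
    if (bound < base) return -1;
    uint64_t size = bound - base;
    if (ptr != base || size == 0 || size % 4 != 0 || size > 56)
        return TAG_UNCOMPRESSED;
    return (int)(size / 4) + 1;
}

/* Recovers base/bound from a compressed tag and the pointer word.
 * Returns 0 on success, -1 if the tag is not a compressed pointer. */
int ext_decode(int tag, uint64_t ptr, uint64_t *base, uint64_t *bound) {
    if (tag < 2 || tag > 15) return -1;
    *base  = ptr;
    *bound = ptr + (uint64_t)(tag - 1) * 4;
    return 0;
}

/* Encode, decode and report whether the bounds survive the round trip (1/0). */
int ext_roundtrip(uint64_t ptr, uint64_t base, uint64_t bound) {
    uint64_t b, e;
    int tag = ext_encode(ptr, base, bound);
    if (ext_decode(tag, ptr, &b, &e) != 0) return 0;
    return b == base && e == bound;
}

/* ---- Internal compressed encoding: metadata in the pointer's upper bits ----
 * Assumed layout (a simplification of the slide's n-1 metadata bits): the top
 * N_BITS of the 64-bit word hold the object size in bytes, base == pointer,
 * and the low 64 - N_BITS bits hold the address. Addresses at or beyond
 * 2^(64-N_BITS) cannot be encoded, which is the restriction on slide 15. */
#define N_BITS    16
#define ADDR_BITS (64 - N_BITS)
#define ADDR_MASK ((1ULL << ADDR_BITS) - 1)

/* Returns 0 and fills *word on success, -1 if the pointer or size does not fit. */
int int_encode(uint64_t ptr, uint64_t size, uint64_t *word) {
    if (ptr > ADDR_MASK) return -1;                       /* beyond first 2^(64-n) bytes */
    if (size == 0 || size >= (1ULL << N_BITS)) return -1; /* size field overflow */
    *word = (size << ADDR_BITS) | ptr;
    return 0;
}

void int_decode(uint64_t word, uint64_t *ptr, uint64_t *base, uint64_t *bound) {
    *ptr   = word & ADDR_MASK;
    *base  = *ptr;
    *bound = *ptr + (word >> ADDR_BITS);
}

/* Encode, decode and report whether pointer and bounds survive (1/0). */
int int_roundtrip(uint64_t ptr, uint64_t size) {
    uint64_t w, p, b, e;
    if (int_encode(ptr, size, &w) != 0) return 0;
    int_decode(w, &p, &b, &e);
    return p == ptr && b == ptr && e == ptr + size;
}

int main(void) {
    printf("16-byte object at 0x1000: tag %d\n", ext_encode(0x1000, 0x1000, 0x1010));
    printf("64-byte object at 0x1000: tag %d (uncompressed)\n",
           ext_encode(0x1000, 0x1000, 0x1040));
    printf("internal, 32 bytes at 0x1000: %s\n",
           int_roundtrip(0x1000, 32) ? "round-trips" : "not encodable");
    printf("internal, address 2^50:       %s\n",
           int_roundtrip(1ULL << 50, 32) ? "round-trips" : "not encodable");
    return 0;
}
```

Because the compressed forms only describe base = pointer objects, a pointer that has been advanced into the middle of its object no longer fits and must be re-encoded in the uncompressed form; that fallback path is where the "most pointers are small and point at their base" observation pays off.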

16 PERFORMANCE OVERHEAD
- All violations detected, no false positives
- Average runtime overhead: 5%
- Average number of additional pages: 10%

17 FUTURE CONSIDERATIONS
- Type safety
- Temporal errors

18 DISCUSSION POINTS
- Performance benchmarks don't include pthreads, fork, UNIX shared memory segments or timers
- Power overhead / layout overhead
- Worst-case memory overhead can reach as high as 200%
- Intel has a version of base+bound: Intel® SGX

