ABSTRACT
The C programming language is at least as well known for its absence of spatial memory safety guarantees (i.e., lack of bounds checking) as it is for its high performance. C's unchecked pointer arithmetic and array indexing allow simple programming mistakes to lead to erroneous executions, silent data corruption, and security vulnerabilities. Many prior proposals have tackled enforcing spatial safety in C programs by checking pointer and array accesses. However, existing software-only proposals have significant drawbacks that may prevent wide adoption, including: unacceptably high run-time overheads, lack of completeness, incompatible pointer representations, or need for non-trivial changes to existing C source code and compiler infrastructure.
Inspired by the promise of these software-only approaches, this paper proposes a hardware bounded pointer architectural primitive that supports cooperative hardware/software enforcement of spatial memory safety for C programs. This bounded pointer is a new hardware primitive datatype for pointers that leaves the standard C pointer representation intact, but augments it with bounds information maintained separately and invisibly by the hardware. The bounds are initialized by the software, and they are then propagated and enforced transparently by the hardware, which automatically checks a pointer's bounds before it is dereferenced. One mode of use requires instrumenting only malloc, which enables enforcement of per-allocation spatial safety for heap-allocated objects in existing binaries. When combined with simple intraprocedural compiler instrumentation, hardware bounded pointers enable a low-overhead approach for enforcing complete spatial memory safety in unmodified C programs.
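To make the mechanism in the abstract concrete, the following is an added software model of a bounded pointer; it is not code from the Hardbound paper or its authors. The metadata the hardware would hold invisibly is written out here as explicit base/bound fields, an instrumented malloc initialises the bounds, pointer arithmetic propagates them unchanged, and every dereference is checked against them before the access happens. All names (bptr, bmalloc, bfree, badd, bcheck, bstore, bload, and the two demo functions) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* A bounded pointer as modelled here: the ordinary C pointer value plus the
 * base/bound metadata that the hardware would carry invisibly.
 * (Hypothetical names; this is a software model, not the paper's design.) */
typedef struct {
    unsigned char *ptr;   /* standard C pointer representation, unchanged */
    uintptr_t base;       /* lowest valid address (inclusive) */
    uintptr_t bound;      /* one past the highest valid address (exclusive) */
} bptr;

/* Software side: an instrumented malloc initialises the bounds of the
 * pointer it returns to exactly the allocated object. */
static bptr bmalloc(size_t n) {
    bptr p;
    p.ptr = malloc(n);
    p.base = (uintptr_t)p.ptr;
    p.bound = p.ptr ? p.base + n : 0;
    return p;
}

static void bfree(bptr p) { free((void *)p.base); }

/* Hardware side: pointer arithmetic changes only the pointer value and
 * propagates the bounds untouched, so a pointer that walks past its object
 * still remembers which object it belongs to. Done in uintptr_t so that
 * forming an out-of-bounds pointer (legal to form, illegal to use) is not
 * undefined behaviour in this model. */
static bptr badd(bptr p, ptrdiff_t off) {
    bptr q = p;
    q.ptr = (unsigned char *)((uintptr_t)p.ptr + (uintptr_t)off);
    return q;
}

/* Hardware side: the check performed before every dereference of `len`
 * bytes. Returns 1 if the access lies within [base, bound), 0 if it would
 * trap. Remaining room is computed by subtraction so ptr + len cannot wrap. */
static int bcheck(bptr p, size_t len) {
    uintptr_t a = (uintptr_t)p.ptr;
    if (p.base == 0 || a < p.base || a > p.bound) return 0;
    return (p.bound - a) >= len;
}

/* Checked single-byte store/load: perform the access only if bcheck passes.
 * Real hardware would raise an exception on failure; this model reports it
 * with a 0 return value instead. */
static int bstore(bptr p, unsigned char v) {
    if (!bcheck(p, 1)) return 0;
    *p.ptr = v;
    return 1;
}

static int bload(bptr p, unsigned char *out) {
    if (!bcheck(p, 1)) return 0;
    *out = *p.ptr;
    return 1;
}

/* A classic off-by-one loop over a 4-byte heap buffer. The stores at
 * indices 0..3 land inside the object; the store at index 4 is the bug and
 * is caught. Returns the number of violations detected (1). */
static int overflow_demo(void) {
    bptr buf = bmalloc(4);
    int violations = 0;
    for (int i = 0; i <= 4; i++)          /* `<=` is the off-by-one */
        if (!bstore(badd(buf, i), (unsigned char)i)) violations++;
    bfree(buf);
    return violations;
}

/* Forming a one-past-the-end pointer is fine and stepping back from it
 * yields a usable pointer again; only dereferences are checked. Also shows
 * that a byte written through a checked store reads back through a checked
 * load. Returns 1 when every case behaves as described. */
static int arithmetic_demo(void) {
    bptr buf = bmalloc(8);
    bptr end = badd(buf, 8);
    unsigned char v = 0;
    int ok = bcheck(end, 1) == 0             /* read at bound: caught */
          && bcheck(badd(end, -1), 1) == 1   /* last byte: allowed */
          && bcheck(badd(buf, -1), 1) == 0   /* below base: caught */
          && bcheck(buf, 8) == 1             /* whole object: allowed */
          && bcheck(buf, 9) == 0             /* one byte too many: caught */
          && bstore(badd(buf, 7), 0x5a) == 1
          && bload(badd(buf, 7), &v) == 1 && v == 0x5a;
    bfree(buf);
    return ok;
}
```

The abstract states that the bounds are kept separately from the pointer, which is what leaves the C pointer representation and existing data layouts intact; this model bundles them into one struct purely so the propagation and check rules are visible in a few lines. The defender's point it illustrates is that the check is attached to the dereference, not to the arithmetic: the program is free to compute any pointer it likes, but the first load or store through one that has left its object is the event that is detected.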
Supplemental Material
Supplemental material for Hardbound: architectural support for spatial safety of the C programming language (available for download).
Hardbound: architectural support for spatial safety of the C programming language. ASPLOS '08.