Abstract
Memory errors are a notorious source of security vulnerabilities that can lead to service interruptions, information leakage and unauthorized access. Because such errors are also difficult to debug, the absence of timely patches can leave users vulnerable to attack for long periods of time. A variety of approaches have been introduced to combat these errors, but these often incur large runtime overheads and generally abort on errors, threatening availability.
This paper presents Archipelago, a runtime system that takes advantage of available address space to substantially reduce the likelihood that a memory error will affect program execution. Archipelago randomly allocates heap objects far apart in virtual address space, effectively isolating each object from buffer overflows. Archipelago also protects against dangling pointer errors by preserving the contents of freed objects after they are freed. Archipelago thus trades virtual address space---a plentiful resource on 64-bit systems---for significantly improved program reliability and security, while limiting physical memory consumption by tracking the working set of an application and compacting cold objects. We show that Archipelago allows applications to continue to run correctly in the face of thousands of memory errors. Across a suite of server applications, Archipelago's performance overhead is 6% on average (between -7% and 22%), making it especially suitable to protect servers that have known security vulnerabilities due to heap memory errors.
Supplemental Material
Available for Download
Supplemental material for Archipelago: trading address space for reliability and security
- A.W. Appel and K. Li. Virtual memory primitives for user programs. In ASPLOS-IV: Proceedings of the fourth international conference on Architectural support for programming languages and operating systems, pages 96--107, New York, NY, USA, 1991. ACM Press. Google Scholar
Digital Library
- T.M. Austin, S.E. Breach, and G.S. Sohi. Efficient detection of all pointer and array access errors. In Proceedings of the ACM SIGPLAN 1994 Conference on Programming Language Design and Implementation, pages 290--301, New York, NY, USA, 1994. ACM Press. Google Scholar
Digital Library
- D. Avots, M. Dalton, V.B. Livshits, and M.S. Lam. Improving software security with a C pointer analysis. In ICSE '05: Proceedings of the 27th international conference on Software engineering, pages 332--341, New York, NY, USA, 2005. ACM Press. Google Scholar
Digital Library
- E.D. Berger and B.G. Zorn. DieHard: Probabilistic memory safety for unsafe languages. In Proceedings of the 2006 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2006), pages 158--168, New York, NY, USA, 2006. ACM Press. Google Scholar
Digital Library
- E.D. Berger and B.G. Zorn. Efficient probabilistic memory safety. Technical Report UMCS TR-2007-17, Department of Computer Science, University of Massachusetts Amherst, Mar. 2007.Google Scholar
- E.D. Berger, B.G. Zorn, and K.S. McKinley. Composing high-performance memory allocators. In Proceedings of the 2001 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2001), Snowbird, Utah, June 2001. Google Scholar
Digital Library
- H.-J. Boehm and M. Weiser. Garbage collection in an uncooperative environment. Software Practice and Experience, 18(9):807--820, 1988. Google Scholar
Digital Library
- R.W. Carr and J.L. Hennessy. Wsclock -- a simple and effective algorithm for virtual memory management. In SOSP, pages 87--95, 1981. Google Scholar
Digital Library
- J.S. Chase, H.M. Levy, M.J. Feeley, and E.D. Lazowska. Sharing and protection in a single-address-space operating system. ACM Transactions on Computer Systems, 12(4):271--307, Nov. 1994. Google Scholar
Digital Library
- P.J. Denning. The working set model for program behaviour. Communications of the ACM, 11:323--333, 1968. Google Scholar
Digital Library
- D. Dhurjati and V. Adve. Backwards-Compatible Array Bounds Checking for C with Very Low Overhead. In Proceedings of the 2006 International Conference on Software Engineering (ICSE'06), Shanghai, China, May 2006. Google Scholar
Digital Library
- D. Dhurjati and V. Adve. Efficiently detecting all dangling pointer uses in production servers. In DSN '06: Proceedings of the International Conference on Dependable Systems and Networks (DSN'06), pages 269--280, Washington, DC, USA, 2006. IEEE Computer Society. Google Scholar
Digital Library
- D. Dhurjati, S. Kowshik, and V. Adve. Safecode: enforcing alias analysis for weakly typed languages. In Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation, pages 144--157, New York, NY, USA, 2006. ACM Press. Google Scholar
Digital Library
- D. Dhurjati, S. Kowshik, V. Adve, and C. Lattner. Memory safety without runtime checks or garbage collection. In ACM SIGPLAN 2003 Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES'2003), San Diego, CA, June 2003. ACM Press. Google Scholar
Digital Library
- P. Druschel and L.L. Peterson. High-performance cross-domain data transfer. Technical Report TR 92-11, Dept. Comp. of Sc., U. of Arizona, Tucson, AZ (USA), Mar. 1992.Google Scholar
- R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Proc. of the Winter 1992 USENIX Conference, pages 125--138, San Francisco, California, 1991.Google Scholar
- M. Hertz and E.D. Berger. Quantifying the performance of garbage collection vs. explicit memory management. In Proceedings of the 20th annual ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), San Diego, CA, Oct. 2005. Google Scholar
Digital Library
- J. Huck and J. Hays. Architectural support for translation table management in large address space machines. In ISCA '93: Proceedings of the 20th annual international symposium on Computer architecture, pages 39--50, New York, NY, USA, 1993. ACM Press. Google Scholar
Digital Library
- T. Jim, J.G. Morrisett, D. Grossman, M.W. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In Proceedings of the General Track: 2002 USENIX Annual Technical Conference, pages 275--288, Berkeley, CA, USA, 2002. USENIX Association. Google Scholar
Digital Library
- M. Kharbutli, X. Jiang, Y. Solihin, G. Venkataramani, and M. Prvulovic. Comprehensively and efficiently protecting the heap. In ASPLOS-XII: Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 207--218, New York, NY, USA, 2006. ACM Press. Google Scholar
Digital Library
- D. Lea. A memory allocator. http://gee.cs.oswego.edu/dl/html/malloc.html, 1997.Google Scholar
- Microsoft Corporation. Pageheap. http://support.microsoft.com/kb/286470.Google Scholar
- G.C. Necula, S. McPeak, and W. Weimer. CCured: type--safe retrofitting of legacy code. In POPL '02: Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of Programming Languages, pages 128--139, New York, NY, USA, 2002. ACM Press. Google Scholar
Digital Library
- N. Nethercote and J. Fitzhardinge. Bounds-checking entire programs without recompiling. In SPACE 2004, Venice, Italy, Jan. 2004.Google Scholar
- G. Novark, E.D. Berger, and B.G. Zorn. Exterminator: automatically correcting memory errors with high probability. In PLDI '07: Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation, pages 1--11, New York, NY, USA, 2007. ACM Press. Google Scholar
Digital Library
- O. Ruwase and Monica S. Lam. A practical dynamic buffer overflow detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium, pages 159--169, Feb. 2004.Google Scholar
- B. Perens. Electric Fence v2.1. http://perens.com/FreeSoftware/ElectricFence/.Google Scholar
- F. Qin, J. Tucek, J. Sundaresan, and Y. Zhou. Rx: Treating bugs as allergies: A safe method to survive software failures. In Proceedings of the Twentieth Symposium on Operating Systems Principles, volume XX of Operating Systems Review, Brighton, UK, Oct. 2005. ACM. Google Scholar
Digital Library
- M. Rinard, C. Cadar, D. Dumitran, D.M. Roy, and T. Leu. A dynamic technique for eliminating buffer overflow vulnerabilities (and other memory errors). In Proceedings of the 2004 Annual Computer Security Applications Conference, Dec. 2004. Google Scholar
Digital Library
- M. Rinard, C. Cadar, D. Dumitran, D.M. Roy, T. Leu, and J. William S. Beebee. Enhancing server availability and security through failure-oblivious computing. In Sixth Symposium on Operating Systems Design and Implementation, San Francisco, CA, Dec. 2004. USENIX. Google Scholar
Digital Library
- J. Seward and N. Nethercote. Using Valgrind to detect undefined value errors with bit-precision. In Proceedings of the USENIX'05 Annual Technical Conference, Anaheim, California, USA, Apr. 2005. Google Scholar
Digital Library
- N. Swamy, M. Hicks, G. Morrisett, D. Grossman, and T. Jim. Experience with safe manual memory management in cyclone. Science of Computer Programming, 2006. Special issue on memory management. Expands ISMM conference paper of the same name. To appear. Google Scholar
Digital Library
- Symantec. Internet security threat report. http://www.symantec.com/enterprise/threatreport/index.jsp, Sept. 2006.Google Scholar
- P.R. Wilson, S.F. Kaplan, and Y. Smaragdakis. The case for compressed caching in virtual memory systems. In Proceedings of the Annual Technical Conference on 1999 USENIX Annual Technical Conference, pages 101--116, Berkeley, CA, USA, 1999. USENIX Association. Google Scholar
Digital Library
- W. Xu, D.C. DuVarney, and R. Sekar. An efficient and backwards-compatible transformation to ensure memory safety of C programs. In SIGSOFT'04/FSE-12: Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering, pages 117--126, New York, NY, USA, 2004. ACM Press. Google Scholar
Digital Library
- C. Yarvin, R. Bukowski, and T. Anderson. Anonymous RPC: Low-latency protection in a 64-bit address space. In Proceedings of the 1993 Summer USENIX Conference, pages 175--186, 1993. Google Scholar
Digital Library
- S.H. Yong and S. Horwitz. Protecting C programs from attacks via invalid pointer dereferences. In ESEC/FSE--11: 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 307--316, New York, NY, USA, 2003. ACM Press. Google Scholar
Digital Library
Index Terms
Archipelago: trading address space for reliability and security
Recommendations
DieHarder: securing the heap
CCS '10: Proceedings of the 17th ACM conference on Computer and communications securityHeap-based attacks depend on a combination of memory management error and an exploitable memory allocator. Many allocators include ad hoc countermeasures against particular exploits but their effectiveness against future exploits has been uncertain. ...
Archipelago: trading address space for reliability and security
ASPLOS XIII: Proceedings of the 13th international conference on Architectural support for programming languages and operating systemsMemory errors are a notorious source of security vulnerabilities that can lead to service interruptions, information leakage and unauthorized access. Because such errors are also difficult to debug, the absence of timely patches can leave users ...
Archipelago: trading address space for reliability and security
ASPLOS '08Memory errors are a notorious source of security vulnerabilities that can lead to service interruptions, information leakage and unauthorized access. Because such errors are also difficult to debug, the absence of timely patches can leave users ...







Comments