skip to main content
research-article

Archipelago: trading address space for reliability and security

Published:01 March 2008Publication History
Skip Abstract Section

Abstract

Memory errors are a notorious source of security vulnerabilities that can lead to service interruptions, information leakage and unauthorized access. Because such errors are also difficult to debug, the absence of timely patches can leave users vulnerable to attack for long periods of time. A variety of approaches have been introduced to combat these errors, but these often incur large runtime overheads and generally abort on errors, threatening availability.

This paper presents Archipelago, a runtime system that takes advantage of available address space to substantially reduce the likelihood that a memory error will affect program execution. Archipelago randomly allocates heap objects far apart in virtual address space, effectively isolating each object from buffer overflows. Archipelago also protects against dangling pointer errors by preserving the contents of freed objects after they are freed. Archipelago thus trades virtual address space---a plentiful resource on 64-bit systems---for significantly improved program reliability and security, while limiting physical memory consumption by tracking the working set of an application and compacting cold objects. We show that Archipelago allows applications to continue to run correctly in the face of thousands of memory errors. Across a suite of server applications, Archipelago's performance overhead is 6% on average (between -7% and 22%), making it especially suitable to protect servers that have known security vulnerabilities due to heap memory errors.

Skip Supplemental Material Section

Supplemental Material

Video

References

  1. A.W. Appel and K. Li. Virtual memory primitives for user programs. In ASPLOS-IV: Proceedings of the fourth international conference on Architectural support for programming languages and operating systems, pages 96--107, New York, NY, USA, 1991. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. T.M. Austin, S.E. Breach, and G.S. Sohi. Efficient detection of all pointer and array access errors. In Proceedings of the ACM SIGPLAN 1994 Conference on Programming Language Design and Implementation, pages 290--301, New York, NY, USA, 1994. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. D. Avots, M. Dalton, V.B. Livshits, and M.S. Lam. Improving software security with a C pointer analysis. In ICSE '05: Proceedings of the 27th international conference on Software engineering, pages 332--341, New York, NY, USA, 2005. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. E.D. Berger and B.G. Zorn. DieHard: Probabilistic memory safety for unsafe languages. In Proceedings of the 2006 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2006), pages 158--168, New York, NY, USA, 2006. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. E.D. Berger and B.G. Zorn. Efficient probabilistic memory safety. Technical Report UMCS TR-2007-17, Department of Computer Science, University of Massachusetts Amherst, Mar. 2007.Google ScholarGoogle Scholar
  6. E.D. Berger, B.G. Zorn, and K.S. McKinley. Composing high-performance memory allocators. In Proceedings of the 2001 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2001), Snowbird, Utah, June 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. H.-J. Boehm and M. Weiser. Garbage collection in an uncooperative environment. Software Practice and Experience, 18(9):807--820, 1988. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. R.W. Carr and J.L. Hennessy. Wsclock -- a simple and effective algorithm for virtual memory management. In SOSP, pages 87--95, 1981. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. J.S. Chase, H.M. Levy, M.J. Feeley, and E.D. Lazowska. Sharing and protection in a single-address-space operating system. ACM Transactions on Computer Systems, 12(4):271--307, Nov. 1994. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. P.J. Denning. The working set model for program behaviour. Communications of the ACM, 11:323--333, 1968. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. D. Dhurjati and V. Adve. Backwards-Compatible Array Bounds Checking for C with Very Low Overhead. In Proceedings of the 2006 International Conference on Software Engineering (ICSE'06), Shanghai, China, May 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. D. Dhurjati and V. Adve. Efficiently detecting all dangling pointer uses in production servers. In DSN '06: Proceedings of the International Conference on Dependable Systems and Networks (DSN'06), pages 269--280, Washington, DC, USA, 2006. IEEE Computer Society. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. D. Dhurjati, S. Kowshik, and V. Adve. Safecode: enforcing alias analysis for weakly typed languages. In Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation, pages 144--157, New York, NY, USA, 2006. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. D. Dhurjati, S. Kowshik, V. Adve, and C. Lattner. Memory safety without runtime checks or garbage collection. In ACM SIGPLAN 2003 Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES'2003), San Diego, CA, June 2003. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. P. Druschel and L.L. Peterson. High-performance cross-domain data transfer. Technical Report TR 92-11, Dept. Comp. of Sc., U. of Arizona, Tucson, AZ (USA), Mar. 1992.Google ScholarGoogle Scholar
  16. R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Proc. of the Winter 1992 USENIX Conference, pages 125--138, San Francisco, California, 1991.Google ScholarGoogle Scholar
  17. M. Hertz and E.D. Berger. Quantifying the performance of garbage collection vs. explicit memory management. In Proceedings of the 20th annual ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), San Diego, CA, Oct. 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. J. Huck and J. Hays. Architectural support for translation table management in large address space machines. In ISCA '93: Proceedings of the 20th annual international symposium on Computer architecture, pages 39--50, New York, NY, USA, 1993. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. T. Jim, J.G. Morrisett, D. Grossman, M.W. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In Proceedings of the General Track: 2002 USENIX Annual Technical Conference, pages 275--288, Berkeley, CA, USA, 2002. USENIX Association. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. M. Kharbutli, X. Jiang, Y. Solihin, G. Venkataramani, and M. Prvulovic. Comprehensively and efficiently protecting the heap. In ASPLOS-XII: Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems, pages 207--218, New York, NY, USA, 2006. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. D. Lea. A memory allocator. http://gee.cs.oswego.edu/dl/html/malloc.html, 1997.Google ScholarGoogle Scholar
  22. Microsoft Corporation. Pageheap. http://support.microsoft.com/kb/286470.Google ScholarGoogle Scholar
  23. G.C. Necula, S. McPeak, and W. Weimer. CCured: type--safe retrofitting of legacy code. In POPL '02: Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of Programming Languages, pages 128--139, New York, NY, USA, 2002. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. N. Nethercote and J. Fitzhardinge. Bounds-checking entire programs without recompiling. In SPACE 2004, Venice, Italy, Jan. 2004.Google ScholarGoogle Scholar
  25. G. Novark, E.D. Berger, and B.G. Zorn. Exterminator: automatically correcting memory errors with high probability. In PLDI '07: Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation, pages 1--11, New York, NY, USA, 2007. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. O. Ruwase and Monica S. Lam. A practical dynamic buffer overflow detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium, pages 159--169, Feb. 2004.Google ScholarGoogle Scholar
  27. B. Perens. Electric Fence v2.1. http://perens.com/FreeSoftware/ElectricFence/.Google ScholarGoogle Scholar
  28. F. Qin, J. Tucek, J. Sundaresan, and Y. Zhou. Rx: Treating bugs as allergies: A safe method to survive software failures. In Proceedings of the Twentieth Symposium on Operating Systems Principles, volume XX of Operating Systems Review, Brighton, UK, Oct. 2005. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. M. Rinard, C. Cadar, D. Dumitran, D.M. Roy, and T. Leu. A dynamic technique for eliminating buffer overflow vulnerabilities (and other memory errors). In Proceedings of the 2004 Annual Computer Security Applications Conference, Dec. 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. M. Rinard, C. Cadar, D. Dumitran, D.M. Roy, T. Leu, and J. William S. Beebee. Enhancing server availability and security through failure-oblivious computing. In Sixth Symposium on Operating Systems Design and Implementation, San Francisco, CA, Dec. 2004. USENIX. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. J. Seward and N. Nethercote. Using Valgrind to detect undefined value errors with bit-precision. In Proceedings of the USENIX'05 Annual Technical Conference, Anaheim, California, USA, Apr. 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. N. Swamy, M. Hicks, G. Morrisett, D. Grossman, and T. Jim. Experience with safe manual memory management in cyclone. Science of Computer Programming, 2006. Special issue on memory management. Expands ISMM conference paper of the same name. To appear. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Symantec. Internet security threat report. http://www.symantec.com/enterprise/threatreport/index.jsp, Sept. 2006.Google ScholarGoogle Scholar
  34. P.R. Wilson, S.F. Kaplan, and Y. Smaragdakis. The case for compressed caching in virtual memory systems. In Proceedings of the Annual Technical Conference on 1999 USENIX Annual Technical Conference, pages 101--116, Berkeley, CA, USA, 1999. USENIX Association. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. W. Xu, D.C. DuVarney, and R. Sekar. An efficient and backwards-compatible transformation to ensure memory safety of C programs. In SIGSOFT'04/FSE-12: Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering, pages 117--126, New York, NY, USA, 2004. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. C. Yarvin, R. Bukowski, and T. Anderson. Anonymous RPC: Low-latency protection in a 64-bit address space. In Proceedings of the 1993 Summer USENIX Conference, pages 175--186, 1993. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. S.H. Yong and S. Horwitz. Protecting C programs from attacks via invalid pointer dereferences. In ESEC/FSE--11: 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 307--316, New York, NY, USA, 2003. ACM Press. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Archipelago: trading address space for reliability and security

                  Recommendations

                  Comments

                  Login options

                  Check if you have access through your login credentials or your institution to get full access on this article.

                  Sign in

                  Full Access

                  PDF Format

                  View or Download as a PDF file.

                  PDF

                  eReader

                  View online with eReader.

                  eReader
                  About Cookies On This Site

                  We use cookies to ensure that we give you the best experience on our website.

                  Learn more

                  Got it!