skip to main content
research-article

Validation of memory accesses through symbolic analyses

Published:15 October 2014Publication History
Skip Abstract Section

Abstract

The C programming language does not prevent out-of-bounds memory accesses. There exist several techniques to secure C programs; however, these methods tend to slow down these programs substantially, because they populate the binary code with runtime checks. To deal with this problem, we have designed and tested two static analyses - symbolic region and range analysis - which we combine to remove the majority of these guards. In addition to the analyses themselves, we bring two other contributions. First, we describe live range splitting strategies that improve the efficiency and the precision of our analyses. Secondly, we show how to deal with integer overflows, a phenomenon that can compromise the correctness of static algorithms that validate memory accesses. We validate our claims by incorporating our findings into AddressSanitizer. We generate SPEC CINT 2006 code that is 17% faster and 9% more energy efficient than the code produced originally by this tool. Furthermore, our approach is 50% more effective than Pentagons, a state-of-the-art analysis to sanitize memory accesses.

References

  1. P. Akritidis, M. Costa, M. Castro, and S. Hand. Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In SSYM, pages 51--66. USENIX, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. S. Ananian. The static single information form. Master's thesis, MIT, September 1999.Google ScholarGoogle Scholar
  3. L. O. Andersen. Program Analysis and Specialization for the C Programming Language. PhD thesis, DIKU, University of Copenhagen, 1994.Google ScholarGoogle Scholar
  4. C. Bauer, A. Frink, and R. Kreckel. Introduction to the GiNaC framework for symbolic computation within the C++ programming language. J. Symb. Comput., 33(1):1--12, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. W. Blume and R. Eigenmann. Symbolic range propagation. In IPPS, pages 357--363, 1994. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. R. Bodik, R. Gupta, and V. Sarkar. ABCD: eliminating array bounds checks on demand. In PLDI, pages 321--333. ACM, 2000. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. D. Brumley, D. X. Song, T. cker Chiueh, R. Johnson, and H. Lin. RICH: Automatically protecting against integer-based vulnerabilities. In NDSS. USENIX, 2007.Google ScholarGoogle Scholar
  8. J.-D. Choi, R. Cytron, and J. Ferrante. Automatic construction of sparse data flow evaluation graphs. In POPL, pages 55--66. ACM, 1991. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In POPL, pages 238--252. ACM, 1977. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In POPL, pages 84--96. ACM, 1978. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, and X. Rival. Why does astrée scale up? Form. Methods Syst. Des., 35(3):229--264, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. R. Cytron, J. Ferrante, B. Rosen, M.Wegman, and K. Zadeck. Efficiently computing static single assignment form and the control dependence graph. TOPLAS, 13(4):451--490, 1991. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. D. Dhurjati, S. Kowshik, and V. Adve. SAFECode: enforcing alias analysis for weakly typed languages. In PLDI, pages 144--157. ACM, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. W. Dietz, P. Li, J. Regehr, and V. Adve. Understanding integer overflow in C/C++. In ICSE, pages 760--770. IEEE, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. J. Ferrante, J. Ottenstein, and D. Warren. The program dependence graph and its use in optimization. TOPLAS, 9(3): 319--349, 1987. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. P. Ferrara, F. Logozzo, and M. Fähndrich. Safer unsafe code for .net. SIGPLAN Not., 43(10):329--346, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. B. Hardekopf and C. Lin. The ant and the grasshopper: fast and accurate pointer analysis for millions of lines of code. In PLDI, pages 290--299. ACM, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. C. Lattner and V. S. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In CGO, pages 75--88. IEEE, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. F. Logozzo and M. Fähndrich. Pentagons: A weakly relational abstract domain for the efficient validation of array accesses. Sci. Comput. Program., 75(9):796--807, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. A. Miné. The octagon abstract domain. Higher Order Symbol. Comput., 19:31--100, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. A. Miné. Backward under-approximations in numeric abstract domains to automatically infer sufficient program conditions. Science of Computer Programming, 2013.Google ScholarGoogle Scholar
  22. S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic. Softbound: Highly compatible and complete spatial memory safety for c. In PLDI, pages 245--258. ACM, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. F. Nielson, H. R. Nielson, and C. Hankin. Principles of program analysis. Springer, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. H. Oh, K. Heo, W. Lee, W. Lee, and K. Yi. Design and implementation of sparse global analyses for c-like languages. In PLDI, pages 1--11. ACM, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. A. A. Rimsa, M. D'Amorim, F. M. Q. Pereira, and R. Bigonha. Efficient static checker for tainted variable attacks. Science of Computer Programming, 80(1):91--105, 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. R. E. Rodrigues, V. H. S. Campos, and F. M. Q. Pereira. A fast and low overhead technique to secure programs against integer overflows. In CGO. ACM, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. R. Rugina and M. C. Rinard. Symbolic bounds analysis of pointers, array indices, and accessed memory regions. TOPLAS, 27(2):185--235, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. E. J. Schwartz, T. Avgerinos, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In S&P, pages 1--15. IEEE, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov. Addresssanitizer: a fast address sanity checker. In USENIX ATC, pages 28--28. USENIX Association, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. M. S. Simpson and R. K. Barua. Memsafe: Ensuring the spatial and temporal memory safety of c at runtime. Softw. Pract. Exper., 43(1):93--128, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. D. Singh and W. J. Kaiser. The atom LEAP platform for energy-efficient embedded computing. Technical Report 88b146bk, UCLA, 2010.Google ScholarGoogle Scholar
  32. A. L. C. Tavares, B. Boissinot, F. M. Q. Pereira, and F. Rastello. Parameterized construction of program representations for sparse dataflow analyses. In Compiler Construction, pages 2--21. Springer, 2014.Google ScholarGoogle ScholarCross RefCross Ref
  33. F. Tip. A survey of program slicing techniques. Technical report, CWI, 1994. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. J. von Ronne, A. Gampe, D. Niedzielski, and K. Psarris. Safe bounds check annotations. Concurr. Comput.: Pract. Exper., 21(1):41--57, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. M. Weiser. Program slicing. In ICSE, pages 439--449. IEEE, 1981. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. J. Wilander and M. Kamkar. A comparison of publicly available tools for dynamic buffer overflow prevention. In NDSS, pages 1--12. USENIX, 2003.Google ScholarGoogle Scholar
  37. J. Zhao, S. Nagarakatte, M. M. K. Martin, and S. Zdancewic. Formal verification of ssa-based optimizations for llvm. In PLDI, pages 175--186. ACM, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Validation of memory accesses through symbolic analyses

    Recommendations

    Comments

    Login options

    Check if you have access through your login credentials or your institution to get full access on this article.

    Sign in

    Full Access

    • Published in

      cover image ACM SIGPLAN Notices
      ACM SIGPLAN Notices  Volume 49, Issue 10
      OOPSLA '14
      October 2014
      907 pages
      ISSN:0362-1340
      EISSN:1558-1160
      DOI:10.1145/2714064
      • Editor:
      • Andy Gill
      Issue’s Table of Contents
      • cover image ACM Conferences
        OOPSLA '14: Proceedings of the 2014 ACM International Conference on Object Oriented Programming Systems Languages & Applications
        October 2014
        946 pages
        ISBN:9781450325851
        DOI:10.1145/2660193

      Copyright © 2014 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 15 October 2014

      Check for updates

      Qualifiers

      • research-article

    PDF Format

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader
    About Cookies On This Site

    We use cookies to ensure that we give you the best experience on our website.

    Learn more

    Got it!