Abstract
Memory shadowing maps addresses in an application's memory to values stored in a disjoint memory space called shadow memory. At runtime, shadow values store metadata about the application memory locations they are mapped to. Shadow state encodings, that is, the structure of shadow values and their interpretation, vary across tools. The encodings used by state-of-the-art monitoring tools have proven useful for tracking memory at byte level, but they cannot express properties related to memory block boundaries. Tracking block boundaries is, however, crucial for spatial memory safety analysis, where a spatial violation such as an out-of-bounds access may dereference an allocated location belonging to an adjacent block or to a different struct member.
This paper describes two novel shadow state encodings that capture block-boundary-related properties. These encodings have been implemented in E-ACSL, a runtime verification tool for C programs. Initial experiments that check the validity of pointer and array accesses in computationally intensive runs of programs selected from the SPEC CPU benchmarks show runtime and memory overheads comparable to those of state-of-the-art memory debuggers.
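The following C program is an added illustration of the distinction the abstract draws; it is not E-ACSL's encoding or code from the paper, and all names in it (shadow_alloc, byte_level_valid, block_level_valid, the 64-byte simulated memory) are hypothetical. It shadows a small simulated application memory twice: once with a byte-level addressability flag, and once with a per-byte block id backed by a base/length table. With two blocks allocated back to back and no gap between them, an access that runs off the end of the first block into the second is accepted by the byte-level check (every byte is addressable) but rejected by the block-level check (the access crosses the block's upper bound).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative shadow memory over a simulated 64-byte application memory.
 * Addresses are offsets into app_mem. Hypothetical names throughout;
 * this is not E-ACSL's encoding. */
#define APP_SIZE 64u
#define MAX_BLOCKS 8u

static uint8_t app_mem[APP_SIZE];

/* Encoding 1 (byte level): 1 = byte belongs to an allocated block, 0 = not.
 * Records addressability only; carries no block identity. */
static uint8_t byte_shadow[APP_SIZE];

/* Encoding 2 (block level): each byte's shadow holds the id of its block
 * (0 = unallocated); a side table maps ids to base address and length. */
static uint8_t block_shadow[APP_SIZE];
static size_t block_base[MAX_BLOCKS];
static size_t block_len[MAX_BLOCKS];
static uint8_t next_block_id = 1;

/* Clear all shadow state so a scenario starts from an empty heap. */
void shadow_reset(void)
{
    memset(app_mem, 0, sizeof app_mem);
    memset(byte_shadow, 0, sizeof byte_shadow);
    memset(block_shadow, 0, sizeof block_shadow);
    memset(block_base, 0, sizeof block_base);
    memset(block_len, 0, sizeof block_len);
    next_block_id = 1;
}

/* Register an allocation [addr, addr+len) in both encodings. Returns the
 * new block id, or 0 if the request is empty, out of range, overlaps a
 * live block, or the id table is full. */
uint8_t shadow_alloc(size_t addr, size_t len)
{
    if (len == 0 || addr > APP_SIZE || len > APP_SIZE - addr
        || next_block_id >= MAX_BLOCKS)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (block_shadow[addr + i] != 0)
            return 0;               /* overlap with a live block */
    uint8_t id = next_block_id++;
    block_base[id] = addr;
    block_len[id] = len;
    for (size_t i = 0; i < len; i++) {
        byte_shadow[addr + i] = 1;
        block_shadow[addr + i] = id;
    }
    return id;
}

/* Byte-level check: every byte of [addr, addr+n) is addressable. */
int byte_level_valid(size_t addr, size_t n)
{
    if (n == 0 || addr > APP_SIZE || n > APP_SIZE - addr)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!byte_shadow[addr + i])
            return 0;
    return 1;
}

/* Block-level check: [addr, addr+n) lies entirely inside the one block
 * that addr belongs to, i.e. it does not cross that block's upper bound. */
int block_level_valid(size_t addr, size_t n)
{
    if (n == 0 || addr >= APP_SIZE)
        return 0;
    uint8_t id = block_shadow[addr];
    if (id == 0)
        return 0;                   /* addr is not inside any block */
    size_t end = block_base[id] + block_len[id];
    return n <= end - addr;         /* addr < end holds by construction */
}

/* Scenario from the abstract: blocks [0,8) and [8,16) are adjacent with no
 * gap. A 4-byte access at offset 6 touches bytes 6..9 and spills into the
 * second block. Returns 1 when only the block-level check rejects it. */
int scenario_adjacent_overflow(void)
{
    shadow_reset();
    if (shadow_alloc(0, 8) == 0 || shadow_alloc(8, 8) == 0)
        return -1;
    int byte_ok  = byte_level_valid(6, 4);
    int block_ok = block_level_valid(6, 4);
    return byte_ok == 1 && block_ok == 0;
}

int main(void)
{
    printf("adjacent-block overflow caught only by block-level encoding: %s\n",
           scenario_adjacent_overflow() == 1 ? "yes" : "no");
    return 0;
}
```

The block-level encoding here tracks allocation boundaries only; catching an access that crosses from one struct member into the next, which the abstract also mentions, would require registering each member as its own block. Real byte-level monitors partly compensate for the missing block identity by inserting unaddressable redzones between allocations, which is why the scenario above deliberately leaves no gap between the two blocks.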
Shadow state encoding for efficient monitoring of block-level properties. ISMM 2017: Proceedings of the 2017 ACM SIGPLAN International Symposium on Memory Management.