skip to main content

MSWasm: Soundly Enforcing Memory-Safe Execution of Unsafe Code

Published:11 January 2023Publication History
Skip Abstract Section

Abstract

Most programs compiled to WebAssembly (Wasm) today are written in unsafe languages like C and C++. Unfortunately, memory-unsafe C code remains unsafe when compiled to Wasm—and attackers can exploit buffer overflows and use-after-frees in Wasm almost as easily as they can on native platforms. Memory- Safe WebAssembly (MSWasm) proposes to extend Wasm with language-level memory-safety abstractions to precisely address this problem. In this paper, we build on the original MSWasm position paper to realize this vision. We give a precise and formal semantics of MSWasm, and prove that well-typed MSWasm programs are, by construction, robustly memory safe. To this end, we develop a novel, language-independent memory-safety property based on colored memory locations and pointers. This property also lets us reason about the security guarantees of a formal C-to-MSWasm compiler—and prove that it always produces memory-safe programs (and preserves the semantics of safe programs). We use these formal results to then guide several implementations: Two compilers of MSWasm to native code, and a C-to-MSWasm compiler (that extends Clang). Our MSWasm compilers support different enforcement mechanisms, allowing developers to make security-performance trade-offs according to their needs. Our evaluation shows that on the PolyBenchC suite, the overhead of enforcing memory safety in software ranges from 22% (enforcing spatial safety alone) to 198% (enforcing full memory safety), and 51.7% when using hardware memory capabilities for spatial safety and pointer integrity.

More importantly, MSWasm’s design makes it easy to swap between enforcement mechanisms; as fast (especially hardware-based) enforcement techniques become available, MSWasm will be able to take advantage of these advances almost for free.

References

  1. Carmine Abate, Roberto Blanco, Deepak Garg, Cătălin Hriţcu, Marco Patrignani, and Jérémy Thibault. 2019. Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation. In 2019 IEEE 32th Computer Security Foundations Symposium (CSF 2019). Google ScholarGoogle Scholar
  2. Periklis Akritidis, Manuel Costa, Miguel Castro, and Steven Hand. 2009. Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors. In USENIX Security Symposium. 10. Google ScholarGoogle Scholar
  3. Arm. 2019. Armv8.5-A Memory Tagging Extension. White Paper. Google ScholarGoogle Scholar
  4. 2022. Arm Morello Program. https://www.arm.com/architecture/cpu/morello Google ScholarGoogle Scholar
  5. Todd M. Austin, Scott E. Breach, and Gurindar S. Sohi. 1994. Efficient Detection of All Pointer and Array Access Errors. In Proceedings of the ACM SIGPLAN 1994 Conference on Programming Language Design and Implementation (PLDI ’94). Association for Computing Machinery, New York, NY, USA. 290–301. isbn:089791662X https://doi.org/10.1145/178243.178446 Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Arthur Azevedo de Amorim, Cătălin Hriţcu, and Benjamin C. Pierce. 2018. The Meaning of Memory Safety. In Principles of Security and Trust, Lujo Bauer and Ralf Küsters (Eds.). Springer International Publishing, Cham. 79–105. isbn:978-3-319-89722-6 Google ScholarGoogle Scholar
  7. Jay Bosamiya, Wen Shih Lim, and Bryan Parno. 2022. Provably-Safe Multilingual Software Sandboxing using WebAssembly. In USENIX Security Symposium. Google ScholarGoogle Scholar
  8. CTSRD-CHERI. 2022. The CHERI LLVM Compiler Infrastructure. https://github.com/CTSRD-CHERI/llvm-project Google ScholarGoogle Scholar
  9. A. A. d. Amorim, M. Dénès, N. Giannarakis, C. Hritcu, B. C. Pierce, A. Spector-Zabusky, and A. Tolmach. 2015. Micro-Policies: Formally Verified, Tag-Based Security Monitors. In 2015 IEEE Symposium on Security and Privacy. 813–830. https://doi.org/10.1109/SP.2015.55 Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Thurston HY Dang, Petros Maniatis, and David Wagner. 2017. Oscar: A Practical page-permissions-based scheme for thwarting dangling pointers. In USENIX Security. Google ScholarGoogle Scholar
  11. Joe Devietti, Colin Blundell, Milo M. K. Martin, and Steve Zdancewic. 2008. Hardbound: Architectural Support for Spatial Safety of the C Programming Language. In Proceedings of the 13th International Conference on Architectural Support for Programming Languages and Operating Systems. ACM, New York, NY, USA. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Craig Disselkoen, John Renner, Conrad Watt, Tal Garfinkel, Amit Levy, and Deian Stefan. 2019. Position Paper: Progressive Memory Safety for WebAssembly. In Proceedings of the 8th International Workshop on Hardware and Architectural Support for Security and Privacy. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Nathaniel Wesley Filardo, Brett F Gutstein, Jonathan Woodruff, Sam Ainsworth, Lucian Paul-Trifu, Brooks Davis, Hongyan Xia, Edward Tomasz Napierala, Alexander Richardson, and John Baldwin. 2020. Cornucopia: Temporal safety for CHERI heaps. In 2020 IEEE Symposium on Security and Privacy (SP). 608–625. Google ScholarGoogle ScholarCross RefCross Ref
  14. Phani Kishore Gadepalli, Sean McBride, Gregor Peach, Ludmila Cherkasova, and Gabriel Parmer. 2020. Sledge: A Serverless-First, Light-Weight Wasm Runtime for the Edge. In Proceedings of the 21st International Middleware Conference (Middleware ’20). ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Richard Grisenthwaite. 2019. Supporting the UK in becoming a leading global player in cybersecurity. https://community.arm.com/blog/company/b/blog/posts/supporting-the-uk-in-becoming-a-leading-global-player-in-cybersecurity Google ScholarGoogle Scholar
  16. Andreas Haas, Andreas Rossberg, Derek L. Schuff, Ben L. Titzer, Michael Holman, Dan Gohman, Luke Wagner, Alon Zakai, and JF Bastien. 2017. Bringing the Web up to Speed with WebAssembly. In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2017). Association for Computing Machinery, New York, NY, USA. 185–200. isbn:9781450349888 https://doi.org/10.1145/3062341.3062363 Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Andreas Haas, Andreas Rossberg, Derek L. Schuff, Ben L. Titzer, Michael Holman, Dan Gohman, Luke Wagner, Alon Zakai, and JF Bastien. 2017. Bringing the Web up to Speed with WebAssembly. SIGPLAN Not., 52, 6 (2017), June, 185–200. issn:0362-1340 https://doi.org/10.1145/3140587.3062363 Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Istvan Haller, Yuseok Jeon, Hui Peng, Mathias Payer, Cristiano Giuffrida, Herbert Bos, and Erik Van Der Kouwe. 2016. TypeSan: Practical type confusion detection. In Conference on Computer and Communications Security. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Michael Hicks. 2014. What is memory safety? http://www.pl-enthusiast.net/2014/07/21/memory-safety/ Google ScholarGoogle Scholar
  20. Aaron Hilbig, Daniel Lehmann, and Michael Pradel. 2021. An Empirical Study of Real-World WebAssembly Binaries: Security, Languages, Use Cases. ACM. Google ScholarGoogle Scholar
  21. Abhinav Jangda, Bobby Powers, Emery D. Berger, and Arjun Guha. 2019. Not So Fast: Analyzing the Performance of WebAssembly vs. Native Code. In 2019 USENIX Annual Technical Conference (USENIX ATC 19). USENIX Association. Google ScholarGoogle Scholar
  22. Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, and Yanling Wang. 2002. Cyclone: A Safe Dialect of C. In 2002 USENIX Annual Technical Conference (USENIX ATC 02). USENIX Association. Google ScholarGoogle Scholar
  23. Taddeus Kroes, Koen Koning, Erik van der Kouwe, Herbert Bos, and Cristiano Giuffrida. 2018. Delta Pointers: Buffer Overflow Checks without the Checks. In Proceedings of the Thirteenth EuroSys Conference. ACM. Google ScholarGoogle Scholar
  24. Albert Kwon, Udit Dhawan, Jonathan M. Smith, Thomas F. Knight, and Andre DeHon. 2013. Low-Fat Pointers: Compact Encoding and Efficient Gate-Level Implementation of Fat Pointers for Spatial Safety and Capability-Based Security. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security. ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Long Lu, and Wenke Lee. 2015. Preventing Use-after-free with Dangling Pointers Nullification.. In NDSS. The Internet Society. http://dblp.uni-trier.de/db/conf/ndss/ndss2015.html##LeeSJWKLL15 Google ScholarGoogle ScholarCross RefCross Ref
  26. Daniel Lehmann, Johannes Kinder, and Michael Pradel. 2020. Everything Old is New Again: Binary Security of WebAssembly. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association. Google ScholarGoogle Scholar
  27. Michael LeMay, Joydeep Rakshit, Sergej Deutsch, David M Durham, Santosh Ghosh, Anant Nori, Jayesh Gaur, Andrew Weiler, Salmin Sultana, and Karanvir Grewal. 2021. Cryptographic Capability Computing. In IEEE/ACM International Symposium on Microarchitecture. ACM. Google ScholarGoogle Scholar
  28. Xavier Leroy. 2009. A Formally Verified Compiler Back-end. Journal of Automated Reasoning, 43, 4 (2009), 363–446. http://dx.doi.org/10.1007/s10817-009-9155-4 Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Hans Liljestrand, Thomas Nyman, Kui Wang, Carlos Chinea Perez, Jan-Erik Ekberg, and N. Asokan. 2019. PAC it up: Towards Pointer Integrity using ARM Pointer Authentication. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association. Google ScholarGoogle Scholar
  30. Tyler McMullen. 2020. Lucet: A Compiler and Runtime for High-Concurrency Low-Latency Sandboxing. Principles of Secure Compilation (PriSC). Google ScholarGoogle Scholar
  31. Kayvan Memarian, Victor B. F. Gomes, Brooks Davis, Stephen Kell, Alexander Richardson, Robert N. M. Watson, and Peter Sewell. 2019. Exploring C Semantics and Pointer Provenance. Proc. ACM Program. Lang., 3, POPL (2019), Article 67, Jan., 32 pages. https://doi.org/10.1145/3290380 Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Kayvan Memarian, Victor B. F. Gomes, Brooks Davis, Stephen Kell, Alexander Richardson, Robert N. M. Watson, and Peter Sewell. 2019. Exploring C Semantics and Pointer Provenance. Proc. ACM Program. Lang., 3, POPL (2019), Article 67, jan, 32 pages. https://doi.org/10.1145/3290380 Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Kayvan Memarian, Justus Matthiesen, James Lingard, Kyndylan Nienhuis, David Chisnall, Robert N. M. Watson, and Peter Sewell. 2016. Into the Depths of C: Elaborating the de Facto Standards. SIGPLAN Not., 51, 6 (2016), June, 1–15. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. MSWasm. [n.d.]. Memory-Safe WebAssembly. https://mswasm.programming.systems Google ScholarGoogle Scholar
  35. MSWasm. 2023. Reproduction Package for “MSWasm: Soundly Enforcing Memory-Safe Execution of Unsafe Code”. https://doi.org/10.1145/3554344 Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Santosh Nagarakatte, Jianzhou Zhao, Milo M.K. Martin, and Steve Zdancewic. 2009. SoftBound: Highly Compatible and Complete Spatial Memory Safety for C. SIGPLAN Not., 44, 6 (2009), June, 245–258. issn:0362-1340 https://doi.org/10.1145/1543135.1542504 Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Santosh Nagarakatte, Jianzhou Zhao, Milo M.K. Martin, and Steve Zdancewic. 2010. CETS: Compiler Enforced Temporal Safety for C. SIGPLAN Not., 45, 8 (2010), June, 31–40. issn:0362-1340 https://doi.org/10.1145/1837855.1806657 Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. 2020. Retrofitting Fine Grain Isolation in the Firefox Renderer. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association. Google ScholarGoogle Scholar
  39. George C. Necula, Jeremy Condit, Matthew Harren, Scott McPeak, and Westley Weimer. 2005. CCured: Type-safe Retrofitting of Legacy Software. ACM Trans. Program. Lang. Syst., 27, 3 (2005), May, 477–526. issn:0164-0925 https://doi.org/10.1145/1065887.1065892 Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. Oleksii Oleksenko, Dmitrii Kuvaiskii, Pramod Bhatotia, Pascal Felber, and Christof Fetzer. 2018. Intel MPX Explained: A Cross-Layer Analysis of the Intel MPX System Stack. Proc. ACM Meas. Anal. Comput. Syst., 2, 2 (2018), Article 28, jun, 30 pages. https://doi.org/10.1145/3224423 Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Aleph One. 1996. Smashing the stack for fun and profit. Phrack magazine, 7, 49 (1996), 14–16. Google ScholarGoogle Scholar
  42. Oracle. 2021. GraalVM. https://www.graalvm.org/ Google ScholarGoogle Scholar
  43. Oracle. 2021. Truffle Language Implementation Framework. https://www.graalvm.org/22.0/graalvm-as-a-platform/language-implementation-framework/ Google ScholarGoogle Scholar
  44. Matthew Parkinson, Kapil Vaswani, Dimitrios Vytiniotis, Manuel Costa, Pantazis Deligiannis, Aaron Blankstein, Dylan McDermott, and Jonathan Balkind. 2017. Project Snowflake: Non-blocking safe manual memory management in .NET. Microsoft. https://www.microsoft.com/en-us/research/publication/project-snowflake-non-blocking-safe-manual-memory-management-net/ Google ScholarGoogle Scholar
  45. Harish Patil and Charles Fischer. 1997. Low-Cost, Concurrent Checking of Pointer and Array Accesses in C Programs. Softw. Pract. Exper., 27, 1 (1997), jan, 87–110. issn:0038-0644 Google ScholarGoogle Scholar
  46. Gregor Peach, Runyu Pan, Zhuoyi Wu, Gabriel Parmer, Christopher Haster, and Ludmila Cherkasova. 2020. eWASM: Practical Software Fault Isolation for Reliable Embedded Devices. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 39, 11 (2020), 3492–3505. https://doi.org/10.1109/TCAD.2020.3012647 Google ScholarGoogle ScholarCross RefCross Ref
  47. Louis-Noel Pouchet. 2011. PolyBench-C: the Polyhedral Benchmark suite. https://web.cs.ucla.edu/ pouchet/software/polybench/ Google ScholarGoogle Scholar
  48. Aleksandar Prokopec. 2019. Announcing GraalWasm – a WebAssembly engine in GraalVM. https://medium.com/graalvm/announcing-graalwasm-a-webassembly-engine-in-graalvm-25cd0400a7f2 Google ScholarGoogle Scholar
  49. Andrew Ruef, Leonidas Lampropoulos, Ian Sweet, David Tarditi, and Michael Hicks. 2019. Achieving Safety Incrementally with Checked C. In Principles of Security and Trust. Springer. Google ScholarGoogle Scholar
  50. Fred B. Schneider. 2000. Enforceable Security Policies. ACM Trans. Inf. Syst. Secur., 3, 1 (2000), feb, 30–50. issn:1094-9224 https://doi.org/10.1145/353323.353382 Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. SoK: Eternal War in Memory. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP ’13). IEEE Computer Society. Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. Gang Tan. 2017. Principles and Implementation Techniques of Software-Based Fault Isolation. 1, Now Publishers Inc.. Google ScholarGoogle Scholar
  53. Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. 1993. Efficient Software-based Fault Isolation. In Proceedings of the Fourteenth ACM Symposium on Operating Systems Principles (SOSP ’93). ACM. Google ScholarGoogle ScholarDigital LibraryDigital Library
  54. Robert N.M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, and Munraj Vadera. 2015. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. In 2015 IEEE Symposium on Security and Privacy. 20–37. https://doi.org/10.1109/SP.2015.9 Google ScholarGoogle ScholarDigital LibraryDigital Library
  55. WebAssembly. [n.d.]. WebAssembly System Interface. https://github.com/WebAssembly/wasi Google ScholarGoogle Scholar
  56. Hongyan Xia, Jonathan Woodruff, Sam Ainsworth, Nathaniel W. Filardo, Michael Roe, Alexander Richardson, Peter Rugg, Peter G. Neumann, Simon W. Moore, Robert N. M. Watson, and Timothy M. Jones. 2019. CHERIvoke: Characterising Pointer Revocation Using CHERI Capabilities for Temporal Memory Safety. In Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO ’52). Association for Computing Machinery, New York, NY, USA. 545–557. isbn:9781450369381 https://doi.org/10.1145/3352460.3358288 Google ScholarGoogle ScholarDigital LibraryDigital Library
  57. Wei Xu, Daniel C. DuVarney, and R. Sekar. 2004. An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs. In Proceedings of the 12th ACM SIGSOFT Twelfth International Symposium on Foundations of Software Engineering. ACM. Google ScholarGoogle Scholar

Index Terms

  1. MSWasm: Soundly Enforcing Memory-Safe Execution of Unsafe Code

    Recommendations

    Comments

    Login options

    Check if you have access through your login credentials or your institution to get full access on this article.

    Sign in

    Full Access

    PDF Format

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader
    About Cookies On This Site

    We use cookies to ensure that we give you the best experience on our website.

    Learn more

    Got it!