Effective and Efficient Memory Protection Using Dynamic Tainting

Ioannis Doudalis, Student Member, IEEE, James Clause, Member, IEEE, Guru Venkataramani, Member, IEEE, Milos Prvulovic, Senior Member, IEEE, and Alessandro Orso, Member, IEEE

Abstract—Programs written in languages allowing direct access to memory through pointers often contain memory-related faults, which cause non-deterministic failures and security vulnerabilities. We present a new dynamic tainting technique to detect illegal memory accesses. When memory is allocated, at runtime, we taint both the memory and the corresponding pointer using the same taint mark. Taint marks are then propagated and checked every time a memory address m is accessed through a pointer p; if the associated taint marks differ, an illegal access is reported. To allow always-on checking using a low-overhead, hardware-assisted implementation, we make several key technical decisions. We use a configurable, low number of reusable taint marks instead of a unique mark for each allocated area of memory, reducing the performance overhead without losing the ability to target most memory-related faults. We also define the technique at the binary level, which helps handle applications using third-party libraries whose source code is unavailable. We created a software-only prototype of our technique and simulated a hardware-assisted implementation. Our results show that (1) it identifies a large class of memory-related faults, even when using only two unique taint marks, and (2) a hardware-assisted implementation can achieve performance overheads in single-digit percentages.

Index Terms—C Computer Systems Organization, C.0.b Hardware/software interfaces, C.1 Processor Architectures, D.2.5.g Monitors

• I. Doudalis, M. Prvulovic and A. Orso are with the College of Computing, Georgia Institute of Technology, Klaus Advanced Computing Building, 266 Ferst Drive, Atlanta, GA 30332-0765. E-mail: {idoud,milos,orso}@cc.gatech.edu.
• J. Clause is with the University of Delaware, 18 Amstel Ave, 439 Smith Hall, Newark, DE 19711. E-mail: [email protected].
• G. Venkataramani is with the Department of Electrical and Computer Engineering, The George Washington University, 801 22nd St, Suite 624D, Washington, DC 20052. E-mail: [email protected].

1 INTRODUCTION

Memory-related faults are a serious problem for languages that allow direct memory access through pointers. An important class of memory-related faults are what we call illegal memory accesses. In languages such as C and C++, when memory is allocated, a currently-free area of memory m of the required size is reserved. After m is allocated, its starting address can be assigned to a pointer p, either immediately (e.g., in the case of heap allocated memory) or at a later time (e.g., when retrieving and storing the address of a local variable). An access to m is legal only if 1) it uses pointer p or a pointer derived from p and 2) the access occurs during the interval when p is valid (i.e., between the allocation and deallocation of m). All other accesses to m are illegal memory accesses (IMAs), where a pointer is used to access memory outside the bounds of the memory area with which it was originally associated, or outside the time period during which the pointer is valid.

IMAs are especially relevant for several reasons. First, they are caused by typical programming errors, such as array-out-of-bounds accesses and stale pointer dereferences, and are thus widespread and common. Second, they often result in non-deterministic failures that are hard to identify and diagnose; the specific effects of an IMA depend on several factors, such as memory layout, that may vary between executions. Finally, many security concerns such as viruses, worms, and rootkits use IMAs as injection vectors.

This paper is an extended version of our previous work [3], which presents a new dynamic technique for protecting programs against most known types of IMAs. The basic idea behind the technique is to use dynamic tainting, also known as dynamic information flow tracking (DIFT) [11], to link memory areas with their valid pointers. Every time memory is accessed through a pointer, our technique checks if the access is legal by comparing the taint mark associated with the memory and the taint mark associated with the pointer used to access it. The access is considered legitimate if the taint marks match. Otherwise, an IMA is reported.

Because our technique is intended for efficient hardware-assisted implementation, one of the key goals in our design is to allow runtime decisions about the tradeoff between application performance and IMA detection probability. Whereas a software-only tool can select among any number of schemes that offer different tradeoffs, in a hardware-assisted tool the hardware cost would be the sum of the hardware costs of all supported schemes. In effect, hardware support for each distinct scheme would be included in the hardware cost of a system even if that particular system never actually uses that scheme. For this reason, our technique should be parametrized such that the same scheme can be used to achieve different points in the performance-accuracy tradeoff. We achieve this parametrization by using a configurable number of taint marks, instead of using a distinct taint mark for each memory allocation. Limiting the number of taint marks can result in false negatives, because different memory regions and their pointers can have the same taint mark, and an IMA where the address and the memory region happen to have the same taint mark would be undetected. Thus, the probability of IMA detection depends on how many taint marks can be used. The hardware-assisted performance of the scheme also depends on the number of taint marks: the number of bits needed to encode each taint mark determines how much extra capacity and bandwidth are used by the memory subsystem, and also how much extra latency is added by taint propagation circuitry. Overall, the number of taint marks can be used to select the desired point in the performance-accuracy tradeoff.

Our evaluation has dual goals: evaluating the ability of our technique to detect IMAs, and determining its effect on program performance. To assess IMA detection, we developed a software-only prototype that implements the approach for x86 64-bit binaries and protects stack, heap and global allocated memory, and was used to perform a set of empirical studies. This prototype instruments the application's code using LLVM [16], and its runtime component is built within DYTAN [4], a generic dynamic-taint analysis framework. To determine the performance impact of the hardware-assisted implementation, we implemented another prototype within the SESC [23] computer architecture simulator that uses MIPS binaries. This two-pronged evaluation approach is needed because hardware simulation is extremely time-consuming, making start-to-finish simulations of real large programs with known IMAs infeasible. Instead, we use a software-only prototype to run these programs to evaluate our technique's IMA detection ability, but determine expected overheads using a benchmarking methodology traditionally used in computer architecture research: simulation of smaller applications using only a representative fraction of the entire run.

Our experiments show that our proposed technique can identify a large number of IMAs, even when using only one-bit taint marks (only two unique taint marks). They also show that a hardware-assisted implementation imposes low time overheads, typically a few percent for a single taint mark, that grow moderately as the number of taint marks increases. These low overheads should make our scheme practical for use on deployed software.

The contributions of this paper are:
• A new technique for detecting IMAs that is effective and amenable to hardware-supported implementation.
• A design space analysis for hardware implementation of our technique.

    void prRandStr(int n) {
    1.  int i, seed;
    2.  char *buffer;
    3.  buffer = (char *) malloc(n);
    4.  if (buffer == NULL) return;
    5.  getSeedFromUser(&seed);
    6.  srand(seed);
    7.  for(i = 0; i <= n; i++)            /* fault */
    8.    buffer[i] = rand()%26+'a';       /* IMA */
    9.  buffer[n - 1] = '\0';
    10. free(buffer);
    11. printf("Random string: %s\n", buffer);
    }

Fig. 1. An example IMA.

given an integer n, generates and prints a string of n − 1 random characters. We slightly modified the original code by adding the use of a seed for the random number generation and adding a call to a function (getSeedFromUser) that reads the seed from the user and returns it in a parameter passed by address. We also introduced two memory-related faults. First, at line 7 we changed the terminating condition for the for loop from "i < n" to "i <= n", which causes the statement at line 8 to write a random character at position buffer + n. Because the address at offset n is outside the bounds of the memory area pointed to by buffer, accessing it through buffer is an IMA. The second IMA we introduced is that buffer is freed in line 10, so at line 11 the user-level library code in printf accesses memory that is no longer allocated. The first IMA in this example is a spatial IMA: the access is illegal because a pointer accesses memory outside of the range that is valid for that pointer. The second IMA in our example is a temporal IMA: a previously valid pointer-memory association is no longer valid at the time of the access.

3 OUR TECHNIQUE

We first outline our technique at the source code level using an unlimited number of taint marks. Sections 3.2 and 4 then discuss how the technique works when the number of taint marks is limited and when operating at the level of binaries.

3.1 General Approach

Our technique is based on dynamic tainting, which is a
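The following is an added illustration, not code from the paper or from its LLVM/DYTAN or SESC prototypes: a small C model of the taint check described in the introduction, replayed on the two faults of Fig. 1 with a configurable number of taint marks. It assumes a bump allocator over a simulated heap, a shadow array holding one mark per data byte, round-robin reuse of allocation marks once the configured count is exhausted, and that freed memory is re-tainted with the mark reserved for unallocated memory (the paper's own handling of deallocation and mark assignment is described in its later sections). The neighbouring allocation `other` is constructed so that the off-by-one write at buffer + n lands in memory that belongs to another object.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 64
#define FREE_MARK 0u   /* assumption: mark reserved for unallocated memory */

static uint8_t heap[HEAP_SIZE];    /* simulated data memory (constructed)   */
static uint8_t shadow[HEAP_SIZE];  /* one taint mark per data byte          */
static size_t  brk_pos = 0;        /* bump-allocator position (assumption)  */
static unsigned num_marks = 2;     /* marks available, FREE_MARK included   */
static unsigned next_mark = 1;     /* next allocation mark to hand out      */

/* A tainted pointer: address plus the mark it received at allocation.
 * len is allocator bookkeeping so that taint_free knows the extent. */
typedef struct { size_t addr; unsigned mark; size_t len; } tptr;

/* Reset the model with a given number of taint marks (2 = one-bit marks). */
void taint_reset(unsigned marks) {
    num_marks = marks < 2 ? 2 : marks;
    next_mark = 1;
    brk_pos = 0;
    memset(shadow, FREE_MARK, sizeof shadow);
}

/* Allocate n bytes: taint the memory and the returned pointer with the
 * same mark. Marks are reused round-robin once they run out (assumption). */
tptr taint_malloc(size_t n) {
    tptr p = { brk_pos, next_mark, n };
    if (brk_pos + n > HEAP_SIZE) {          /* out of simulated heap */
        tptr none = { HEAP_SIZE, FREE_MARK, 0 };
        return none;                        /* any access through it is rejected */
    }
    memset(shadow + brk_pos, (int)next_mark, n);
    brk_pos += n;
    next_mark = (next_mark + 1 < num_marks) ? next_mark + 1 : 1;
    return p;
}

/* Deallocate: the memory reverts to FREE_MARK, so p's mark no longer matches. */
void taint_free(tptr p) {
    if (p.addr + p.len <= HEAP_SIZE) memset(shadow + p.addr, FREE_MARK, p.len);
}

/* Pointer arithmetic propagates the pointer's mark unchanged. */
tptr taint_add(tptr p, long off) {
    tptr q = p;
    q.addr = (size_t)((long)p.addr + off);
    return q;
}

/* The access check: legal only if the pointer's mark equals the mark of the
 * byte it touches. Returns 1 for a legal access (performing the write if
 * requested) and 0 to report an IMA; an illegal write is not performed. */
int taint_access(tptr p, int is_write, uint8_t val) {
    if (p.addr >= HEAP_SIZE || shadow[p.addr] != p.mark) return 0;
    if (is_write) heap[p.addr] = val;
    return 1;
}

/* Replays the two faults of Fig. 1 under a given number of marks and returns
 * how many IMAs the check reports: the off-by-one write at buffer + n
 * (spatial) and the read of buffer after free (temporal). */
int fig1_detected(unsigned marks, int n) {
    int detected = 0;
    taint_reset(marks);
    tptr buffer = taint_malloc((size_t)n);
    tptr other  = taint_malloc(8);  /* constructed neighbour right after buffer */
    (void)other;
    for (int i = 0; i <= n; i++)    /* fault: i <= n, as in Fig. 1 line 7 */
        if (!taint_access(taint_add(buffer, i), 1, (uint8_t)('a' + i % 26)))
            detected++;             /* the write at i == n may be reported */
    taint_free(buffer);             /* Fig. 1 line 10 */
    if (!taint_access(taint_add(buffer, 0), 0, 0))
        detected++;                 /* printf's read at line 11 */
    return detected;
}

int main(void) {
    printf("2 marks (one-bit): %d of 2 IMAs reported\n", fig1_detected(2, 8));
    printf("3 marks:           %d of 2 IMAs reported\n", fig1_detected(3, 8));
    return 0;
}
```

With two marks (one bit), buffer and its neighbour share the only allocation mark, so the off-by-one write is a false negative while the use after free is still caught because freed memory carries FREE_MARK; with three marks the neighbour gets a distinct mark and both IMAs are reported. This is the performance-accuracy tradeoff the introduction describes: more marks mean fewer shared-mark collisions, at the cost of wider taint storage and propagation.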