MESH: a Memory-Efficient Safe Heap for C/C++

MESH: a Memory-Efficient Safe Heap for C/C++

MESH: A Memory-Efficient Safe Heap for C/C++ Emanuel Q. Vintila Philipp Zieris Julian Horsch [email protected] [email protected] [email protected] Fraunhofer AISEC Fraunhofer AISEC Fraunhofer AISEC Garching, near Munich, Germany Garching, near Munich, Germany Garching, near Munich, Germany ABSTRACT 1 INTRODUCTION While memory corruption bugs stemming from the use of unsafe The C and C++ programming languages are preferred for system programming languages are an old and well-researched problem, programming because they are efficient and offer low-level control. the resulting vulnerabilities still dominate real-world exploitation These advantages come at the cost of memory safety, requiring the today. Various mitigations have been proposed to alleviate the programmer to manually manage heap memory and ensure the problem, mainly in the form of language dialects, static program legality of memory accesses. Incorrect handling by the programmer analysis, and code or binary instrumentation. Solutions like Adress- can lead to serious issues [43] such as buffer overflows or use-after- Sanitizer (ASan) and Softbound/CETS have proven that the latter free bugs, which can be exploited by attackers to hijack the control- approach is very promising, being able to achieve memory safety flow (causing the program to inadvertently change its course of without requiring manual source code adaptions, albeit suffering execution) [6, 11, 35, 39] or to leak information [18, 40]. Even though substantial performance and memory overheads. While perfor- memory vulnerabilities are long-known issues, they are still very mance overhead can be seen as a flexible constraint, extensive common in mainstream programs: Out of all the vulnerabilities memory overheads can be prohibitive for the use of such solutions reported in the Common Vulnerabilities and Exposures (CVE) data- in memory-constrained environments. To address this problem, base, 14.7% are marked as overflows and 4.3% are marked as memory we propose MESH, a highly memory-efficient safe heap for C/C++. corruptions [13]. C/C++ memory corruption bugs can be divided With its constant, very small memory overhead (configurable up into two categories: to 2 MB on x86-64) and constant complexity for pointer access Temporal memory bugs access an object outside of its lifetime, checking, MESH offers efficient, byte-precise spatial and temporal i.e., before its allocation or after its deallocation. memory safety for memory-constrained scenarios. Without jeopar- Spatial memory bugs access an object outside of its bounds, i.e., dizing the security of safe heap objects, MESH is fully compatible using addresses lower than the start or higher than the end with existing code and uninstrumented libraries, making it practical of the object. to use in heterogeneous environments. We show the feasibility of our approach with a full LLVM-based prototype supporting both Several mechanisms have been proposed to mitigate the effects of major architectures, i.e., x86-64 and ARM64, in a Linux runtime en- memory bugs. A widely used mitigation mechanism are stack ca- vironment. Our prototype evaluation shows that, compared to ASan naries [14], detecting overflows on the stack before they can affect and Softbound/CETS, MESH can achieve huge memory savings the control flow via the stack-based return address. Another miti- while preserving similar execution performance. gation mechanism is Address Space Layout Randomization (ASLR) [24], randomizing the location of program parts, making it harder KEYWORDS for the attacker to correctly guess valid code addresses. Finally, in memory safety, unsafe programming languages, buffer overflows, recent years, a plethora of Control-Flow Integrity (CFI) approaches pointer tagging, dangling pointers, use-after-free have been proposed [7, 9], trying to protect indirect jumps, calls, ACM Reference Format: and function returns using various policies and techniques. Unfortu- Emanuel Q. Vintila, Philipp Zieris, and Julian Horsch. 2021. MESH: A nately, trading security for performance typically leaves mitigation Memory-Efficient Safe Heap for C/C++. In The 16th International Conference techniques vulnerable to exploitation, as shown in various attacks on Availability, Reliability and Security (ARES 2021), August 17–20, 2021, on CFI [10, 12, 17] and ASLR [4, 33, 40]. arXiv:2108.08683v1 [cs.CR] 19 Aug 2021 Vienna, Austria. ACM, New York, NY, USA, 10 pages. https://doi.org/10. A more complete way to counter memory vulnerabilities is to 1145/3465481.3465760 detect and mitigate the memory bugs themselves—and not just their effects—by imposing memory safety. Several ways of enforc- ing memory safety in C/C++ have been proposed, among which are language dialects, static analysis, and, more relevant to our work, code or binary instrumentation. Language dialects remove unsafe features from the languages, offering alternatives, for example, in the form of new pointers types [2, 21, 30]. While they can be effec- tive and efficient (fewer run-time checks), dialects ofC/C++ lack ARES 2021, August 17–20, 2021, Vienna, Austria © 2021 Copyright held by the owner/author(s). Publication rights licensed to ACM. compatibility with existing code and are less likely to be accepted This is the author’s version of the work. It is posted here for your personal use. Not for in practice. Static analysis techniques [3, 20] detect bugs without redistribution. The definitive Version of Record was published in The 16th International running the code, and hence do not impose any run-time over- Conference on Availability, Reliability and Security (ARES 2021), August 17–20, 2021, Vienna, Austria, https://doi.org/10.1145/3465481.3465760. heads, but are less effective. Finally, code or binary instrumentation can be used for detecting memory bugs through dynamic analysis ARES 2021, August 17–20, 2021, Vienna, Austria Emanuel Q. Vintila, Philipp Zieris, and Julian Horsch [25, 41, 42]. They work on existing code and allow the program- 2 DESIGN GOALS mer to write new code as usual, without any knowledge about the For the design of MESH, we assume an attacker who can perform underlying instrumentation. memory corruption attacks on objects in arbitrary data regions of The most prominent instrumentation-based memory safety mech- a program. Further, we assume that the attacker cannot corrupt the anism is AddressSanitizer (ASan)[36]. ASan approximates memory code itself (typically guaranteed by non-writable text segments) or safety by inserting protected memory regions between objects modify the program’s data regions from outside the instrumented and delaying reuse of freed memory. A more precise solution is code, e.g., using special hardware access. offered by SoftBound/CETS [28, 29], which ties pointers to their Based on these assumptions, we define six design goals for MESH objects and achieves strong temporal and spatial memory safety. to ensure heap memory safety for C/C++ while maintaining high Both approaches, as well as other similar solutions [8, 16, 37], im- compatibility and memory efficiency. Our first three design goals pose substantial run-time and memory overheads. While a large aim to ensure memory safety for the MESH heap: performance overhead might be impractical, it presents a flexible constraint and does not prevent a solution from being applicable at ¶ Detect temporal bugs: Detect the usage of heap pointers all. In contrast, extensive memory overheads can be prohibitive for to heap objects that are no longer allocated (i.e., dangling applying a solution in memory-constrained devices. Furthermore, pointers). most of the approaches [2, 8, 16, 21, 28–30] do not offer a concept for · Detect spatial bugs: Detect any access (read/write) using (secure) compatibility with uninstrumented code, hindering their a heap pointer pointing outside the allocation bounds of its real-world applicability, e.g., in situations where external libraries object (i.e., overflows or underflows) with byte precision. cannot be instrumented. ¸ Detect unprotected pointer accesses: Detect accesses to To tackle those problems, we present MESH, a novel, highly protected objects using unprotected pointers (e.g., stack or memory-efficient heap safety mechanism, which uses a config- external pointers). urable but constant-sized lookup table, the MESH table, for storing The next design goals target MESH’s compatibility. Our defense bounds and the validity of objects in memory. MESH makes use mechanism must not change the functionality of the software it of the unused bits in a pointer (by default, on Linux, only 47 bits protects and developers should not have to be aware of the underly- of a pointer are used on x86-641, and 48 on ARM642) to link point- ing protection. In other words, MESH has to work on any existing ers to their objects’ metadata entries in the MESH table. Using a C/C++ code without requiring modifications. We formalize these constant lookup algorithm, MESH ensures that only legal pointer goals as follows: uses are permitted at run-time. Since stack corruptions have be- come less important in recent years while heap corruptions are still ¹ Support standard C/C++: Every language feature in the very common and often critical [27], MESH focuses on heap safety. C/C++ standards must be supported. Moreover, language Nonetheless, MESH offers not only memory safety for heap objects, features should not be limited or extended. but also protects its safe heap against other accesses, e.g., using º Support

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us