DOI: 10.1145/2508859.2516713
Research article, Open Access

Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security

Published: 04 November 2013

ABSTRACT

Referencing outside the bounds of an array or buffer is a common source of bugs and security vulnerabilities in today's software. We can enforce spatial safety and eliminate these violations by inseparably associating bounds with every pointer (fat pointer) and checking these bounds on every memory access. By further adding hardware-managed tags to the pointer, we make them unforgeable. This, in turn, allows the pointers to be used as capabilities to facilitate fine-grained access control and fast security domain crossing. Dedicated checking hardware runs in parallel with the processor's normal datapath so that the checks do not slow down processor operation (0% runtime overhead). To achieve the safety of fat pointers without increasing program state, we compactly encode approximate base and bound pointers along with exact address pointers for a 46b address space into one 64-bit word with a worst-case memory overhead of 3%. We develop gate-level implementations of the logic for updating and validating these compact fat pointers and show that the hardware requirements are low and the critical paths for common operations are smaller than processor ALU operations. Specifically, we show that the fat-pointer check and update operations can run in a 4 ns clock cycle on a Virtex 6 (40nm) implementation while only using 1100 6-LUTs or about the area of a double-precision, floating-point adder.
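As an added illustration (not code from the paper or its authors), the C program below implements a simplified block-granular fat-pointer encoding in the spirit the abstract describes: a 46-bit address and three 6-bit fields packed into one 64-bit word, with base and bound recovered from the address at a block granularity, a per-access bounds check, and pointer arithmetic that invalidates a pointer once its bounds can no longer be expressed. The field layout, the names `lf_alloc`, `lf_add`, `lf_check` and `lf_padding`, and the sample 1000-byte object at address 0x10000 are this example's own assumptions, not the paper's encoding; the hardware tag is modelled as a struct field.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative 64-bit fat-pointer word (this example's own layout, not the
 * paper's): a 46-bit address A and three 6-bit fields.
 *   B : log2 of the block size; base and bound are multiples of 2^B
 *   I : blocks from the base block up to the block containing A
 *   M : blocks from the block containing A up to the (exclusive) bound block
 *   base = ((A >> B) - I) << B      bound = ((A >> B) + M) << B
 * Hardware keeps the unforgeable tag out of band; here it is a struct field
 * that only lf_alloc and lf_add ever set. */
#define LF_ADDR_BITS 46
#define LF_ADDR_MASK ((1ULL << LF_ADDR_BITS) - 1)
#define LF_FIELD_MAX 63u

typedef struct {
    uint64_t word;   /* [A:46][B:6][I:6][M:6] */
    bool tag;
} lfptr;

static uint64_t lf_pack(uint64_t a, unsigned b, unsigned i, unsigned m) {
    return (a & LF_ADDR_MASK) | ((uint64_t)(b & LF_FIELD_MAX) << 46)
         | ((uint64_t)(i & LF_FIELD_MAX) << 52) | ((uint64_t)(m & LF_FIELD_MAX) << 58);
}
uint64_t lf_addr(lfptr p)     { return p.word & LF_ADDR_MASK; }
static unsigned lf_b(lfptr p) { return (unsigned)((p.word >> 46) & LF_FIELD_MAX); }
static unsigned lf_i(lfptr p) { return (unsigned)((p.word >> 52) & LF_FIELD_MAX); }
static unsigned lf_m(lfptr p) { return (unsigned)((p.word >> 58) & LF_FIELD_MAX); }
uint64_t lf_base(lfptr p)  { return ((lf_addr(p) >> lf_b(p)) - lf_i(p)) << lf_b(p); }
uint64_t lf_bound(lfptr p) { return ((lf_addr(p) >> lf_b(p)) + lf_m(p)) << lf_b(p); }

/* Smallest block exponent such that `size` spans at most 63 blocks, so the
 * block counts I and M always fit in 6 bits. */
static unsigned lf_pick_b(uint64_t size) {
    unsigned b = 0;
    while ((((size - 1) >> b) + 1) > LF_FIELD_MAX) b++;
    return b;
}

/* Padding bytes the block-granular bound forces on an object of `size`. */
uint64_t lf_padding(uint64_t size) {
    if (size == 0) return 0;
    unsigned b = lf_pick_b(size);
    return ((((size - 1) >> b) + 1) << b) - size;
}

/* Tagged pointer to a fresh object: the allocator aligns the base to a block
 * and rounds the size up to whole blocks (the "approximate" bound). */
lfptr lf_alloc(uint64_t base, uint64_t size) {
    lfptr p = { 0, false };
    if (size == 0 || size > LF_ADDR_MASK) return p;
    unsigned b = lf_pick_b(size);
    uint64_t blk = 1ULL << b;
    uint64_t abase = (base + blk - 1) & ~(blk - 1);
    uint64_t nblocks = ((size - 1) >> b) + 1;
    if (abase + nblocks * blk > LF_ADDR_MASK + 1) return p;
    p.word = lf_pack(abase, b, 0, (unsigned)nblocks);
    p.tag = true;
    return p;
}

/* Pointer arithmetic: move A and shift I/M by the block boundaries crossed.
 * A result that can no longer express its base or bound (moved below base or
 * beyond the one-past-the-end block) loses its tag and can never be used. */
lfptr lf_add(lfptr p, int64_t delta) {
    lfptr r = { 0, false };
    if (!p.tag) return r;
    int64_t a = (int64_t)lf_addr(p) + delta;
    if (a < 0 || a > (int64_t)LF_ADDR_MASK) return r;
    unsigned b = lf_b(p);
    int64_t crossed = (a >> b) - (int64_t)(lf_addr(p) >> b);
    int64_t i = (int64_t)lf_i(p) + crossed;
    int64_t m = (int64_t)lf_m(p) - crossed;
    if (i < 0 || i > (int64_t)LF_FIELD_MAX || m < 0) return r;
    r.word = lf_pack((uint64_t)a, b, (unsigned)i, (unsigned)m);
    r.tag = true;
    return r;
}

/* The per-access check run beside the datapath: the pointer is tagged and
 * the bytes [A, A+width) lie within [base, bound). */
bool lf_check(lfptr p, uint64_t width) {
    if (!p.tag) return false;
    uint64_t a = lf_addr(p);
    return a >= lf_base(p) && a + width <= lf_bound(p);
}

int main(void) {
    /* Constructed sample: a 1000-byte object placed at address 0x10000. */
    lfptr p = lf_alloc(0x10000, 1000);
    printf("B=%u base=%#" PRIx64 " bound=%#" PRIx64 " padding=%" PRIu64 "\n",
           lf_b(p), lf_base(p), lf_bound(p), lf_padding(1000));
    printf("8-byte access at +1000: %s (lands in padding)\n",
           lf_check(lf_add(p, 1000), 8) ? "allowed" : "denied");
    printf("9-byte access at +1000: %s\n",
           lf_check(lf_add(p, 1000), 9) ? "allowed" : "denied");
    printf("pointer moved to +1024: %s\n", lf_add(p, 1024).tag ? "tagged" : "tag cleared");
    return 0;
}
```

Two behaviours of the scheme are worth noticing. Because the bound is rounded up to a block, the 8 padding bytes after the 1000-byte object are accessible through the pointer; that is the memory overhead the abstract trades for a compact encoding, not a safety hole, since the padding belongs to the allocation and no other object lives there. Arithmetic that leaves the representable range clears the tag at update time rather than at dereference time, while a one-past-the-end pointer stays tagged but fails every non-empty access check, matching the C idiom of computing `end` without reading it.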


Published in: CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, November 2013, 1530 pages. ISBN: 9781450324779. DOI: 10.1145/2508859.

            Copyright © 2013 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: CCS '13 accepted 105 of 530 submissions (20%); the overall CCS acceptance rate is 1,261 of 6,999 submissions (18%).
