DieHard: probabilistic memory safety for unsafe languages

Published: 11 June 2006

Abstract

Applications written in unsafe languages like C and C++ are vulnerable to memory errors such as buffer overflows, dangling pointers, and reads of uninitialized data. Such errors can lead to program crashes, security vulnerabilities, and unpredictable behavior. We present DieHard, a runtime system that tolerates these errors while probabilistically maintaining soundness. DieHard uses randomization and replication to achieve probabilistic memory safety by approximating an infinite-sized heap. DieHard's memory manager randomizes the location of objects in a heap that is at least twice as large as required. This algorithm prevents heap corruption and provides a probabilistic guarantee of avoiding memory errors. For additional safety, DieHard can operate in a replicated mode where multiple replicas of the same application are run simultaneously. By initializing each replica with a different random seed and requiring agreement on output, the replicated version of DieHard increases the likelihood of correct execution because errors are unlikely to have the same effect across all replicas. We present analytical and experimental results that show DieHard's resilience to a wide range of memory errors, including a heap-based buffer overflow in an actual application.
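The abstract describes two allocator properties that together make a heap overflow unlikely to corrupt live data: objects are placed at random positions, and the heap is kept at least twice as large as the live data. The following is an added illustration, not DieHard's own code: a toy single-size-class heap with a randomized allocator and, for comparison, a conventional first-fit allocator, plus a simulation that measures how often a one-object overflow from a random live object lands on another live object. The object size, slot count, the xorshift/splitmix PRNGs and all function names are illustrative assumptions; the paper's actual analysis and allocator design are in the full text.

```c
/* Added example, not DieHard's own code: a toy single-size-class heap in
 * the style the abstract describes (random placement in a heap at least
 * twice the live data), used to measure how often a one-object overflow
 * lands on live data compared with a first-fit allocator.  Sizes, names
 * and the PRNGs are illustrative assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define OBJ_SIZE 16               /* one size class: 16-byte objects */
#define NSLOTS   1024             /* heap capacity in objects */
#define MAX_LIVE (NSLOTS / 2)     /* keep the heap >= 2x the live data */

typedef struct {
    uint64_t rng;                 /* per-heap random state, derived from the seed */
    uint8_t  live[NSLOTS];        /* allocation bitmap, kept outside the objects */
    uint8_t  mem[NSLOTS * OBJ_SIZE];
    int      nlive;
} heap_t;

typedef void *(*alloc_fn)(heap_t *);

static uint64_t xorshift64(uint64_t *s) {
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

static void heap_init(heap_t *h, uint64_t seed) {
    memset(h, 0, sizeof *h);
    uint64_t z = seed + 0x9E3779B97F4A7C15ULL;      /* splitmix64 to spread nearby seeds */
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    h->rng = (z ^ (z >> 31)) | 1;                    /* xorshift state must be nonzero */
}

/* Randomized allocation: probe uniformly random slots until a free one turns
 * up.  With at most half the slots live, the expected probe count is at most
 * 2, and an object's neighbours are unpredictable. */
static void *heap_alloc_random(heap_t *h) {
    if (h->nlive >= MAX_LIVE) return NULL;
    for (;;) {
        size_t i = (size_t)(xorshift64(&h->rng) % NSLOTS);
        if (!h->live[i]) { h->live[i] = 1; h->nlive++; return h->mem + i * OBJ_SIZE; }
    }
}

/* Conventional first-fit allocation: consecutive allocations are adjacent. */
static void *heap_alloc_firstfit(heap_t *h) {
    if (h->nlive >= MAX_LIVE) return NULL;
    for (size_t i = 0; i < NSLOTS; i++)
        if (!h->live[i]) { h->live[i] = 1; h->nlive++; return h->mem + i * OBJ_SIZE; }
    return NULL;
}

/* Slot index of p, or -1 if p is not the start of a slot in this heap. */
static long heap_slot(const heap_t *h, const void *p) {
    const uint8_t *q = p;
    if (q < h->mem || q >= h->mem + sizeof h->mem) return -1;
    size_t off = (size_t)(q - h->mem);
    return off % OBJ_SIZE ? -1 : (long)(off / OBJ_SIZE);
}

/* Invalid and double frees are ignored; the bitmap lives outside the object
 * area, so an overflow cannot corrupt allocator metadata. */
static void heap_free(heap_t *h, void *p) {
    long i = heap_slot(h, p);
    if (i < 0 || !h->live[i]) return;
    h->live[i] = 0; h->nlive--;
}

/* Would a k-object overflow past victim overwrite another live object? */
static int overflow_hits_live(const heap_t *h, const void *victim, int k) {
    long i = heap_slot(h, victim);
    if (i < 0) return 0;
    for (long j = 1; j <= k && i + j < NSLOTS; j++)
        if (h->live[i + j]) return 1;
    return 0;
}

/* Fraction of trials in which a 1-object overflow from a random live object
 * corrupts live data, for a heap filled to MAX_LIVE objects. */
double hit_rate(alloc_fn alloc, uint64_t seed, int trials) {
    heap_t *h = malloc(sizeof *h);
    void *objs[MAX_LIVE];
    int hits = 0;
    for (int t = 0; t < trials; t++) {
        heap_init(h, seed + (uint64_t)t);
        for (int n = 0; n < MAX_LIVE; n++) objs[n] = alloc(h);
        void *victim = objs[xorshift64(&h->rng) % MAX_LIVE];
        hits += overflow_hits_live(h, victim, 1);
        for (int n = 0; n < MAX_LIVE; n++) heap_free(h, objs[n]);
    }
    free(h);
    return (double)hits / trials;
}

int main(void) {
    printf("first-fit : overflow hits live data in %.1f%% of trials\n",
           100.0 * hit_rate(heap_alloc_firstfit, 1, 2000));
    printf("randomized: overflow hits live data in %.1f%% of trials\n",
           100.0 * hit_rate(heap_alloc_random, 1, 2000));
    return 0;
}
```

With first-fit placement the victim's successor is live in all but one of the 512 layouts, so nearly every overflow corrupts another object; with random placement in a half-empty heap the successor is live only about half the time, and a larger expansion factor lowers that further. The other property visible here is that the allocation bitmap sits outside the object area, so an overflow or an invalid free can damage at most application data, never the allocator's own state. Replication, the second mechanism in the abstract, would run several such heaps with different seeds and compare outputs; it is not simulated above.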


Published in

ACM SIGPLAN Notices, Volume 41, Issue 6: Proceedings of the 2006 PLDI Conference, June 2006, 426 pages. ISSN 0362-1340, EISSN 1558-1160, DOI 10.1145/1133255.

PLDI '06: Proceedings of the 27th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2006, 438 pages. ISBN 1595933204, DOI 10.1145/1133981.

                  Copyright © 2006 ACM

                  Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States
