DOI: 10.1145/2694344.2694367
Research article (ASPLOS conference proceedings)

Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine

Published: 14 March 2015

ABSTRACT

We propose a new memory-safe interpretation of the C abstract machine that provides stronger protection to benefit security and debugging. Despite ambiguities in the specification intended to provide implementation flexibility, contemporary implementations of C have converged on a memory model similar to the PDP-11, the original target for C. This model lacks support for memory safety despite well-documented impacts on security and reliability.

Attempts to change this model are often hampered by assumptions embedded in a large body of existing C code, dating back to the memory model exposed by the original C compiler for the PDP-11. Our experience with attempting to implement a memory-safe variant of C on the CHERI experimental microprocessor led us to identify a number of problematic idioms. We describe these as well as their interaction with existing memory safety schemes and the assumptions that they make beyond the requirements of the C specification. Finally, we refine the CHERI ISA and abstract model for C, by combining elements of the CHERI capability model and fat pointers, and present a softcore CPU that implements a C abstract machine that can run legacy C code with strong memory protection guarantees.
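As an added illustration, not code from the paper or from the CHERI project, the following C model shows the essential difference between the flat PDP-11 memory model and the bounded-pointer abstract machine the abstract describes: a pointer carries the base and length of its object as well as an offset, arithmetic may legally reach one past the end, and only a dereference is checked. The struct layout, function names and sample buffers are constructed here; a real CHERI capability is hardware-enforced and carries further fields (permissions, a validity tag) that this simplification omits.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a bounded ("fat") pointer: base and length of the
 * referenced object plus an offset, instead of a bare PDP-11-style address. */
typedef struct {
    const unsigned char *base;
    size_t length;
    size_t offset;          /* may equal length: the one-past-the-end pointer */
} fatptr_t;

enum { FP_OOB = -1 };       /* returned by fp_load on an out-of-bounds access */

fatptr_t fp_make(const void *obj, size_t len) {
    fatptr_t p = { (const unsigned char *)obj, len, 0 };
    return p;
}

/* Pointer arithmetic only moves the offset and never traps, so computing
 * p + len (one past the end) stays legal; a negative result wraps the
 * unsigned offset to a huge value that the dereference check then rejects. */
fatptr_t fp_add(fatptr_t p, ptrdiff_t delta) {
    p.offset += (size_t)delta;
    return p;
}

/* Bounds-checked one-byte load: returns the byte, or FP_OOB instead of
 * silently reading the neighbouring object as a flat address would. */
int fp_load(fatptr_t p) {
    if (p.offset >= p.length) return FP_OOB;
    return p.base[p.offset];
}

/* strlen-style walk. On a buffer with no terminator the flat model keeps
 * reading past the object; here the walk stops at the bound and reports it.
 * Returns 0 when a terminator is found, FP_OOB when the bound was hit;
 * *len receives the number of bytes scanned either way. */
int bounded_strlen(fatptr_t s, size_t *len) {
    for (*len = 0;; (*len)++) {
        int c = fp_load(fp_add(s, (ptrdiff_t)*len));
        if (c == FP_OOB) return FP_OOB;
        if (c == 0) return 0;
    }
}

/* Constructed sample objects: one NUL-terminated, one not. */
static const unsigned char TERMINATED[4]   = { 'a', 'b', 'c', 0 };
static const unsigned char UNTERMINATED[4] = { 'a', 'b', 'c', 'd' };
```

Running bounded_strlen over UNTERMINATED scans exactly four bytes and reports FP_OOB, which is the over-read a flat-address strlen would perform silently.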


Published in: ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, March 2015, 720 pages. ISBN: 9781450328357. DOI: 10.1145/2694344. Copyright © 2015 ACM.


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: ASPLOS '15 accepted 48 of 287 submissions (17%); overall acceptance rate 535 of 2,713 submissions (20%).
