Table of Contents
- 1. What problem does this paper try to solve?
- 2. Why is the problem important?
- 3. What is this paper's solution to the problem?
- 4. What are the strengths of this paper?
- 5. What are the limitations of this paper?
- 6. What are other solutions and what are the most relevant works?
- 7. What's your favourite part of this work?
Authors: Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic
Keywords: Memory safety, Buffer overflows, Dangling pointers, Pointer-based checking, SoftBoundCETS
[SNAPL'15]
What problem does this paper try to solve?
Provide full memory safety for C.
Why is the problem important?
Refer to Google's article: Secure by Design: Google's Perspective on Memory Safety
What is this paper's solution to the problem?
Employ a pointer-based approach that injects code to maintain per-pointer metadata and to check that metadata before a pointer is dereferenced. The metadata is stored in a disjoint space.
How to maintain the metadata?
metadata layout: [ base | bound ]|{ key | lock }
Fields in [] are for spatial memory safety, fields in {} are for temporal memory safety.
- base (64-bit value): the base address of the object pointed to by the pointer.
- bound (64-bit value): the end address of the object pointed to by the pointer.
- key: an allocation identifier.
- lock: a pointer to a location in memory. The key and the value stored at the lock location should match.
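As an added illustration, not the paper's or SoftBoundCETS's own code, the following C toy models the per-pointer check described above: a spatial check against [base, bound) and a temporal check that the lock slot still holds the pointer's key. The names (`checked_ptr`, `checked_malloc`, `checked_free`, `checked_access_ok`) are hypothetical, and the metadata is kept beside the pointer rather than in a disjoint shadow space to keep the example short.

```c
#include <stdint.h>
#include <stdlib.h>

/* Per-pointer metadata in the layout from the notes: [base|bound] for spatial
 * checks, {key|lock} for temporal checks. SoftBoundCETS keeps it in a disjoint
 * shadow space; this toy (not the paper's code) keeps it beside the pointer. */
typedef struct {
    char     *ptr;
    char     *base;   /* first valid byte of the object */
    char     *bound;  /* one past the last valid byte */
    uint64_t  key;    /* allocation identifier, unique per allocation */
    uint64_t *lock;   /* slot that holds `key` while the object is alive */
} checked_ptr;

static uint64_t next_key = 1;   /* key 0 is reserved to mean "freed" */

/* Hypothetical checked allocator: allocates the object plus a lock slot. */
checked_ptr checked_malloc(size_t n) {
    checked_ptr p;
    p.ptr = p.base = malloc(n);
    p.bound = p.base + n;
    p.lock = malloc(sizeof *p.lock);
    p.key = *p.lock = next_key++;
    return p;
}

/* Freeing clears the lock, so every stale copy of the pointer fails afterwards. */
void checked_free(checked_ptr *p) {
    *p->lock = 0;
    free(p->base);   /* the lock slot is kept on purpose so later checks can read it */
}

/* Runs before a `size`-byte access at p->ptr + offset: 1 = allowed, 0 = violation. */
int checked_access_ok(const checked_ptr *p, size_t offset, size_t size) {
    uintptr_t a = (uintptr_t)p->ptr + offset, lo = (uintptr_t)p->base, hi = (uintptr_t)p->bound;
    if (*p->lock != p->key) return 0;                 /* temporal: object was freed */
    if (a < lo || a > hi || size > hi - a) return 0;  /* spatial: outside [base, bound) */
    return 1;
}

/* Exercises the three cases; returns 1 only if the checker allows the in-bounds
 * read and rejects both the one-byte overflow and the use-after-free. */
int demo_checks(void) {
    checked_ptr p = checked_malloc(16), q = p, stale = p;
    q.ptr += 8;                                       /* derived pointer keeps p's metadata */
    int in_bounds = checked_access_ok(&q, 0, 8);      /* 1: bytes 8..15 of a 16-byte object */
    int overflow  = checked_access_ok(&p, 16, 1);     /* 0: one byte past bound */
    checked_free(&p);
    int uaf       = checked_access_ok(&stale, 0, 1);  /* 0: lock no longer holds the key */
    return in_bounds && !overflow && !uaf;
}
```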
How do they handle function calls?
Problem: variable arguments, function pointers (indirect calls).
- adding metadata as extra arguments
- using a shadow stack
How to provide backward compatibility?
- provide wrappers for commonly used libraries
- write glue code for pointers modified by an external library
What are the strengths of this paper?
- backward compatibility (disjoint metadata)
- trie data structure for the metadata
- comprehensive safety
- metadata can't be overwritten by the program
- less invasive
What are the limitations of this paper?
- high performance overhead (70%-80%)
- They assume that these overheads are within the acceptable threshold for a large class of applications, but they provide no evidence for this.
What are other solutions and what are the most relevant works?
- AddressSanitizer (tripwire approach)
- SAFECode, Baggy Bounds (object-based approach)
- SafeC, CCured, Cyclone, MSCC (pointer-based approach)
What's your favourite part of this work?
Numerous designs for their approach, from hardware to software.