Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security
Albert Kwon, Udit Dhawan, Jonathan M. Smith, Thomas F. Knight, André DeHon
pp. 721-732
TL;DR: To achieve the safety of fat pointers without increasing program state, this work compactly encodes approximate base and bound pointers along with exact address pointers for a 46b address space into one 64-bit word with a worst-case memory overhead of 3%.

Abstract:
Referencing outside the bounds of an array or buffer is a common source of bugs and security vulnerabilities in today's software. We can enforce spatial safety and eliminate these violations by inseparably associating bounds with every pointer (fat pointer) and checking these bounds on every memory access. By further adding hardware-managed tags to the pointer, we make them unforgeable. This, in turn, allows the pointers to be used as capabilities to facilitate fine-grained access control and fast security domain crossing. Dedicated checking hardware runs in parallel with the processor's normal datapath so that the checks do not slow down processor operation (0% runtime overhead). To achieve the safety of fat pointers without increasing program state, we compactly encode approximate base and bound pointers along with exact address pointers for a 46b address space into one 64-bit word with a worst-case memory overhead of 3%. We develop gate-level implementations of the logic for updating and validating these compact fat pointers and show that the hardware requirements are low and the critical paths for common operations are smaller than processor ALU operations. Specifically, we show that the fat-pointer check and update operations can run in a 4 ns clock cycle on a Virtex 6 (40nm) implementation while only using 1100 6-LUTs or about the area of a double-precision, floating-point adder.
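The abstract's arithmetic (a 46-bit address plus three 6-bit fields in one 64-bit word) can be modelled in software to see why the base and bound need no extra state and where the ~3% worst-case padding comes from. The block below is an added example, not code from the paper or its authors: the field semantics (A = exact address, B = log2 of a block size, I = blocks from the base to the current block, M = blocks from the current block to the exclusive bound), the choice of 32 to 63 blocks per object, and the policy of rejecting pointer arithmetic that would leave [base, bound] are assumptions for illustration of the encoding idea, not the paper's gate-level design. Hardware tags, which make the words unforgeable, are not modelled.

```c
/*
 * Software model of a "low-fat" pointer: one 64-bit word carrying the exact
 * address plus approximate base and bound.  Added example; the field layout
 * (A = 46-bit address, B = log2 block size, I = blocks from base to the
 * current block, M = blocks from the current block to the bound) and the
 * policy of rejecting arithmetic that leaves [base, bound] are assumptions
 * for illustration, not the paper's gate-level design.  Tags are not modelled.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LFP_ADDR_BITS   46
#define LFP_ADDR_MASK   ((1ULL << LFP_ADDR_BITS) - 1)
#define LFP_FIELD_MASK  0x3FULL           /* B, I and M are 6 bits each */
#define LFP_MAX_BLOCKS  63                /* I + M must fit in one 6-bit field */

static uint64_t lfp_pack(uint64_t a, uint64_t b, uint64_t i, uint64_t m) {
    return (a & LFP_ADDR_MASK) | ((b & LFP_FIELD_MASK) << 46) |
           ((i & LFP_FIELD_MASK) << 52) | ((m & LFP_FIELD_MASK) << 58);
}
uint64_t lfp_addr(uint64_t w) { return w & LFP_ADDR_MASK; }
unsigned lfp_b(uint64_t w)    { return (unsigned)((w >> 46) & LFP_FIELD_MASK); }
unsigned lfp_i(uint64_t w)    { return (unsigned)((w >> 52) & LFP_FIELD_MASK); }
unsigned lfp_m(uint64_t w)    { return (unsigned)((w >> 58) & LFP_FIELD_MASK); }

/* Base and (exclusive) bound are recovered from A, B, I, M with shifts and
 * adds only: no separate base/bound words are stored anywhere. */
uint64_t lfp_base(uint64_t w)  { return ((lfp_addr(w) >> lfp_b(w)) - lfp_i(w)) << lfp_b(w); }
uint64_t lfp_bound(uint64_t w) { return ((lfp_addr(w) >> lfp_b(w)) + lfp_m(w)) << lfp_b(w); }

/* Encode a pointer to a fresh object [base, base+size).  Picks the smallest
 * block size 2^B such that the object spans at most 63 blocks; for size > 63
 * that means at least 32 blocks, so the padding (< one block) is under 1/32
 * of the object, which is where a ~3% worst-case overhead comes from.
 * Returns -1 if base is not block-aligned or the object does not fit. */
int lfp_encode(uint64_t base, uint64_t size, uint64_t *out) {
    if (size == 0 || base > LFP_ADDR_MASK || size > LFP_ADDR_MASK + 1 - base) return -1;
    unsigned b = 0;
    while (((size + (1ULL << b) - 1) >> b) > LFP_MAX_BLOCKS) b++;     /* ceil(size / 2^b) <= 63 */
    uint64_t nblocks = (size + (1ULL << b) - 1) >> b;
    if (base & ((1ULL << b) - 1)) return -1;                           /* allocator must align base to 2^B */
    if ((((base >> b) + nblocks) << b) > LFP_ADDR_MASK + 1) return -1; /* bound must stay in the 46b space */
    *out = lfp_pack(base, b, 0, nblocks);                              /* A = base, so I = 0, M = nblocks */
    return 0;
}

/* Bytes of padding the encoding adds to an object, or UINT64_MAX on failure. */
uint64_t lfp_padding(uint64_t base, uint64_t size) {
    uint64_t w;
    if (lfp_encode(base, size, &w) != 0) return UINT64_MAX;
    return lfp_bound(w) - (base + size);
}

/* Pointer arithmetic: move A, and when A crosses a block boundary shift the
 * block count between I and M so base and bound stay fixed.  Rejects results
 * below base or past the bound block (I or M would go negative). */
int lfp_add(uint64_t w, int64_t delta, uint64_t *out) {
    unsigned b = lfp_b(w);
    uint64_t a = lfp_addr(w);
    int64_t na = (int64_t)a + delta;
    if (na < 0 || (uint64_t)na > LFP_ADDR_MASK) return -1;
    int64_t blk_delta = (int64_t)((uint64_t)na >> b) - (int64_t)(a >> b);
    int64_t ni = (int64_t)lfp_i(w) + blk_delta;
    int64_t nm = (int64_t)lfp_m(w) - blk_delta;
    if (ni < 0 || nm < 0) return -1;
    *out = lfp_pack((uint64_t)na, b, (uint64_t)ni, (uint64_t)nm);
    return 0;
}

/* The check the hardware would run beside the load/store: [A, A+n) within [base, bound). */
bool lfp_check(uint64_t w, uint64_t n) {
    uint64_t a = lfp_addr(w), base = lfp_base(w), bound = lfp_bound(w);
    if (n == 0 || a < base || a >= bound) return false;
    return n <= bound - a;
}

int main(void) {
    uint64_t p;
    if (lfp_encode(0x10000, 1000, &p) != 0) return 1;   /* constructed: 1000-byte object at 0x10000 */
    printf("B=%u base=%#llx bound=%#llx padding=%llu\n", lfp_b(p),
           (unsigned long long)lfp_base(p), (unsigned long long)lfp_bound(p),
           (unsigned long long)lfp_padding(0x10000, 1000));
    for (int64_t off = 992; off <= 1008; off += 8) {   /* walk across the end of the object */
        uint64_t q;
        int ok = lfp_add(p, off, &q);
        printf("p+%lld: %s, 8-byte access %s\n", (long long)off,
               ok == 0 ? "in range" : "rejected",
               ok == 0 && lfp_check(q, 8) ? "allowed" : "denied");
    }
    return 0;
}
```

Two properties worth noticing when running it: the bound is exact only to block granularity, so the one-past-the-end pointer C programs routinely form still encodes (M becomes 0) but every access through it is denied; and because I and M are updated by the same shift that moves A, the update logic is a handful of adders and comparators, which is the property the paper exploits to keep it off the ALU's critical path.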
Citations
Journal ArticleDOI
The CHERI capability model: revisiting RISC in an age of risk
Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, Michael Roe
TL;DR: CHERI, a hybrid capability model that extends the 64-bit MIPS ISA with byte-granularity memory protection, is presented, demonstrating that it enables language memory model enforcement and fault isolation in hardware rather than software, and that the CHERI mechanisms are easily adopted by existing programs for efficient in-program memory safety.
Proceedings ArticleDOI
Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity
Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, Stelios Sidiroglou-Douskos
TL;DR: It is shown that many popular code bases such as Apache and Nginx use coding practices that create flexibility in their intended control flow graph (CFG) even when a strong static analyzer is used to construct the CFG, which allows an attacker to gain control of the execution while strictly adhering to a fine-grained CFI.
Proceedings ArticleDOI
CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization
Robert N. M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, Munraj Vadera
TL;DR: This work demonstrates multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs.
Proceedings ArticleDOI
Missing the Point(er): On the Effectiveness of Code Pointer Integrity
Isaac Evans, Sam Fingeret, Julian Gonzalez, Ulziibayar Otgonbaatar, Tiffany Y. Tang, Howard Shrobe, Stelios Sidiroglou-Douskos, Martin Rinard, Hamed Okhravi
TL;DR: It is shown that, for architectures that do not support segmentation in which CPI relies on information hiding, CPI's safe region can be leaked and then maliciously modified by using data pointer overwrites.
Proceedings ArticleDOI
SGXBOUNDS: Memory Safety for Shielded Execution
Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia, Pascal Felber, Christof Fetzer
TL;DR: SGXBounds is an efficient memory-safety approach for shielded execution exploiting the architectural features of Intel SGX based on the LLVM compiler framework targeting unmodified multithreaded applications and has performance and memory overheads similar to AddressSanitizer and Intel MPX.
References
Proceedings ArticleDOI
Hardbound: architectural support for spatial safety of the C programming language
TL;DR: A hardware bounded pointer architectural primitive that supports cooperative hardware/software enforcement of spatial memory safety for C programs is proposed, which is a new hardware primitive datatype for pointers that leaves the standard C pointer representation intact, but augments it with bounds information maintained separately and invisibly by the hardware.
Journal ArticleDOI
Properties of the working-set model
TL;DR: The independent-reference model, in which page references are statistically independent, is used to assess the effects of interpage dependencies on working-set size observations; under general assumptions, working-set size is shown to be normally distributed.
Book
HYDRA/C.mmp, an experimental computer system
Book
The Cambridge CAP computer and its operating system
TL;DR: The need for hardware memory protection was first met when operating systems which permitted the running of users' programs written in a variety of languages, including assembly language, came into use.
Proceedings Article
Capsicum: practical capabilities for UNIX
TL;DR: This work demonstrates the approach by adapting core FreeBSD utilities and Google's Chromium web browser to use Capsicum primitives, and compares the complexity and robustness of Capsicum with other sandboxing techniques.