Memory Safety


Top Wonderings

  • Until now, how many ways do we have to resolve memory safety issues?
    • Tackling layers in the system, one or two but not all layers:
    • New language. Cyclone, CCured, Java, Rust, …
    • Compiler analysis/instrumentation. SoftBound,
    • Hardware extension. NX bit, page/region permission, Intel MPX, Enclaves, HardBound, …
    • Operating system. ASLR, …
    • A new ecosystem (with revision to all layers)
    • CHERI.
    • Technique side:
    • Static property checking
      • Some static types for memory safety. Examples ???
    • Dynamic property checking
      • Some dynamic types for memory safety. Examples ???

Quotes:

Intel Memory Protection Extensions(MPX) and Software Guard Extensions (SGX), as well as Oracle Silicon Secured Memory (SSM), signal an unprecedented industrial willingness to implement hardware mechanisms for memory safety and security.

Capability Pointers vs. address-space separation

Capability pointers are stronger than fault detection schemes such as MPX and SSM, and are able to achieve provable containment at the granularity of program-defined objects that is as strong as address-space separation.

Surveys

  • SoK: Eternal War in Memory. SP. 2013.

  • “70% of all security issues addressed in Microsoft products are caused by violations of memory safety”

    • Matt Miller. Trends, challenges, and strategic shifts in the software vulnerability mitigation landscape. BlueHat, 2019. slides

Contents

  • Temporal
  • References: [1] CETS: Compiler-Enforced Temporal Safety for C, ISMM, 2010. [paper] Basics Temporal safety Temporal safety erros include: dangling pointer dereferences (referencing an object that has been deallocated); dangling pointer to stack; dangling pointer to reallocated heap objects; double free’s (calling free() on the same object multiple times); invalid frees (calling free() with a non-heap address or pointer to the middle of a heap-allocated region). Location-based temporal checking Use location (or address) to determine whether it is allocated or not.

  • Mem Tag
  • Q & A Is it possible to automatically set/check tags without changing ISA interface? Taint tracking tags? References: Efficient Tagged Memory, ICCD, 2017. CheriABI UCAM-CL-TR-932, 2019. Secure program execution via dynamic information flow tracking. 2004, ASPLOS. A small cache of large ranges: Hardware methods for efficiently searching, storing, and updating big dataflow tags. 2008. MICRO. Hardware enforcement of application security policies using tagged memory. 2008, OSDI. E.

  • Secure by Permission bits on Page Table
  • Example: MMU and its variants MPK on Intel MPU on ARM Supervisor Mode Access Prevention. On CR4/x86 Reference 1 Dang Q&A How to detect there is still reference pointing to a pool? What if there is a buffer overflow to the freed variable on the same page? Reference 1 Problem: Allocate only one object per physical page would be quickly exhaust physical memory. Changing the allocation in this way would potentially lead to poor cache performance in physically indexed cache.

  • Secure Memory by Compiling
  • A special case of building isolated software boxes. With Static & Dynamic analysis and/or Compiler Instrumentations. Examples: Shadow Stacks SafeCode nesCheck Reference 1 201904 Secswift Reference 1 A compiler approach to cyber-security ↩ Sok: Shining Light on Shadow Stacks Reference 1 SoK: Shining Light on Shadow Stacks. arXiv, 2019. ↩ Defending Embedded Systems Against Control Flow Attacks A hardware controlled stack split: one for data, one for return; Reference 1 Defending Embedded Systems Against Control Flow Attacks.

  • Secure Memory by using Metadata for Pointers
  • Bookkeeping the metadat for pointers, such as base,bounds,ownerships,lock/keys, etc., to secure the system. Examples: fat pointers and its variants. Reference 1 Code Pointer Integrity References: Code Pointer Integrity Motivation CFI 1 2 3 4 5 is shown to be ineffective 6 7 8. Transactions on Information Forensics and Security, 6(4):1404–1417, Dec. 2011. More Code-Pointer Integrity References: Code-Pointer Integrity Goal Guarantees the integrity of all code pointers in a program, e.

  • Secure Memory by Language
  • Design or leverage language features to secure a system. Example: Cyclone CCured nesC CheckedC Reference 1 CCured Reference 1 CCured: Type-Safe Retrofitting of Legacy Software. ACM Transactions on PL and Systems. 2005. ↩ nesC Reference 1 reference ↩ reference ↩

  • Attacks
  • Reference 1 Overflow Reference 1 Heart Bleed CVE-2014-0160 OpenSSL 1.0.1f, Fixed in 1.0.1g tlsl_process_heartbeat() in t1_lib.c // 2553 int tls1_process_heartbeat(SSL *s){ unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned short hbtype; unsigned int payload; unsigned int padding = 16; /* Use minimum padding */ /* Read type and payload length first */ hbtype = *p++; n2s(p, payload); pl = p; if (s->msg_callback) s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, &s->s3->rrec.data[0], s->s3->rrec.length, s, s->msg_callback_arg); if (hbtype == TLS1_HB_REQUEST) { unsigned char *buffer, *bp; int r; /* Allocate memory for the response, size is 1 bytes * message type, plus 2 bytes payload length, plus * payload, plus padding */ buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); memcpy(bp, pl, payload); bp += payload; /* Random padding */ RAND_pseudo_bytes(bp, padding); r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); .

  • RIPE: Runtime Intrusion Prevention Evaluator
  • 850 buffer overflow attack forms. RIPE 1 extends 2003 NDSS 2 paper from 20 attack forms to 850 attack forms. Dimensions Location of the buffer in memory, target code pointer, overflow technique, D1: Location Stack Heap BSS segment Data segment D2: Target Code Pointer Return address Old base pointer: The previous contents of the EBP register, which is used to reference functin arguments and local variables Functino pointers: Generic function pointers allowing programmers to dymanically call different functions from the same code Longjmp buffers: Setjmp/longjmp is a technique which allows programmers to easily jump back to a predefined point in their code.

Created Jun 27, 2019 // Last Updated Jul 8, 2021

If you could revise
the fundmental principles of
computer system design
to improve security...

... what would you change?