Bookkeeping the metadat for pointers, such as base,bounds,ownerships,lock/keys, etc., to secure the system. Examples:
Reference 1
References: Code Pointer Integrity Motivation CFI 1 2 3 4 5 is shown to be ineffective 6 7 8. Transactions on Information Forensics and Security, 6(4):1404–1417, Dec. 2011. More Code-Pointer Integrity References: Code-Pointer Integrity Goal Guarantees the integrity of all code pointers in a program, e.g. function pointers, saved return addresses), and thereby prevents all control-flow hijack attacks, including return-oriented programming. Challenges Hard to make Low level languages safe (C/C++) while preserving their benefits including performance and flexible programming patterns.
Reference 1 Folding tags into the pointer By alignment: Certain types of data will be aligned to the size of data, often a word or multiple thereof. This discrepancy leaves a few of the least significant bits of the pointer unused, which can be used for tags – most often as a bit field (each bit a separate tag) – as long as code that uses the pointer masks out these bits before accessing memory.
References: ARM Pointer Authentication. LWN.net. April 2017. PAC it up: Towards Pointer Integrity using ARM Pointer Authentication.. USENIX Security, 2019. ARMv8-A Architecture Reference Manual Qualcomm Technologies, Inc. Pointer Authentication on ARMv8.3. 2017 Pointer Authentication (PA) Added in ARMv8-A. Purpose is to detect pointers created by an external entity. PA uses cryptographic message authentication codes (MACs) to protect the integrity of pointers. It attaches a cryptographic signature to pointer values; unused uppermost bits [62:48/42/39] of the address, could be used to hold auth code.
Reference1 Runtime Bounds Checking Reference: Runtime Defenses agains Memory Corruption, or here Three kinds of solutions: Modified pointer representation. Pointer keeps information about its referent object Incompatible with external code, libraries, etc. Special table maps pointers to referent objects Check referent object on every dereference What if a pointer is modified by external code? Keep track of address range of each object For every pointer arithmetic operation, check that the results points to the same referent object.
Reference: CETS paper Temporal errors include: dangling pointer dereferences (referencing an object that has been deallocated), double frees (calling free() on the same object multiple times), invalid frees (calling free() with a non-heap address or pointer to the middle of a heap-allocated region). CETS: Compiler Enforced Temporal Safety. Movivation Temporal errors are challenging. Prior proposals suffer from one or more of the following deficiencies: high runtime overheads, high memory overheads, failure to detect all temporal errors (for example, to the stack, to reallocated heap locations, or in the face of arbitrary casts) requiring annotations inserted by the programmer, or altering memory layout (which breaks compatibility with existing C code).
References: [1] Low-Fat Pointers: Compact Encoding and Efficient Gate-Level Implementation of Fat Pointers for Spatial Safety and Capability-based Security. [paper] Low-fat Capability Format
Reference: SoftBound: Highly Compatible and Complete Spatial Memory Safety for C. PLDI, 2009. Background spatial violation detection and prevention. Object-Based Approaches. Pointer-Based Approaches. Comparison of Various Approaches. Design Associates base and bound metadata with every pointer. Disjoint metadata representation avoids memory layout changes and arbitrary casts. Metadata Propagation with Function Calls. When pointers are passed as arguments or returned from functions, their base and bound metadata must also travel with them.
References: [1] HardBound: Architectural Support for Spatial Safety of the C Programming Language. [paper] The C programming language is at least as well known for its absence of spatial memory safety guarantees (i.e., lack of bounds checking) as it is for its high performance. C’s unchecked pointer arithmetic and array indexing allow simple programming mistakes to lead to erroneous executions, silent data corruption, and security vulnerabilities. Many prior proposals have tackled enforcing spatial safety in C programs by checking pointer and array accesses.
References: [1] Hardware support for fast capability based addressing. SIGPLAN, 1994. [2] CHERI Concentrate: Practical Compressed Capabilities, IEEE Transactions on Computers, 2019. M-Machine Capability Format
Reference1 Arch support Instructions: BNDMK: saving bound pair for bounds register BNDCL: checking lower bound with bounds register value and operands BNDCU, BNDCN: checking upper bound with bounds register upper value and operands. BNDMOV: accessing bound register. BNDLDX: loading bounds reigister from memory. BNDSTX: saving bounds register to memory. Registers: BND0-3 Bound registers. BNDCFGU. configuration register for bound paging in ring 3.
References: reference More
If you could revise
the fundmental principles of
computer system design
to improve security...
... what would you change?