Runtime Bounds Checking

Reference: Runtime Defenses against Memory Corruption

Three kinds of solutions:

  1. Modified pointer representation.
    • Pointer keeps information about its referent object
    • Incompatible with external code, libraries, etc.
  2. Special table maps pointers to referent objects
    • Check referent object on every dereference
    • What if a pointer is modified by external code?
  3. Keep track of address range of each object
    • For every pointer arithmetic operation, check that the result points to the same referent object.

Examples:

  • Jones-Kelly: pad each object by 1 byte; maintain a runtime tree of allocated objects; replace all out-of-bounds addresses with an illegal value; backwards-compatible pointer representation.
    • What if a pointer to an out-of-bounds address is used to compute an in-bounds address? ==> Result: False alarm.
  • Ruwase-Lam: catch out-of-bounds pointers at runtime.
    • Requires instrumentation of malloc() and a special runtime environment.
    • An out-of-bounds pointer points to a special OOB object, which stores the original out-of-bounds value and a pointer to the original referent object.
    • Pointer arithmetic on out-of-bounds pointers:
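
The Jones-Kelly false alarm and the Ruwase-Lam OOB object side by side, as an added example that is not taken from the referenced material or from either scheme's real implementation. It is a simplified model: a fixed array stands in for the runtime tree, addresses are handled as `uintptr_t`, and every name (`track`, `jk_add`, `rl_add`, `deref_ok`, `ILLEGAL`) is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uintptr_t base; size_t size; } Obj;      /* one tracked object */
typedef struct { uintptr_t value; const Obj *ref; } Oob;  /* Ruwase-Lam OOB object */
static Obj objs[8]; static int nobj;  /* fixed array standing in for the runtime tree */
static Oob oobs[8]; static int noob;  /* live OOB objects */
#define ILLEGAL ((uintptr_t)-2)       /* Jones-Kelly: every OOB result becomes this */
static void track(void *p, size_t n) { objs[nobj++] = (Obj){ (uintptr_t)p, n }; }
/* Legal arithmetic results are base..base+size; one past the end is the pad byte. */
static int inside(const Obj *o, uintptr_t a) { return a >= o->base && a <= o->base + o->size; }
static const Obj *referent(uintptr_t a) {
    for (int i = 0; i < nobj; i++) if (inside(&objs[i], a)) return &objs[i];
    return NULL;
}
static Oob *as_oob(uintptr_t p) {
    for (int i = 0; i < noob; i++) if (p == (uintptr_t)&oobs[i]) return &oobs[i];
    return NULL;
}
/* Jones-Kelly checked p + d: the out-of-bounds value itself is thrown away. */
static uintptr_t jk_add(uintptr_t p, ptrdiff_t d) {
    const Obj *o = (p == ILLEGAL) ? NULL : referent(p);
    return (o && inside(o, p + (uintptr_t)d)) ? p + (uintptr_t)d : ILLEGAL;
}
/* Ruwase-Lam checked p + d: an OOB result is the address of an OOB object that keeps
   the real value and the referent, so later arithmetic can come back in bounds. */
static uintptr_t rl_add(uintptr_t p, ptrdiff_t d) {
    Oob *b = as_oob(p);
    const Obj *o = b ? b->ref : referent(p);
    uintptr_t v = (b ? b->value : p) + (uintptr_t)d;
    if (!o) return ILLEGAL;            /* untracked pointer: outside this model */
    if (inside(o, v)) return v;        /* back (or still) in bounds: plain address */
    if (noob == 8) return ILLEGAL;     /* OOB table full */
    oobs[noob] = (Oob){ v, o };
    return (uintptr_t)&oobs[noob++];
}
/* A dereference is legal only for a real address strictly inside a tracked object. */
static int deref_ok(uintptr_t p) {
    const Obj *o = (p == ILLEGAL || as_oob(p)) ? NULL : referent(p);
    return o && p < o->base + o->size;
}
int main(void) {
    char buf[16]; track(buf, sizeof buf);              /* constructed sample object */
    uintptr_t p = (uintptr_t)buf, q = rl_add(p, 20);   /* buf + 20 is out of bounds */
    printf("Jones-Kelly (buf+20)-8 usable? %d\n", deref_ok(jk_add(jk_add(p, 20), -8)));
    printf("Ruwase-Lam  (buf+20)-8 usable? %d\n", deref_ok(rl_add(q, -8)));
    return 0;
}
```

In both models the out-of-bounds intermediate itself is never dereferenceable; the difference is only whether the in-bounds result computed from it survives.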
Created Jul 26, 2019 // Last Updated Oct 12, 2019
