fat pointers
play

FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? - PowerPoint PPT Presentation

Jan 11, 2024 •21 likes •511 views

FAT POINTERS Arjun Menon IIT Madras What is a Fat Pointer? METADATA ADDRESS PTR Typically metadata contains the base and bounds of the pointer which is essentially the valid accessible memory region by the pointer if(

  1. FAT POINTERS Arjun Menon IIT Madras

  2. What is a Fat Pointer? METADATA ADDRESS PTR ● Typically metadata contains the “base” and “bounds” of the pointer which is essentially the valid accessible memory region by the pointer ● if( (ADDRESS >= PTR.base) && (ADDRESS <= PTR.bound) ) perform load or store else jump to error handler 2

  3. Recap of Memory-based attacks ● Spatial (Buffer overflow) ○ Stack overflow ○ Heap overflow ○ Format string attacks ● Temporal ○ Use-after-free ○ Double free 3

  4. Object based struct { Key concept: Base and bounds associated per object char id[8]; Advantage: int account_balance; } bank_account; ● Memory layout of objects is not changed char* ptr = &(bank_account.id); ○ Improves source and binary compatibility strcpy(ptr, "overflow..."); Disadvantage: ● Overflows can occur on a sub-object basis ● Performance bottleneck: Object lookup is a range lookup ○ Typically implemented using splay trees ● Out-of-bounds pointers need special care Examples: [1], [2], [3] 4

  5. Pointer based Key concept: Base and bounds associated per pointer Advantages: ● Can enforce complete spatial safety ● Out-of-bounds pointers are taken care implicitly Disadvantage: ● Performance overhead: Propagation and checking of base and bounds ● Changes memory layout in a programmer visible way ● Do not handle arbitrary casts ● May be not support dynamic linking of libraries Examples: [4], [5], [6], [7] 5

  6. Agenda 1. SoftBound [4] 2. Low-fat Pointers [5] 3. WatchDog [6] 4. Shakti-T [7] 6

  7. 1. SoftBound (PLDI ‘09) 7

  8. SoftBound ● Tries to combine advantages of both object and pointer based solutions ● Source code compatibility ○ Disjoint metadata: Avoids any programmer visible memory layout changes ○ Allows arbitrary casts ● Completeness ○ Guarantees spatial safety ○ Includes a formal proof ● Separate compilation ○ Allows library code to be recompiled with SoftBound and dynamically linked 8

  9. Pointer dereference check check (ptr, ptr_base, ptr_bound, sizeof(*ptr)) value= *ptr; void check(ptr, base, bound, size) { if ((ptr < base) || (ptr+size > bound)) { abort(); } } 9

  10. Creating pointers ptr = malloc(size); 1. Explicit memory allocation i.e. malloc() ptr_base = ptr; ptr_bound = ptr + size; if (ptr == NULL) ptr_bound = NULL; int array[100]; 2. Taking the address of a global or a stack ptr = &array; allocated variable using the “&” operator ptr_base = &array[0]; ptr_bound = ptr_base+ sizeof(array); 10

  11. Pointer arithmetic and pointer assignment ● new_ptr= ptr + index newptr = ptr + index; newptr_base = ptr_base; ● No checks are required newptr_bound = ptr_bound; ○ Out-of-bounds value of newptr_bound is fine as long as “newptr” is not dereferenced 11

  12. Optional narrowings of pointer bounds 1. Creating a pointer to a field of a structure. NARROWED struct { ... int num; ... } *n; ... p = &(n->num); p_base = max(&(n->num), n_base); p_bound = min(p_base + sizeof(n->num), n_bound); 2. Creating a pointer to an element of an array. NOT NARROWED memset(&arr[4], 0, size); p_base = arr_base; p_bound = arr_bound; 12

  13. In-Memory Pointer Metadata Encoding int** ptr; 1. Load int** ptr; int *new_ptr; int* new_ptr; . . . new_ptr= *ptr; check(ptr, ptr_base, ptr_bound, sizeof(*ptr)); newptr = *ptr; newptr_base = table_lookup(ptr)->base; newptr_bound = table_lookup(ptr)->bound; int** ptr; 2. Store int** ptr; int *new_ptr; int* new_ptr; . . . (*ptr)= new_ptr; check(ptr, ptr_base, ptr_bound, sizeof(*ptr)); (*ptr) = new_ptr; table_lookup(ptr)->base = newptr_base; table_lookup(ptr)->bound = newptr_bound; 13

  14. Metadata Propagation with Function Calls int func(char *s) int sb_func(char *s, void* s_base, void* s_bound) { . . . } { . . . } int val = func(ptr); int val = sb_func(ptr, ptr_base, ptr_bound); ● Functions that return a pointer are changed to return a 3- element structure by value 14

  15. Disadvantages ● Performance overhead of 67% on average ● Does not provide security against temporal attacks 15

  16. 2. Low-Fat Pointers (CCS ‘13) 16

  17. Low-fat Pointers ● Use the upper unused bits of virtual address to store the base and bounds ● New, compact fat-pointer encoding and implementation (BIMA) ● Dedicated hardware checks in parallel if the Effective Address (EA) is within the valid base and bounds ○ Does not affect the processor clock speed ● Assumptions: ○ The memory is tagged ■ Every word has a type associated with it 17

  18. Aligned Encoding ● Assumption ○ The pointer is aligned on a boundary that is a power of 2 ○ The size of the segment the pointer is referencing is also a power of two (i.e. 2 B for some B) ● The base can be determined by replacing B bits in the LSB with 0’s base= A - (A & ((1 << B) -1) ) ● The bound can be determined by replacing B bits in the LSB with 1’s ● Therefore, only B bits are required to represent both the base and the bounds ● Disadvantage: ○ Very high memory fragmentation 18

  19. BIMA encoding 63 58 57 52 51 46 45 0 B I M A 6 6 6 46 ● B: Block size exponent ● I: Minimum bound ● M: Maximum bound ● A: Address 19

  20. The formula carry = 1 << (B + | I |) Atop = ( A & (carry-1) ) Mshift = M << B I shift = I << B D under = (A >> B)[5:0] < I ? (carry | Atop) - I shift : Atop - I shift D over = (A >> B)[5:0] > M? (carry | Mshift) - Atop : Mshift - Atop 20

  21. Example Base = 2 Bound = 13 Address = 7 carry = 1 << (B + | I |) carry = 1 << (1+6) = ‘b1000_0000 Atop = ( A & (carry-1) ) Atop = ‘b111 & (‘b0111_111) = ‘b111 = 7 Mshift = M << B Mshift = 7 << 1 = 14 I shift = I << B I shift = 1 << 1 = 2 D under = (A >> B)[5:0] < I ? D under = 3 < 1 ? (carry | Atop) - I shift : Atop - I shift (carry | Atop) - I shift : 7 - 2 = 5 D over = (A >> B)[5:0] > M? D over = (A >> B)[5:0] > M? (carry | Mshift) - Atop : Mshift - Atop (carry | Mshift) - Atop : 14 - 7 = 7 21

  22. Drawbacks ● Cannot express Out-of-Bounds pointer implicitly ● Memory fragmentation (~3%) ● Managing the base and bounds of stack allocated variables ● Prevents only spatial, and not temporal memory attacks 22

  23. 3. WatchDog (ISCA ‘12) 23

  24. Key idea ● Associate a base, bound, lock and a key with every pointer ● Hardware is responsible for propagation and checking of metadata ● Software manages the values of these metadata ● To prevent temporal attacks, fetch the value at the lock address, and check if it matches the value of the key 24

  25. Temporal protection (Conceptual) ● Assumptions: ○ Every register has a sidecar part which stores the metadata (id or lock) ○ Every memory address has a shadow region which stores the id of the pointer stored in that memory location 25

  26. Lock and Key Mechanism 26

  27. Code instrumentation 27

  28. Drawbacks ● The metadata overhead per pointer is 256bits ● Separate lock location cache 28

  29. Existing Hardware Solutions (Common design choice) ● Store the base and bound values (in shadow registers) in the register file alongside the value. ● It has the following implications: ○ Most of the base and bound shadow registers remain unused ○ When register spilling occurs, the base and bounds are also discarded ○ If aliased pointers exists in the registers, the base and bound values will have duplicate entries 29

  30. 4. Shakti-T (HASP ‘17) 30

  31. Proposed solution 1. Have a common memory region called Pointer Limits Memory (PLM) to store the values of base and bounds • Declare a new register which points the base address of PLM • Base and bounds are associated with a pointer by the value of the offset ( pointer_id ) MEMORY Tag bit ( Data + 2. Add a 1-bit tag to every memory word Instructions ) • 0: Data/Instruction PLBR • 1: Pointer PLM 31

  32. Proposed solution 3. Maintain a separate table alongside the register file that stores the values of base and bounds (and the pointer_id ) • One level indexing is used to associate a GPR holding a pointer with its corresponding values of base and bounds 32

  33. Proposed solution 33

  34. New Instructions • Write tag [ wrtag rd, imm ] • Write PLM [ wrplm rs1, r2, rs3 ] • Load base and bounds [ ldbnb rd, rs1 ] • Load pointer [ ldptr rd, rs1, imm ] • Write special register [ wrspreg rs1, imm ] • Read special register [ rdspreg rd, imm ] • Function store [ fnst rs1, imm(rs2) ] • Function load [ fnld rd, imm(rs1) ] 34

  35. Example programs • Dynamic memory allocation char * ptr = malloc(n); 1. After malloc returns with the base address, the bounds is computed as bound = base + n 2. Store the value of base and bound in the PLM at the address PLBR+ptr_id using the wrplm instruction. 3. When storing the initialized value of ptr in the memory at an address addr , store the value of ptr_id at addr +8 35

  36. Example programs • A function call function foo( ) { ptr_id= 5 char *ptr5; ptr5= malloc(20); … bar( ); … } 36

  37. Example programs • A function call function foo( ) { char *ptr5; ptr5= malloc(20); … bar( ); … } 37

  38. Example programs • A function call function foo( ) { char *ptr5; ptr5= malloc(20); … bar( ); … } 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Topic 7 1. Defining and using pointers 2. Arrays and pointers 3. C and C++ strings 4.

Topic 7 1. Defining and using pointers 2. Arrays and pointers 3. C and C++ strings 4.

Topic 7 1. Defining and using pointers 2. Arrays and pointers 3. C and C++ strings 4. Dynamic memory allocation 5. Arrays and vectors of pointers 6. Problem solving: draw a picture 7. Classes of objects 8. Pointers and objects

613 views • 21 slides
Class Five You havent run screaming yet... Lets do pointers! pointers are one of the

Class Five You havent run screaming yet... Lets do pointers! pointers are one of the

The Code Liberation Foundation Lecture 5 Pointers Class Five You havent run screaming yet... Lets do pointers! pointers are one of the most powerful things about c++ A pointer is a variable that holds the address of another

608 views • 22 slides
Pointers III: Struct &amp; Pointers 1 Structures What is

Pointers III: Struct &amp; Pointers 1 Structures What is

Pointers III: Struct &amp; Pointers 1 Structures What is a structure? One or more values, called members, with possibly dissimilar types that are

444 views • 26 slides
Pointers III: Struct &amp; Pointers 1 Structures What is

Pointers III: Struct &amp; Pointers 1 Structures What is

Pointers III: Struct &amp; Pointers 1 Structures What is a structure? One or more values, called members, with possibly dissimilar types that are

531 views • 25 slides
Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our LC-3

Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our LC-3

Chapter 16 Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our LC-3 programs; now we'll see them in C. Pointer Address of a variable in memory Allows us to indirectly access variables in other words,

1.1k views • 29 slides
Fundamentals of Programming Lecture 15 Hamed Rasifard 1 Outline Types of Pointers

Fundamentals of Programming Lecture 15 Hamed Rasifard 1 Outline Types of Pointers

Fundamentals of Programming Lecture 15 Hamed Rasifard 1 Outline Types of Pointers Arrays of Pointers Multiple Indirection Initializing Pointers Pointers to Functions Dynamic Memory Allocation 2 Types of Pointers

199 views • 19 slides
Pointers II 1 Outline Pointers arithmetic and others Functions &amp; pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions &amp; pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions &amp; pointers 2 Pointer Arithmetic When you add to or subtract from a pointer, the amount by which you do that is multiplied by the size of the type the pointer points

689 views • 33 slides
Today: C Pointers &amp; Arrays Understand str / ldr Understand C pointers ARM

Today: C Pointers &amp; Arrays Understand str / ldr Understand C pointers ARM

This week Assignment 1 due Tuesday: youll have proved your bare-metal mettle! Lab 2 prep do pre-lab reading! bring your tools Today: C Pointers &amp; Arrays Understand str / ldr Understand C pointers ARM addressing

520 views • 38 slides
Pointers to Functions C doesn t require that pointers point only to data; it s also

Pointers to Functions C doesn t require that pointers point only to data; it s also

Pointers to Functions C doesn t require that pointers point only to data; it s also possible to have pointers to functions. Pointers to Functions Function pointers point to memory addresses where functions are stored. o int (*fp)

240 views • 5 slides
Pointers &amp; Dynamic Memory Review C Pointers Introduce C++ Pointers Data Abstractions

Pointers &amp; Dynamic Memory Review C Pointers Introduce C++ Pointers Data Abstractions

Pointers &amp; Dynamic Memory Review C Pointers Introduce C++ Pointers Data Abstractions CSCI-2320 Dr. Tom Hicks Computer Science Department 2 Printing! Use Computer Science Printers Only For Your Computer Science Homework!!!! Print

1.19k views • 37 slides
Chapter 16 Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our

Chapter 16 Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our

Chapter 16 Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our C programs; now we'll see how they are implemented in LC-3. Pointer Address of a variable in memory Allows us to indirectly access

343 views • 16 slides
CS162 - POINTERS Lecture: Pointers and Dynamic Memory What are pointers Why dynamically

CS162 - POINTERS Lecture: Pointers and Dynamic Memory What are pointers Why dynamically

CS162 - POINTERS Lecture: Pointers and Dynamic Memory What are pointers Why dynamically allocate memory How to dynamically allocate memory What about deallocation? Walk thru pointer exercises CS162 Pointers 1 CS162 -

477 views • 27 slides
C Programming for Engineers Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1 Pointers

C Programming for Engineers Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1 Pointers

C Programming for Engineers Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1 Pointers Pointers are variables whose values are memory addresses . A variable name directly references a value, and a pointer indirectly references a value.

730 views • 29 slides
Programming for Engineers Pointers ICEN 200 Spring 2018 Prof. Dola Saha 1 Pointers

Programming for Engineers Pointers ICEN 200 Spring 2018 Prof. Dola Saha 1 Pointers

Programming for Engineers Pointers ICEN 200 Spring 2018 Prof. Dola Saha 1 Pointers Pointers are variables whose values are memory addresses . A variable name directly references a value, and a pointer indirectly references a value.

738 views • 28 slides
Pointers and Dynamic Memory Allocation Pointers 2 Pointers Pointer-type variables allow

Pointers and Dynamic Memory Allocation Pointers 2 Pointers Pointer-type variables allow

Pointers and Dynamic Memory Allocation Pointers 2 Pointers Pointer-type variables allow accessing memory in an indirect way. Memory Memory a a p int a; int a; int *p; a=10; p=&amp;a; *p=10; 3 Operators * and &amp;

325 views • 17 slides
Pointers Eric McCreath Introduction Pointers in c are basically memory addresses, they provide a

Pointers Eric McCreath Introduction Pointers in c are basically memory addresses, they provide a

Pointers Eric McCreath Introduction Pointers in c are basically memory addresses, they provide a simple and flexible way of your program referencing data. All parameters in C are passed by making copies of the arguments to the function call.

271 views • 7 slides
Section 40: Muscle Mechanics Section 40: Muscle Mechanics 40-1 40-2 From: Hamill Smallest

Section 40: Muscle Mechanics Section 40: Muscle Mechanics 40-1 40-2 From: Hamill Smallest

Section 40: Muscle Mechanics Section 40: Muscle Mechanics 40-1 40-2 From: Hamill Smallest MU recruited at lowest stimulation frequency stimulation frequency As frequency of stimulation of smallest MU increases, force of its

369 views • 10 slides
Meta-analysis is wit ith a general genetic model: ACTN3 &amp; athletic performance Damjan

Meta-analysis is wit ith a general genetic model: ACTN3 &amp; athletic performance Damjan

Meta-analysis is wit ith a general genetic model: ACTN3 &amp; athletic performance Damjan Vukcevic Centre for Systems Genomics University of Melbourne 25 May 2017 ViCBiostat Seminar Overview Part 1 Part 2 Background Simpler

778 views • 53 slides
Muscle Fiber Types PSK 4U North Grenville DHS Mr. S. Kelly Slow Twitch Muscle Fibers

Muscle Fiber Types PSK 4U North Grenville DHS Mr. S. Kelly Slow Twitch Muscle Fibers

Muscle Fiber Types PSK 4U North Grenville DHS Mr. S. Kelly Slow Twitch Muscle Fibers Darker (red) in colour Contract and relax relatively slowly Able to maintain low(er) tension for a longer period of time Low levels of

413 views • 19 slides
Computational Topology - Mapper Jiaqi Ni Eindhoven University of Technology June 14, 2018

Computational Topology - Mapper Jiaqi Ni Eindhoven University of Technology June 14, 2018

Computational Topology - Mapper Jiaqi Ni Eindhoven University of Technology June 14, 2018 Outline Introduction Mapper in the continuous setting Mapper in practice Parameters of Mapper in practice Applications Summary Introduction Mapper

1.12k views • 77 slides
The Pancreas Study Question: Is the decrease in triglyceride content of the pancreas

The Pancreas Study Question: Is the decrease in triglyceride content of the pancreas

The Pancreas Study Question: Is the decrease in triglyceride content of the pancreas specifically related to type 2 diabetes and it reversal? Or is it merely a generalised effect of loss of fat from the body? Design: Compare pancreas

510 views • 11 slides
FAT cont / HDDs/ SSDs / inodes 1 Changelog Changes made in this version not seen in fjrst

FAT cont / HDDs/ SSDs / inodes 1 Changelog Changes made in this version not seen in fjrst

FAT cont / HDDs/ SSDs / inodes 1 Changelog Changes made in this version not seen in fjrst lecture: 28 March 2019: SSD block remapping: fjx some animation issues 28 March 2019: xv6 disk layout: add note re: specialness of some block numbers

1.34k views • 115 slides
Filesystems and FAT CS 4411 Spring 2020 Announcements Major EGOS update Careful when

Filesystems and FAT CS 4411 Spring 2020 Announcements Major EGOS update Careful when

Filesystems and FAT CS 4411 Spring 2020 Announcements Major EGOS update Careful when using Pull Requests to get updates Project 4 Eliminated Outline for Today EGOS File/Storage System FAT Filesystem Design Project 5

547 views • 19 slides
Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 The Case

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 The Case

Institute for Defense Analyses 4850 Mark Center Drive Alexandria, Virginia 22311-1882 The Case for Bi-Lateral End-To-End Strong Authentication C. Chandersekaran William R Simpson Institute for Defense Analyses (IDA) The publication of this

326 views • 13 slides

More recommend