SLIDE 1

Practical Memory Safety with REST

KANAD SINHA & SIMHA SETHUMADHAVAN COLUMBIA UNIVERSITY

SLIDE 2

Is memory safety relevant?

In 2017, 55% of the remote-code-execution bugs in Microsoft products were due to memory errors.

SLIDE 3

Is memory safety relevant?

Yes!

SLIDE 4

Practical memory safety

Presenting…

Random Embedded Security Tokens or REST

Core H/W primitive: insert a known 64B random value (token) in the program and detect accesses to it.

SLIDE 5

(Heap diagram: buf sits among other allocations on the heap; the loop below writes past its end.)

char *buf = malloc(BUF_LEN);
for (i = 0; i < out_of_bounds; i++)
    buf[i] = 0;

SLIDE 6

(Heap diagram: the same heap, with buf now bookended by a Token on either side, so the out-of-bounds write lands on a token.)

SLIDE 7

  • Trivial hardware implementation
  • Software framework based on AddressSanitizer
  • Provides heap safety for legacy binaries
SLIDE 8

Background: Spatial Memory Safety

(Analogy diagram: Zoey’s House, Yana’s House, Xander’s House.)

SLIDES 9-11

Background: Spatial Memory Safety

char *ptrbuf = malloc(BUF_LEN);
…
ptrbuf[in_bounds] = X;
…
ptrbuf[out_of_bounds] = Y;

(Diagram: ptrbuf points into buf; the in-bounds write stays inside buf, the out-of-bounds write lands past its end.)

SLIDE 12

Background: Temporal Memory Safety

(Analogy diagram: Zoey’s House, Yana’s House, Xander’s House. Xander moves out, Will moves in.)

SLIDE 13

(Analogy diagram: Xander’s House is now Will’s House.)

SLIDES 14-15

Background: Temporal Memory Safety

char *ptrbuf = malloc(BUF_LEN);
ptrbuf[in_bounds] = X;
…
free(ptrbuf);
ptrbuf[in_bounds] = Y;

(Diagram: ptrbuf still points at buf after the free, so the second write is a use after free.)

SLIDE 16

Previous H/W Solutions

Mainly categorizable into 2 types.

SLIDES 17-18

Previous H/W Solutions

Mainly categorizable into 2 types.

  • Whitelisting: pointer based
    + Good coverage
    + Temporal safety (for some)
    - Performance overhead
    - Implementation overhead
    - Imprecise

  • Blacklisting: location based
    + Fast
    - Weaker coverage (has false negatives)
    - Implementation overhead
    - No temporal protection

SLIDE 19

Previous H/W Solutions: Tag-based

(Diagram: a dereference *ptrbuf into buf is checked against separate Metadata: is_valid(ptrbuf)?)

SLIDE 20

REST: Primitive Overview

Content-based blacklisting

(Diagram: buf bookended by a Token on each side; a dereference *ptrbuf is checked as: is (*ptrbuf == token)?)

REST primitive has trivial complexity and overhead.

SLIDE 21

REST: Spatial Memory Safety

(Analogy diagram: Zoey’s House, Yana’s House, Xander’s House.)

SLIDE 22

REST: Temporal Memory Safety

(Analogy diagram: Zoey’s House, Yana’s House; Will gets a new house instead of moving into Xander’s.)

SLIDE 23

REST Software

SLIDES 24-27

Heap Safety

  • Allocate and bookend region, malloc to program
  • REST’ize at free
  • Do not reallocate region until heap sufficiently consumed

(Heap diagram: buf on the heap with a token on either side.)

Spatial Protection (from the bookends)

Temporal Protection (from REST’izing at free and delaying reuse)

Can be enabled for legacy binaries

SLIDE 28

Stack Safety

void foo() {
    char buf[64];
    …
    return;
}

(Stack diagram: previous frame, then foo’s frame containing buf.)

SLIDES 29-33

Stack Safety

void foo() {
    char rz1[64];
    char buf[64];
    char rz2[64];
    arm(rz1); arm(rz2);
    …
    disarm(rz1); disarm(rz2);
    return;
}

(Stack diagram: previous frame, then foo’s frame holding rz1, buf, rz2.)

arm: Set token

disarm: Unset token

Requires recompilation with REST plugin
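The heap framework (slides 24-27) and the stack redzones (slides 28-33) both rest on the same primitive: a 64-byte line that holds the token must not be touched by an ordinary load or store. The following C program is an added example, not code from the REST paper, talk or toolchain: it models that primitive in software and exercises bookending, REST'izing at free, quarantined reuse, and arm/disarm of stack redzones. Every identifier in it (rest_malloc, rest_free, rest_store, rest_check, arm, disarm, the QUARANTINE threshold, the constructed token pattern) is an assumption made for the illustration.

```c
/* Added example, not code from the REST paper, talk or toolchain: a software
 * model of the REST primitive and of the heap/stack framework on the slides.
 * All names and sizes here are assumptions for the illustration. The hardware
 * compares the 64-byte line touched by an access with its token register;
 * here rest_check() does that comparison before each modelled store. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TOKEN_LEN 64      /* one 64-byte token, as on the slides */
#define HEAP_SIZE 4096
#define QUARANTINE 1024   /* assumed: heap bytes consumed before a freed region is reused */
#define MAX_ALLOCS 16

static uint8_t token[TOKEN_LEN];                 /* stand-in for the token register */
static _Alignas(TOKEN_LEN) uint8_t heap[HEAP_SIZE];
static size_t heap_top;                          /* bump pointer into heap[] */
static struct { uint8_t *p; size_t body; int freed; size_t freed_at; } allocs[MAX_ALLOCS];
static int nallocs;

static void rest_init(void) {                    /* constructed token pattern */
    for (int i = 0; i < TOKEN_LEN; i++) token[i] = (uint8_t)(0xA5 ^ (i * 37));
}
static void arm(void *line)    { memcpy(line, token, TOKEN_LEN); }  /* set token */
static void disarm(void *line) { memset(line, 0, TOKEN_LEN); }      /* unset token */

/* 1 if the 64-byte line containing addr holds the token: the hardware check. */
static int rest_check(const void *addr) {
    uintptr_t line = (uintptr_t)addr & ~(uintptr_t)(TOKEN_LEN - 1);
    return memcmp((const void *)line, token, TOKEN_LEN) == 0;
}
/* Modelled store: 0 = performed, 1 = REST violation (the write is refused). */
static int rest_store(uint8_t *addr, uint8_t val) {
    if (rest_check(addr)) return 1;
    *addr = val;
    return 0;
}

/* Heap safety: bookend a fresh region with armed tokens, or reuse a quarantined
 * region only once QUARANTINE bytes of heap were consumed since its free. */
static void *rest_malloc(size_t n) {
    size_t body = (n + TOKEN_LEN - 1) & ~(size_t)(TOKEN_LEN - 1);
    for (int i = 0; i < nallocs; i++) {
        if (allocs[i].freed && allocs[i].body >= body &&
            heap_top - allocs[i].freed_at >= QUARANTINE) {
            for (size_t off = 0; off < allocs[i].body; off += TOKEN_LEN)
                disarm(allocs[i].p + off);           /* writable again */
            allocs[i].freed = 0;
            return allocs[i].p;
        }
    }
    if (nallocs == MAX_ALLOCS || heap_top + body + 2 * TOKEN_LEN > HEAP_SIZE) return NULL;
    uint8_t *base = heap + heap_top;
    heap_top += body + 2 * TOKEN_LEN;
    arm(base);                                       /* front bookend */
    arm(base + TOKEN_LEN + body);                    /* back bookend */
    allocs[nallocs].p = base + TOKEN_LEN;
    allocs[nallocs].body = body;
    allocs[nallocs].freed = 0;
    nallocs++;
    return base + TOKEN_LEN;
}
/* "REST'ize at free": fill the freed region with tokens and quarantine it. */
static void rest_free(void *p) {
    for (int i = 0; i < nallocs; i++) {
        if (allocs[i].p == p && !allocs[i].freed) {
            for (size_t off = 0; off < allocs[i].body; off += TOKEN_LEN)
                arm(allocs[i].p + off);
            allocs[i].freed = 1;
            allocs[i].freed_at = heap_top;
            return;
        }
    }
}

/* Spatial: the last in-bounds byte is writable, the bookends on both sides are not. */
static int demo_spatial(void) {
    rest_init();
    uint8_t *buf = rest_malloc(100);                 /* body rounded up to 128 */
    int ok_in  = rest_store(buf + 127, 'X');         /* 0: in bounds */
    int hit_hi = rest_store(buf + 128, 'Y');         /* 1: back bookend */
    int hit_lo = rest_store(buf - 1, 'Y');           /* 1: front bookend */
    return ok_in == 0 && hit_hi == 1 && hit_lo == 1;
}
/* Temporal: a dangling write hits the tokens that free left behind. */
static int demo_temporal(void) {
    rest_init();
    uint8_t *buf = rest_malloc(64);
    int before = rest_store(buf, 'X');               /* 0 */
    rest_free(buf);
    int after = rest_store(buf, 'Y');                /* 1: use after free */
    return before == 0 && after == 1;
}
/* Quarantine: a freed region is handed out again (and disarmed) only after enough
 * fresh heap was consumed; any reused region lies below the later bump pointer. */
static int demo_quarantine(void) {
    rest_init();
    uint8_t *a = rest_malloc(64);
    rest_free(a);
    uint8_t *b = rest_malloc(64);                    /* too soon: a stays quarantined */
    uint8_t *big = rest_malloc(QUARANTINE);          /* consume heap */
    uint8_t *c = rest_malloc(64);                    /* now a quarantined region is reused */
    return b != a && big != NULL && c != NULL && c < b && rest_store(c, 'X') == 0;
}
/* Stack safety: redzones rz1/rz2 around buf are armed on entry and disarmed on
 * return; a struct fixes the layout the REST compiler plugin would arrange. */
static int demo_stack(void) {
    rest_init();
    struct { _Alignas(TOKEN_LEN) uint8_t rz1[64]; uint8_t buf[64]; uint8_t rz2[64]; } f;
    arm(f.rz1); arm(f.rz2);
    int ok = rest_store(f.buf + 63, 'X');            /* 0: inside buf */
    int hit = rest_store(f.buf + 64, 'Y');           /* 1: overflow into rz2 */
    disarm(f.rz1); disarm(f.rz2);                    /* frame is ordinary memory again */
    int after = rest_store(f.rz2, 'Z');              /* 0: no token left */
    return ok == 0 && hit == 1 && after == 0;
}

int main(void) {
    printf("spatial=%d temporal=%d quarantine=%d stack=%d\n",
           demo_spatial(), demo_temporal(), demo_quarantine(), demo_stack());
    return 0;
}
```

The model only checks stores and only one process-local token, which is enough to show why the same primitive covers both bugs: an overflow and a dangling write both land on memory that currently holds the token. What it does not capture is the caveat that a content-based check is probabilistic: program data that happens to equal the 64-byte token would be reported as a violation, which is why the token is a random value.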

SLIDE 34

REST Hardware

SLIDE 35

Naïve Design

Every store involves an extra load: complicated and expensive.

(Diagram: on each load/store to X, the core reads the current contents of X from L1-D/memory and compares them against the Token Value.)

SLIDE 36

Cache Modifications

Comparator at the L1-D/memory interface + 1 bit per L1-D line.

(Diagram: L1-D lines carry Token Bits; the comparator against the Token Value sits between L1-D and memory, on the path of load/store X.)

SLIDE 37

Cache Miss

(Diagram: load/store X misses in L1-D; the line fetched from memory passes the comparator against the Token Value on its way in, which sets its Token Bit.)

SLIDE 38

Cache Hit

(Diagram: load/store X hits in L1-D; only the line’s Token Bit is consulted, with no comparison against the Token Value.)

SLIDE 39

Cache Eviction

(Diagram: an armed line leaves L1-D towards memory.)

Armed outgoing line filled with token value
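Slides 35-39 contrast the naïve design (a compare-load on every store) with the cache-side design (one token bit per L1-D line, a comparator only at the memory interface, and the token value written back when an armed line is evicted). The C program below is an added example, not from the REST paper or talk: it models a tiny direct-mapped L1-D with exactly those three hooks and shows that an armed line survives eviction and refill, and that ordinary hits never run the comparator. The cache geometry, the function names (rest_access, arm, disarm, fill, evict) and the constructed token pattern are assumptions for the illustration.

```c
/* Added example, not code from the REST paper or talk: a software model of the
 * cache-side REST design on the slides. A direct-mapped L1-D keeps one token bit
 * per line; the 64-byte comparator runs only where a line enters the cache from
 * memory, so ordinary hits need no extra load. All sizes and names are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LINE 64
#define NLINES 4                       /* tiny direct-mapped L1-D */
#define MEM_SIZE (LINE * 16)

enum { ACCESS_OK = 0, REST_VIOLATION = 1 };

static uint8_t token[LINE];            /* stand-in for the token register */
static uint8_t mem[MEM_SIZE];          /* backing memory */
static struct { int valid, tag, token_bit; uint8_t data[LINE]; } l1d[NLINES];
static int fill_compares;              /* how many times the comparator ran */

static void cache_init(void) {         /* constructed token pattern, empty cache */
    for (int i = 0; i < LINE; i++) token[i] = (uint8_t)(0x5A ^ (i * 29));
    memset(l1d, 0, sizeof l1d);
    memset(mem, 0, sizeof mem);
    fill_compares = 0;
}
static int line_of(uint32_t addr) { return (int)((addr / LINE) % NLINES); }
static int tag_of(uint32_t addr)  { return (int)(addr / LINE); }

/* Eviction: an armed outgoing line is written back as the token value. */
static void evict(int idx) {
    if (!l1d[idx].valid) return;
    uint8_t *dst = mem + (size_t)l1d[idx].tag * LINE;
    memcpy(dst, l1d[idx].token_bit ? token : l1d[idx].data, LINE);
    l1d[idx].valid = 0;
}
/* Miss: fill from memory and run the comparator once at the memory interface. */
static void fill(uint32_t addr) {
    int idx = line_of(addr);
    evict(idx);
    memcpy(l1d[idx].data, mem + (size_t)tag_of(addr) * LINE, LINE);
    l1d[idx].valid = 1;
    l1d[idx].tag = tag_of(addr);
    l1d[idx].token_bit = memcmp(l1d[idx].data, token, LINE) == 0;
    fill_compares++;
}
static int lookup(uint32_t addr) {     /* line index for addr, filling on a miss */
    int idx = line_of(addr);
    if (!l1d[idx].valid || l1d[idx].tag != tag_of(addr)) fill(addr);
    return idx;
}
/* Regular load/store: on a hit only the token bit is consulted, no data compare. */
static int rest_access(uint32_t addr, int is_store, uint8_t val) {
    int idx = lookup(addr);
    if (l1d[idx].token_bit) return REST_VIOLATION;
    if (is_store) l1d[idx].data[addr % LINE] = val;
    return ACCESS_OK;
}
/* arm: 512-bit write of the token that sets the bit; disarm: the only way to clear it. */
static void arm(uint32_t addr)    { int i = lookup(addr); memcpy(l1d[i].data, token, LINE); l1d[i].token_bit = 1; }
static void disarm(uint32_t addr) { int i = lookup(addr); memset(l1d[i].data, 0, LINE); l1d[i].token_bit = 0; }

/* Scenario: arm a line, evict it by touching the address that maps to the same
 * set, then touch it again. The token survives in memory and the refill sets the
 * bit again, so the violation is still reported after the round trip. */
static int demo_eviction(void) {
    cache_init();
    uint32_t armed = 2 * LINE, alias = armed + NLINES * LINE;   /* same set */
    arm(armed);
    int hit1 = rest_access(armed, 1, 'X');         /* violation: line is armed */
    int ok   = rest_access(alias, 1, 'Y');         /* evicts the armed line */
    int hit2 = rest_access(armed, 1, 'Z');         /* refill: comparator sets the bit */
    disarm(armed);
    int ok2  = rest_access(armed, 1, 'W');         /* disarmed: ordinary store */
    return hit1 == REST_VIOLATION && ok == ACCESS_OK &&
           hit2 == REST_VIOLATION && ok2 == ACCESS_OK;
}
/* Cost: 100 stores to one line trigger a single fill, hence a single compare,
 * where the naïve design would have done 100 extra loads. */
static int demo_compare_count(void) {
    cache_init();
    for (int i = 0; i < 100; i++) rest_access(0, 1, (uint8_t)i);
    return fill_compares;                          /* 1 */
}

int main(void) {
    printf("eviction=%d compares=%d\n", demo_eviction(), demo_compare_count());
    return 0;
}
```

The write-back in evict() is what lets the cache hold only one bit for an armed line: the data it carries is irrelevant, because on the way out the line is reconstructed as the token value, and on the way back in the comparator recovers the bit.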

SLIDE 40

What about the core?

TODO: have to support arms and disarms

  • 512b writes
  • Special semantics: can only touch token with disarm

LSQ design concerns:

  • Forwarding would break semantics
  • 512b data entries
  • How to match unaligned token access?
SLIDES 41-42

Load-Store Queue

  • Add 1b tag
  • Only update token bit
  • Split regular match logic

(Diagram: each LSQ entry holds an Address CAM field, Data and a Token bit; the Match Logic compares the incoming Match Address, and a second comparison on the Token bit raises a REST Violation.)

Concerns addressed:

  • Forwarding breaks semantics
  • 512b data entries
  • Detecting unaligned token access
SLIDE 43

REST Overhead

SLIDES 44-46

REST Performance

(Performance charts.)

REST primitive overhead is near-zero. Software overhead comes mostly from the allocator.

SLIDE 47

To conclude…

REST: Hardware/software mechanism to detect common memory safety errors

  • Low overhead, low complexity hardware implementation
  • Heap safety for legacy binaries

22-90% faster than the comparable software solution on SPEC CPU

Questions?