Practical Memory Safety with REST · Core = Token Value load/store X. Cache Modifications Comparator at L1-D mem interface + 1b per L1-D line L1-D Memory Core load/store X its = Token

Practical Memory Safety with REST

KANAD SINHA & SIMHA SETHUMADHAVAN

COLUMBIA UNIVERSITY

Is memory safety relevant?

In 2017, 55% of remote-code execution causing bugs in Microsoft due to memory errors

Is memory safety relevant?

Yes!

Practical memory safetyPresenting…

Random Embedded Security Tokens or REST

Core H/W primitive: Insert known 64B random value (token)in program and detect accesses to them.




Otherallocs

bufchar *buf = malloc(BUF_LEN);

for (i=0; i<out_of_bounds; i++)buf = 0;

Heap




char *buf = malloc(BUF_LEN);

for (i=0; i<out_of_bounds; i++)buf = 0;

Otherallocs

buf

Heap

Token

Token




• Trivial hardware implementation

• Software framework based on AddressSanitizer

• Provides heap safety for legacy binaries

Background: Spatial Memory Safety

Zoey’s HouseYana’s HouseXander’s House


bufchar *ptrbuf = malloc(BUF_LEN);… ptrbuf[in_bounds] = X;…ptrbuf[out_of_bounds] = Y;

ptrbuf



ptrbuf



ptrbuf

Xander’s House

Background: Temporal Memory Safety

Xander moves out, Will moves in

Zoey’s HouseYana’s House


Will’s House

Xander moves out, Will moves in



bufchar *ptrbuf = malloc(BUF_LEN);ptrbuf[in_bounds] = X;…free(ptrbuf);ptrbuf[in_bounds] = Y;

ptrbuf


char *ptrbuf = malloc(BUF_LEN);ptrbuf[in_bounds] = X;…free(ptrbuf);ptrbuf[in_bounds] = Y;

ptrbuf

Previous H/W SolutionsMainly categorizable into 2 types.

Previous H/W Solutions

bufptrbuf

Mainly categorizable into 2 types.

• Whitelisting: Pointer based+ Good coverage

+ Temporal safety (for some)

- Performance overhead

- Implementation overhead

- Imprecise

Previous H/W SolutionsMainly categorizable into 2 types.

• Whitelisting: Pointer based+ Good coverage

+ Temporal safety (for some)

- Performance overhead


- Imprecise

• Blacklisting: Location based

+ Fast

- Weaker coverage (has false negatives)


- No temporal protection

bufptr

Buf

Previous H/W Solutions

Tag-based

buf*ptrbuf

Metadatais_valid(ptrbuf)?

Buf

REST: Primitive Overview

Content-based blacklisting

buf*ptrbuf

is(*ptrbuf == token)?

REST primitive has trivial complexity, overhead

Token

Token

REST: Spatial Memory Safety

Zoey’s HouseYana’s HouseXander’s House

REST: Temporal Memory SafetyWill gets new house


REST Software

Heap Safety

• Allocate and bookend region, malloc to program

24

Heap

buf

Heap Safety


• REST’ize at free

• Do not reallocate region until heap sufficiently consumed

25

Heap

Heap Safety




26

Heap

Spatial Protection

Heap Safety




27

Heap

Temporal Protection

Can be enabled for legacy binaries

Previous frame

Stack Safety

28

void foo() {char buf[64];…return;

}

buf

foo‘s frame

Previous frame

Stack Safety

29

buf

void foo() {char rz1[64];char buf[64];char rz2[64];arm(rz1);arm(rz2);…disarm(rz1);disarm(rz2);return;

}

rz1

rz2

foo‘s frame

Previous frame

Stack Safety

30

buf


}

rz1

rz2

foo‘s frame

char rz1[64];char buf[64];char rz2[64];

Previous frame

Stack Safety

31

buf


}

rz1

rz2

foo‘s frame

arm rz1;arm rz2;

arm: Set token

Previous frame

Stack Safety

32

buf


}

rz1

rz2

foo‘s framedisarm rz1;disarm rz2; disarm: Unset token

Previous frame

Stack Safety

33

buf


}

rz1

rz2

foo‘s frame

Requires recompilation with REST plugin

REST Hardware

Naïve Design

Every store involves an extra load Complicated and expensive

L1-D Memory

Core

=

TokenValue

load/store X

Cache Modifications

Comparator at L1-D mem interface + 1b per L1-D line

L1-D Memory

Core

load/store XTo

ken B

its

=

TokenValue

Cache Miss

L1-D Memory

Core

load/store XTo

ken B

its

=

TokenValue

Cache Hit

L1-D Memory

Core

=

TokenValue

load/store XTo

ken B

its

Cache Eviction

L1-D Memory

Core

=

TokenValue

load/store XTo

ken B

its

Armed outgoing line filled with token value

What about the core?TODO: Have to support arms and disarms

• 512b writes

• Special semantics: can only touch token with disarm

LSQ design concerns:

• Forwarding would break semantics

• 512b data entries

• How to match unaligned token access?

Load-Store QueueAdd 1b tag

Only update token bit

Split regular match logic

AddressCAM

Data

Tokenbit

=

MatchLogic

MatchAddress

• Forwarding breaks semantics


• Detecting unaligned token access

6

Load-Store QueueAdd 1b tag

Only update token bit

Split regular match logic

AddressCAM

Data

Tokenbit

=

=

MatchLogic

RESTViolation

6

MatchAddress

• Forwarding breaks semantics


• Detecting unaligned token access

REST Overhead

REST Performance

REST Performance

REST Performance

REST primitive overhead near-zero. Software overhead mostly from allocator.

To conclude…

REST: Hardware/software mechanism to detect common memory safety errors◦ Low overhead, low complexity hardware implementation

◦ Heap safety for legacy binaries

22-90% faster than comparable software solution on SPEC CPU

Questions?

Practical Memory Safety with REST · Core = Token Value load/store X. Cache Modifications Comparator at L1-D mem interface + 1b per L1-D line L1-D Memory Core load/store X its = Token

Documents