Fast and Generic Metadata Management with Mid-Fat Pointers

Kroes, Taddeus; Koning, Koen; Giuffrida, Cristiano; Bos, Herbert; Kouwe, Erik van der

doi:10.1145/3065913.3065920

Cited by 9 publications

(7 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We also assume that orthogonal defenses against spatial memory safety issues are in place [4,30,28,18]. However, to bypass xTag's protection using a spatial memory error, the attacker would need an arbitrary write primitive to corrupt xTag's shadow memory.…”

Section: Use-after-free Mitigation Schemementioning

confidence: 99%

xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64

Lukas¹,

Rodler²,

Holz³

et al. 2022

Preprint

View full text Add to dashboard Cite

Memory safety in complex applications implemented in unsafe programming languages such as C/C ++ is still an unresolved problem in practice. Such applications were often developed in an ad-hoc, security-ignorant fashion, and thus they contain many types of security issues. Many different types of defenses have been proposed in the past to mitigate these problems, some of which are even widely used in practice. However, advanced attacks are still able to circumvent these defenses, and the arms race is not (yet) over. On the defensive side, the most promising next step is a tighter integration of the hardware and software level: modern mitigation techniques are either accelerated using hardware extensions or implemented in the hardware by extensions of the instruction set architecture (ISA). In particular, memory tagging, as proposed by ARM or SPARC, promises to solve many issues for practical memory safety. Unfortunately, Intel x86-64, which represents the most important ISA for both the desktop and server domain, lacks support for hardware-accelerated memory tagging, so memory tagging is not considered practical for this platform.In this paper, we present the design and implementation of an efficient, software-only pointer tagging scheme for Intel x86-64 based on a novel metadata embedding scheme. The basic idea is to alias multiple virtual pages to one physical page so that we can efficiently embed tag bits into a pointer. Furthermore, we introduce several optimizations that significantly reduce the performance impact of this approach to memory tagging. Based on this scheme, we propose a novel use-after-free mitigation scheme, called xTag, that offers better performance and strong security properties compared to state-of-the-art methods. We also show how double-free vulnerabilities can be mitigated. Our approach is highly compatible, allowing pointers to be passed back and forth between instrumented and non-instrumented code without losing metadata, and it is even compatible with inline assembly. We conclude that building exploit mitigation mechanisms on top of our memory tagging scheme is feasible on Intel x86-64, as demonstrated by the effective prevention of use-after-free bugs in the Firefox web browser.

show abstract

Section: Use-after-free Mitigation Schemementioning

confidence: 99%

xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64

Lukas¹,

Rodler²,

Holz³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…We encourage further research into efficient metadata storage schemes that are sufficiently generic to support a wide variety of sanitizers [81], [95], and into sanitizers that build on such metadata storage schemes. This problem could also be addressed by using multi-variant execution systems to run multiple variants of the same program in parallel on the same inputs.…”

Section: Composing Sanitizersmentioning

confidence: 99%

SoK: Sanitizing for Security

Song

Lettner

Rajasekaran

et al. 2019

2019 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

The C and C ++ programming languages are notoriously insecure yet remain indispensable. Developers therefore resort to a multi-pronged approach to find security issues before adversaries. These include manual, static, and dynamic program analysis. Dynamic bug finding tools-henceforth "sanitizers"can find bugs that elude other types of analysis because they observe the actual execution of a program, and can therefore directly observe incorrect program behavior as it happens.A vast number of sanitizers have been prototyped by academics and refined by practitioners. We provide a systematic overview of sanitizers with an emphasis on their role in finding security issues. Specifically, we taxonomize the available tools and the security vulnerabilities they cover, describe their performance and compatibility properties, and highlight various trade-offs. class Base { virtual void func(); }; class Derived : public Base { public: int extra; }; Base b[2]; Derived * d = static_cast(&b[0]); // Bad-casting d->extra = ...; // Type-unsafe, out-of-bounds access, which // overwrites the vtable pointer of b[1]Listing 4. Bad-casting vulnerability leading to a type-and memory-unsafe memory access

show abstract

“…A kernel patch is the most straightforward way to limit the address space for mappings, but provides poor portability. Instead, we use the approach of Mid-Fat Pointers [25] to limit the address space in user mode: First, we prelink the binary, loader, and any shared libraries used by the program at locations that fit 32 bits. Then, during program startup, we move the stack and thread-local storage down in the address space.…”

Section: Address Space Reductionmentioning

confidence: 99%

“…The concept of tagged pointers has been used for decades, but generally concerns the lower bit(s) of a pointer [3,14]. Baggy Bounds [1], Boundless [6], SGXBounds [26], and Mid-Fat [25] all store tags in the upper bits of pointers. Our design provides a more comprehensive analysis increasing compatibility of pointer tagging over these approaches.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Delta pointers

Kroes

Koning

Kouwe

et al. 2018

Proceedings of the Thirteenth EuroSys Conference

Self Cite

View full text Add to dashboard Cite

Despite decades of research, buffer overflows still rank among the most dangerous vulnerabilities in unsafe languages such as C and C++. Compared to other memory corruption vulnerabilities, buffer overflows are both common and typically easy to exploit. Yet, they have proven so challenging to detect in real-world programs that existing solutions either yield very poor performance, or introduce incompatibilities with the C/C++ language standard.We present Delta Pointers, a new solution for buffer overflow detection based on efficient pointer tagging. By carefully altering the pointer representation, without violating language specifications, Delta Pointers use existing hardware features to detect both contiguous and non-contiguous overflows on dereferences, without a single check incurring extra branch or memory access operations. By focusing on buffer overflows rather than other vulnerabilities (e.g., underflows), Delta Pointers offer a unique checkless design to provide high performance while still maintaining compatibility. We show that Delta Pointers are effective in detecting arbitrary buffer overflows and, at 35% overhead on SPEC, offer much better performance than competing solutions. CCS CONCEPTS· Security and privacy → Systems security; Software and application security;

show abstract

Fast and Generic Metadata Management with Mid-Fat Pointers

Cited by 9 publications

References 16 publications

xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64

xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64

SoK: Sanitizing for Security

Delta pointers

Contact Info

Product

Resources

About