Sound garbage collection for C using pointer provenance

Banerjee, Subarno; Devecsery, David; Chen, Peter M.; Narayanasamy, Satish

doi:10.1145/3428244

Cited by 3 publications

(7 citation statements)

References 105 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…MineSweeper preserves compatibility with hidden and misaligned pointers; while these are rare, they are common enough that not supporting them breaks real programs [2]. MineSweeper achieves this by not freeing anything the programmer has not requested to be freed, unlike garbage collectors [8], which are unsafe in C/C++ without additional provenance tracking and sticking strictly to the C/C++ standard [5], and significantly more expensive than MineSweeper [2,5]. It gives no additional security guarantees for objects whose only pointers are hidden.…”

Section: Threat Modelmentioning

confidence: 99%

See 1 more Smart Citation

MineSweeper: a “clean sweep” for drop-in use-after-free prevention

Erdős

Ainsworth

Jones

2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

Low-level languages, which require manual memory management from the programmer, remain in wide use for performance-critical applications. Memory-safety bugs are common, and now a major source of exploits. In particular, a use-after-free bug occurs when an object is erroneously deallocated, whilst pointers to it remain active in memory, and those (dangling) pointers are later used to access the object. An attacker can reallocate the memory area backing an erroneously freed object, then overwrite its contents, injecting carefully chosen data into the host program, thus altering its execution and achieving privilege escalation.We present MineSweeper, a system to mitigate use-after-free vulnerabilities by retaining freed allocations in a quarantine, until no pointers to them remain in program memory, thus preventing their reallocation until it is safe. MineSweeper performs efficient linear sweeps of memory to identify quarantined items that have no dangling pointers to them, and thus can be safely reallocated. This allows MineSweeper to be significantly more efficient than previous transitive marking procedure techniques.MineSweeper, attached to JeMalloc, improves security at an acceptable overhead in memory footprint (11.1% on average) and an execution-time cost of only 5.4% (geometric mean for SPEC CPU2006), with 9.6% additional threaded CPU usage. These figures considerably improve on the state-of-the-art for non-probabilistic drop-in temporal-safety systems, and make MineSweeper the only such scheme suitable for deployment in real-world production environments. CCS CONCEPTS• Security and privacy → Software and application security; Systems security.

show abstract

Section: Threat Modelmentioning

confidence: 99%

“…The sweep is largely independent of the application thread: to limit its performance impact, we can run it concurrently with the application. Still, the sweep should see a consistent picture of memory to avoid pointers being lost 5 .…”

Section: Concurrencymentioning

confidence: 99%

MineSweeper: a “clean sweep” for drop-in use-after-free prevention

Erdős

Ainsworth

Jones

2022

Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

show abstract

“…With this goal in mind, we bring, from the systems community into the software engineering community techniques to create Program Inspection Points, a notion that we define in Section 2. Like in classic garbage collectors for C/C++, [6][7][8][9][10] inspection points impose no overhead on programs unless they need to be inspected; Moreover, like in that line of work, we are willing to accept some imprecision: the inability to distinguish pointers from integers, for instance, might prevent the inspection of some parts of the heap. Yet, in contrast to garbage collectors, we provide the program with the means to associate low-level data-heap and stack allocated memory, for instance-with high-level source-code information: user-defined names and line locations.…”

Section: Contributionsmentioning

confidence: 99%

“…5 They own this qualifier to a weak type system, that neither associates size information with memory regions, nor distinguish pointers from scalars. Although there exist garbage collectors for languages like C or C++, [6][7][8][9][10] such implementations are not mainstream. The more reliable these garbage collectors are, the heavier their overhead.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Automatic inspection of program state in an uncooperative environment

2022

View full text Add to dashboard Cite

The program state is formed by the values that the program manipulates. These values are stored in the stack, in the heap, or in static memory. The ability to inspect the program state is useful as a debugging or as a verification aid. Yet, there exists no general technique to insert inspection points in type‐unsafe languages such as C or C++. The difficulty comes from the need to traverse the memory graph in a so‐called uncooperative environment. In this article, we propose an automatic technique to deal with this problem. We introduce a static code transformation approach that inserts in a program the instrumentation necessary to report its internal state. Our technique has been implemented in LLVM. It is possible to adjust the granularity of inspection points trading precision for performance. In this article, we demonstrate how to use inspection points to debug compiler optimizations; to augment benchmarks with verification code; and to visualize data structures.

show abstract

EarlyDLDetect: An Early Root-Cause Locator of Dangling Pointers and Memory Leaks

Gondow,

Arahori

2024

IEEE Access

View full text Add to dashboard Cite

Sound garbage collection for C using pointer provenance

Cited by 3 publications

References 105 publications

MineSweeper: a “clean sweep” for drop-in use-after-free prevention

MineSweeper: a “clean sweep” for drop-in use-after-free prevention

Automatic inspection of program state in an uncooperative environment

EarlyDLDetect: An Early Root-Cause Locator of Dangling Pointers and Memory Leaks

Contact Info

Product

Resources

About