Computer Laboratory

Technical reports

Practical memory safety for C

Periklis Akritidis

June 2011, 136 pages

This technical report is based on a dissertation submitted May 2010 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Wolfson College.

Abstract

Copious amounts of high-performance and low-level systems code are written in memory-unsafe languages such as C and C++. Unfortunately, the lack of memory safety undermines security and reliability; for example, memory-corruption bugs in programs can breach security, and faults in kernel extensions can bring down the entire operating system. Memory-safe languages, however, are unlikely to displace C and C++ in the near future; thus, solutions for future and existing C and C++ code are needed.

Despite considerable prior research, memory-safety problems in C and C++ programs persist because the existing proposals that are practical enough for production use cannot offer adequate protection, while comprehensive proposals are either too slow for practical use, or break backwards compatibility by requiring significant porting or generating binary-incompatible code.

To enable practical protection against memory-corruption attacks and operating system crashes, I designed new integrity properties preventing dangerous memory corruption at low cost instead of enforcing strict memory safety to catch every memory error at high cost. Then, at the implementation level, I aggressively optimised for the common case, and streamlined execution by modifying memory layouts as far as allowed without breaking binary compatibility.

I developed three compiler-based tools for analysing and instrumenting unmodified source code to automatically generate binaries hardened against memory errors: BBC and WIT to harden user-space C programs, and BGI to harden and to isolate Microsoft Windows kernel extensions. The generated code incurs low performance overhead and is binary-compatible with uninstrumented code. BBC offers strong protection with lower overhead than previously possible for its level of protection; WIT further lowers overhead while offering stronger protection than previous solutions of similar performance; and BGI improves backwards compatibility and performance over previous proposals, making kernel extension isolation practical for commodity systems.

Full text

PDF (2.1 MB)

BibTeX record

@TechReport{UCAM-CL-TR-798,
  author =	 {Akritidis, Periklis},
  title = 	 {{Practical memory safety for C}},
  year = 	 2011,
  month = 	 jun,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-798.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-798}
}