2016 Symposium Posters


HexSafe: Efficient Memory Safety for C



Primary Investigator: Mathias Payer

Project Members: Nathan Burow, Derrick McKee
Abstract
C/C++ remain the languages of choice for large-scale systems such as operating systems, servers, and web browsers. The design of C/C++ emphasizes programmer control and efficiency. Consequently, programs may access, without interference from the language, any valid virtual address in their process. The languages rely on programmers to enforce memory safety, and as experience shows, programmers inevitably omit necessary checks. These omissions account for the vast majority of security flaws, from the simple buffer overflows of the 90s to the recent glibc exploit in getaddrinfo. We introduce HexSafe, an LLVM compiler-based solution that inserts the necessary memory safety checks on the programmer's behalf. HexSafe improves upon previous memory safety mechanisms by (i) introducing a novel metadata scheme and (ii) supporting memory safety for all code in the process, not just the main executable.

Memory safety is best defined by introducing the notion of capabilities for pointers. Pointers allow arbitrary memory accesses, including illegal ones such as overwriting a return address or function pointer. A capability limits a pointer in two ways: the access must be within the bounds of the allocated object (spatial memory safety), and that object must still be valid in memory (temporal memory safety). A new capability is assigned to a pointer when the associated object is allocated or has its address taken. Capabilities can also be transferred to a pointer via pointer assignment (allowing aliasing). When a pointer is dereferenced, HexSafe ensures that the access is valid for the pointer's associated capability, thereby enforcing both spatial and temporal memory safety.

To perform these checks, metadata is kept for each pointer specifying its current capability. HexSafe uses a novel hybrid metadata scheme that is neither inline nor disjoint: it places a capability ID into the unused portion of x86_64 pointers, which use only 48 of the available 64 bits. Using these free bits preserves the application binary interface, ensuring compatibility with unprotected libraries. Further, carrying the capability ID in the pointer reduces metadata lookup time and propagates the metadata automatically through pointer arithmetic and assignment. We anticipate that this simplified approach will be faster than the state of the art. Additionally, HexSafe is the first memory safety solution to fully support and protect libc.
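The following is an added illustration of the capability model the abstract describes, written for this page; it is not HexSafe's code and does not show how the HexSafe LLVM pass instruments programs. It models one possible layout: a capability ID in the upper 16 bits of a 64-bit pointer, a table mapping IDs to base, size and a validity flag, and the check a compiler would insert before each dereference. The table layout, the `cap_*` helper names, the use of ID 0 to mean "untagged pointer from unprotected code" and the policy of passing such pointers through unchecked are all assumptions made for the example. Tagged pointers are never dereferenced directly; every access strips the tag after the check, because the hardware would fault on the non-canonical address otherwise.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumed layout: x86_64 user-space pointers use the low 48 bits,
 * so the capability ID lives in bits 48..63. */
#define CAP_SHIFT 48
#define ADDR_MASK ((1ULL << CAP_SHIFT) - 1)
#define MAX_CAPS  256

typedef struct {
    uintptr_t base;   /* start of the allocated object */
    size_t    size;   /* object size in bytes: spatial bound */
    int       valid;  /* cleared on free: temporal bound */
} capability;

static capability cap_table[MAX_CAPS];
static unsigned   next_cap = 1;   /* ID 0 is reserved for untagged pointers (assumption) */

/* Combine a raw address with a capability ID in the unused high bits. */
static void *cap_tag(void *p, unsigned id) {
    return (void *)(((uintptr_t)p & ADDR_MASK) | ((uintptr_t)id << CAP_SHIFT));
}
static unsigned  cap_id(const void *p)   { return (unsigned)((uintptr_t)p >> CAP_SHIFT); }
static uintptr_t cap_addr(const void *p) { return (uintptr_t)p & ADDR_MASK; }

/* Pointer arithmetic on the integer value keeps the tag: the ID propagates
 * to derived pointers without any separate metadata update. */
static void *cap_add(const void *p, ptrdiff_t n) { return (void *)((uintptr_t)p + n); }

/* Allocation assigns a fresh capability to the returned pointer. */
void *cap_malloc(size_t n) {
    if (next_cap >= MAX_CAPS) return NULL;
    void *raw = malloc(n);
    if (!raw) return NULL;
    unsigned id = next_cap++;
    cap_table[id] = (capability){ (uintptr_t)raw, n, 1 };
    return cap_tag(raw, id);
}

/* Free invalidates the capability, so every alias carrying the same ID
 * fails its next check (use-after-free is caught, double free is ignored). */
void cap_free(void *p) {
    unsigned id = cap_id(p);
    if (id == 0 || id >= MAX_CAPS || !cap_table[id].valid) return;
    cap_table[id].valid = 0;
    free((void *)cap_table[id].base);
}

/* The check inserted before a `len`-byte access through p.
 * Returns 1 if the access is permitted by the capability, 0 otherwise. */
int cap_check(const void *p, size_t len) {
    unsigned id = cap_id(p);
    if (id == 0) return 1;                     /* untagged: unprotected-library pointer (assumed policy) */
    if (id >= MAX_CAPS) return 0;
    const capability *c = &cap_table[id];
    if (!c->valid) return 0;                   /* temporal violation */
    uintptr_t a = cap_addr(p);
    if (a < c->base || len > c->size) return 0;
    if (a - c->base > c->size - len) return 0; /* spatial violation: overflow-safe form of a+len <= base+size */
    return 1;
}

/* A checked byte store: what an instrumented `*p = v` expands to here. */
int cap_store_byte(void *p, unsigned char v) {
    if (!cap_check(p, 1)) return 0;
    *(unsigned char *)cap_addr(p) = v;
    return 1;
}

int main(void) {
    char *buf = cap_malloc(16);                 /* constructed scenario */
    char *alias = buf;                          /* assignment transfers the capability */
    printf("in-bounds store:   %d\n", cap_store_byte(cap_add(buf, 15), 'x'));
    printf("one-past-end:      %d\n", cap_store_byte(cap_add(buf, 16), 'x'));
    cap_free(buf);
    printf("use after free:    %d\n", cap_store_byte(alias, 'x'));
    return 0;
}
```

The two checks are independent: the spatial test compares the stripped address against base and size, the temporal test only consults the validity flag, so an alias made before `cap_free` is rejected afterwards without any walk of the program's pointers. The check runs on untagged pointers (ID 0) without lookups, which is the cost model that makes passing pointers into and out of unprotected libraries cheap.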