Transcript of Delta Pointers: Buffer Overflow Checks Without the Checks
Delta Pointers: Buffer Overflow Checks Without the Checks
Taddeus Kroes, Koen Koning, Erik van der Kouwe, Herbert Bos, Cristiano Giuffrida
June 19, 2018
Preview
[figure: a 10-byte buffer followed in memory by a secret; buffer[5] lands inside the buffer, buffer[11] lands past its end, inside the secret]
Automatic! FAST! - no branches - no memory access
Buffer overflows still very common today
Bounds checking is slow
[chart: runtime overhead of existing bounds checkers, 0-150%]
MPX: 139%
SGXBounds: 94%
ASan: 80%
Baggy Bounds: 72%
Low-Fat Pointers: 64%
What is bounds checking?
    void foo(char *buffer, size_t n) {
        buffer[n] = 10;   /* n attacker-controlled? */
    }
With an automatically inserted check:
    void foo(char *buffer, size_t n) {
        if (n >= SIZE(buffer))
            ERROR("overflow");
        buffer[n] = 10;
    }
Needs metadata (SIZE(buffer)). Branching check. Overhead!
Efficient solution: pointer tagging. Still slow.
Our approach: Delta Pointers
- Use pointer tagging
- No memory access for metadata lookup
- No need for branches
- Delegate checks to (off-the-shelf) hardware instead
- Focus on common case: upper bound on x86-64
- Mitigates all CVEs reported by related work
Our approach: Delta Pointers
[chart: runtime overhead, 0-150%, with Delta Pointers added]
MPX: 139%
SGXBounds: 94%
ASan: 80%
Baggy Bounds: 72%
Low-Fat Pointers: 64%
Delta Pointers: 35%
Regular pointers
    00 e8 02 0c 40 10 | 00 00      (48-bit virtual address | 16-bit extension)
Upper 16 bits must be zero.
    00 e8 02 0c 40 10 | 00 01      Non-canonical, MMU faults!
Tagged pointers
    00 e8 02 0c 40 10 | 12 34      (48-bit virtual address | 16-bit tag)
Encode information in unused bits!
    02 0c 40 10 | 12 34 56 78      (32-bit virtual address | 32-bit tag)
Shrink address space for bigger tags.
Delta Pointers
    02 0c 40 10 | 00 00 00 18      (32-bit virtual address | 32-bit tag = size, Size=24)
What about internal pointers?
    02 0c 40 1c | 00 00 00 18      (internal pointer still tagged with Size=24)
    02 0c 40 1c | 00 00 00 0c      (tag = distance to the end of the object, Distance=12): check upper bound for any pointer
    02 0c 40 1c | ff ff ff f4      (tag = -distance)
    02 0c 40 1c | 0 | 7f ff ff f4  (overflow bit | -distance in 31 bits)
Overflow bit: set to 1 if out-of-bounds.
The 32-bit tag (overflow bit + negative distance) is the delta tag.
Instrumentation
    char *p = malloc(24);       02 0c 40 10 | 0 | 00 00 00 00    Distance=24
    p |= (-24 << 32);           02 0c 40 10 | 0 | 7f ff ff e8    (-24 = -distance)
    p += 23;                    replicate the arithmetic on the tag:
    p += 23 + (23 << 32);       02 0c 40 27 | 0 | 7f ff ff ff    Distance=1
    p += 1 + (1 << 32);         02 0c 40 28 | 1 | 00 00 00 00    carry: Distance=0, overflowed!
    p += -1 + (-1 << 32);       02 0c 40 27 | 0 | 7f ff ff ff    carry: Distance=1, in-bounds again
Pointer update and tag update are one operation!
Dereferencing an in-bounds pointer
      02 0c 40 27 | 0 | 7f ff ff ff
    & ff ff ff ff | 1 | 00 00 00 00    (strips away the distance, keeps the overflow bit)
    = 02 0c 40 27 | 0 | 00 00 00 00
Normal (in-bounds) pointer, access OK!
Dereferencing an out-of-bounds pointer
      02 0c 40 2c | 1 | 00 00 00 04
    & ff ff ff ff | 1 | 00 00 00 00
    = 02 0c 40 2c | 1 | 00 00 00 00
Non-canonical pointer, MMU faults!
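The encoding, arithmetic and dereference steps above, as an added C example that is not code from the talk or from the vusec/deltapointers project. It simulates delta pointers on plain 64-bit integers using the layout the slides describe (low 32 bits address, bit 63 overflow bit, bits 32 to 62 the negative distance) and the constructed address 02 0c 40 10; the MMU's canonical-address rule is modelled by is_canonical(), and no real memory is ever dereferenced.

```c
/* Added example: delta-pointer simulation on 64-bit integers.
 * Layout assumed from the slides: low 32 bits = virtual address,
 * bit 63 = overflow bit, bits 32..62 = -distance to the end of the object.
 * Nothing here touches real memory; the hardware check is simulated. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define OVERFLOW_BIT (UINT64_C(1) << 63)
/* Mask applied on load/store: ff ff ff ff | 1 | 00 00 00 00 */
#define DEREF_MASK   (OVERFLOW_BIT | UINT64_C(0xffffffff))

/* Tag a fresh 32-bit allocation address with -size in the 31 distance bits;
 * the overflow bit starts clear. Matches "p |= (-24 << 32)" on the slide. */
static uint64_t dp_tag(uint32_t addr, uint32_t size) {
    uint64_t neg_dist = (UINT32_C(0) - size) & UINT32_C(0x7fffffff);
    return (uint64_t)addr | (neg_dist << 32);
}

/* Pointer arithmetic: the offset is replicated on the tag in one 64-bit add,
 * i.e. p += off + (off << 32). A negative off borrows the same way. */
static uint64_t dp_add(uint64_t p, int64_t off) {
    return p + (uint64_t)off + ((uint64_t)off << 32);
}

/* Recover the signed distance to the end of the object (for display):
 * 24 for a fresh 24-byte object, 0 at the end, negative when past it. */
static int32_t dp_distance(uint64_t p) {
    uint32_t neg = (uint32_t)(p >> 32) & UINT32_C(0x7fffffff);
    int64_t signed_neg = (neg & UINT32_C(0x40000000))
                       ? (int64_t)neg - INT64_C(0x80000000)   /* 31-bit sign extend */
                       : (int64_t)neg;
    return (int32_t)(-signed_neg);
}

/* What the instrumented load/store does: one AND that strips the distance
 * but keeps the overflow bit. The result goes straight to the hardware. */
static uint64_t dp_mask(uint64_t p) {
    return p & DEREF_MASK;
}

/* x86-64 48-bit canonical form: bits 63..47 must all be copies of bit 47. */
static bool is_canonical(uint64_t va) {
    uint64_t top = va >> 47;            /* 17 bits */
    return top == 0 || top == UINT64_C(0x1ffff);
}

/* Simulated dereference: true if the MMU would accept the access.
 * An overflowed pointer has bit 63 set with bits 47..62 clear, so it is
 * non-canonical and faults without any branch in the instrumented code. */
static bool dp_deref_ok(uint64_t p) {
    return is_canonical(dp_mask(p));
}

/* The slides' walk-through: malloc(24), p += 23, p += 1, p += -1.
 * Returns how many of the three accesses would fault (expected: 1). */
static int slide_scenario(void) {
    uint64_t p = dp_tag(UINT32_C(0x020c4010), 24);   /* constructed address */
    int faults = 0;
    p = dp_add(p, 23);                /* last valid byte, distance 1 */
    if (!dp_deref_ok(p)) faults++;
    p = dp_add(p, 1);                 /* distance 0: carry sets the overflow bit */
    if (!dp_deref_ok(p)) faults++;
    p = dp_add(p, -1);                /* borrow clears it again: in bounds */
    if (!dp_deref_ok(p)) faults++;
    return faults;
}

int main(void) {
    uint64_t p = dp_tag(UINT32_C(0x020c4010), 24);
    printf("fresh:      %016llx distance=%d\n", (unsigned long long)p, dp_distance(p));
    p = dp_add(p, 24);
    printf("past end:   %016llx distance=%d deref_ok=%d\n",
           (unsigned long long)p, dp_distance(p), dp_deref_ok(p));
    printf("faulting accesses in slide scenario: %d\n", slide_scenario());
    return 0;
}
```

The point to take from the simulation is where the check lives: dp_add and dp_mask contain no comparison at all, and the only thing that turns an overflow into a fault is the overflow bit landing in a position the MMU refuses to translate. The caveat that goes with it is the one the slides state: only the upper bound is encoded, so a pointer moved below its object is not caught by this scheme.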
Implementation
- LLVM based prototype for C/C++
- Stack + heap + globals
- 32-bit address → 4GB address space
- 31-bit distance → 2GB allocations
- Instrument NULL pointer with distance = −1
- Optimizations: omit instrumentation on in-bounds pointers
Pointer tagging breaks things
- Uninstrumented libraries:
      // strdup(ptr);
      TAG(strdup(MASK(ptr)));
- Non-zero NULL pointer
- Subtraction, addition, multiplication, vectors, etc.
- Incomplete type information (e.g., unions)
- Compiler quirks
- ... and more
- Solved with TBAA + def-use chain analysis
- Details in paper
Evaluation
Nginx
[chart: latency (ms, 0-0.6) against throughput (x1000 reqs/s, 5-60), Baseline vs Delta Pointers]
3-6% overhead (I/O bound)
SPEC CPU2006 (C/C++)
[chart: per-benchmark overhead, 0-100%, for 400.perlbench, 401.bzip2, 403.gcc, 429.mcf, 433.milc, 444.namd, 445.gobmk, 447.dealII, 450.soplex, 453.povray, 456.hmmer, 458.sjeng, 462.libquantum, 464.h264ref, 470.lbm, 471.omnetpp, 473.astar, 482.sphinx3, 483.xalancbmk; bars split into masking, tagging, arithmetic]
35% geomean with optimizations
Is that any good? Is it better than branches?
Branching implementation: 48% overhead > 35%!
Yes
Conclusion
- Reliable pointer tagging implementation
- We can check (upper) bounds without checks
- Faster than existing solutions
https://github.com/vusec/deltapointers
VUSec
Related work
System         | C++ | Metadata | Checks | Passing OoB pointers | Non-linear | Runtime | Memory
Softbound      | ✗   | Table    | Deref  | ✓                    | ✓          | 67%     | 64%
Baggy Bounds   | ✗   | Layout   | Arith  | ✓ (a)                | ✓          | 72%     | 11%
PAriCheck      | ✗   | Shadow   | Arith  | ✓                    | ✓ (b)      | 96%     | 18%
LBC            | ✗   | Shadow   | Deref  | ✓                    | ✗          | 22%     | 7.7%
ASan           | ✓   | Shadow   | Deref  | ✓                    | ✗          | 80%     | 237%
Intel MPX      | ✓   | Table    | Deref  | ✓                    | ✓          | 139%    | 90%
LowFat         | ✓   | Layout   | Deref  | ✗                    | ✓          | 54%     | 5.2%
SGXBounds      | ✓   | Tag      | Deref  | ✓                    | ✓          | 89%     | 0.1%
Delta Pointers | ✓   | Tag      | —      | ✓                    | ✓          | 35%     | 0%
(a) Only up to alloc size/2 on 32-bit.
(b) Unless wrap-around on 16-bit labels occurs.
Impact of optimization with static analysis
[chart: per-benchmark SPEC CPU2006 overhead, 0-100%, unoptimized vs optimized, same benchmarks as above]
41% ⇒ 35%
Statistics
- 72% of SPEC offsets are dynamic
- 80% increase in code size with Delta Pointers
Branching implementation
    void foo(int n) {
        char *buffer = malloc(24);
        char *p = buffer + n;
        *p = 'x';
    }
Store the end pointer (distance) in the tag, extract the tag on load/store, then a branching check:
    void foo(int n) {
        uintptr_t buffer = (uintptr_t)malloc(24);
        buffer |= (buffer + 24) << 32;          /* store end pointer in tag */
        uintptr_t p = buffer + n;
        uintptr_t tag = p >> 32;                /* extract tag on load/store */
        p = p & 0xffffffff;
        if (p >= tag) ERROR("overflow");        /* branching check */
        *(char *)p = 'x';
    }
Some pointer tagging challenges
- Some operations need masking to preserve semantics
      char a[10];
      // size_t len = &a[10] - &a[0];
      size_t len = MASK(&a[10]) - MASK(&a[0]);
- Pointers that look like integers
      union {
          char *buf;
          uint64_t foo;
      } field;
      field.buf += 42;   // should instrument
      field.foo += 42;   // should NOT
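The branching implementation and the pointer-subtraction pitfall from the last two slides, as an added C example that is not code from the talk or from the vusec/deltapointers project. It works on 64-bit integers with the same assumed layout (low 32 bits address, upper 32 bits tag), uses constructed addresses, and touches no real memory: the first part is the explicit compare-and-branch the talk measured at 48% overhead, the second shows why &a[10] - &a[0] needs MASK() once the two pointers carry different delta tags.

```c
/* Added example: the branching check with an end-pointer tag, and the
 * effect of masking on pointer subtraction. All addresses are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define ADDR_MASK UINT64_C(0xffffffff)
#define MASK(p)   ((p) & ADDR_MASK)          /* strip the tag, keep the address */

/* Branching variant: tag = end pointer of the allocation
 * (slide: buffer |= (buffer + 24) << 32). */
static uint64_t end_tag(uint32_t base, uint32_t size) {
    return (uint64_t)base | ((uint64_t)(base + size) << 32);
}

/* The instrumented store "*p = 'x'" with p = buffer + n: extract the tag,
 * mask the address, then one explicit compare. Returns false where the
 * slide calls ERROR("overflow"). Like the slide, only the upper bound is
 * checked, so a negative n is not caught here. */
static bool checked_store_ok(uint64_t tagged_base, int64_t n) {
    uint64_t p   = tagged_base + (uint64_t)n;
    uint64_t tag = p >> 32;                  /* end pointer */
    uint64_t a   = MASK(p);
    if (a >= tag)
        return false;                        /* branch taken: overflow */
    return true;
}

/* Delta variant, for the subtraction pitfall: tag = -distance in 31 bits,
 * with the offset replicated on the tag on every pointer add. */
static uint64_t delta_tag(uint32_t addr, uint32_t dist) {
    return (uint64_t)addr | ((uint64_t)((UINT32_C(0) - dist) & UINT32_C(0x7fffffff)) << 32);
}
static uint64_t delta_add(uint64_t p, int64_t off) {
    return p + (uint64_t)off + ((uint64_t)off << 32);
}

/* size_t len = &a[10] - &a[0] for char a[10] at constructed address 0x1000.
 * &a[0] carries -10 in its tag; &a[10] is one past the end, so its tag has
 * the overflow bit set and distance 0. Unmasked, the tag difference leaks
 * into the upper 32 bits of the result; masked, the answer is 10. */
static uint64_t array_len(bool use_mask) {
    uint64_t start = delta_tag(UINT32_C(0x1000), 10);   /* &a[0]  */
    uint64_t end   = delta_add(start, 10);              /* &a[10] */
    return use_mask ? MASK(end) - MASK(start) : end - start;
}

int main(void) {
    uint64_t buf = end_tag(UINT32_C(0x020c4010), 24);   /* constructed base */
    printf("n=23 ok=%d  n=24 ok=%d\n",
           checked_store_ok(buf, 23), checked_store_ok(buf, 24));
    printf("len masked=%llu  unmasked=0x%llx\n",
           (unsigned long long)array_len(true),
           (unsigned long long)array_len(false));
    return 0;
}
```

checked_store_ok is the shape of every instrumented load and store in the branching build: a shift, a mask and a conditional on the hot path, which is the cost the delta encoding removes by letting the MMU reject the masked pointer instead. array_len shows the other side of pointer tagging, the semantic repair work: any operation that treats pointers as integers (differences, comparisons, hashing) has to mask first, which is what the TBAA and def-use analysis in the talk is there to place correctly.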