## Hardware-Software Co-design For Practical Memory Safety

**Mohamed Tarek** 

Ph.D. Defense - April 11th, 2022



## Hardware-Software Co-design For Practical Memory Safety

**Mohamed Tarek** 

Ph.D. Defense - April 11th, 2022



A program property that guarantees **memory objects** can only be accessed:



A program property that guarantees **memory objects** can only be accessed:

• Between their intended bounds,



Memory

A program property that guarantees **memory objects** can only be accessed:



A program property that guarantees **memory objects** can only be accessed:

- Between their intended bounds,
- During their lifetime, and
- Given their original (or compatible) type.







*Root cause* 



*Root cause* 







12





14









# Why is memory safety a concern?



Computing Sep 6

### Apple says China's Uighur Muslims were targeted in the recent iPhone hacking campaign

The tech giant gave a rare statement that bristled at Google's analysis of the novel hacking operation.

Computing Sep 6

### Apple says China's Uighur Muslims were targeted in the recent iPhone hacking campaign

The tech giant gave a rare statement that bristled at Google's analysis of the novel hacking operation.

EDITOR'S PICK | 42,742 views | Nov 21, 2018, 07:00am

Exclusive: Saudi Dissidents Hit With Stealth iPhone Spyware Before Khashoggi's Murder

Computing Sep 6

## Apple says China's Uighur Muslims were targeted in the recent iPhone hacking campaign

The tech giant gave a rare statement that bristled at Google's analysis

of the novel hacking operation.

The New York Times

WhatsApp Rushes to Fix Security Flaw Exposed in Hacking of Lawyer's Phone EDITOR'S PICK | 42,742 views | Nov 21, 2018, 07:00am

Exclusive: Saudi Dissidents Hit With Stealth iPhone Spyware Before Khashoggi's Murder

## **Prevalence of Memory Safety Vulns**



#### Microsoft Product CVEs between 2006-2018

## **Prevalence of Memory Safety Vulns**



#### Microsoft Product CVEs between 2006-2018



#### Chromium high severity security bugs between 2015-2020

# ATTACKERS



# MEMORY SAFETY

## **Attackers prefer Memory Safety Vulns**

















## How to fix C/C++ memory (un)safety?

## How to fix C/C++ memory (un)safety?

Memory Blocklisting

Memory Permitlisting Exploit Mitigation

## How to fix C/C++ memory (un)safety?

Memory Blocklisting

Memory Permitlisting Exploit Mitigation


Memory Blocklisting

Memory Permitlisting Exploit Mitigation



Memory Blocklisting

Memory Permitlisting Exploit Mitigation



e.g., Google's Address Sanitizer

Memory Blocklisting

Memory Permitlisting Exploit Mitigation





e.g., Google's Address Sanitizer

Memory Blocklisting

Memory Permitlisting Exploit Mitigation



e.g., Google's Address Sanitizer



Memory Blocklisting

Memory Permitlisting Exploit Mitigation



e.g., Google's Address Sanitizer

Memory Blocklisting

Memory Permitlisting Exploit Mitigation







e.g., Google's Address Sanitizer

Memory Blocklisting

Memory Permitlisting Exploit Mitigation



Size Base Ptr V Object (A)



e.g., Google's Address Sanitizer

Memory Blocklisting

Memory Permitlisting Exploit Mitigation



Size Base Ptr V Object (A)



e.g., Google's Address Sanitizer

Memory Blocklisting

Memory Permitlisting Exploit Mitigation



Size Base Ptr V Object (A)



e.g., ARM's PAC

e.g., Google's Address Sanitizer





e.g., Google's Address Sanitizer

e.g., Intel's MPX and CHERI

e.g., ARM's PAC





e.g., Google's Address Sanitizer

e.g., Intel's MPX and CHERI

e.g., ARM's PAC

#### Memory Blocklisting

Memory Permitlisting

#### Exploit Mitigation







Memory Blocklisting Memory Permitlisting Exploit Mitigation





Architectural Support for Low Overhead Memory Safety Checks. [ISCA 2021]

Memory Blocklisting

Memory Permitlisting Exploit Mitigation





ZeRØ: Zero-Overhead Resilient Operation Under Pointer Integrity Attacks. [ISCA 2021]

Memory Blocklisting

Memory Permitlisting Exploit Mitigation















# **Cache Line Formats**

Hiroshi Sasaki, Miguel A. Arroyo, **Mohamed Tarek Ibn Ziad**, Koustubha Bhat, Kanad Sinha, and Simha Sethumadhavan, Practical byte-granular memory blacklisting using Califorms. [<u>MICRO 2019</u>] [IEEE Micro Top Picks Honorable Mention]



54









**Program Memory** 









**Program Memory** 

Our Metadata: Encoded within unused data.



Our Metadata: Encoded within unused data.





Our Metadata: Encoded within unused data.





*bit-vector* 

Our Metadata: Encoded within unused data.





*bit-vector* 

Our Metadata: Encoded within unused data.

Blocklisted Location



Our Metadata: Encoded within unused data.

Blocklisted Location



Our Metadata: Encoded within unused data.

Blocklisted Location



#### **CaLiForms Microarchitectural Overview**



#### **CaLiForms Microarchitectural Overview**



#### **CaLiForms Microarchitectural Overview**


#### **CaLiForms Microarchitectural Overview**



#### **CaLiForms Microarchitectural Overview**



#### **CaLiForms Microarchitectural Overview**



#### **CaLiForms Performance Overheads**



Hardware Modifications

Our measurements show no impact on the cache access latency.

#### **CaLiForms Performance Overheads**

#### 

Hardware Modifications

Our measurements show no impact on the cache access latency.

#### 

Software Modifications

• We evaluate three different insertion policies using Clang/LLVM.

#### **CaLiForms Insertion Polices**

```
struct
A_opportunistic {
   char c;
   char tripwire[3];
   int i;
   char buf[64];
   void (*fp)();
}
```

#### (1) **Opportunistic**

#### **CaLiForms Insertion Polices**

struct
A\_opportunistic {
 char c;
 char tripwire[3];
 int i;
 char buf[64];
 void (\*fp)();
}

(1) **Opportunistic** 

struct A\_full { char tripwire[2]; char c; char tripwire[1]; int i; char tripwire[3]; char buf[64]; char tripwire[2]; void (\*fp)(); char tripwire[1]; } (2) Full

#### **CaLiForms Insertion Polices**

struct
A\_opportunistic {
 char c;
 char tripwire[3];
 int i;
 char buf[64];
 void (\*fp)();
}

#### (1) **Opportunistic**

struct A\_full { char tripwire[2]; char c; char tripwire[1]; int i; char tripwire[3]; char buf[64]; char tripwire[2]; void (\*fp)(); char tripwire[1]; } (2) Full

```
struct A_intelligent
{
    char c;
    int i;
    char tripwire[3];
    char buf[64];
    char tripwire[2];
    void (*fp)();
    char tripwire[3];
}
```

```
(3) Intelligent
```

### **CaLiForms Performance Overheads**



**Hardware Modifications** 

Our measurements show no impact on the cache access latency.

#### 

#### Software Modifications

• We evaluate three different insertion policies using Clang/LLVM.

### **CaLiForms Performance Overheads**



**Hardware Modifications** 

Our measurements show no impact on the cache access latency.

#### 

#### Software Modifications

- We evaluate three different insertion policies using Clang/LLVM.
- We emulate the overheads of BLOC instructions that are used during malloc/free to mark the blocklisted locations per cacheline.

#### CaLiForms Performance Results (x86\_64)



**Opportunistic (BLOC)** 



#### CaLiForms Performance Results (x86\_64)



#### CaLiForms Performance Results (x86\_64)



#### **CaLiForms Performance Overheads**

struct
A\_opportunistic {
 char c;
 char tripwire[3];
 int i;
 char buf[64];
 void (\*fp)();
}

struct A\_full {
 char tripwire[2];
 char c;

The *intelligent* policy provides the best performance-security tradeoff.

(2) Full

struct A\_intelligent
{
 char c;
 int i;
 char tripwire[3];
 char buf[64];
 char tripwire[2];
 void (\*fp)();
 char tripwire[3];

(3) Intelligent

(1) **Opportunistic** 

### **Memory Attacks Taxonomy**





**Mohamed Tarek Ibn Ziad**, Miguel A. Arroyo Evgeny Manzhosov, Ryan Piersma, and Simha Sethumadhavan, Architectural Support for Low Overhead Memory Safety Checks. [ISCA 2021]





Current software trends can be used to enhance systems security



Current software trends can be used to enhance systems security

Increasing adoption of binning allocators



Current software trends can be used to enhance systems security

Increasing adoption of binning allocators

- Maintains memory locality.
- Implicit lookup of allocation information.



Current software trends can be used to enhance systems security

Increasing adoption of binning allocators

- Maintains memory locality.
- Implicit lookup of allocation information.



```
40. int main() {
41. char* ptr = malloc(12);
42. ...
50. }
```











```
40. int main() {
41. char* ptr = malloc(12);
42. ...
50. }
```







97







40.

41.

42.

50.







Virtual Memory

```
40. int main() {
41. char* ptr = malloc(12);
42. ptr[1] = 'A';
43. ...
50. }
```









s\_store ptr[1], A', ptr<sub>trusted\_base</sub>



s\_store ptr[1], A', ptr<sub>trusted\_base</sub>






The **allocation size** information is made **available** to the hardware to verify memory accesses.







```
40. int main() {
41. char* ptr = malloc(12); ptr<sub>trusted_base</sub>
42. ptr[1] = 'A'; s_store ptr[1], 'A', ptr<sub>trusted_base</sub>
43. ...
50. }
```



```
40. int main() {
41. char* ptr = malloc(12); ptr<sub>trusted base</sub>
42. ptr[1] = 'A'; s_store ptr[1], 'A', ptr<sub>trusted base</sub>
43. ...
49. foo(ptr);
50. }
51. void Foo (char*)xptr){
52.
   •••
53. xptr[7] = 'B';
54. ...
60. }
```

```
40. int main() {
41. char* ptr = malloc(12); ptr<sub>trusted base</sub>
42. ptr[1] = 'A'; s_store ptr[1], 'A', ptr<sub>trusted base</sub>
43. ...
49. foo(ptr);
50. }
51. void Foo (char* xptr){
52.
       ...
53. xptr[7] = (B'; ) s_store xptr[7], B', xptr_{trusted base}
54. ...
60. }
```

```
40. int main() {
41. char* ptr = malloc(12); ptr<sub>trusted base</sub>
42. ptr[1] = 'A'; s_store ptr[1], 'A', ptr<sub>trusted base</sub>
43. ...
49. foo(ptr);
50. }
51. void Foo (char* xptr){
52.
       ...
53. xptr[7] = 'B'; s_store xptr[7], 'B', xptr<sub>trusted</sub> base
54. ...
                                                  How do we get this?
60. }
```

```
40. int main() {
41. char* ptr = malloc(12); ptr<sub>trusted base</sub>
42. ptr[1] = 'A'; s_store ptr[1], 'A', ptr<sub>trusted base</sub>
43. ...
49. foo(ptr);
50. }
51. void Foo (char* xptr){
                        52.
     ...
53. xptr[7] = 'B'; s_store xptr[7], 'B', xptr<sub>trusted base</sub>
54. ...
60. }
```

xptr<sub>trusted base</sub> <- compBase(xptr[7])</pre>

xptr<sub>trusted base</sub> < compBase(xptr[7])</pre>



xptr<sub>trusted base</sub> < compBase(xptr[7])</pre>







```
40. int main() {
41. char* ptr = malloc(12); ptr<sub>trusted_base</sub>
42. ptr[1] = 'A'; s_store ptr[1], 'A', ptr<sub>trusted_base</sub>
43. ...
49. foo(ptr);
50. }
```























Most of No-FAT's overheads are attributed to:The binning memory allocator, and



Most of No-FAT's overheads are attributed to:
The binning memory allocator, and
The back-to-back MULs during base address computation



Most of No-FAT's overheads are eliminated with:A performant binning memory allocator (e.g., MiMalloc), and



Most of No-FAT's overheads are eliminated with:
A performant binning memory allocator (e.g., MiMalloc), and

• A base address cache for derived pointers.

# **Memory Attacks Taxonomy**



### My solutions for C/C++ memory (un)safety

Memory Blocklisting

Memory Permitlisting Exploit Mitigation









[ISCA 2021]

| _ |                | Metadata                        | Concerns                                       |
|---|----------------|---------------------------------|------------------------------------------------|
|   | Memory Tagging | N bits per pointer & allocation | Spatial & temporal safety limited by tag width |

|                | Metadata                        | Concerns                                       |
|----------------|---------------------------------|------------------------------------------------|
| Memory Tagging | N bits per pointer & allocation | Spatial & temporal safety limited by tag width |
| Tripwires      | N bits per allocation           | Susceptible to non-adjacent overflows          |

|                | Metadata                        | Concerns                                       |
|----------------|---------------------------------|------------------------------------------------|
| Memory Tagging | N bits per pointer & allocation | Spatial & temporal safety limited by tag width |
| Tripwires      | N bits per allocation           | Susceptible to non-adjacent overflows          |
| CaLiForms      | 1 bit per cache line            | Provides probabilistic<br>guarantees           |

|                        | Metadata                         | Concerns                                                                      |
|------------------------|----------------------------------|-------------------------------------------------------------------------------|
| Memory Tagging         | N bits per pointer & allocation  | Spatial & temporal safety limited by tag width                                |
| Tripwires              | N bits per allocation            | Susceptible to non-adjacent overflows                                         |
| CaLiForms              | 1 bit per cache line             | Provides probabilistic<br>guarantees                                          |
| Explicit Base & Bounds | N bits per pointer or allocation | Breaks compatibility with the rest of the system (eg. unprotected libraries). |
# **Comparison with prior work**

|                        | Metadata                         | Concerns                                                                      |
|------------------------|----------------------------------|-------------------------------------------------------------------------------|
| Memory Tagging         | N bits per pointer & allocation  | Spatial & temporal safety limited by tag width                                |
| Tripwires              | N bits per allocation            | Susceptible to non-adjacent overflows                                         |
| CaLiForms              | 1 bit per cache line             | Provides probabilistic<br>guarantees                                          |
| Explicit Base & Bounds | N bits per pointer or allocation | Breaks compatibility with the rest of the system (eg. unprotected libraries). |
| No-FAT                 | Fixed (1K) bits per process      | Requires binning allocator                                                    |

# My solutions for C/C++ memory (un)safety

Memory Blocklisting

Memory Permitlisting Exploit Mitigation















**Mohamed Tarek Ibn Ziad**, Miguel A. Arroyo, Evgeny Manzhosov, and Simha Sethumadhavan, ZeRØ: Zero-Overhead Resilient Operation Under Pointer Integrity Attacks. [ISCA 2021]



| CALL <foo></foo> |        | ] |
|------------------|--------|---|
| STORE            |        |   |
| RET              |        |   |
|                  |        |   |
|                  |        |   |
|                  |        | 1 |
| Program          | Memory |   |













# **Code Pointer Integrity with ZeRØ**



# **Code Pointer Integrity with ZeRØ**



# **Code Pointer Integrity with ZeRØ**



# Data Pointer Integrity with ZeRØ





# **Efficiently Tracking Metadata**

In ZeRØ, we encode metadata **within** unused pointer bits.



# **Efficiently Tracking Metadata**



## ZeRØ Performance Overheads



Hardware Modifications

Our measurements show no impact on the cache access latency.

## ZeRØ Performance Overheads



Hardware Modifications

Our measurements show no impact on the cache access latency.

#### 

#### **Software Modifications**

• Our special load/stores do not change the binary size.

## ZeRØ Performance Overheads



Hardware Modifications

Our measurements show no impact on the cache access latency.

#### 

#### **Software Modifications**

- Our special load/stores do not change the binary size.
- The ClearMeta instructions are only called on memory deletion.







165





1.8 1.6







PAC's overheads are attributed to the extra QARMA encryption invocations upon pointer:

- loads/stores
- usages



ZeRØ reduces the average runtime overheads of pointer integrity from 14% to 0%!

# An efficient pointer integrity mechanism



An ideal candidate for end-user deployment.

Easy to Implement
No Runtime Overheads
Provides Strong Security

A drop-in replacement for ARM's PAC

# My solutions for C/C++ memory (un)safety

Memory Blocklisting

Memory Permitlisting Exploit Mitigation













# **Memory Attacks Taxonomy**



# **Memory Attacks Taxonomy**



# **Memory Attacks Taxonomy**



## Acknowledgement



Simha Sethumadhavan Columbia University



Miguel A. Arroyo Columbia University



Evgeny Manzhosov Columbia University



Vasileios P. Kemerlis Brown University



Kanad Sinha Columbia University



Koustubha Bhat Vrije Universiteit Amsterdam



**Ryan Piersma** Columbia University



Hiroshi Sasaki Tokyo Institute of Technology

# My solutions for C/C++ memory (un)safety

Memory Blocklisting

Memory Permitlisting Exploit Mitigation











