DOI: 10.1145/2694344.2694367 (ASPLOS conference proceedings, research article)

Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine

Published: 14 March 2015

Abstract

We propose a new memory-safe interpretation of the C abstract machine that provides stronger protection to benefit security and debugging. Despite ambiguities in the specification intended to provide implementation flexibility, contemporary implementations of C have converged on a memory model similar to the PDP-11, the original target for C. This model lacks support for memory safety despite well-documented impacts on security and reliability.
Attempts to change this model are often hampered by assumptions embedded in a large body of existing C code, dating back to the memory model exposed by the original C compiler for the PDP-11. Our experience with attempting to implement a memory-safe variant of C on the CHERI experimental microprocessor led us to identify a number of problematic idioms. We describe these as well as their interaction with existing memory safety schemes and the assumptions that they make beyond the requirements of the C specification. Finally, we refine the CHERI ISA and abstract model for C, by combining elements of the CHERI capability model and fat pointers, and present a softcore CPU that implements a C abstract machine that can run legacy C code with strong memory protection guarantees.
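The abstract's model, a capability-style fat pointer whose bounds are enforced on every dereference while pointer arithmetic itself is left unchecked, as an added C example written for this page. It is a hypothetical software model, not the CHERI ISA and not the paper's compiler or softcore; the cap_t layout, the cap_* helpers, the last_err fault register and demo() are this example's own assumptions. It exercises three idioms that legacy C code relies on and that a bounds-checking scheme has to settle: an unbounded copy into a fixed buffer, the one-past-the-end pointer that C allows to be formed but not read, and a pointer laundered through an integer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical software model (not the CHERI ISA) of a capability-style
 * fat pointer: [base, base+length) bounds the object, offset is the cursor
 * relative to base, and tag records whether the value is a genuine
 * capability or was forged from an integer. */
typedef struct {
    uint8_t  *base;
    size_t    length;
    ptrdiff_t offset;
    int       tag;
} cap_t;

typedef enum { CAP_OK = 0, CAP_BOUNDS = 1, CAP_TAG = 2 } cap_err;

/* Fault recorded by the most recent checked access. */
static cap_err last_err = CAP_OK;

/* Derive a capability for an object of len bytes (what an allocator or the
 * compiler's stack allocation would hand out). */
cap_t cap_from_alloc(void *p, size_t len) {
    cap_t c = { (uint8_t *)p, len, 0, 1 };
    return c;
}

/* Pointer arithmetic never faults: legacy idioms compute one-past-the-end
 * and container-of pointers that lie outside the object and are only
 * dereferenced after being brought back in bounds. */
cap_t cap_add(cap_t c, ptrdiff_t delta) {
    c.offset += delta;
    return c;
}

/* A pointer laundered through an integer comes back untagged: address
 * bits alone do not confer authority. */
cap_t cap_from_int(uintptr_t v) {
    cap_t c = { (uint8_t *)v, 0, 0, 0 };
    return c;
}

/* Every dereference checks tag and bounds for the full access width. */
static int cap_check(cap_t c, size_t width) {
    if (!c.tag) { last_err = CAP_TAG; return 0; }
    if (c.offset < 0 || (size_t)c.offset + width > c.length) {
        last_err = CAP_BOUNDS;
        return 0;
    }
    last_err = CAP_OK;
    return 1;
}

int cap_store8(cap_t c, uint8_t v) {
    if (!cap_check(c, 1)) return 0;
    c.base[c.offset] = v;
    return 1;
}

int cap_load8(cap_t c, uint8_t *out) {
    if (!cap_check(c, 1)) return 0;
    *out = c.base[c.offset];
    return 1;
}

/* An unbounded strcpy, the classic stack-smashing primitive, written against
 * the model: returns the number of bytes written, stopping at the first fault. */
size_t cap_strcpy(cap_t dst, const char *src) {
    size_t n = 0;
    for (;; n++) {
        if (!cap_store8(cap_add(dst, (ptrdiff_t)n), (uint8_t)src[n])) return n;
        if (src[n] == '\0') return n;
    }
}

/* Runs the three cases and returns how many were trapped (3), or -1 if the
 * model behaved unexpectedly. */
int demo(void) {
    uint8_t buf[8];
    cap_t b = cap_from_alloc(buf, sizeof buf);
    int trapped = 0;
    uint8_t x;

    /* In-bounds copy: "hello" plus its NUL fits in 8 bytes. */
    if (cap_strcpy(b, "hello") != 5 || last_err != CAP_OK) return -1;

    /* Overflow: the copy is cut off after 8 bytes instead of spilling. */
    if (cap_strcpy(b, "0123456789ABCDEF") != 8 || last_err != CAP_BOUNDS) return -1;
    trapped++;

    /* One-past-the-end pointer: legal to form and compare, fatal to read. */
    cap_t end = cap_add(b, (ptrdiff_t)sizeof buf);
    if (end.offset != 8 || cap_load8(end, &x) || last_err != CAP_BOUNDS) return -1;
    trapped++;

    /* Pointer reconstituted from an integer: untagged, so any access faults. */
    cap_t forged = cap_from_int((uintptr_t)buf);
    if (cap_store8(forged, 0) || last_err != CAP_TAG) return -1;
    trapped++;

    return trapped;
}

int main(void) {
    printf("faults trapped: %d\n", demo());
    return 0;
}
```

The design choice worth noticing is that cap_add is deliberately unchecked: a model that faulted on forming an out-of-bounds pointer would break the one-past-the-end and container-of idioms that standard-conforming and widely deployed C code both use, so the check is placed on the dereference, where a violation actually reads or writes memory it should not.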



Published In

ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems
March 2015, 720 pages
ISBN: 9781450328357
DOI: 10.1145/2694344
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. C language
      2. bounds checking
      3. capabilities
      4. compilers
      5. memory protection
      6. memory safety
      7. processor design
      8. security


Conference: ASPLOS '15

ASPLOS '15 paper acceptance rate: 48 of 287 submissions (17%)
Overall acceptance rate: 535 of 2,713 submissions (20%)
