Memory safety without garbage collection for embedded applications

Published: 01 February 2005

Abstract

Traditional approaches to enforcing memory safety of programs rely heavily on run-time checks of memory accesses and on garbage collection, both of which are unattractive for embedded applications. The goal of our work is to develop advanced compiler techniques for enforcing memory safety with minimal run-time overheads. In this paper, we describe a set of compiler techniques that, together with minor semantic restrictions on C programs and no new syntax, ensure memory safety and provide most of the error-detection capabilities of type-safe languages, without using garbage collection and with no run-time software checks (on systems with standard hardware support for memory management). The language permits arbitrary pointer-based data structures, explicit deallocation of dynamically allocated memory, and restricted array operations. One of the key results of this paper is a compiler technique that ensures that dereferencing dangling pointers to freed memory does not violate memory safety, without annotations, run-time checks, or garbage collection, and works for arbitrary type-safe C programs. Furthermore, we present a new interprocedural analysis for static array bounds checking under certain assumptions. For a diverse set of embedded C programs, we show that we are able to ensure memory safety of pointer and dynamic memory usage in all these programs with no run-time software checks (on systems with standard hardware memory protection), requiring only minor restructuring to conform to simple type restrictions. Static array bounds checking fails for roughly half the programs we study due to complex array references, and these are the only cases where explicit run-time software checks would be needed under our language and system assumptions.
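The dangling-pointer result in the abstract rests on the pool-allocation idea named in the author tags: every dynamically allocated object lives in a pool that holds only objects of one type, and a freed slot goes back to that pool's free list rather than to the system allocator. The following C program is an added illustration of that idea as this editor understands it, not code from the paper or its LLVM implementation; the pool API (`pool_init`, `pool_alloc`, `pool_free`, `pool_contains`) and the `node` type are constructed for the example. It shows that a pointer to a freed object still addresses a slot of the right type inside the pool, so a later dereference reads stale or reused data of that type but cannot corrupt memory of another type or leave the pool. In the paper's scheme the compiler establishes statically which pool an object belongs to; the membership check inside `pool_free` below is only there to keep this stand-alone example robust.

```c
// Added illustration of a type-homogeneous pool (not the paper's own code).
// Freed slots are recycled only within the pool and only for the same type,
// which is what makes a dangling-pointer dereference type-safe.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The one object type this example pool holds (constructed for the demo). */
typedef struct node { struct node *next; int value; } node;

typedef struct pool {
    size_t slot_size;     /* size of the single type stored in this pool */
    size_t nslots;
    unsigned char *base;  /* backing memory; owned by the pool until destroy */
    void *free_list;      /* singly linked list threaded through free slots */
} pool;

/* 1 if ptr is the start of a slot inside this pool's backing memory. */
static int pool_contains(const pool *p, const void *ptr) {
    uintptr_t q = (uintptr_t)ptr, lo = (uintptr_t)p->base;
    uintptr_t hi = lo + p->nslots * p->slot_size;
    if (q < lo || q >= hi) return 0;
    return (q - lo) % p->slot_size == 0;
}

static int pool_init(pool *p, size_t slot_size, size_t nslots) {
    if (slot_size < sizeof(void *)) slot_size = sizeof(void *);
    p->slot_size = slot_size;
    p->nslots = nslots;
    p->base = calloc(nslots, slot_size);
    if (!p->base) return 0;
    p->free_list = NULL;
    /* Thread the free list through every slot, lowest address first. */
    for (size_t i = nslots; i > 0; i--) {
        void *slot = p->base + (i - 1) * slot_size;
        *(void **)slot = p->free_list;
        p->free_list = slot;
    }
    return 1;
}

static void *pool_alloc(pool *p) {
    void *slot = p->free_list;
    if (!slot) return NULL;   /* pool exhausted; caller decides what to do */
    p->free_list = *(void **)slot;
    return slot;
}

/* The slot is pushed on the free list; it is never returned to the system,
   so any stale pointer to it keeps addressing pool memory of this type. */
static void pool_free(pool *p, void *obj) {
    if (!pool_contains(p, obj)) return;  /* defensive only; see lead-in */
    *(void **)obj = p->free_list;
    p->free_list = obj;
}

/* Only here does the backing memory go back to the system allocator. */
static void pool_destroy(pool *p) {
    free(p->base);
    p->base = NULL;
    p->free_list = NULL;
    p->nslots = 0;
}

/* Returns 1 when the dangling pointer stays inside the pool and the next
   allocation of the same type reuses its slot, i.e. the stale pointer
   aliases a well-typed node rather than unrelated memory. */
static int demo_dangling_stays_in_pool(void) {
    pool p;
    if (!pool_init(&p, sizeof(node), 8)) return 0;
    node *a = pool_alloc(&p);
    a->next = NULL;
    a->value = 42;
    pool_free(&p, a);                         /* a is now dangling */
    int still_in_pool = pool_contains(&p, a);
    node *b = pool_alloc(&p);                 /* same type: reuses a's slot */
    b->next = NULL;
    b->value = 7;
    int aliases_same_type = (b == a) && (a->value == 7);
    pool_destroy(&p);
    return still_in_pool && aliases_same_type;
}

int main(void) {
    printf("dangling pointer stays in its typed pool: %s\n",
           demo_dangling_stays_in_pool() ? "yes" : "no");
    return 0;
}
```

The demo deliberately reads through `a` after it was freed: with a general-purpose allocator that would be a classic use-after-free, but here the slot is still pool memory of type `node`, which is exactly the property the paper relies on to avoid run-time checks and garbage collection.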


Published In

ACM Transactions on Embedded Computing Systems, Volume 4, Issue 1, February 2005, 254 pages
ISSN: 1539-9087
EISSN: 1558-3465
DOI: 10.1145/1053271

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Embedded systems
  2. automatic pool allocation
  3. compilers
  4. programming languages
  5. region management
  6. security
  7. static analysis
