Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Mustakimur Khandaker,Abu Naser,Wenqing Liu,Zhi Wang,Yajin Zhou,Yueqiang Cheng

DOI: https://doi.org/10.1109/eurosp.2019.00017

2019-01-01

Abstract:Low-level languages like C/C++ are widely used in various applications for their performance and flexibility. Unfortunately, these languages are prone to memory corruption vulnerabilities, leading to control-flow hijacking attacks. Control flow integrity (CFI) is a general principle to enforce run-time control flow of a program to a pre-computed control-flow graph (CFG). While the traditional context-insensitive CFI falls short in protecting critical control transfers, recent context-sensitive CFI research shows promising improvements but has various limitations. We present Control Flow Integrity with Look Back (CFI-LB), a call-site sensitive CFI in which a conventional source-target control transfer is strengthened by a look back into its call-sites (return addresses). CFI-LB features the adaptive call-site sensitivity in which each indirect call has its own level of sensitivity and the multi-scope CFG to improve the security even if a precise context-sensitive static CFG is not available, especially for large programs such as GCC and NGINX. One of the CFGs is constructed by our localized concolic execution, which significantly extends the dynamic CFG with very low false positives. In addition, CFI-LB is the first CFI system explicitly designed to protect its reference monitors from race conditions. We have built a prototype of CFI-LB. The evaluation with SPEC CPU2006 benchmarks and NGINX indicates that CFI-LB has a low-performance overhead (less than 5% on average for the full protection) while increasing the security.

Wang Ji-min,Ping Ling-di,Pan Xue-zeng,Shen Hai-bin,Yan Xiao-lang

DOI: https://doi.org/10.1007/bf02842479

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:The C programming language is expressive and flexible, but not safe; as its expressive power and flexibility are obtained through unsafe language features, and improper use of these features can lead to program bugs whose causes are hard to identify. Since C is widely used, and it is impractical to rewrite all existing C programs in safe languages, so ways must be found to make C programs safe. This paper deals with the unsafe features of C and presents a survey on existing solutions to make C programs safe. We have studied binary-level instrumentation tools, source checkers, source-level instrumentation tools and safe dialects of C, and present a comparison of different solutions, summarized the strengths and weaknesses of different classes of solutions, and show measures that could possibly improve the accuracy or alleviate the overhead of existing solutions.

Zhenpeng Lin,Zheng Yu,Ziyi Guo,Simone Campanoni,Peter Dinda,Xinyu Xing

2024-06-05

Abstract:The heap is a critical and widely used component of many applications. Due to its dynamic nature, combined with the complexity of heap management algorithms, it is also a frequent target for security exploits. To enhance the heap's security, various heap protection techniques have been introduced, but they either introduce significant runtime overhead or have limited protection. We present CAMP, a new sanitizer for detecting and capturing heap memory corruption. CAMP leverages a compiler and a customized memory allocator. The compiler adds boundary-checking and escape-tracking instructions to the target program, while the memory allocator tracks memory ranges, coordinates with the instrumentation, and neutralizes dangling pointers. With the novel error detection scheme, CAMP enables various compiler optimization strategies and thus eliminates redundant and unnecessary check instrumentation. This design minimizes runtime overhead without sacrificing security guarantees. Our evaluation and comparison of CAMP with existing tools, using both real-world applications and SPEC CPU benchmarks, show that it provides even better heap corruption detection capability with lower runtime overhead.

Cryptography and Security,Software Engineering

Konrad Hohentanner,Philipp Zieris,Julian Horsch

DOI: https://doi.org/10.48550/arXiv.2202.08669

2022-02-17

Cryptography and Security

Abstract:Memory safety bugs remain in the top ranks of security vulnerabilities, even after decades of research on their detection and prevention. Various mitigations have been proposed for C/C++, ranging from language dialects to instrumentation. Among these, compiler-based instrumentation is particularly promising, not requiring manual code modifications and being able to achieve precise memory safety. Unfortunately, existing compiler-based solutions compromise in many areas, including performance but also usability and memory safety guarantees. New developments in hardware can help improve performance and security of compiler-based memory safety. ARM Pointer Authentication, added in the ARMv8.3 architecture, is intended to enable hardware-assisted Control Flow Integrity. But since its operations are relatively generic, it also enables other, more comprehensive hardware-supported runtime integrity approaches. As such, we propose PACSafe, a memory safety approach based on ARM Pointer Authentication. PACSafe uses pointer signatures to retrofit full memory safety to C/C++ programs, protecting heap, stack, and globals against temporal and spatial vulnerabilities. We present a full, LLVM-based prototype implementation, running on an M1 MacBook Pro, i.e., on actual ARMv8.3 hardware. Our prototype evaluation shows that the system outperforms similar approaches under real-world conditions. This, together with its compatibility with uninstrumented libraries and cryptographic protection against attacks on metadata, makes PACSafe a viable solution for retrofitting memory safety to C/C++ programs.

Konrad Hohentanner,Philipp Zieris,Julian Horsch

DOI: https://doi.org/10.1145/3555776.3577635

2023-05-11

Abstract:Memory safety bugs remain in the top ranks of security vulnerabilities, even after decades of research on their detection and prevention. Various mitigations have been proposed for C/C++, ranging from language dialects to instrumentation. Among these, compiler-based instrumentation is particularly promising, not requiring manual code modifications and being able to achieve precise memory safety. Unfortunately, existing compiler-based solutions compromise in many areas, including performance but also usability and memory safety guarantees. New developments in hardware can help improve performance and security of compiler-based memory safety. ARM Pointer Authentication, added in the ARMv8.3 architecture, is intended to enable hardware-assisted Control Flow Integrity (CFI). But since its operations are generic, it also enables other, more comprehensive hardware-supported runtime integrity approaches. As such, we propose CryptSan, a memory safety approach based on ARM Pointer Authentication. CryptSan uses pointer signatures to retrofit memory safety to C/C++ programs, protecting heap, stack, and globals against temporal and spatial vulnerabilities. We present a full LLVM-based prototype implementation, running on an M1 MacBook Pro, i.e., on actual ARMv8.3 hardware. Our prototype evaluation shows that the system outperforms similar approaches under real-world conditions. This, together with its interoperability with uninstrumented libraries and cryptographic protection against attacks on metadata, makes CryptSan a viable solution for retrofitting memory safety to C/C++ programs.

Cryptography and Security,Programming Languages,Software Engineering

Kaiming Huang,Mathias Payer,Zhiyun Qian,Jack Sampson,Gang Tan,Trent Jaeger

2024-08-20

Abstract:Heap memory errors remain a major source of software vulnerabilities. Existing memory safety defenses aim at protecting all objects, resulting in high performance cost and incomplete protection. Instead, we propose an approach that accurately identifies objects that are inexpensive to protect, and design a method to protect such objects comprehensively from all classes of memory errors. Towards this goal, we introduce the Uriah system that (1) statically identifies the heap objects whose accesses satisfy spatial and type safety, and (2) dynamically allocates such "safe" heap objects on an isolated safe heap to enforce a form of temporal safety while preserving spatial and type safety, called temporal allocated-type safety. Uriah finds 72.0% of heap allocation sites produce objects whose accesses always satisfy spatial and type safety in the SPEC CPU2006/2017 benchmarks, 5 server programs, and Firefox, which are then isolated on a safe heap using Uriah allocator to enforce temporal allocated-type safety. Uriah incurs only 2.9% and 2.6% runtime overhead, along with 9.3% and 5.4% memory overhead, on the SPEC CPU 2006 and 2017 benchmarks, while preventing exploits on all the heap memory errors in DARPA CGC binaries and 28 recent CVEs. Additionally, using existing defenses to enforce their memory safety guarantees on the unsafe heap objects significantly reduces overhead, enabling the protection of heap objects from all classes of memory errors at more practical costs.

Cryptography and Security

Yuan Li,Wende Tan,Zhizheng Lv,Songtao Yang,Mathias Payer,Ying Liu,Chao Zhang

DOI: https://doi.org/10.48550/arXiv.2202.03950

2022-02-09

Abstract:Memory safety is a key security property that stops memory corruption vulnerabilities. Existing sanitizers enforce checks and catch such bugs during development and testing. However, they either provide partial memory safety or have overwhelmingly high performance overheads. Our novel sanitizer PACSan enforces spatial and temporal memory safety with no false positives at low performance overheads. PACSan removes the majority of the overheads involved in pointer tracking by sealing metadata in pointers through ARM PA (Pointer Authentication), and performing the memory safety checks when pointers are dereferenced. We have developed a prototype of PACSan and systematically evaluated its security and performance on the Magma, Juliet, Nginx, and SPEC CPU2017 test suites, respectively. In our evaluation, PACSan shows no false positives together with negligible false negatives, while introducing stronger security guarantees and lower performance overheads than state-of-the-art sanitizers, including HWASan, ASan, SoftBound+CETS, Memcheck, LowFat, and PTAuth. Specifically, PACSan has 0.84x runtime overhead and 1.92x memory overhead on average. Compared to the widely deployed ASan, PACSan has no false positives and much fewer false negatives and reduces 7.172% runtime overheads and 89.063%memory overheads.

Cryptography and Security

Jingfeng Xue,Changzhen Hu,Hongyu Ren,Rui Ma,Jian Li

DOI: https://doi.org/10.1109/nlpke.2011.6138200

2011-01-01

Abstract:Applications written in unsafe languages like C and C++ are vulnerable to memory errors such as buffer overflows and dangling pointers. Such errors can lead to program crashes, security vulnerabilities, and unpredictable behavior. Aiming at the problem, PSC, a new probabilistic safeguard C, is proposed in this paper. At the basis of Diehard, memory allocating strategy is improved in PSC. PSC can avoid memory errors in all probability during software executing by combing random memory allocating algorithm and virtual memory. Physical memory consumption is decreased by building hot object space working set and compressing non frequently used objects. Experiments show PSC is better than Diehard for memory errors prevention and physical memory consumption. So it is a valid memory errors prevention technology based on probability.

Yuan Li,Wende Tan,Zhizheng Lv,Songtao Yang,Mathias Payer,Ying Liu,Chao Zhang

DOI: https://doi.org/10.1145/3548606.3560598

2022-01-01

Abstract:ABSTRACTMemory safety is a key security property that stops memory corruption vulnerabilities. Different types of memory safety enforcement solutions have been proposed and adopted by sanitizers or mitigations to catch and stop such bugs, at the development or deployment phase. However, existing solutions either provide partial memory safety or have overwhelmingly high performance overheads. In this paper, we present a novel sanitizer PACMem to efficiently catch spatial and temporal memory safety bugs. PACMem removes the majority of the overheads by sealing metadata in pointers through the COTS hardware feature -- ARM PA (Pointer Authentication) and saving the overhead of pointer metadata tracking. We have developed a prototype of PACMem and systematically evaluated its security and performance on the Magma, Juliet, Nginx, and SPEC CPU2017 test suites. In our evaluation, PACMem shows no false positives together with negligible false negatives, while introducing stronger bug detection capabilities and lower performance overheads than state-of-the-art sanitizers, including HWASan, ASan, SoftBound+CETS, Memcheck, LowFat, and PTAuth. Compared to the widely deployed ASan, PACMem has no false positives and much fewer false negatives and reduces the runtime overheads by 15.80% and the memory overheads by 71.58%.

Jingfeng Xue,Changzhen Hu,Hongyu Ren,Rui Ma,Jian Li

DOI: https://doi.org/10.1109/NLPKE.2011.6138200

2011-01-01

Abstract:Applications written in unsafe languages like C and C++ are vulnerable to memory errors such as buffer overflows and dangling pointers. Such errors can lead to program crashes, security vulnerabilities, and unpredictable behavior. Aiming at the problem, PSC, a new probabilistic safeguard C, is proposed in this paper. At the basis of Diehard, memory allocating strategy is improved in PSC. PSC can avoid memory errors in all probability during software executing by combing random memory allocating algorithm and virtual memory. Physical memory consumption is decreased by building hot object space working set and compressing non frequently used objects. Experiments show PSC is better than Diehard for memory errors prevention and physical memory consumption. So it is a valid memory errors prevention technology based on probability. © 2011 IEEE.

Eyasu Getahun Chekole,Unnikrishnan Cheramangalath,Sudipta Chattopadhyay,Martin Ochoa,Guo Huaqun

DOI: https://doi.org/10.48550/arXiv.1809.07477

2019-09-19

Abstract:Memory-safety attacks have been one of the most critical threats against computing systems. Although a wide-range of defense techniques have been developed against these attacks, the existing mitigation strategies have several limitations. In particular, most of the existing mitigation approaches are based on aborting or restarting the victim program when a memory-safety attack is detected, thus making the system unavailable. This might not be acceptable in systems with stringent timing constraints, such as cyber-physical systems (CPS), since the system unavailability leaves the control system in an unsafe state. To address this problem, we propose CIMA -- a resilient and light-weight mitigation technique that prevents invalid memory accesses at runtime. CIMA manipulates the compiler-generated control flow graph to automatically detect and bypass unsafe memory accesses at runtime, thereby mitigating memory-safety attacks along the process. An appealing feature of CIMA is that it also ensures system availability and resilience of the CPS even under the presence of memory-safety attacks. To this end, we design our experimental setup based on a realistic Secure Water Treatment (SWaT) and Secure Urban Transportation System (SecUTS) testbeds and evaluate the effectiveness and the efficiency of our approach. The experimental results reveal that CIMA handles memory-safety attacks effectively with low overhead. Moreover, it meets the real-time constraints and physical-state resiliency of the CPS under test.

Cryptography and Security

Chengyan Ma,Ning Xi,Di Lu,Yebo Feng,Jianfeng Ma

DOI: https://doi.org/10.1007/s11432-023-3865-0

2024-05-26

Science China Information Sciences

Abstract:Memory corruption attacks (MCAs) refer to malicious behaviors of system intruders that modify the contents of a memory location to disrupt the normal operation of computing systems, causing leakage of sensitive data or perturbations to ongoing processes. Unlike general-purpose systems, unmanned systems cannot deploy complete security protection schemes, due to their limitations in size, cost and performance. MCAs in unmanned systems are particularly difficult to defend against. Furthermore, MCAs have diverse and unpredictable attack interfaces in unmanned systems, severely impacting digital and physical sectors. In this paper, we first generalize, model and taxonomize MCAs found in unmanned systems currently, laying the foundation for designing a portable and general defense approach. According to different attack mechanisms, we found that MCAs are mainly categorized into two types — return2libc and return2shellcode. To tackle return2libc attacks, we model the erratic operation of unmanned systems with cycles and then propose a cycle-task-oriented memory protection (CToMP) approach to protect control flows from tampering. To defend against return2shellcode attacks, we introduce a secure process stack with a randomized memory address by leveraging the memory pool to prevent Shellcode from being executed. Moreover, we discuss the mechanism by which CToMP resists the return-oriented programming (ROP) attack, a novel variant of return2libc attacks. Finally, we implement CToMP on CUAV V5+ with Ardupilot and Crazyflie. The evaluation and security analysis results demonstrate that the proposed approach CToMP is resilient to various MCAs in unmanned systems with low footprints and system overhead.

computer science, information systems,engineering, electrical & electronic

Piyus Kedia,Rahul Purandare,Udit Kumar Agarwal,Rishabh

DOI: https://doi.org/10.48550/arXiv.2107.10533

2023-08-29

Abstract:Spatial safety violations are the root cause of many security attacks and unexpected behavior of applications. Existing techniques to enforce spatial safety work broadly at either object or pointer granularity. Object-based approaches tend to incur high CPU overheads, whereas pointer-based approaches incur both high CPU and memory overheads. SGXBounds, an object-based approach, is so far the most efficient technique that provides complete out-of-bounds protection for objects. However, a major drawback of this approach is that it can't support address space larger than 32-bit. In this paper, we present CGuard, a tool that provides object-bounds protection for C applications with comparable overheads to SGXBounds without restricting the application address space. CGuard stores the bounds information just before the base address of an object and encodes the relative offset of the base address in the spare bits of the virtual address available in x86_64 architecture. For an object that can't fit in the spare bits, CGuard uses a custom memory layout that enables it to find the base address of the object in just one memory access. Our study revealed spatial safety violations in the gcc and x264 benchmarks from the SPEC CPU2017 benchmark suite and the string_match benchmark from the Phoenix benchmark suite. The execution time overheads for the SPEC CPU2017 and Phoenix benchmark suites were 42% and 26% respectively, whereas the reduction in the throughput for the Apache webserver when the CPUs were fully saturated was 30%. These results indicate that CGuard can be highly effective while maintaining a reasonable degree of efficiency.

Cryptography and Security,Programming Languages,Software Engineering

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Weizhong Qiang,Weifeng Li,Hai Jin,Jayachander Surbiryala

DOI: https://doi.org/10.1109/access.2019.2908022

IF: 3.9

2019-01-01

IEEE Access

Abstract:Highly efficient languages, such as C/C++, have low-level control over memory. Due to the lack of validity detection for pointers and garbage collection for memory, developers are responsible for dynamic memory management by explicitly allocating and deallocating memory. However, explicit memory management brings a large number of memory safety-related vulnerabilities, such as use-after-free. The threat of use-after-free vulnerabilities has become more and more serious due to their high level of the severity and quick emergence of the number. In this paper, a dynamic defense system is proposed against use-after-free exploits by introducing an approach based on multi-level pointers that insert intermediate pointers between a heap object and its related pointers. First, the relationship between a heap object to be protected, and the related pointers pointing to it, is established by combing with intermediate pointers. Then, all of the accesses to this object via its related pointers can only be achieved through these intermediate pointers. Finally, to prevent the dangling pointers from being dereferenced to this object, all the intermediate pointers related to this object are invalidated when it is freed so that any access to a freed object can be prevented due to the invalidated intermediate pointers. The prototype system MPChecker is implemented, which can prevent use-after-free exploits for C/C++ multi-threaded programs. Compared with the related methods, MPChecker can protect pointers that are copied in a type-unsafe way from being de-referenced to freed objects. In addition, it can also defend against dangling pointers located on the whole memory, including the stack, the heap, and global memory, rather than the heap only. The defense capability is proved by protecting against two exploits to a real-world program, comparing the support of type-unsafe copy with a self-written program. The performance evaluation of MPChecker with some benchmarks, multi-threaded programs, and real-world programs, shows its comparable efficiency.

Zhe Chen,Qi Zhang,Jun Wu,Junqi Yan,Jingling Xue

DOI: https://doi.org/10.1109/tse.2022.3210580

IF: 7.4

2023-04-21

IEEE Transactions on Software Engineering

Abstract:Low-level control makes C unsafe, resulting in memory errors that can lead to data corruption, security vulnerabilities or program crashes. Dynamic analysis tools, which have been widely used for detecting memory errors at runtime, usually perform instrumentation at the IR or binary level. However, these non-source-level instrumentation frameworks and tools suffer from two inherent drawbacks: optimization sensitivity and platform dependence. Due to optimization sensitivity, the user of these tools must trade either performance for effectiveness by compiling the program at -O0 or effectiveness for performance by compiling the program at a higher optimization level, say, -O3. In this paper, we propose a new source-level instrumentation framework to overcome these two drawbacks, and implement it in a new dynamic analysis tool, called Movec, that adopts a pointer-based monitoring algorithm. We have evaluated Movec comprehensively by using the NIST's SARD benchmark suite (1152 programs), a set of 126 microbenchmarks (with ground truth), a set of 20 MiBench benchmarks and 5 pure-C SPEC CPU 2017 benchmarks. In terms of effectiveness, Movec outperforms three state-of-the-art dynamic analysis tools, AddressSanitizer, SoftBoundCETS and Valgrind, for all the standard optimization levels (from -O0 to -O3). In terms of performance, Movec outperforms SoftBoundCETS and Valgrind, and is slower than AddressSanitizer but consumes less memory.

engineering, electrical & electronic,computer science, software engineering

Chao Zhang,Tao Wei,Zhaofeng Chen,Lei Duan,Laszlo Szekeres,Stephen McCamant,Dawn Song,Wei Zou

DOI: https://doi.org/10.1109/sp.2013.44

2013-01-01

Security and Privacy

Abstract:Control Flow Integrity (CFI) provides a strong protection against modern control-flow hijacking attacks. However, performance and compatibility issues limit its adoption. We propose a new practical and realistic protection method called CCFIR (Compact Control Flow Integrity and Randomization), which addresses the main barriers to CFI adoption. CCFIR collects all legal targets of indirect control-transfer instructions, puts them into a dedicated "Springboard section" in a random order, and then limits indirect transfers to flow only to them. Using the Springboard section for targets, CCFIR can validate a target more simply and faster than traditional CFI, and provide support for on-site target-randomization as well as better compatibility. Based on these approaches, CCFIR can stop control-flow hijacking attacks including ROP and return-into-libc. Results show that ROP gadgets are all eliminated. We observe that with the wide deployment of ASLR, Windows/x86 PE executables contain enough information in relocation tables which CCFIR can use to find all legal instructions and jump targets reliably, without source code or symbol information. We evaluate our prototype implementation on common web browsers and the SPEC CPU2000 suite: CCFIR protects large applications such as GCC and Firefox completely automatically, and has low performance overhead of about 3.6%/8.6% (average/max) using SPECint2000. Experiments on real-world exploits also show that CCFIR-hardened versions of IE6, Firefox 3.6 and other applications are protected effectively.

Kang Sun,Daliang Xu,Dongwei Chen,Xu Cheng,Dong Tong

2020-01-01

Abstract: Annex K of C11, bounds-checking interfaces, recently introduced a set of alternative functions to mitigate buffer overflows, primarily those caused by string/memory functions. However, poor compatibility limits their adoption. Failure oblivious computing can eliminate the possibility that an attacker can exploit memory errors to corrupt the address space and significantly increase the availability of systems. In this paper, we present S3Library (Saturation-Memory-Access Safer String Library), which is compatible with the standard C library in terms of function signature. Our technique automatically replaces unsafe deprecated memory/string functions with safer versions that perform bounds checking and eliminate buffer overflows via boundless memory. S3Library employs MinFat, a very compact pointer representation following the Less is More principle, to encode metadata into unused upper bits within pointers. In addition, S3Library utilizes Saturation Memory Access to eliminate illegal memory accesses into boundless padding area. Even if an out-of-bounds access is made, the fault program will not be interrupted. We implement our scheme within the LLVM framework on X86-64 and evaluate our approach on correctness, security, runtime performance and availability.

Zheng Yu,Ganxiang Yang,Xinyu Xing

2024-09-24

Abstract:In software development, the prevalence of unsafe languages such as C and C++ introduces potential vulnerabilities, especially within the heap, a pivotal component for dynamic memory allocation. Despite its significance, heap management complexities have made heap corruption pervasive, posing severe threats to system security. While prior solutions aiming for temporal and spatial memory safety exhibit overheads deemed impractical, we present ShadowBound, a unique heap memory protection design. At its core, ShadowBound is an efficient out-of-bounds defense that can work with various use-after-free defenses (e.g. MarkUs, FFMalloc, PUMM) without compatibility constraints. We harness a shadow memory-based metadata management mechanism to store heap chunk boundaries and apply customized compiler optimizations tailored for boundary checking. We implemented ShadowBound atop the LLVM framework and integrated three state-of-the-art use-after-free defenses. Our evaluations show that ShadowBound provides robust heap protection with minimal time and memory overhead, suggesting its effectiveness and efficiency in safeguarding real-world programs against prevalent heap vulnerabilities.

Cryptography and Security