ScholarlyCommons

Title

SoftBound: Highly Compatible and Complete Spatial Memory Safety for C

Author(s)

Santosh Nagarakatte, University of Pennsylvania
Jianzhou Zhao, University of Pennsylvania
Milo Martin, University of PennsylvaniaFollow
Stephan A. Zdancewic, University of PennsylvaniaFollow

Document Type

Technical Report

Date of this Version

January 2009

Comments

University of Pennsylvania Department of Computer and Information Science Technical Report No. MS-CIS-09-01

Abstract

The serious bugs and security vulnerabilities facilitated by C/C++’s lack of bounds checking are well known. Yet, C and C++ remain in widespread use. Unfortunately, C’s arbitrary pointer arithmetic, conflation of pointers and arrays, and programmer-visible memory layout make retrofitting C/C++ with spatial safety guarantees extremely challenging. Existing approaches suffer from incompleteness, have high runtime overhead, or require non-trivial changes to the C source code. Thus far, these deficiencies have prevented widespread adoption of such techniques.

This paper proposes SoftBound, a compile time transformation for enforcing complete spatial safety of C. SoftBound records base and bound information for every pointer as disjoint metadata. This decoupling enables SoftBound to provide complete spatial safety while requiring no changes to C source code. Moreover, SoftBound performs metadata manipulation only when loading or storing pointer values. A formal proof shows this is sufficient to provide complete spatial safety even in the presence of wild casts. SoftBound’s full checking mode provides complete spatial violation detection. To further reduce overheads, SoftBound has a store-only checking mode that successfully detects all the security vulnerabilities in a test suite while adding 15% or less overhead to half of the benchmarks.

Recommended Citation

Santosh Nagarakatte, Jianzhou Zhao, Milo Martin, and Stephan A. Zdancewic, "SoftBound: Highly Compatible and Complete Spatial Memory Safety for C", . January 2009.