Effective and Efficient Memory Protection Using Dynamic Tainting
January 2012 (vol. 61 no. 1)
pp. 87-100
Ioannis Doudalis, Georgia Institute of Technology, Atlanta
James Clause, University of Delaware, Newark
Guru Venkataramani, The George Washington University, Washington DC
Milos Prvulovic, Georgia Institute of Technology, Atlanta
Alessandro Orso, Georgia Institute of Technology, Atlanta
Programs written in languages allowing direct access to memory through pointers often contain memory-related faults, which cause nondeterministic failures and security vulnerabilities. We present a new dynamic tainting technique to detect illegal memory accesses. When memory is allocated, at runtime, we taint both the memory and the corresponding pointer using the same taint mark. Taint marks are then propagated and checked every time a memory address m is accessed through a pointer p; if the associated taint marks differ, an illegal access is reported. To allow always-on checking using a low-overhead, hardware-assisted implementation, we make several key technical decisions. We use a configurable, low number of reusable taint marks instead of a unique mark for each allocated area of memory, reducing the performance overhead without losing the ability to target most memory-related faults. We also define the technique at the binary level, which helps handle applications using third-party libraries whose source code is unavailable. We created a software-only prototype of our technique and simulated a hardware-assisted implementation. Our results show that 1) it identifies a large class of memory-related faults, even when using only two unique taint marks, and 2) a hardware-assisted implementation can achieve performance overheads in single-digit percentages.
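The check described in the abstract can be modeled in a few lines of C. This is an added illustration, not the authors' prototype or hardware design: the simulated heap, the round-robin mark assignment, clearing taint on free, and all names (`tptr`, `t_malloc`, `t_check`, and so on) are assumptions. It also shows the trade-off of reusing only two marks: an access that lands in a region carrying the same mark goes undetected.

```c
#include <stdio.h>
#include <stddef.h>
#define HEAP_SIZE 64
#define NUM_MARKS 2   /* reusable marks 1..NUM_MARKS; 0 means untainted */

static unsigned char heap[HEAP_SIZE];
static unsigned char shadow[HEAP_SIZE];  /* one taint mark per byte of memory */
static size_t brk_off = 0;               /* bump allocator cursor (assumed) */
static unsigned next_mark = 0;

typedef struct { size_t addr; unsigned char mark; } tptr;  /* pointer plus its mark */

/* Allocation: taint the region and the returned pointer with the same mark. */
static tptr t_malloc(size_t n) {
    if (brk_off + n > HEAP_SIZE) return (tptr){ HEAP_SIZE, 0 };  /* out of space */
    tptr p = { brk_off, (unsigned char)(1 + next_mark++ % NUM_MARKS) };
    for (size_t i = 0; i < n; i++) shadow[brk_off + i] = p.mark;
    brk_off += n;
    return p;
}

/* Deallocation (assumed policy): clear the memory's taint; stale pointers keep theirs. */
static void t_free(tptr p, size_t n) {
    for (size_t i = 0; i < n && p.addr + i < HEAP_SIZE; i++) shadow[p.addr + i] = 0;
}

/* Propagation: pointer arithmetic carries the pointer's mark along. */
static tptr t_add(tptr p, size_t off) { p.addr += off; return p; }

/* Check on every access: marks of address m and pointer p must match. */
static int t_check(tptr p) { return p.addr < HEAP_SIZE && shadow[p.addr] == p.mark; }

/* Checked store: returns 1 if performed, 0 if reported as an illegal access. */
static int t_store(tptr p, unsigned char v) {
    if (!t_check(p)) return 0;
    heap[p.addr] = v;
    return 1;
}

int main(void) {
    tptr a = t_malloc(8), b = t_malloc(8), c = t_malloc(8);
    printf("marks: a=%d b=%d c=%d\n", a.mark, b.mark, c.mark);
    printf("a[7]  in bounds:            %d\n", t_store(t_add(a, 7), 'x'));
    printf("a[8]  overflow into b:      %d\n", t_store(t_add(a, 8), 'x'));
    printf("a[16] lands in c, same mark: %d\n", t_store(t_add(a, 16), 'x'));
    t_free(b, 8);
    printf("b[0]  use after free:       %d\n", t_store(b, 'y'));
}
```

With more marks configured, the `a[16]` case is caught as well, at the cost of wider shadow state per byte and per pointer.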


Index Terms:
Computer systems organization, hardware/software interfaces, processor architectures, monitors.
Ioannis Doudalis, James Clause, Guru Venkataramani, Milos Prvulovic, Alessandro Orso, "Effective and Efficient Memory Protection Using Dynamic Tainting," IEEE Transactions on Computers, vol. 61, no. 1, pp. 87-100, Jan. 2012, doi:10.1109/TC.2010.215