TL;DR
MESH is a memory-efficient safe heap for C/C++ that offers spatial and temporal safety at constant, low overhead, making it suitable for memory-constrained environments without sacrificing security or compatibility.
Contribution
MESH introduces a highly memory-efficient, compatible safe heap with constant overhead, addressing limitations of existing solutions like ASan and Softbound/CETS.
Findings
MESH achieves significant memory savings compared to ASan and Softbound/CETS.
MESH maintains similar execution performance to existing solutions.
MESH is fully compatible with uninstrumented code and libraries.
Abstract
While memory corruption bugs stemming from the use of unsafe programming languages are an old and well-researched problem, the resulting vulnerabilities still dominate real-world exploitation today. Various mitigations have been proposed to alleviate the problem, mainly in the form of language dialects, static program analysis, and code or binary instrumentation. Solutions like AddressSanitizer (ASan) and Softbound/CETS have proven that the latter approach is very promising, being able to achieve memory safety without requiring manual source code adaptions, albeit suffering substantial performance and memory overheads. While performance overhead can be seen as a flexible constraint, extensive memory overheads can be prohibitive for the use of such solutions in memory-constrained environments. To address this problem, we propose MESH, a highly memory-efficient safe heap for C/C++. With…
