Top of the Heap: Efficient Memory Error Protection of Safe Heap Objects
Kaiming Huang, Mathias Payer, Zhiyun Qian, Jack Sampson, Gang Tan, Trent Jaeger

TL;DR
This paper introduces Uriah, a system that efficiently protects a subset of heap objects from memory errors by identifying safe objects and isolating them on a safe heap, significantly reducing overhead while preventing exploits.
Contribution
Uriah's novel approach accurately identifies safe heap objects and isolates them to enforce temporal safety, reducing protection overhead compared to existing methods.
Findings
Uriah finds 72% of heap objects are spatial and type safe in benchmarks and real-world programs.
Uriah incurs only around 3% runtime overhead and 5-9% memory overhead.
Uriah successfully prevents exploits on all tested heap memory errors and recent CVEs.
Abstract
Heap memory errors remain a major source of software vulnerabilities. Existing memory safety defenses aim at protecting all objects, resulting in high performance cost and incomplete protection. Instead, we propose an approach that accurately identifies objects that are inexpensive to protect, and design a method to protect such objects comprehensively from all classes of memory errors. Towards this goal, we introduce the Uriah system that (1) statically identifies the heap objects whose accesses satisfy spatial and type safety, and (2) dynamically allocates such "safe" heap objects on an isolated safe heap to enforce a form of temporal safety while preserving spatial and type safety, called temporal allocated-type safety. Uriah finds 72.0% of heap allocation sites produce objects whose accesses always satisfy spatial and type safety in the SPEC CPU2006/2017 benchmarks, 5 server…
Taxonomy
Topics: Security and Verification in Computing · Diamond and Carbon-based Materials Research · Cloud Data Security Solutions
