Memory safety
Memory safety is a concern in software development that aims to avoid software bugs that cause security vulnerabilities dealing with random-access memory (RAM) access, such as buffer overflows and dangling pointers.

Computer languages such as C and C++ that support arbitrary pointer arithmetic, casting, and deallocation are typically not memory safe. There are several different approaches to finding errors in such languages; see the Detection section below.

The Cyclone language uses a hybrid approach, including "fat pointers" (pointers that carry their metadata directly) and regions, to give programmers some low-level control while still ensuring memory safety.

Most high-level programming languages avoid the problem by disallowing pointer arithmetic and casting entirely, and by enforcing tracing garbage collection as the sole memory management scheme.

A language could support even more uses of pointer arithmetic, casting, and deallocation without sacrificing memory safety by using automated theorem proving as a form of static code analysis. ESC/Java and D demonstrate two ways that programmers can declare their invariants in ways that can be understood by a theorem prover.

Types of Memory Errors

Several types of memory errors can occur, depending on which programming language is used:
  • Buffer overflow - Out-of-bound writes can corrupt the content of adjacent objects, or internal data like bookkeeping information for the heap or return addresses.
  • Dynamic memory errors - Incorrect management of dynamic memory and pointers:
    • Dangling pointer - A pointer storing the address of an object that has been deleted.
    • Double free - A repeated call to free on an object that has already been freed can cause freelist-based allocators to fail.
    • Invalid free - Passing an invalid address to free can corrupt the heap, or sometimes leads to undefined behavior.
    • Null pointer accesses will cause an exception or program termination in most environments, but can cause corruption in operating system kernels or systems without memory protection.
  • Uninitialized variables - A variable that has not been assigned a value is used. It may contain an undesired or, in some languages, a corrupt value.
    • Wild pointers arise when a pointer is used prior to initialization to some known state. They show the same erratic behaviour as dangling pointers, though they are less likely to stay undetected.
  • Out of memory errors:
    • Stack overflow - Occurs when a program runs out of stack space, typically because of too deep recursion.
    • Allocation failures - The program tries to use more memory than the amount available. In some languages, this condition must be checked for manually after each allocation.

Dangling pointer

A dangling pointer points to a memory location that has already been freed.

e.g.
int *a = new int;
int *b = a;
delete b;
Here both a and b are now dangling pointers: the object was released through b, but a still holds its old address.
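The following C program is an added example and is not part of the original article. It shows the defensive pattern that addresses the dangling-pointer and double-free entries from the list above: release a pointer and reset the variable to NULL in one step (the SAFE_FREE macro, read_if_live and the demo functions are names chosen for this example). It also shows the limit of the pattern that the snippet above illustrates: resetting one alias does nothing for the other.

```c
#include <stdlib.h>

/* Release p and reset the variable to NULL in one step. free(NULL) is
 * defined as a no-op, so a repeated SAFE_FREE on the same variable is
 * harmless instead of a double free, and a later use sees NULL, which can
 * be checked, instead of the address of a deleted object. */
#define SAFE_FREE(p) do { free(p); (p) = NULL; } while (0)

/* Read through p only if it is still live (non-NULL); -1 otherwise. */
static int read_if_live(const int *p)
{
    return p == NULL ? -1 : *p;
}

/* Releasing the same variable twice: with SAFE_FREE both calls are safe.
 * Returns 1 if the variable ends up NULL as expected. */
static int release_twice(void)
{
    int *a = malloc(sizeof *a);
    if (a == NULL)
        return -1;
    *a = 42;
    SAFE_FREE(a);    /* object freed, a == NULL */
    SAFE_FREE(a);    /* would be a double free with plain free(a); here a no-op */
    return a == NULL;
}

/* Use after release: the read is refused instead of touching freed memory.
 * Returns 1 if the live read succeeded and the post-release read was refused. */
static int use_after_release(void)
{
    int *a = malloc(sizeof *a);
    if (a == NULL)
        return -1;
    *a = 7;
    int before = read_if_live(a);   /* 7 */
    SAFE_FREE(a);
    int after = read_if_live(a);    /* -1 */
    return before == 7 && after == -1;
}

/* The limit of the pattern, matching the article's snippet: resetting one
 * alias does nothing for the other. Only the pointer's value is inspected
 * here; it is never dereferenced. Returns 1 if a is still dangling. */
static int alias_stays_dangling(void)
{
    int *a = malloc(sizeof *a);
    if (a == NULL)
        return -1;
    int *b = a;
    SAFE_FREE(b);    /* b == NULL, but a still holds the freed address */
    return a != NULL;
}
```

Because aliases are not covered, the pattern only works together with a single-owner discipline: exactly one variable is responsible for releasing an object, and copies of the pointer are treated as borrowed and never outlive the owner.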

Buffer overflow

A buffer is a temporary data storage area.
Buffer overflow is the most common way for an attacker outside the system to gain unauthorized access to the target system. A buffer overflow occurs when a program tries to store more data in a buffer than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. This allows the attacker to interfere with the existing process code.
An attacker uses a buffer or stack overflow to do the following:
  • Overflow the input field, command line space or input buffer.
  • Overwrite the current return address on the stack with the address of the attacking code.
  • Write simple code that the attacker wishes to execute.

E.g. consider the following program:

#include <string.h>
#define ARRAY_SIZE 128

int main(int argc, char *argv[])
{
    char arr[ARRAY_SIZE];
    if (argc < 2)
        return -1;
    else
    {
        strcpy(arr, argv[1]);   /* no length check: the overflow happens here */
        return 0;
    }
}

As long as the length of the command-line argument is less than ARRAY_SIZE, the program works properly. If it is greater than ARRAY_SIZE, it won't: strcpy keeps copying until it encounters the NUL terminator (\0) or the program crashes. This program suffers from the buffer overflow problem.
  • One solution for this problem is a feature that will not allow execution of code in the stack section of memory (a non-executable stack).
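A bounds-checked counterpart to the program above, added here as an example (it is not code from the original article): the argument is measured against the buffer before anything is written, over-long input is rejected rather than silently truncated, and the buffer is always left NUL-terminated. The names bounded_copy and handle_argument are choices made for this example.

```c
#include <stddef.h>
#include <string.h>

#define ARRAY_SIZE 128

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success and -1 if the input is rejected; whenever
 * dst_size > 0, dst is left NUL-terminated either way. */
static int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Measure src, but never look further than dst_size bytes: an
     * unterminated or very long input is rejected without scanning it all. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len >= dst_size) {        /* no room left for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);    /* len + 1 also copies the terminator */
    return 0;
}

/* Hardened equivalent of the article's main(): the argument is validated
 * before it is written into the fixed-size stack buffer. Returns the
 * number of characters stored, or -1 if the input was rejected. */
static int handle_argument(const char *arg)
{
    char arr[ARRAY_SIZE];
    if (bounded_copy(arr, sizeof arr, arg) != 0)
        return -1;
    return (int)strlen(arr);
}

int main(int argc, char *argv[])
{
    if (argc < 2)
        return -1;
    return handle_argument(argv[1]) < 0 ? 1 : 0;
}
```

Rejecting rather than truncating is deliberate: a silently shortened value (for instance a path or a command) can change the program's meaning, while a rejected one fails loudly and can be logged. Note that strncpy alone would not be a fix, since it does not NUL-terminate when the source fills the destination.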


Some programming languages are immune to buffer overflow. Perl automatically resizes arrays, and Ada95 detects and prevents buffer overflow.

Detection

There are many different ways to detect memory errors in programs written in unsafe languages:
  • By using special heap allocators that provide dead zones around heap allocated storage, and check that accesses don't reach into such dead zones. DieHard does this by allocating objects in their own virtual memory page.
  • By instrumenting the source code. Tools like SoftBound and CheckPointer do this to collect and track legitimate values for pointers ("metadata") and check each pointer access against the metadata for validity.
  • By running the compiled program in a memory-checking virtual machine. The memcheck tool of Valgrind works this way.
  • Static code analysis can detect errors in some cases as well.
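To make the first detection approach concrete, here is a minimal dead-zone ("red zone") allocator written for this article as an added example; it is not DieHard's or Valgrind's code. Each object is surrounded by fixed-size zones filled with a known pattern, and the zones are verified on demand and at release time, so an out-of-bound write is reported even if it did not crash anything. The names guarded_malloc, guarded_check and guarded_free are invented for the example; real tools use page protection or shadow memory instead of a byte pattern, which also catches reads and reports at the faulting instruction.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define REDZONE 16            /* dead-zone bytes on each side of an object */
#define REDZONE_BYTE 0xAB     /* fill pattern that must survive untouched */

/* Bookkeeping stored in front of the left red zone; padded to 16 bytes so
 * the user pointer keeps malloc's alignment. */
struct guard_hdr {
    size_t size;              /* size requested by the caller */
    size_t pad;
};

/* Layout: [guard_hdr][left red zone][user bytes][right red zone] */
static void *guarded_malloc(size_t size)
{
    unsigned char *raw = malloc(sizeof(struct guard_hdr) + 2 * REDZONE + size);
    if (raw == NULL)
        return NULL;
    ((struct guard_hdr *)raw)->size = size;
    unsigned char *left = raw + sizeof(struct guard_hdr);
    memset(left, REDZONE_BYTE, REDZONE);                  /* left dead zone */
    memset(left + REDZONE + size, REDZONE_BYTE, REDZONE); /* right dead zone */
    return left + REDZONE;
}

/* Returns 0 if both red zones are intact, bit 1 set if the left zone was
 * written (underflow), bit 2 set if the right zone was written (overflow). */
static int guarded_check(const void *p)
{
    const unsigned char *user = p;
    const unsigned char *left = user - REDZONE;
    const struct guard_hdr *hdr =
        (const struct guard_hdr *)(left - sizeof(struct guard_hdr));
    int status = 0;
    for (size_t i = 0; i < REDZONE; i++) {
        if (left[i] != REDZONE_BYTE)
            status |= 1;
        if (user[hdr->size + i] != REDZONE_BYTE)
            status |= 2;
    }
    return status;
}

/* Release the object; returns the check result so an overflow is reported
 * at the latest when the object is freed. */
static int guarded_free(void *p)
{
    if (p == NULL)
        return 0;
    int status = guarded_check(p);
    unsigned char *left = (unsigned char *)p - REDZONE;
    free(left - sizeof(struct guard_hdr));
    return status;
}

/* Demo: the classic off-by-one NUL write past a 32-byte buffer. The stray
 * byte lands inside this allocator's own right red zone, so the write is
 * well-defined here and is reported when the buffer is released.
 * Returns 1 if the in-bounds state was clean and the overflow was caught. */
static int demo_off_by_one(void)
{
    char *buf = guarded_malloc(32);
    if (buf == NULL)
        return -1;
    memset(buf, 'x', 32);          /* fills the buffer exactly: still clean */
    int clean = guarded_check(buf);
    buf[32] = '\0';                /* one byte too far */
    int caught = guarded_free(buf);
    return clean == 0 && caught == 2;
}
```

A pattern-based zone only detects writes, and only those that land within REDZONE bytes of the object; a write that jumps further, into an unrelated object, is missed. That is why page-granular schemes such as the one attributed to DieHard above isolate each object on its own page and let the memory protection hardware fault immediately.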
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 