Description
Memory safety is among the longest-running issues in computer architecture. Memory errors such as out-of-bounds accesses have for many years been ranked among the most critical security weaknesses by lists such as the MITRE CWE Top 25.
The most common solution so far has been to adopt countermeasures at the compiler and architectural level. While memory-safe languages and libraries have long defended systems against spatial and temporal memory violations, essentially all high-performance software is still written in memory-unsafe languages such as C/C++, which do not enforce memory safety at the language level. Newer languages such as Rust, which promise a compromise between safety, performance and logical overhead, are not yet in general use.
In general, memory safety solutions adopt a Fail-Stop response, terminating the process when an illegal operation occurs and thereby sacrificing the availability of the running program. Fault-Tolerant Memory Safety (FTMS) represents a compromise between the Fail-Stop approach and the default, unsafe behaviour of continuing execution after an illegal access. FTMS aims to reconcile systems with high-availability requirements, for which crashes are a severe threat, with the lack of built-in safety, by finding strategies to continue the program flow even when overflows or other memory safety violations occur.
In this thesis we propose an architecture that enables FTMS on top of the RISC-V ISA. Our goal is a hardware-accelerated FTMS platform aimed at high-availability software that requires minimal or no manual intervention in the source code, with safety enforcement and policy selection performed directly at the architectural level.
We implement our framework to enable tunable dynamic FTMS on top of RISC-V, Memory Objects and the C library memory allocator, and demonstrate its ability to repair a series of memory safety violations such as Out-Of-Bounds Access and Use-After-Free. Finally, we evaluate the framework against a series of real-world benchmark test cases, showing that availability is restored with no overhead for legal executions compared to a standard RISC-V build equipped with the Memory Objects extension.
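To make the contrast between a Fail-Stop response and a fault-tolerant one concrete, the following C program is an added example written for this page; it is not the thesis' hardware design nor its repair strategies. It models a "memory object" as a base pointer plus length and a liveness flag, and routes every access through a check whose response is selected at run time: under a Fail-Stop policy an Out-Of-Bounds access or a Use-After-Free yields an outcome that a real system would turn into process termination, while under the fault-tolerant policy the example repairs the access (an out-of-bounds index is clamped to the last valid byte, a load from a freed object returns zero and a store to it is dropped) and execution continues. The struct and function names, the policy enum and the chosen repair actions are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example: a software model of Fail-Stop versus fault-tolerant responses to
 * memory safety violations. Names and repair actions are hypothetical. */

enum ms_policy { MS_FAIL_STOP, MS_FAULT_TOLERANT };

/* Outcome of a checked access: legal, repaired (execution continues), or a
 * violation under Fail-Stop (a real system would terminate the process here). */
enum ms_result { MS_OK = 0, MS_REPAIRED = 1, MS_ABORTED = -1 };

/* Stand-in for the bounds/validity metadata a hardware extension would track. */
struct mem_object {
    uint8_t *base;
    size_t len;
    int live;
};

static enum ms_policy g_policy = MS_FAIL_STOP;

void ms_set_policy(enum ms_policy p) { g_policy = p; }

struct mem_object mo_alloc(size_t len) {
    struct mem_object mo;
    mo.base = len ? calloc(len, 1) : NULL;
    mo.len = len;
    mo.live = (mo.base != NULL);   /* zero-length objects are never live */
    return mo;
}

void mo_free(struct mem_object *mo) {
    free(mo->base);
    mo->base = NULL;   /* keep len for diagnostics, mark the object dead */
    mo->live = 0;
}

/* Checked store: OOB is clamped to the last valid byte, UAF stores are dropped. */
enum ms_result mo_store(struct mem_object *mo, size_t idx, uint8_t v) {
    if (!mo->live)
        return g_policy == MS_FAIL_STOP ? MS_ABORTED : MS_REPAIRED;
    if (idx >= mo->len) {
        if (g_policy == MS_FAIL_STOP) return MS_ABORTED;
        mo->base[mo->len - 1] = v;   /* live implies len >= 1 */
        return MS_REPAIRED;
    }
    mo->base[idx] = v;
    return MS_OK;
}

/* Checked load: OOB reads the last valid byte, UAF reads a neutral zero. */
enum ms_result mo_load(const struct mem_object *mo, size_t idx, uint8_t *out) {
    if (!mo->live) {
        if (g_policy == MS_FAIL_STOP) return MS_ABORTED;
        *out = 0;
        return MS_REPAIRED;
    }
    if (idx >= mo->len) {
        if (g_policy == MS_FAIL_STOP) return MS_ABORTED;
        *out = mo->base[mo->len - 1];
        return MS_REPAIRED;
    }
    *out = mo->base[idx];
    return MS_OK;
}

/* Scenario drivers: each returns the outcome code so the two policies can be
 * compared on the same illegal access. Inputs are constructed for the example. */
int demo_oob_store(enum ms_policy p) {
    ms_set_policy(p);
    struct mem_object mo = mo_alloc(4);
    int r = mo_store(&mo, 7, 0xAA);   /* index 7 is past the 4-byte object */
    mo_free(&mo);
    return r;
}

int demo_uaf_load(enum ms_policy p) {
    ms_set_policy(p);
    struct mem_object mo = mo_alloc(4);
    mo_store(&mo, 0, 0x42);
    mo_free(&mo);
    uint8_t v = 0xFF;
    return mo_load(&mo, 0, &v);       /* object already freed */
}

/* Value observed after a repaired OOB load: the clamped last byte. */
int demo_oob_load_value(void) {
    ms_set_policy(MS_FAULT_TOLERANT);
    struct mem_object mo = mo_alloc(4);
    mo_store(&mo, 3, 0x5A);
    uint8_t v = 0;
    mo_load(&mo, 100, &v);
    mo_free(&mo);
    return v;
}

int main(void) {
    printf("OOB store, fail-stop: %d  fault-tolerant: %d\n",
           demo_oob_store(MS_FAIL_STOP), demo_oob_store(MS_FAULT_TOLERANT));
    printf("UAF load,  fail-stop: %d  fault-tolerant: %d\n",
           demo_uaf_load(MS_FAIL_STOP), demo_uaf_load(MS_FAULT_TOLERANT));
    printf("repaired OOB load value: 0x%02X\n", demo_oob_load_value());
    return 0;
}
```

The point of the model is that the check itself is the same under both policies; only the response differs. Fail-Stop returns MS_ABORTED for every violation, so the process availability is lost on the first illegal access, whereas the fault-tolerant path returns MS_REPAIRED and keeps the program running on a well-defined substitute access. A hardware implementation would perform the same bounds and liveness checks on the metadata of each memory object instead of in C wrappers, and would select the policy at the architectural level rather than through a global variable.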