The Meaning of Memory Safety

Figure 2 summarizes basic notation used in our results. By permutation, we mean a function \(\pi : \mathbb {I}\rightarrow \mathbb {I}\) that has a two-sided inverse \(\pi ^{-1}\); that is, \(\pi \circ \pi ^{-1} = \pi ^{-1} \circ \pi = \mathsf {id}_{\mathbb {I}}\). Some of these operations are standard and omitted for brevity.³

The first frame theorem states that, if a program terminates successfully, then we can extend its initial state almost without affecting execution.

The second premise, \(\mathsf {vars}(c) \subseteq \mathsf {vars}(s_1)\), guarantees that all the variables needed to run c are already defined in \(s_1\), implying that their values do not change once we extend that initial state with \(s_2\). The third premise, \(\mathsf {blocks}(s_1) \mathrel {\#}\mathsf {blocks}(s_2)\), means that the memories of \(s_1\) and \(s_2\) store disjoint regions. Finally, the conclusion of the theorem states that (1) the execution of c does not affect the extra state \(s_2\) and (2) the rest of the result is almost the same as \(s_1'\), except for a permutation of block identifiers.

Permutations are needed to avoid clashes between identifiers in \(s_2\) and those assigned to regions allocated by c when running on \(s_1\). For instance, suppose that the execution of c on \(s_1\) allocated a new block, and that this block was assigned some identifier \(i \in \mathbb {I}\). If the memory of \(s_2\) already had a block corresponding to i, c would have to choose a different identifier \(i'\) for allocating that block when running on \(s_1 \cup s_2\). This change requires replacing all occurrences of i by \(i'\) in the result of the first execution, which can be achieved with a permutation that swaps these two identifiers.

The proof of Theorem 1 relies crucially on the facts that programs cannot inspect identifiers, that memory can grow indefinitely (a common assumption in formal models of memory), and that memory operations fail on invalid pointers. Because of the permutations, we also need to show that permuting the initial state s of a command c with any permutation \(\pi \) yields the same outcome, up to some additional permutation \(\pi '\) that again accounts for different choices of fresh identifiers.

A similar line of reasoning yields a second frame theorem, which says that we cannot make a program terminate just by extending its initial state.

The third frame theorem shows that extending the initial state also preserves erroneous executions. Its statement is similar to the previous ones, but with a subtle twist. In general, by extending the state of a program with a block, we might turn an erroneous execution into a successful one—if the error was caused by accessing a pointer whose identifier matches that new block. To avoid this, we need a different premise (\(\mathsf {ids}(s_1) \mathrel {\#}\mathsf {blocks}(s_2)\)) preventing any pointers in the original state \(s_1\) from referencing the new blocks in \(s_2\)—which is only useful because our language prevents programs from forging pointers to existing regions. Since \(\mathsf {blocks}(s) \subseteq \mathsf {ids}(s)\), this premise is stronger than the analogous ones in the preceding results.

The consequences of memory safety analyzed so far are intimately tied to the notion of noninterference [19]. In its most widely understood sense, noninterference is a secrecy guarantee: varying secret inputs has no effect on public outputs. Sometimes, however, it is also used to describe integrity guarantees: low-integrity inputs have no effect on high-integrity outputs. In fact, both guarantees apply to unreachable memory in our language, since they do not affect code execution; that is, execution (1) cannot modify these inaccessible regions (preserving their integrity), and (2) cannot learn anything meaningful about them, not even their presence (preserving their secrecy).

Noninterference is often formulated using an indistinguishability relation on states, which expresses that one state can be obtained from the other by varying its secrets. We could have equivalently phrased the above result in a similar way. Recall that the hypothesis \(\mathsf {ids}(s_1) \mathrel {\#}\mathsf {blocks}(s_2)\) means that memory regions stored in \(s_2\) are unreachable via \(s_1\). Then, we could call two states “indistinguishable” if the reachable portions are the same (except for a possible permutation). In Sect. 4, the connection with noninterference will provide a good benchmark for comparing different flavors of memory safety.

We now explore the relation between the principles identified above, especially regarding integrity, and the local reasoning facilities of separation logic. Separation logic targets specifications of the form \(\{p\}\; c\; \{q\}\), where p and q are predicates over program states (subsets of \(\mathcal {S}\)). For our language, this could roughly meanThat is, if we run c in a state satisfying p, it will either diverge or terminate in a state that satisfies q, but it will not trigger an error. Part of the motivation for precluding errors is that in unsafe settings like C they yield undefined behavior, destroying all hope of verification.

Local reasoning in separation logic is embodied by the frame rule, a consequence of Theorems 1 and 3. Roughly, it says that a verified program can only affect a well-defined portion of the state, with all other memory regions left untouched.⁴

As useful as it is, precluding errors during execution makes it difficult to use separation logic for partial verification: proving any property, no matter how simple, of a nontrivial program requires detailed reasoning about its internals. Even the following vacuous rule is unsound in separation logic:For a counterexample, take p to be \(\mathsf {true}\) and c to be some arbitrary memory read \(x \leftarrow [y]\). If we run c on an empty heap, which trivially satisfies the precondition, we obtain an error, contradicting the specification.

Fortunately, our memory-safe language—in which errors have a sensible, predictable semantics, as opposed to wild undefined behavior—supports a variant of separation logic that allows looser specifications of the form \(\{p\}\; c\; \{q\}_e\), defined asThese specifications are weaker than their conventional counterparts, leading to a subsumption rule:Because errors are no longer prevented, the Taut rule \(\{p\}\; c\; \{\mathsf {true}\}_e\) becomes sound, since the \(\mathsf {true}{}\) postcondition now means that any outcome whatsoever is acceptable. Unfortunately, there is a price to pay for allowing errors: they compromise the soundness of the frame rule. The reason, as hinted in the introduction, is that preventing run-time errors has an additional purpose in separation logic: it forces programs to act locally—that is, to access only the memory delimited their pre- and postconditions. To see why, consider the same program c as above, \(x \leftarrow [y]\). This program clearly yields an error when run on an empty heap, implying that the triple \(\{\mathsf {emp}\}\; c\; \{x = 0\}_e\) is valid, where the predicate \(\mathsf {emp}\) holds of any state with an empty heap and \(x = 0\) holds of states whose local store maps x to 0. Now consider what happens if we try to apply an analog of the frame rule to this triple using the frame predicate \(y \mapsto 1\), which holds in states where y contains a pointer to the unique defined location on the heap, which stores the value 1. After some simplification, we arrive at the specification \(\{y \mapsto 1\}\; c\; \{x = 0 \wedge y \mapsto 1\}_e\), which clearly does not hold, since executing c on a state satisfying the precondition leads to a successful final state mapping x to 1.

For the frame rule to be recovered, it needs to take errors into account. The solution lies on the reachability properties of memory safety: instead of enforcing locality by preventing errors, we can use the fact that memory operations in a safe language are automatically local—in particular, local to the identifiers that the program possesses.

The proof is similar to the one for the original rule, but it relies additionally on Theorem 4. This explains why the isolating conjunction is needed, since it ensures that the fragment satisfying r is unreachable from the rest of the state.

As hinted by their connection with the frame rule, the theorems of Sect. 3.1 are a form of local reasoning: to reason about a command, it suffices to consider its reachable state; how this state is used bears no effect on the unreachable portions. In a more realistic language, reachability might be inferred from additional information such as typing. But even here it can probably be accomplished by a simple check of the program text.

For example, consider the hypothetical jpeg decoder from Sect. 1. We would like to guarantee that the decoder cannot tamper with an unreachable object—a window object, a whitelist of trusted websites, etc. The frame theorems give us a means to do so, provided that we are able to show that the object is indeed unreachable; additionally, they imply that the jpeg decoder cannot directly extract any information from this unreachable object, such as passwords or private keys.

Many real-world attacks involve direct violations of these reasoning principles. For example, consider the infamous Heartbleed attack on OpenSSL, which used out-of-bounds reads from a buffer to leak data from completely unrelated parts of the program state and to steal sensitive information [16]. Given that the code fragment that enabled that attack was just manipulating an innocuous array, a programmer could easily be fooled into believing (as probably many have) that that snippet could not possibly access sensitive information, allowing that vulnerability to remain unnoticed for years.

Finally, our new frame rule only captures the fact that a command cannot influence the heap locations that it cannot reach, while our noninterference result (Corollary 1) captures not just this integrity aspect of memory safety, but also a secrecy aspect. We hope that future research will explore the connection between the secrecy aspect of memory safety and (relational) program logics.

Many real-world C programs use integers as pointers. If this idiom is allowed without restrictions, then local reasoning is compromised, as every memory region may be reached from anywhere in the program. It is not surprising that languages that strive for safety either forbid this kind of pointer forging or confine it to clear unsafe fragments.

More insidiously, and perhaps surprisingly, similar dangers lurk in the stateful abstractions of some systems that are widely regarded as “memory safe.” JavaScript, for example, allows code to access arbitrary global variables by indexing an associative array with a string, a feature that enables many serious attacks [1, 18, 29, 44]. One might argue that global variables in JavaScript are “memory unsafe” because they fail to validate local reasoning: even if part of a JavaScript program does not explicitly mention a given global variable, it might still change this variable or the objects it points to. Re-enabling local reasoning requires strong restrictions on the programming style [1, 9, 18].

The language of Sect. 2 maintains a complete separation between pointers and other values. In reality, this separation is often only enforced in one direction. For example, some tools for enforcing memory safety in C [13, 31] allow pointer-to-integer casts [23] (a feature required by many low-level idioms [10, 28]); and the default implementation of hashCode() in Java leaks address information. To model such features, we can extend the syntax of expressions with a form \(\mathsf {cast}(e)\), the semantics of which are defined with some function \([\![\mathsf {cast}]\!]: \mathbb {I}\times \mathbb {Z}\rightarrow \mathbb {Z}\) for converting a pointer to an integer:Note that the original language included an operator for extracting the offset of a pointer. Their definitions are similar, but have crucially different consequences: while offsets do not depend on the identifier, allocation order, or other low-level details of the language implementation (such as the choice of physical addresses when allocating a block), all of these could be relevant when defining the semantics of \(\mathsf {cast}\). The three frame theorems (1, 3, and 4) are thus lost, because the state of unreachable parts of the heap may influence integers observed by the program. An important consequence is that secrecy is weakened in this language: an attacker could exploit pointers as a side-channel to learn secrets about data it shouldn’t access.

The stronger noninterference result of Corollary 1 showed that, if pointer-to-integer casts are prohibited, changing the contents of the unreachable portion \(s_2\) has no effect on the reachable portion, \(s_1'\). In contrast, Theorem 7 allows changes in \(s_2\) to influence \(s_1'\) in arbitrary ways in the presence of these casts: not only can the contents of this final state change, but the execution can also loop forever or terminate in an error.

To see why, suppose that the jpeg decoder of Sect. 1 is part of a web browser, but that it does not have the required pointers to learn the address that the user is currently visiting. Suppose that there is some relation between the memory consumption of the program and that website, and that there is some correlation between the memory consumption and the identifier assigned to a new block. Then, by allocating a block and converting its pointer to a integer, the decoder might be able to infer useful information about the visited website [22]. Thus, if \(s_2\) denoted the part of the state where that location is stored, changing its contents would have a nontrivial effect on \(s_1'\), the part of the state that the decoder does have access to. We could speculate that, in a reasonable system, this channel can only reveal information about the layout of unreachable regions, and not their contents. Indeed, we conjecture this for the language of this subsection.

Finally, it is worth noting that simply excluding casts might not suffice to prevent this sort of vulnerability. Recall that our language takes both offsets and identifiers into account for equality tests. For performance reasons, we could have chosen a different design that only compares physical addresses, completely discarding identifiers. If attackers know the address of a pointer in the program—which could happen, for instance, if they have access to the code of the program and of the allocator—they can use pointer arithmetic (which is generally harmless and allowed in our language) to find the address of other pointers. If x holds the pointer they control, they can run, for instance,to learn the location assigned to y and draw conclusions about the global state.

Safe languages typically initialize new variables and objects. But this can degrade performance, leading to cases where this feature is dropped—including standard C implementations, safer alternatives [13, 31], OCaml’s Bytes.create primitive, or Node.js’s Buffer.allocUnsafe, for example.

The problem with this concession is that the entire memory becomes relevant to execution, and local reasoning becomes much harder. By inspecting old values living in uninitialized memory, an attacker can learn about parts of the state they shouldn’t access and violate secrecy. This issue would become even more severe in a system that allowed old pointers or other capabilities to occur in re-allocated memory in a way that the program can use, since they could yield access to restricted resources directly, leading to potential integrity violations as well. (The two examples given above—OCaml and Node.js—do not suffer from this issue, because any preexisting pointers in re-allocated memory are treated as bare bytes that cannot be used to access memory.)

Another crucial issue is the treatment of dangling pointers—references to previously freed objects. Dangling pointers are problematic because there is an inherent tension between giving them a sensible semantics (for instance, one that validates the properties of Sect. 3) and obtaining good performance and predictability. Languages with garbage collection avoid the issue by forbidding dangling pointers altogether—heap storage is freed only when it is unreachable. In the language of Sect. 2, besides giving a well-defined behavior to the use of dangling pointers (signaling an error), we imposed strong freshness requirements on allocation, mandating not only that the new identifier not correspond to any existing block, but also that it not be present anywhere else in the state.

To see how the results of Sect. 3 are affected by weakening freshness, suppose we run the program \(x \leftarrow \mathsf {alloc}(1); z \leftarrow (y = x)\) on a state where y holds a dangling pointer. Depending on the allocator and the state of the memory, the pointer assigned to x could be equal to y. Since this outcome depends on the entire state of the system, not just the reachable memory, Theorems 1, 3 and 4 now fail. Furthermore, an attacker with detailed knowledge of the allocator could launder secret information by testing pointers for equality. Weakening freshness can also have integrity implications, since it becomes harder to ensure that blocks are properly isolated. For instance, a newly allocated block might be reachable through a dangling pointer controlled by an attacker, allowing them to access that block even if they were not supposed to.

Some practical solutions for memory safety use mechanisms similar to our language’s, where each memory location is tagged with an identifier describing the region it belongs to [11, 15]. Pointers are tagged similarly, and when a pointer is used to access memory, a violation is detected if its identifier does not match the location’s. However, for performance reasons, the number of possible identifiers might be limited to a relatively small number, such as 2 or 4 [11] or 16 [46]. In addition to the problems above, since multiple live regions can share the same identifier in such schemes, it might be possible for buffer overflows to lead to violations of secrecy and integrity as well.

Although we framed our discussion in terms of identifiers, the issue of freshness can manifest itself in other ways. For example, many systems for spatial safety work by adding base and bounds information to pointers. In some of these [13, 31], dangling pointers are treated as an orthogonal issue, and it is possible for the allocator to return a new memory region that overlaps with the range of a dangling pointer, in which case the new region will not be properly isolated from the rest of the state.

Finally, dangling pointers can have disastrous consequences for overall system security, independently of the freshness issues just described: freeing a pointer more than once can break allocator invariants, enabling attacks [43].

Our idealized language allows memory to grow indefinitely. But real languages run on finite memory, and allocation fails when programs run out of space. Besides enabling denial-of-service attacks, finite memory has consequences for secrecy. Corollary 1 does not hold in a real programming language as is, because an increase in memory consumption can cause a previously successful allocation to fail. By noticing this difference, a piece of code might learn something about the entire state of the program. How problematic this is in practice will depend on the particular system under consideration.

A potential solution is to force programs that run out of memory to terminate immediately. Though this choice might be bad from an availability standpoint, it is probably the most benign in terms of secrecy. We should be able to prove an error-insensitive variant of Corollary 1, where the only significant effect that unreachable memory can have is to turn a successful execution or infinite loop into an error. Similar issues arise for IFC mechanisms that often cannot prevent secrets from influencing program termination, leading to termination-insensitive notions of noninterference.

Unfortunately, even an error-insensitive result might be too strong for real systems, which often make it possible for attackers to extract multiple bits of information about the global state of the program—as previously noted in the IFC literature [4]. Java, for example, does not force termination when memory runs out, but triggers an exception that can be caught and handled by user code, which is then free to record the event and probe the allocator with a different test. And most languages do not operate in batch mode like ours does, merely producing a single answer at the end of execution; rather, their programs continuously interact with their environment through inputs and outputs, allowing them to communicate the exact amount of memory that caused an error.

This discussion suggests that, if size vulnerabilities are a real concern, they need to be treated with special care. One approach would be to limit the amount of memory an untrusted component can allocate [47], so that exhausting the memory allotted to that component doesn’t reveal information about the state of the rest of the system (and so that also global denial-of-service attacks are prevented). A more speculative idea is to develop quantitative versions [6, 39] of the noninterference results discussed here that apply only if the total memory used by the program is below a certain limit.

We content ourselves with a brief overview of Dhawan et al.’s monitor [5, 15], since the formal statement of the reasoning principles it supports are more complex than the one for the abstract machine from Sect. 5.2, on which we will focus. Following a proposal by Clause et al. [11], Dhawan et al.’s monitor enforces memory safety for heap-allocated data by checking and propagating metadata tags. Every memory location receives a tag that uniquely identifies the allocated region to which that location belongs (akin to the identifiers in Sect. 2), and pointers receive the tag of the region they are allowed to reference. The monitor assigns these tags to new regions by storing a monotonic counter in protected memory that is bumped on every call to malloc; with a large number of possible tags, it is possible to avoid the freshness pitfalls discussed in Sect. 4.4. When a memory access occurs, the monitor checks whether the tag on the pointer matches the tag on the location. If they do, the operation is allowed; otherwise, execution halts. The monitor instruments the allocator to make set up tags correctly. Its implementation achieves good performance using the PUMP, a hardware extension accelerating such micro-policies for metadata tagging [15].

The memory-safe abstract machine [5] operates on two kinds of values: machine words w, or pointers (i, w), which are pairs of an identifier \(i \in \mathbb {I}\) and an offset w. We use \(\mathcal {W}\) to denote the set of machine words, and \(\mathcal {V}\) to denote the set of values. Machine states are triples \((m, rs , pc )\), where (1) \(m \in \mathbb {I}\rightharpoonup _\mathrm {fin}\mathcal {V}^*\) is a memory mapping identifiers to lists of values; (2) \( rs \in \mathcal {R}\rightharpoonup _\mathrm {fin}\mathcal {V}\) is a register bank, mapping register names to values; and (3) \( pc \in \mathcal {V}\) is the program counter.

The execution of an instruction is specified by a step relation \(s \rightarrow s'\). If there is no \(s'\) such that \(s \rightarrow s'\), we say that s is stuck, which means that a fatal error occurred during execution. On each instruction, the machine checks if the current program counter is a pointer and, if so, tries to fetch the corresponding value in memory. The machine then ensures that this value is a word that correctly encodes an instruction and, if so, acts accordingly. The instructions of the machine, representative of typical RISC architectures, allow programs to perform binary and logical operations, move values to and from memory, and branch. The machine is in fact fairly similar to the language of Sect. 2. Some operations are overloaded to manipulate pointers; for example, adding a pointer to a word is allowed, and the result is obtained by adjusting the pointer’s offset accordingly. Accessing memory causes the machine to halt when the corresponding position is undefined.

In addition to these basic instructions, the machine possesses a set of special monitor services that can be invoked as regular functions, using registers to pass in arguments and return values. There are two services \(\mathsf {alloc}\) and \(\mathsf {free}\) for managing memory, and one service \(\mathsf {eq}\) for testing whether two values are equal. The reason for using separate monitor services instead of special instructions is to keep its semantics closer to the more concrete machine that implements it. While instructions include an equality test, it cannot replace the \(\mathsf {eq}\) service, since it only takes physical addresses into account. As argued in Sect. 4.2, such comparisons can be turned into a side channel. To prevent this, testing two pointers for equality directly using the corresponding machine instruction results in an error if the pointers have different block identifiers.

The proof of memory safety for this abstract machine mimics the one carried for the language in Sect. 3. We use similar notations as before: \(\pi \cdot s\) means renaming every identifier that appears in s according to the permutation \(\pi \), and \(\mathsf {ids}(s)\) is the finite set of all identifiers that appear in the state s. A simple case analysis on the possible instructions yields analogs of Theorems 1, 2 and 4 (we don’t include an analog of Theorem 3 because we consider individual execution steps, where loops cannot occur).

Once again, we can combine these properties to obtain a proof of noninterference. Our Coq development includes a complete statement.

The reasoning principles supported by the memory-safety monitor have an important difference compared to the ones of Sect. 3. In the memory-safe language, reachability is relative to a program’s local variables. If we want to argue that part of the state is isolated from some code fragment, we just have to consider that fragment’s local variables—other parts of the program are still allowed to access the region. The memory-safety monitor, on the other hand, does not have an analogous notion: an unreachable memory region is useless, since it remains unreachable by all components forever.

On a last note, although the abstract machine we verified is fairly close to our original language, the dynamic monitor that implements it using tags is quite different (Sect. 5.1). In particular, the monitor works on a machine that has a flat memory model, and keeps track of free and allocated memory using a protected data structure that stores block metadata. It was claimed that reasoning about this base and bounds information was the most challenging part of the proof that the monitor implements the abstract machine [5]. For this reason, we believe that this proof can be adapted to other enforcement mechanisms that rely solely on base and bounds information—for example, fat pointers [13, 25] or SoftBound [31]—while keeping a similar abstract machine as their specification, and thus satisfying a similar noninterference property. This gives us confidence that our memory safety characterization generalizes to other settings.