MSWasm: Soundly Enforcing Memory-Safe Execution of Unsafe Code-Reference-Cited by-同舟云学术

MSWasm: Soundly Enforcing Memory-Safe Execution of Unsafe Code

Published:2023-01-09 Issue:POPL Volume:7 Page:425-454
ISSN:2475-1421
Container-title:Proceedings of the ACM on Programming Languages
language:en
Short-container-title:Proc. ACM Program. Lang.

Author:

Michael Alexandra E.¹^ORCID,Gollamudi Anitha²^ORCID,Bosamiya Jay³^ORCID,Johnson Evan⁴^ORCID,Denlinger Aidan⁵^ORCID,Disselkoen Craig⁵^ORCID,Watt Conrad⁶^ORCID,Parno Bryan³^ORCID,Patrignani Marco⁷^ORCID,Vassena Marco⁸^ORCID,Stefan Deian⁵^ORCID

Affiliation:

1. University of California at San Diego, USA / University of Washington, USA

2. University of Massachusetts Lowell, USA

3. Carnegie Mellon University, USA

4. University of California at San Diego, USA / Arm, USA

5. University of California at San Diego, USA

6. University of Cambridge, UK

7. University of Trento, Italy

8. Utrecht University, Netherlands

Abstract

Most programs compiled to WebAssembly (Wasm) today are written in unsafe languages like C and C++. Unfortunately, memory-unsafe C code remains unsafe when compiled to Wasm—and attackers can exploit buffer overflows and use-after-frees in Wasm almost as easily as they can on native platforms. Memory- Safe WebAssembly (MSWasm) proposes to extend Wasm with language-level memory-safety abstractions to precisely address this problem. In this paper, we build on the original MSWasm position paper to realize this vision. We give a precise and formal semantics of MSWasm, and prove that well-typed MSWasm programs are, by construction, robustly memory safe. To this end, we develop a novel, language-independent memory-safety property based on colored memory locations and pointers. This property also lets us reason about the security guarantees of a formal C-to-MSWasm compiler—and prove that it always produces memory-safe programs (and preserves the semantics of safe programs). We use these formal results to then guide several implementations: Two compilers of MSWasm to native code, and a C-to-MSWasm compiler (that extends Clang). Our MSWasm compilers support different enforcement mechanisms, allowing developers to make security-performance trade-offs according to their needs. Our evaluation shows that on the PolyBenchC suite, the overhead of enforcing memory safety in software ranges from 22% (enforcing spatial safety alone) to 198% (enforcing full memory safety), and 51.7% when using hardware memory capabilities for spatial safety and pointer integrity. More importantly, MSWasm’s design makes it easy to swap between enforcement mechanisms; as fast (especially hardware-based) enforcement techniques become available, MSWasm will be able to take advantage of these advances almost for free.

Publisher

Association for Computing Machinery (ACM)

Subject

Safety, Risk, Reliability and Quality,Software

Link

https://dl.acm.org/doi/pdf/10.1145/3571208

Reference57 articles.

1. Carmine Abate , Roberto Blanco , Deepak Garg , Cătălin Hriţcu , Marco Patrignani , and Jérémy Thibault . 2019 . Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation. In 2019 IEEE 32th Computer Security Foundations Symposium (CSF 2019). Carmine Abate, Roberto Blanco, Deepak Garg, Cătălin Hriţcu, Marco Patrignani, and Jérémy Thibault. 2019. Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation. In 2019 IEEE 32th Computer Security Foundations Symposium (CSF 2019).

2. Periklis Akritidis , Manuel Costa , Miguel Castro , and Steven Hand . 2009 . Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors . In USENIX Security Symposium. 10 . Periklis Akritidis, Manuel Costa, Miguel Castro, and Steven Hand. 2009. Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors. In USENIX Security Symposium. 10.

3. Arm. 2019. Armv8.5-A Memory Tagging Extension. White Paper. Arm. 2019. Armv8.5-A Memory Tagging Extension. White Paper.

4. 2022. Arm Morello Program. https://www.arm.com/architecture/cpu/morello 2022. Arm Morello Program. https://www.arm.com/architecture/cpu/morello

5. Efficient detection of all pointer and array access errors

Cited by 6 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. WASMaker: Differential Testing of WebAssembly Runtimes via Semantic-Aware Binary Generation;Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis;2024-09-11

2. RichWasm: Bringing Safe, Fine-Grained, Shared-Memory Interoperability Down to WebAssembly;Proceedings of the ACM on Programming Languages;2024-06-20

3. Whose Baseline Compiler is it Anyway?;2024 IEEE/ACM International Symposium on Code Generation and Optimization (CGO);2024-03-02

4. Put Your Memory in Order: Efficient Domain-based Memory Isolation for WASM Applications;Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security;2023-11-15

5. Iris-Wasm: Robust and Modular Verification of WebAssembly Programs;Proceedings of the ACM on Programming Languages;2023-06-06