Top of the Heap: Efficient Memory Error Protection of Safe Heap Objects

Kaiming Huang, Mathias Payer, Zhiyun Qian, Jack Sampson, Gang Tan, Trent Jaeger

TL;DR

The paper presents Uriah, a system that statically identifies heap objects whose accesses satisfy spatial and type safety and dynamically isolates those objects on a safe heap to enforce temporal safety (temporal allocated-type safety). By combining static alias analysis, spatial and type safety validations, and symbolic validation, Uriah protects about 72% of heap allocations across benchmarks and real-world programs, with low runtime (≈2.9% on SPEC2006, ≈2.6% on SPEC2017) and memory overhead (≈9.3% and 5.4%, respectively). It demonstrates strong exploitation mitigation, preventing exploits on DARPA CGC binaries and 28 CVEs, and achieves further cost reductions when combined with existing defenses. The approach offers a practical foundation for energy-efficient, broad-spectrum heap memory safety by focusing protection where it is cheapest and using isolation to contain residual risks.

Abstract

Heap memory errors remain a major source of software vulnerabilities. Existing memory safety defenses aim at protecting all objects, resulting in high performance cost and incomplete protection. Instead, we propose an approach that accurately identifies objects that are inexpensive to protect, and design a method to protect such objects comprehensively from all classes of memory errors. Towards this goal, we introduce the Uriah system that (1) statically identifies the heap objects whose accesses satisfy spatial and type safety, and (2) dynamically allocates such "safe" heap objects on an isolated safe heap to enforce a form of temporal safety while preserving spatial and type safety, called temporal allocated-type safety. Uriah finds 72.0% of heap allocation sites produce objects whose accesses always satisfy spatial and type safety in the SPEC CPU2006/2017 benchmarks, 5 server programs, and Firefox, which are then isolated on a safe heap using the Uriah allocator to enforce temporal allocated-type safety. Uriah incurs only 2.9% and 2.6% runtime overhead, along with 9.3% and 5.4% memory overhead, on the SPEC CPU 2006 and 2017 benchmarks, while preventing exploits on all the heap memory errors in DARPA CGC binaries and 28 recent CVEs. Additionally, using existing defenses to enforce their memory safety guarantees on the unsafe heap objects significantly reduces overhead, enabling the protection of heap objects from all classes of memory errors at more practical costs.
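To make the notion of temporal allocated-type safety concrete, here is an added, self-contained illustration in C. It is not the Uriah allocator or any code from the paper; it is a deliberately small type-segregated "safe heap" of my own construction. Every allocation carries a type tag (in the paper's setting that tag would come from the static analysis of the allocation site; here it is an integer the caller supplies), each tag owns its own fixed pool, and a freed slot can only be recycled for another object of the same tag. The consequence is the property the abstract describes: a stale pointer into this heap can only ever reach an object of the type it was allocated as, so use-after-free cannot turn into type confusion. The pool sizes, tag numbers, and the `Widget`/`Credential` types are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not Uriah's allocator: a type-segregated "safe
 * heap". Each allocation type (a small integer tag; a real system would
 * derive it from the allocation site's static type) owns a fixed pool, and a
 * freed slot returns only to the pool of its own type. A dangling pointer can
 * therefore only ever reach an object of the type it was allocated as. */

#define MAX_TYPES 8
#define POOL_SLOTS 64

typedef struct {
    size_t slot_size;               /* bytes per object of this type */
    unsigned char *base;            /* POOL_SLOTS * slot_size bytes, never released */
    void *free_list[POOL_SLOTS];    /* slots available for reuse by this type only */
    size_t free_count;
    size_t next_fresh;              /* bump index over never-used slots */
} TypePool;

static TypePool pools[MAX_TYPES];

/* Bind a type tag to an object size; a tag may not be re-bound to another size. */
int safe_heap_register_type(int tag, size_t size) {
    if (tag < 0 || tag >= MAX_TYPES || size == 0) return -1;
    if (pools[tag].base != NULL) return pools[tag].slot_size == size ? 0 : -1;
    pools[tag].slot_size = size;
    pools[tag].base = calloc(POOL_SLOTS, size);
    return pools[tag].base ? 0 : -1;
}

/* Hand out a slot of the requested type, preferring a recycled same-type slot. */
void *safe_alloc(int tag) {
    if (tag < 0 || tag >= MAX_TYPES || pools[tag].base == NULL) return NULL;
    TypePool *p = &pools[tag];
    if (p->free_count > 0) {
        void *slot = p->free_list[--p->free_count];
        memset(slot, 0, p->slot_size);   /* no stale data from the previous owner */
        return slot;
    }
    if (p->next_fresh >= POOL_SLOTS) return NULL;
    return p->base + (p->next_fresh++) * p->slot_size;
}

/* Tag of the pool a pointer falls in, or -1 if it is not a safe-heap pointer. */
int safe_heap_type_of(const void *ptr) {
    const unsigned char *c = ptr;
    for (int t = 0; t < MAX_TYPES; t++) {
        TypePool *p = &pools[t];
        if (p->base && c >= p->base && c < p->base + POOL_SLOTS * p->slot_size)
            return t;
    }
    return -1;
}

/* Return a slot to its own type's free list; rejects foreign, misaligned and
 * already-freed pointers so a double free cannot corrupt the free list. */
int safe_free(void *ptr) {
    int t = safe_heap_type_of(ptr);
    if (t < 0) return -1;
    TypePool *p = &pools[t];
    size_t off = (size_t)((unsigned char *)ptr - p->base);
    if (off % p->slot_size != 0) return -1;
    for (size_t i = 0; i < p->free_count; i++)
        if (p->free_list[i] == ptr) return -1;   /* double free */
    p->free_list[p->free_count++] = ptr;
    return 0;
}

/* Two constructed object types that would be dangerous to confuse. */
typedef struct { int id; char name[28]; } Widget;
typedef struct { uint64_t secret; int level; } Credential;
enum { TYPE_WIDGET = 1, TYPE_CREDENTIAL = 2 };

/* Returns 1 if the allocated-type property held: a freed Widget slot is
 * recycled only for a Widget, never for a Credential, and a double free is refused. */
int demo_type_isolation(void) {
    if (safe_heap_register_type(TYPE_WIDGET, sizeof(Widget)) != 0) return 0;
    if (safe_heap_register_type(TYPE_CREDENTIAL, sizeof(Credential)) != 0) return 0;
    Widget *w = safe_alloc(TYPE_WIDGET);
    if (!w || safe_free(w) != 0) return 0;
    Credential *c = safe_alloc(TYPE_CREDENTIAL);
    if (!c || (void *)c == (void *)w) return 0;      /* slot must not change type */
    Widget *w2 = safe_alloc(TYPE_WIDGET);
    if (w2 != w) return 0;                           /* same-type reuse is allowed */
    if (safe_free(w2) != 0) return 0;
    if (safe_free(w2) != -1) return 0;               /* double free detected */
    return 1;
}

int main(void) {
    printf("allocated-type safety held: %s\n", demo_type_isolation() ? "yes" : "no");
    return 0;
}
```

The design choice worth noticing is that the pool never hands a slot across type boundaries and never releases its memory, which is exactly what makes the guarantee cheap: no per-access bounds or type checks are needed for objects the static analysis has already shown to be spatially and type safe, and the only runtime work is the segregated allocation itself. The double-free check here is a linear scan, which is fine for a demonstration but not what a production allocator would do.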

Paper Structure (35 sections, 2 figures, 10 tables, 3 algorithms)

Figures (2)

  • Figure 1: Overview of the Uriah approach.
  • Figure 2: Runtime and Memory Overhead of Uriah on SPEC CPU2017

Theorems & Definitions (2)

  • Definition 1
  • Definition 2