Fully Randomized Pointers
Sai Dhawal Phaye, Gregory J. Duck, Roland H. C. Yap, Trevor E. Carlson
TL;DR
This work addresses memory safety in low-level languages by introducing Fully Randomized Pointers (FRP), a pointer-encoding scheme that decouples pointers from the objects' actual addresses and randomizes almost all of their bits so that guessing or forging a valid pointer is impractical. Implemented as a software prototype (BlueFat) and a hardware simulation (GreenFat), FRP preserves binary compatibility with existing code, and GreenFat keeps the overhead under 4% in hardware. The authors provide a security analysis showing 52–64 bits of effective pointer entropy and infeasible brute forcing under strong attacker models, and demonstrate binary compatibility on the SPEC2017 suite. Together, these results suggest FRP is a viable, high-assurance memory-safety defense for existing binaries without recompilation, with hardware acceleration making it practical.
Abstract
Memory errors continue to be a critical concern for programs written in low-level programming languages such as C and C++. Many different memory error defenses have been proposed, each with varying trade-offs in terms of overhead, compatibility, and attack resistance. Some defenses are highly compatible but only provide minimal protection, and can be easily bypassed by knowledgeable attackers. On the other end of the spectrum, capability systems offer very strong (unforgeable) protection, but require novel software and hardware implementations that are incompatible by definition. The challenge is to achieve both very strong protection and high compatibility. In this paper, we propose Fully Randomized Pointers (FRP) as a strong memory error defense that also maintains compatibility with existing binary software. The key idea behind FRP is to design a new pointer encoding scheme that allows for the full randomization of most pointer bits, rendering even brute force attacks impractical. We design an FRP encoding that is: (1) compatible with existing binary code (recompilation not needed); and (2) decoupled from the underlying object layout. FRP is prototyped as: (i) a software implementation (BlueFat) to test security and compatibility; and (ii) a proof-of-concept hardware implementation (GreenFat) to evaluate performance. We show FRP is secure, practical, and compatible at the binary level, while our hardware implementation achieves low performance overheads (< 4%).
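The following toy model, added here as an illustration and not taken from the paper or from the BlueFat/GreenFat implementations, shows the property the abstract describes: the value a program holds as a "pointer" is a random 64-bit token, its range [token, token+size) is unrelated to the object's real address, and a translation step maps tokens back to memory with a bounds check. The table, the xorshift generator, the fixed seed and every function name (`frp_alloc`, `frp_translate`, `frp_free`, `frp_guess_hits`) are assumptions of this example, chosen to make the security argument visible: an overflow from one object cannot land in a neighbour because neighbours in real memory are not neighbours in token space, a dangling or forged token translates to nothing, and a uniformly random guess hits a live object with probability (live bytes) / 2^64.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a fully randomized pointer encoding (illustration only; not the
 * BlueFat/GreenFat design). Tokens are random 64-bit values; real addresses
 * never leave this module. */
#define MAX_OBJS 64

typedef struct {
    uint64_t base;  /* random 64-bit token base handed to the program */
    uint64_t size;  /* object size in bytes */
    uint8_t *mem;   /* real backing storage; its address is never exposed */
} frp_obj;

static frp_obj table[MAX_OBJS]; /* live objects, kept sorted by base */
static int n_objs = 0;
/* Fixed seed so the example is deterministic; a real system needs a CSPRNG. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ull;

static uint64_t rng(void) { /* xorshift64, assumed stand-in for a CSPRNG */
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

/* Object whose token range [base, base+size) contains tok, or NULL. */
static frp_obj *frp_lookup(uint64_t tok) {
    int lo = 0, hi = n_objs - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (tok < table[mid].base) hi = mid - 1;
        else if (tok - table[mid].base >= table[mid].size) lo = mid + 1;
        else return &table[mid];
    }
    return NULL;
}

/* Does [base, base+size) overlap any live token range? */
static bool frp_overlaps(uint64_t base, uint64_t size) {
    for (int i = 0; i < n_objs; i++)
        if (base < table[i].base + table[i].size && table[i].base < base + size)
            return true;
    return false;
}

/* Allocate size bytes; return a token whose every bit is random, or 0 on failure.
 * The token range must not wrap and must not collide with a live object. */
uint64_t frp_alloc(uint64_t size) {
    if (size == 0 || n_objs == MAX_OBJS) return 0;
    uint64_t base;
    do base = rng();
    while (base == 0 || base + size < base || frp_overlaps(base, size));
    int i = n_objs;
    while (i > 0 && table[i - 1].base > base) { table[i] = table[i - 1]; i--; }
    table[i].base = base;
    table[i].size = size;
    table[i].mem = calloc(size, 1);
    n_objs++;
    return base;
}

/* Translate tok to a real address for an nbytes access; false if the token
 * names no live object or the access would leave the object's bounds. */
bool frp_translate(uint64_t tok, uint64_t nbytes, uint8_t **out) {
    frp_obj *o = frp_lookup(tok);
    if (!o) return false;                     /* dangling, forged or guessed */
    uint64_t off = tok - o->base;
    if (nbytes > o->size - off) return false; /* runs past the object end */
    *out = o->mem + off;
    return true;
}

/* Free by token. Only the exact base is accepted, and a freed range never
 * translates again, so use-after-free and double free both fail closed. */
bool frp_free(uint64_t tok) {
    frp_obj *o = frp_lookup(tok);
    if (!o || o->base != tok) return false;
    free(o->mem);
    int i = (int)(o - table);
    memmove(&table[i], &table[i + 1], (size_t)(n_objs - i - 1) * sizeof *table);
    n_objs--;
    return true;
}

/* Brute-force model: how many of n uniformly random tokens land inside any
 * live object? Expected hits per guess are (live bytes) / 2^64. */
uint64_t frp_guess_hits(uint64_t n) {
    uint64_t hits = 0;
    for (uint64_t i = 0; i < n; i++) hits += frp_lookup(rng()) != NULL;
    return hits;
}

int main(void) {
    uint64_t a = frp_alloc(16), b = frp_alloc(16);
    uint8_t *p;
    printf("a=%016llx b=%016llx (backing storage: %p vs %p)\n",
           (unsigned long long)a, (unsigned long long)b,
           (void *)table[0].mem, (void *)table[1].mem);
    printf("a[15]: %d  a[16] overflow: %d  a-1 underflow: %d\n",
           frp_translate(a + 15, 1, &p), frp_translate(a + 16, 1, &p),
           frp_translate(a - 1, 1, &p));
    printf("hits from 1000000 random guesses: %llu\n",
           (unsigned long long)frp_guess_hits(1000000));
    frp_free(a);
    printf("use after free: %d  double free: %d\n",
           frp_translate(a, 1, &p), frp_free(a));
    return 0;
}
```

The two 16-byte objects may well be adjacent in real memory, but their token ranges are two random 16-byte islands in a 2^64 space, so `a + 16` lands in nothing rather than in `b`. The lookup is a sorted-table search here; the paper's prototypes are concerned with doing this translation cheaply (in hardware for GreenFat), which this example does not attempt to model.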
