Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

ShadowBound: Efficient Heap Memory Protection Through Advanced Metadata Management and Customized Compiler Optimization

Zheng Yu, Ganxiang Yang, Xinyu Xing

TL;DR

ShadowBound tackles heap vulnerabilities in unsafe languages by combining a shadow-memory metadata layer with a compiler pass that instruments boundary checks at pointer-arithmetic sites. It achieves robust spatial protection while remaining compatible with leading UAF defenses (MarkUs, FFMalloc, PUMM), leveraging a shadow memory layout that encodes per-pointer boundaries with minimal overhead. The approach delivers practical security gains, preventing 34 real-world OOB exploits across 19 apps and stopping a broad set of synthesized vulnerabilities, while maintaining modest runtime overhead (approximately $5.72\%$ on SPEC CPU2017 and $10.58\%$ on SPEC CPU2006 for ShadowBound itself, with variants achieving similar or better performance) and reasonable memory costs. The combination of metadata efficiency, targeted optimizations (runtime-driven elimination, directional checks, security-pattern-based pruning, and merge-able metadata extraction), and LLVM-based integration makes ShadowBound a scalable, interoperable solution for protecting heap memory in large real-world programs.

Abstract

In software development, the prevalence of unsafe languages such as C and C++ introduces potential vulnerabilities, especially within the heap, a pivotal component for dynamic memory allocation. Despite its significance, heap management complexities have made heap corruption pervasive, posing severe threats to system security. While prior solutions aiming for temporal and spatial memory safety exhibit overheads deemed impractical, we present ShadowBound, a unique heap memory protection design. At its core, ShadowBound is an efficient out-of-bounds defense that can work with various use-after-free defenses (e.g. MarkUs, FFMalloc, PUMM) without compatibility constraints. We harness a shadow memory-based metadata management mechanism to store heap chunk boundaries and apply customized compiler optimizations tailored for boundary checking. We implemented ShadowBound atop the LLVM framework and integrated three state-of-the-art use-after-free defenses. Our evaluations show that ShadowBound provides robust heap protection with minimal time and memory overhead, suggesting its effectiveness and efficiency in safeguarding real-world programs against prevalent heap vulnerabilities.

ShadowBound: Efficient Heap Memory Protection Through Advanced Metadata Management and Customized Compiler Optimization

TL;DR

ShadowBound tackles heap vulnerabilities in unsafe languages by combining a shadow-memory metadata layer with a compiler pass that instruments boundary checks at pointer-arithmetic sites. It achieves robust spatial protection while remaining compatible with leading UAF defenses (MarkUs, FFMalloc, PUMM), leveraging a shadow memory layout that encodes per-pointer boundaries with minimal overhead. The approach delivers practical security gains, preventing 34 real-world OOB exploits across 19 apps and stopping a broad set of synthesized vulnerabilities, while maintaining modest runtime overhead (approximately on SPEC CPU2017 and on SPEC CPU2006 for ShadowBound itself, with variants achieving similar or better performance) and reasonable memory costs. The combination of metadata efficiency, targeted optimizations (runtime-driven elimination, directional checks, security-pattern-based pruning, and merge-able metadata extraction), and LLVM-based integration makes ShadowBound a scalable, interoperable solution for protecting heap memory in large real-world programs.

Abstract

In software development, the prevalence of unsafe languages such as C and C++ introduces potential vulnerabilities, especially within the heap, a pivotal component for dynamic memory allocation. Despite its significance, heap management complexities have made heap corruption pervasive, posing severe threats to system security. While prior solutions aiming for temporal and spatial memory safety exhibit overheads deemed impractical, we present ShadowBound, a unique heap memory protection design. At its core, ShadowBound is an efficient out-of-bounds defense that can work with various use-after-free defenses (e.g. MarkUs, FFMalloc, PUMM) without compatibility constraints. We harness a shadow memory-based metadata management mechanism to store heap chunk boundaries and apply customized compiler optimizations tailored for boundary checking. We implemented ShadowBound atop the LLVM framework and integrated three state-of-the-art use-after-free defenses. Our evaluations show that ShadowBound provides robust heap protection with minimal time and memory overhead, suggesting its effectiveness and efficiency in safeguarding real-world programs against prevalent heap vulnerabilities.
Paper Structure (46 sections, 10 figures, 7 tables)

This paper contains 46 sections, 10 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Background & Design Overview
  3. Heap Memory Protection
  4. Out-Of-Bounds Exploitation
  5. Design Overview
  6. Threat Model
  7. Metadata Management
  8. Shadow Memory Layout
  9. Boundary Checking
  10. Compatibility with UAF Defense
  11. Compiler Optimization
  12. Runtime-Driven Checking Elimination
  13. Directional Boundary Checking
  14. Security Pattern Identification
  15. Constant Array Argument
  16. ...and 31 more sections

Figures (10)

  • Figure 1: Shadow Memory Mapping and Metadata Layout
  • Figure 2: Example: Instrumentation of ShadowBound
  • Figure 3: Pseudocode for boundary checking
  • Figure 4: Example of Runtime-Driven Checking Elimination
  • Figure 5: Example of Security Pattern Identification and Directional Boundary Checking Optimization
  • ...and 5 more figures