Check out the new USENIX Web site. next up previous
Next: Memory Access Checking Up: Related Work Previous: FreeBSD Stack Integrity Check

Array Bounds Checking for C


Richard Jones and Paul Kelly have developed a gcc patch [12] that does full array bounds checking for C programs. Programs compiled with this patch are compatible with ordinary gcc modules, because they have not changed the representation of pointers. Rather, they derive a ``base'' pointer from each pointer expression, and check the attributes of that pointer to determine whether the expression is within bounds.

The performance costs are substantial: a pointer-intensive program (ijk matrix multiply) experienced tex2html_wrap_inline879 slowdown. Since the slowdown is proportionate to pointer usage, which is quite common in privileged programs, this performance penalty is particularly unfortunate.

However, this method is strictly more secure than StackGuard, because it will prevent all buffer overflow attacks, not just those that attempt to alter return addresses, or other data structures that are perceived to be sensitive (see Section 5.4). Thus we propose that programs compiled with the bounds-checking compiler be treated as the ``backing store'' for MemGuard-protected programs, just as MemGuard-protected programs are the back-up plan for Canary-protected programs (see Section 3.3).

Crispin Cowan
Tue Dec 9 16:04:30 PST 1997