Abstract
A memory safety violation occurs when a program has an out-of-bound (spatial safety) or use-after-free (temporal safety) memory access. Given its importance as a security vulnerability, recent Intel processors support hardware-accelerated bound checks, called Memory Protection Extensions (MPX). Unfortunately, MPX provides no temporal safety. This paper presents BOGO, a lightweight full memory safety enforcement scheme that transparently guarantees temporal safety on top of MPX's spatial safety. Instead of tracking separate metadata for temporal safety, BOGO reuses the bounds metadata maintained by MPX for both spatial and temporal safety. On free, BOGO scans the MPX bound tables to invalidate the bound of dangling pointers; any following use-after-free error can be detected by MPX as an out-of-bound error. Since scanning the entire MPX bound tables could be expensive, BOGO tracks a small set of hot MPX bound table pages to check on free, and relies on the page fault mechanism to detect any potentially missing dangling pointer, ensuring sound temporal safety protection. Our evaluation shows that BOGO provides full memory safety at 60% runtime overhead and 36% memory overhead for SPEC CPU 2006 benchmarks. We also show that BOGO incurs a reasonable 2.7x slowdown for the worst-case malloc-free intensive benchmarks; and moderate 1.34x overhead for real-world applications.
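The core idea in the abstract (invalidate bounds on free so that a later use-after-free fails the spatial check) can be modeled in software. The following is an added illustration, not code from the paper, BOGO, or MPX: the slot-indexed table and the functions `tracked_malloc`, `copy_bounds`, `check` and `tracked_free` are hypothetical, every entry covers a whole object, and the hot-page tracking and page-fault fallback are not modeled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model (assumption): one bounds entry per pointer slot stands in for
 * the MPX bound tables, which real MPX indexes by pointer storage address. */
#define SLOTS 8
typedef struct { uintptr_t lower, upper; int used; } bound_t;
static bound_t table[SLOTS];

/* Allocate n bytes and record [lower, upper] for the pointer in `slot`. */
void *tracked_malloc(int slot, size_t n) {
    char *p = malloc(n);
    if (!p) return NULL;
    table[slot] = (bound_t){ (uintptr_t)p, (uintptr_t)p + n - 1, 1 };
    return p;
}

void copy_bounds(int dst, int src) { table[dst] = table[src]; } /* alias inherits bounds */

/* Spatial check before an access of `len` bytes: 1 = allowed, 0 = violation. */
int check(int slot, uintptr_t addr, size_t len) {
    const bound_t *b = &table[slot];
    return b->used && addr >= b->lower && addr + len - 1 <= b->upper;
}

/* Free the object owned by `slot`: every entry pointing into it gets an empty
 * range, so later use through any alias fails check(). Returns entries hit. */
int tracked_free(int slot) {
    bound_t freed = table[slot];
    int n = 0;
    if (!freed.used || freed.lower > freed.upper) return 0; /* stale: refuse */
    for (int i = 0; i < SLOTS; i++)
        if (table[i].used && table[i].lower >= freed.lower &&
            table[i].upper <= freed.upper) {
            table[i].lower = 1; table[i].upper = 0;         /* empty range */
            n++;
        }
    free((void *)freed.lower);
    return n;
}

int main(void) {
    uintptr_t a = (uintptr_t)tracked_malloc(0, 16);
    copy_bounds(1, 0);
    int before = check(1, a, 1), n = tracked_free(0);
    printf("before=%d invalidated=%d after=%d\n", before, n, check(1, a, 1));
    return 0;
}
```

Because a stale slot already holds an empty range, a second `tracked_free` on it is refused, so the same metadata also catches a double free in this model.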
Cite
Zhang, T., Lee, D., & Jung, C. (2019). BOGO: Buy Spatial Memory Safety, Get Temporal Memory Safety (Almost) Free. In International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS (pp. 631–644). Association for Computing Machinery. https://doi.org/10.1145/3297858.3304017