DieHard: probabilistic memory safety for unsafe languages (PLDI ’06, 2006)
Cited by 93 (13 self)
Abstract
Applications written in unsafe languages like C and C++ are vulnerable to memory errors such as buffer overflows, dangling pointers, and reads of uninitialized data. Such errors can lead to program crashes, security vulnerabilities, and unpredictable behavior. We present DieHard, a runtime system that tolerates these errors while probabilistically maintaining soundness. DieHard uses randomization and replication to achieve probabilistic memory safety by approximating an infinite-sized heap. DieHard’s memory manager randomizes the location of objects in a heap that is at least twice as large as required. This algorithm prevents heap corruption and provides a probabilistic guarantee of avoiding memory errors. For additional safety, DieHard can operate in a replicated mode where multiple replicas of the same application are run simultaneously. By initializing each replica with a different random seed and requiring agreement on output, the replicated version of DieHard increases the likelihood of correct execution because errors are unlikely to have the same effect across all replicas. We present analytical and experimental results that show DieHard’s resilience to a wide range of memory errors, including a heap-based buffer overflow in an actual application.
Safe Manual Memory Management in Cyclone
Cited by 6 (3 self)
Abstract
The goal of the Cyclone project is to investigate how to make a low-level C-like language safe. Our most difficult challenge has been providing programmers control over memory management while retaining safety. This paper describes our experience trying to integrate and use effectively two previously-proposed, safe memory-management mechanisms: statically-scoped regions and tracked pointers. We found that these typing mechanisms can be combined to build alternative memory-management abstractions, such as reference counted objects and arenas with dynamic lifetimes, and thus provide a flexible basis. Our experience—porting C programs and device drivers, and building new applications for resource-constrained systems—confirms that experts can use these features to improve memory footprint and sometimes to improve throughput when used instead of, or in combination with, conservative garbage collection.
Memory Management for Real-time Java: State of the Art
Cited by 5 (4 self)
Abstract
The Real-time Specification for Java extends the Java platform
AS-GC: An efficient generational garbage collector for Java application servers (In Proceedings of the European Conference on Object-Oriented Programming (ECOOP), 2007)
Cited by 4 (2 self)
Abstract
A generational collection strategy utilizing a single nursery cannot efficiently manage objects in application servers due to variance in their lifespans. In this paper, we introduce an optimization technique designed for application servers that exploits an observation that remotable objects are commonly used as gateways for client requests. Objects instantiated as part of these requests (remote objects) often live longer than objects not created to serve these remote requests (local objects). Thus, our scheme creates remote and local objects in two separate nurseries; each is properly sized to match the lifetime characteristic of the residing objects. We extended the generational collector in HotSpot to support the proposed optimization and found that given the same heap size, the proposed scheme can improve the maximum throughput of an application server by 14% over the default collector. It also allows the application server to handle 10% higher workload prior to memory exhaustion.
MTSS: Multi Task Stack Sharing for Embedded Systems (In Proc. of the Intl. Conf. on Compilers, Architecture, and Synthesis for Embedded Systems (CASES), 2005)
Cited by 3 (0 self)
Abstract
Out-of-memory errors are a serious source of unreliability in most embedded systems. Applications run out of main memory because of the frequent difficulty of estimating the memory requirement before deployment, either because it depends on input data, or because certain language features prevent estimation. The typical lack of disks and virtual memory in embedded systems has a serious consequence when an out-of-memory error occurs. Without swap space, the system crashes if its memory footprint exceeds the available memory by even one byte. This work improves reliability for multi-tasking embedded systems by proposing MTSS, a multi-task stack sharing technique. If a task attempts to overflow the bounds of its allocated stack space, MTSS grows its stack into the stack memory space allocated for other tasks. This technique can avoid the out-of-memory error if the extra space recovered is enough to complete execution. Experiments show that MTSS is able to recover an average of 54% of the stack space allocated to the overflowing task in the free space of other tasks. In addition, unlike conventional systems, MTSS detects memory overflows, allowing the possibility of remedial action or a graceful exit if the recovered space is not enough. Alternatively, MTSS can be used for decreasing the required physical memory of an embedded system by reducing the initial memory allocated to each of the tasks and recovering the deficit by sharing stack with other tasks. The overheads of MTSS are low: the run-time and energy overheads are 3.1% and 3.2% on average. These are tolerable given that reliability is the most important concern in virtually all systems, ahead of other concerns such as run-time and energy.
Watchdog: Hardware for Safe and Secure Manual Memory Management and Full Memory Safety
Cited by 3 (1 self)
Abstract
Languages such as C and C++ use unsafe manual memory management, allowing simple bugs (i.e., accesses to an object after deallocation) to become the root cause of exploitable security vulnerabilities. This paper proposes Watchdog, a hardware-based approach for ensuring safe and secure manual memory management. Inspired by prior software-only proposals, Watchdog generates a unique identifier for each memory allocation, associates these identifiers with pointers, and checks to ensure that the identifier is still valid on every memory access. This use of identifiers and checks enables Watchdog to detect errors even in the presence of reallocations. Watchdog stores these pointer identifiers in a disjoint shadow space to provide comprehensive protection and ensure compatibility with existing code. To streamline the implementation and reduce runtime overhead, Watchdog (1) uses micro-ops to access metadata and perform checks, (2) eliminates metadata copies among registers via modified register renaming, and (3) uses a dedicated metadata cache to reduce checking overhead. Furthermore, this paper extends Watchdog’s mechanisms to detect bounds errors, thereby providing full hardware-enforced memory safety at low overheads.
Monadic and Substructural Type Systems for Region-Based Memory Management (Cornell University, 2007)
Cited by 2 (0 self)
Abstract
Region-based memory management is a scheme for managing dynamically allocated data. A defining characteristic of region-based memory management is the bulk deallocation of data, which avoids both the tedium of malloc/free and the overheads of a garbage collector. Type systems for region-based memory management enhance the utility of this scheme by statically determining when a program is guaranteed to not perform any erroneous region operations. We describe three type systems for region-based memory management:
• a type-and-effect system (à la the Tofte-Talpin region calculus);
• a novel monadic type system;
• a novel substructural type system.
We demonstrate how to successively encode the type-and-effect system into the monadic type system and the monadic type system into the substructural type system. These type systems and encodings support the argument that the type-and-effect systems that have traditionally been used to ensure the safety of region-based memory management are neither the simplest nor the most expressive type
Plug: Automatically Tolerating Memory Leaks in C and C++ Applications (2008)
Cited by 2 (0 self)
Abstract
Memory leaks remain a significant challenge for C and C++ developers. Leaky applications become slower over time as their working set grows, triggering paging, and can eventually become unresponsive. At the same time, memory leaks remain notoriously difficult to debug, and comprise a large number of reported bugs in mature applications. Existing approaches like conservative garbage collection can only remedy leaks of unreachable objects. In addition, they can impose unacceptable runtime or space overheads, or cause legal C/C++ applications to fail or retain excessive memory. This paper presents Plug, a runtime system for C/C++ applications that allows applications to deliver high performance in the face of both reachable and unreachable memory leaks. It uses a novel heap layout that isolates leaked objects from non-leaked objects, allowing them to be completely paged out to disk. Plug further reduces the space impact of leaks by employing virtual compaction, an approach that leverages virtual memory primitives to allow physical memory compaction without moving objects. We demonstrate Plug’s low overhead and its effectiveness at tolerating real memory leaks.
Fortune Teller: Improving Garbage Collection Performance in Server Environment (Companion to the ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), 2005)
Cited by 1 (1 self)
Abstract
Currently, the most adopted criterion to invoke garbage collection is heap space exhaustion. In other words, garbage collection is invoked when the heap space (either the entire space or generational space) runs out. A possible alternative but much more difficult approach is to invoke garbage collection when good garbage collection efficiencies can be obtained. To do so, we need to know the number of garbage objects that can be collected before the collection actually takes place. In this short abstract, we introduce a predictive approach that can provide an accurate estimation of the number of dead objects at any specific point of execution. The proposed estimation model relies on the information obtained from partial reference counting. Our plan is to use this information as a criterion to invoke garbage collection. We have conducted a preliminary study to determine the feasibility of this idea and found that the model is sufficiently accurate in three SPECjvm98 benchmark applications.