DOI: 10.1145/3637227 ISSN: 1049-331X
A Smart Status Based Monitoring Algorithm for the Dynamic Analysis of Memory Safety
Zhe Chen, Rui Yan, Yingzi Ma, Yulei Sui, Jingling Xue
C is a dominant programming language for implementing system and low-level embedded software. Unfortunately, the unsafe nature of its low-level control of memory often leads to memory errors. Dynamic analysis has been widely used to detect memory errors at runtime. However, existing monitoring algorithms for dynamic analysis are not yet satisfactory as they cannot deterministically and completely detect some types of errors, e.g., segment confusion errors, sub-object overflows, use-after-frees and memory leaks.
We propose a new monitoring algorithm, namely Smatus, short for smart status, that improves memory safety by performing comprehensive dynamic analysis. The key innovation is to maintain at runtime a small status node for each memory object. A status node records the status value and reference count of an object, where the status value denotes the liveness and segment type of this object, and the reference count tracks the number of pointer variables pointing to this object. Smatus maintains at runtime pointer metadata for each pointer variable, to record not only the base and bound of a pointer's referent but also the address of the referent's status node. All the pointers pointing to the same referent share the same status node in their pointer metadata. A status node is smart in the sense that it is automatically deleted when it becomes useless (indicated by its reference count reaching zero). To the best of our knowledge, Smatus represents the most comprehensive approach of its kind.
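The bookkeeping just described, as an added illustrative model written for this page rather than the paper's own implementation: every identifier (status_node, pmeta, meta_check and the status and result codes) is hypothetical. It shows how a status node shared by all aliases of an object lets a free through one pointer be seen by every other pointer, how base and bound catch an access past the referent, and how a node whose reference count reaches zero while the object is still live signals a leak.

```c
#include <stddef.h>
#include <stdlib.h>
/* Added model of the Smatus bookkeeping the abstract describes; all
 * identifiers here are hypothetical, not the paper's implementation. */
enum { ST_FREED = 0, ST_HEAP = 1 };            /* status values */
enum { ACC_OK = 0, ACC_UAF = 1, ACC_OOB = 2 }; /* access-check results */
typedef struct { int status, refcount; } status_node; /* one per object */
typedef struct {        /* pointer metadata kept for each pointer variable */
    char *base, *bound; /* referent occupies [base, bound) */
    status_node *node;  /* shared by every pointer to the same referent */
} pmeta;
static int leaks;       /* live objects whose last pointer disappeared */
static void meta_bind(pmeta *p, char *base, size_t n, status_node *s) {
    p->base = base; p->bound = base + n; p->node = s; s->refcount++;
}
/* Pointer variable dropped: the "smart" node deletes itself at refcount 0. */
static void meta_drop(pmeta *p) {
    status_node *s = p->node; p->node = NULL;
    if (--s->refcount) return;
    if (s->status != ST_FREED) leaks++;  /* still live, unreachable: leak */
    free(s);
}
static void meta_free(pmeta *p) {        /* free() through this pointer */
    p->node->status = ST_FREED; free(p->base); /* every alias sees it */
}
static int meta_check(const pmeta *p, char *addr, size_t len) {
    if (p->node->status == ST_FREED) return ACC_UAF;
    if (addr < p->base || addr >= p->bound || (size_t)(p->bound - addr) < len)
        return ACC_OOB;
    return ACC_OK;
}
/* Two aliases of a 16-byte heap object: an 8-byte access at offset 12
 * overflows, then free via a and access via b is a use-after-free. */
int demo_uaf_and_oob(void) {
    status_node *s = calloc(1, sizeof *s); s->status = ST_HEAP;
    pmeta a, b; meta_bind(&a, malloc(16), 16, s);
    b = a; s->refcount++;                    /* b = a shares a's node */
    int oob = meta_check(&b, b.base + 12, 8);
    meta_free(&a);
    int uaf = meta_check(&b, b.base, 1);
    meta_drop(&a); meta_drop(&b);            /* refcount 0: node freed */
    return oob * 10 + uaf;                   /* ACC_OOB*10 + ACC_UAF = 21 */
}
/* The only pointer to a live object is dropped: counted as a leak. */
int demo_leak(void) {
    int before = leaks; status_node *s = calloc(1, sizeof *s);
    s->status = ST_HEAP;
    pmeta a; char *raw = malloc(8);
    meta_bind(&a, raw, 8, s); meta_drop(&a);
    free(raw); return leaks - before;        /* 1 (raw freed outside model) */
}
```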
We have evaluated Smatus by using a large set of programs including the NIST Software Assurance Reference Dataset, MSBench, MiBench, SPEC and stress testing benchmarks. In terms of effectiveness (detecting different types of memory errors), Smatus outperforms state-of-the-art tools, Google's AddressSanitizer, SoftBoundCETS and Valgrind, as it is capable of detecting more errors. In terms of performance (the time and memory overheads), Smatus incurs lower time and memory overheads than both SoftBoundCETS and Valgrind, and is on par with AddressSanitizer in its time and memory overhead trade-off (while incurring much lower memory overheads).