The Watchdog Approach Efficiently Eliminates an Entire Class of Security Vulnerabilities by Enforcing Memory Safety in Hardware. Watchdog Maintains Per-pointer Bounds and Identifier Metadata in a Disjoint Shadow Space to Ensure Compatibility with Existing
Authors
Abstract
Low-level systems software— such as operating systems, virtual machines, language runtimes, embedded software, and performance-critical applications—is commonly written in unsafe languages, notably C and C++. These low-level languages remain prevalent because they provide high performance, direct access to the underlying hardware, and explicit control over memory management. Moreover, because such systems often consist of millions of lines of code, transitioning the computing ecosystem away from C and its variants is not feasible any time soon. Unfortunately, C and its variants do not enforce memory safety. Informally, memory safety requires that all memory accesses performed by a program adhere to the language specification (that is, all accesses refer only to allocated memory within the prescribed object bounds). Violations of memory safety arise in two ways. First, a spatial memory safety violation, or buffer overflow, occurs when a program accesses a memory location outside of the allocated region of an object or array. Second, a temporal memory safety violation (also called a dangling pointer dereference or use-after-free error) occurs when a program accesses a memory location that has already been deallocated. See Figure 1 for examples of spatial and temporal safety violations. Without memory safety, seemingly benign program bugs anywhere in the code base can cause silent memory corruption, difficult-to-diagnose crashes, and incorrect results. Worse yet, lack of memory safety enforcement is the root cause of a multitude of security vulnerabilities because it allows attackers to exploit a memory safety error to corrupt program execution by giving the vulnerable program a suitably crafted input. Buffer overflows, use-after-free errors, and other low-level vulnerabilities stemming from the lack of memory safety compromise the security of the computing ecosystem as a whole.
Over the last few years, we’ve embarked on a research project focused on bringing memory safety enforcement to C and C++. The goal is to retrofit unmodified C and C++ code with memory safety so that the code is as safe as code written in
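As an added illustration that is not part of the paper, the following constructed C model shows how per-pointer bounds (spatial) and identifier/lock metadata (temporal), the two kinds of metadata named in the title, let a dereference check catch both violation classes the abstract defines; the struct, function names and the software lock table are this example's own assumptions, not Watchdog's hardware design.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of Watchdog/SoftBoundCETS-style per-pointer metadata:
 * base/bound (spatial) plus identifier + lock (temporal). Names are this example's own. */
typedef struct {
    char *ptr;          /* raw pointer value the program uses */
    char *base, *bound; /* [base, bound) of the underlying object */
    uint64_t key;       /* identifier assigned at allocation */
    uint64_t *lock;     /* lock slot; *lock == key while the object is live */
} cptr;
enum { CHECK_OK = 0, CHECK_SPATIAL = 1, CHECK_TEMPORAL = 2 };
static uint64_t next_key = 1;
static uint64_t lock_table[64]; /* shadow lock slots, one per allocation */
static size_t next_lock;

/* Allocation: fresh identifier, a lock slot holding it, exact bounds. */
static cptr cptr_malloc(size_t n) {
    cptr p;
    p.ptr = p.base = malloc(n);
    p.bound = p.base + n;
    p.key = next_key++;
    p.lock = &lock_table[next_lock++ % 64];
    *p.lock = p.key;
    return p;
}
/* Free clears the lock, so every copy of the pointer now fails the check. */
static void cptr_free(cptr p) { *p.lock = 0; free(p.base); }
/* Pointer arithmetic propagates metadata unchanged; checks happen on use. */
static cptr cptr_add(cptr p, ptrdiff_t off) { p.ptr += off; return p; }
/* Check performed before every load/store of `size` bytes through p. */
static int cptr_check(cptr p, size_t size) {
    uintptr_t a = (uintptr_t)p.ptr, lo = (uintptr_t)p.base, hi = (uintptr_t)p.bound;
    if (*p.lock != p.key) return CHECK_TEMPORAL;      /* dangling pointer */
    if (a < lo || a > hi || hi - a < size) return CHECK_SPATIAL;
    return CHECK_OK;
}
/* Spatial case: one-byte access to buf[idx] of an 8-byte object. */
int demo_spatial(ptrdiff_t idx) {
    cptr buf = cptr_malloc(8);
    int r = cptr_check(cptr_add(buf, idx), 1);
    cptr_free(buf);
    return r;
}
/* Temporal case: an alias taken before free() is dereferenced after it. */
int demo_temporal(void) {
    cptr obj = cptr_malloc(16), alias = cptr_add(obj, 4);
    cptr_free(obj);
    return cptr_check(alias, 4);
}
```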
Similar resources
Practical Low-overhead Enforcement of Memory Safety for C Programs
Santosh Ganapati Nagarakatte, Milo M. K. Martin. The serious bugs and security vulnerabilities that result from C’s lack of bounds checking and unsafe manual memory management are well known, yet C remains in widespread use. Unfortunately, C’s arbitrary pointer arithmetic, conflation of pointers and arrays, and programmer-visible ...
Everything You Want to Know About Pointer-Based Checking
Lack of memory safety in C/C++ has resulted in numerous security vulnerabilities and serious bugs in large software systems. This paper highlights the challenges in enforcing memory safety for C/C++ programs and progress made as part of the SoftBoundCETS project. We have been exploring memory safety enforcement at various levels – in hardware, in the compiler, and as a hardware-compiler hybrid ...
Chaotic Memory Randomization for Securing Embedded Systems
Embedded systems permeate through nearly all aspects of modern society. From cars to refrigerators to nuclear refineries, securing these systems has never been more important. Intrusions, such as the Stuxnet malware which broke the centrifuges in Iran’s Natanz refinery, can be catastrophic to not only the infected systems, but even to the wellbeing of the surrounding population. Modern day prot...
Stack Bounds Protection with Low Fat Pointers
Object bounds overflow errors are a common source of security vulnerabilities. In principle, bounds check instrumentation eliminates the problem, but this introduces high overheads and is further hampered by limited compatibility against un-instrumented code. On 64-bit systems, low-fat pointers are a recent scheme for implementing efficient and compatible bounds checking by transparently encodi...
Towards Linux Kernel Memory Safety
The security of billions of devices worldwide depends on the security and robustness of the mainline Linux kernel. However, the increasing number of kernel-specific vulnerabilities, especially memory safety vulnerabilities, shows that the kernel is a popular and practically exploitable target. Two major causes of memory safety vulnerabilities are reference counter overflows (temporal memory erro...
Journal title:
Volume / Issue
Pages -
Publication date 2013