{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T16:37:53Z","timestamp":1773247073952,"version":"3.50.1"},"reference-count":52,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2022,1,23]],"date-time":"2022-01-23T00:00:00Z","timestamp":1642896000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Archit. Code Optim."],"published-print":{"date-parts":[[2022,3,31]]},"abstract":"<jats:p>Programs written in C\/C++ are vulnerable to memory-safety errors like buffer-overflows and use-after-free. While several mechanisms to detect such errors have been previously proposed, they suffer from a variety of drawbacks, including poor performance, imprecise or probabilistic detection of errors, or requiring invasive changes to the ISA, binary-layout, or source-code that results in compatibility issues. As a result, memory-safety errors continue to be hard to detect and a principal cause of security problems.<\/jats:p>\n          <jats:p>In this work, we present a minimally invasive and low-cost hardware-based memory-safety checking framework for detecting out-of-bounds accesses and use-after-free errors. The key idea of our mechanism is to re-purpose some of the \u201cunused bits\u201d in a pointer in 64-bit architectures to store an index into a bounds information table that can be used to catch out-of-bounds errors and use-after-free errors without any change to the binary layout. Using this memory-safety checking framework, we enable HeapCheck, a design for detecting Out-of-bounds and Use-after-free accesses for heap-objects, that are responsible for the majority of memory-safety errors in the wild. 
Our evaluations using C\/C++ SPEC CPU 2017 workloads on Gem5 show that our solution incurs 1.5% slowdown on average, using an 8 KB on-chip SRAM cache for caching bounds-information. Our mechanism allows detection of out-of-bounds errors in user-code as well as in unmodified shared-library functions. Our mechanism has detected out-of-bounds accesses in 87 lines of code in the SPEC CPU 2017 benchmarks, primarily in Glibc\u00a0v2.27 functions, that, to our knowledge, have not been previously detected even with popular tools like Address Sanitizer.<\/jats:p>","DOI":"10.1145\/3495152","type":"journal-article","created":{"date-parts":[[2022,1,24]],"date-time":"2022-01-24T05:49:00Z","timestamp":1643003340000},"page":"1-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["HeapCheck: Low-cost Hardware Support for Memory Safety"],"prefix":"10.1145","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3542-2548","authenticated-orcid":false,"given":"Gururaj","family":"Saileshwar","sequence":"first","affiliation":[{"name":"Georgia Tech, Georgia, USA"}]},{"given":"Rick","family":"Boivie","sequence":"additional","affiliation":[{"name":"IBM Research, New York, USA"}]},{"given":"Tong","family":"Chen","sequence":"additional","affiliation":[{"name":"IBM Research, New York, USA"}]},{"given":"Benjamin","family":"Segal","sequence":"additional","affiliation":[{"name":"IBM Research, New York, USA"}]},{"given":"Alper","family":"Buyuktosunoglu","sequence":"additional","affiliation":[{"name":"IBM Research, New York, USA"}]}],"member":"320","published-online":{"date-parts":[[2022,1,23]]},"reference":[{"key":"e_1_3_2_2_2","article-title":"Buffer Overflow (BOF) Examples\u2014Heartbleed","author":"NIST.","year":"2014","unstructured":"NIST. 2014. Buffer Overflow (BOF) Examples\u2014Heartbleed. 
Retrieved from https:\/\/samate.nist.gov\/BF\/Examples\/BOF.html.","journal-title":"https:\/\/samate.nist.gov\/BF\/Examples\/BOF.html"},{"key":"e_1_3_2_3_2","article-title":"2019 CWE Top 25 Most Dangerous Software Errors","author":"CWE.","year":"2019","unstructured":"CWE. 2019. 2019 CWE Top 25 Most Dangerous Software Errors. Retrieved from https:\/\/cwe.mitre.org\/top25\/archive\/2019\/2019_cwe_top25.html.","journal-title":"https:\/\/cwe.mitre.org\/top25\/archive\/2019\/2019_cwe_top25.html"},{"key":"e_1_3_2_4_2","first-page":"51","volume-title":"Proceedings of the 18th USENIX Security Symposium","author":"Akritidis Periklis","year":"2009","unstructured":"Periklis Akritidis, Manuel Costa, Miguel Castro, and Steven Hand. 2009. Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In Proceedings of the 18th USENIX Security Symposium, Fabian Monrose (Ed.). USENIX Association, 51\u201366. Retrieved from http:\/\/www.usenix.org\/events\/sec09\/tech\/full_papers\/akritidis.pdf."},{"key":"e_1_3_2_5_2","article-title":"Armv8.5-A Memory Tagging Extension","year":"2019","unstructured":"ARM. 2019. Armv8.5-A Memory Tagging Extension. Retrieved from https:\/\/developer.arm.com\/-\/media\/Arm%20Developer%20Community\/PDF\/Arm_Memory_Tagging_Extension_Whitepaper.pdf.","journal-title":"https:\/\/developer.arm.com\/-\/media\/Arm%20Developer%20Community\/PDF\/Arm_Memory_Tagging_Extension_Whitepaper.pdf"},{"key":"e_1_3_2_6_2","article-title":"Calling free() on a NULL pointer","author":"Bigham Jeffrey P.","year":"2006","unstructured":"Jeffrey P. Bigham. 2006. Calling free() on a NULL pointer. 
Retrieved from http:\/\/www.manticmoo.com\/articles\/jeff\/programming\/c\/free-with-null-pointer.php.","journal-title":"http:\/\/www.manticmoo.com\/articles\/jeff\/programming\/c\/free-with-null-pointer.php"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/CGO.2011.5764689"},{"key":"e_1_3_2_8_2","article-title":"Vectorized strlen getting away with reading unallocated memory","author":"Canon Stephen","unstructured":"Stephen Canon. 2020. Vectorized strlen getting away with reading unallocated memory. Retrieved from https:\/\/stackoverflow.com\/a\/25574201\/1011788.","journal-title":"https:\/\/stackoverflow.com\/a\/25574201\/1011788"},{"key":"e_1_3_2_9_2","article-title":"SPEC CPU 2017","author":"Corporation Standard Performance Evaluation","unstructured":"Standard Performance Evaluation Corporation. SPEC CPU 2017. Retrieved from https:\/\/www.spec.org\/cpu2017\/.","journal-title":"https:\/\/www.spec.org\/cpu2017\/"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/1346281.1346295"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1145\/2892208.2892212"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23287"},{"key":"e_1_3_2_13_2","article-title":"There\u2019s a Hole in the Boot\u2014Boothole (CVE-2020-10713)","year":"2020","unstructured":"Eclypsium. 2020. There\u2019s a Hole in the Boot\u2014Boothole (CVE-2020-10713). Retrieved from https:\/\/eclypsium.com\/2020\/07\/29\/theres-a-hole-in-the-boot\/.","journal-title":"https:\/\/eclypsium.com\/2020\/07\/29\/theres-a-hole-in-the-boot\/"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00098"},{"key":"e_1_3_2_15_2","first-page":"916","volume-title":"Proceedings of the ACM\/IEEE 48th Annual International Symposium on Computer Architecture (ISCA\u201921)","author":"Ziad Mohamed Tarek Ibn","year":"2021","unstructured":"Mohamed Tarek Ibn Ziad, Miguel A. 
Arroyo, Evgeny Manzhosov, Ryan Piersma, and Simha Sethumadhavan. 2021. No-FAT: Architectural support for low overhead memory-safety checks. In Proceedings of the ACM\/IEEE 48th Annual International Symposium on Computer Architecture (ISCA\u201921). 916\u2013929. https:\/\/doi.org\/10.1109\/ISCA52012.2021.00076"},{"key":"e_1_3_2_16_2","first-page":"999","volume-title":"Proceedings of the ACM\/IEEE 48th Annual International Symposium on Computer Architecture (ISCA\u201921)","author":"Ziad Mohamed Tarek Ibn","year":"2021","unstructured":"Mohamed Tarek Ibn Ziad, Miguel A. Arroyo, Evgeny Manzhosov, and Simha Sethumadhavan. 2021. ZeRO: Zero-overhead resilient operation under pointer integrity attacks. In Proceedings of the ACM\/IEEE 48th Annual International Symposium on Computer Architecture (ISCA\u201921). 999\u20131012. https:\/\/doi.org\/10.1109\/ISCA52012.2021.00082"},{"key":"e_1_3_2_17_2","volume-title":"Proceedings of the USENIX Annual Technical Conference (USENIX-ATC\u201920)","author":"Jeon Yuseok","year":"2020","unstructured":"Yuseok Jeon, Wookhyun Han, Nathan Burow, and Mathias Payer. 2020. FuZZan: Efficient sanitizer metadata design for fuzzing. In Proceedings of the USENIX Annual Technical Conference (USENIX-ATC\u201920)."},{"key":"e_1_3_2_18_2","first-page":"275","volume-title":"Proceedings of the General Track USENIX Annual Technical Conference","author":"Jim Trevor","year":"2002","unstructured":"Trevor Jim, J. Gregory Morrisett, Dan Grossman, Michael W. Hicks, James Cheney, and Yanling Wang. 2002. Cyclone: A safe dialect of C. In Proceedings of the General Track USENIX Annual Technical Conference, Carla Schlatter Ellis (Ed.). USENIX, 275\u2013288. 
Retrieved from http:\/\/www.usenix.org\/publications\/library\/proceedings\/usenix02\/jim.html."},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO50266.2020.00095"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516713"},{"key":"e_1_3_2_21_2","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security\u201921)","author":"Loughlin Kevin","year":"2021","unstructured":"Kevin Loughlin, Ian Neal, Jiacheng Ma, Elisa Tsai, Ofir Weisse, Satish Narayanasamy, and Baris Kasikci. 2021. DOLMA: Securing speculation with the principle of transient non-observability. In Proceedings of the 30th USENIX Security Symposium (USENIX Security\u201921)."},{"key":"e_1_3_2_22_2","unstructured":"Jason Lowe-Power, Abdul Mutaal Ahmad, Ayaz Akram, Mohammad Alian, Rico Amslinger, Matteo Andreozzi, Adri\u00e0 Armejach, Nils Asmussen, Srikant Bharadwaj, Gabe Black, Gedare Bloom, Bobby R. Bruce, Daniel Rodrigues Carvalho, Jer\u00f3nimo Castrill\u00f3n, Lizhong Chen, Nicolas Derumigny, Stephan Diestelhorst, Wendy Elsasser, Marjan Fariborz, Amin Farmahini Farahani, Pouya Fotouhi, Ryan Gambord, Jayneel Gandhi, Dibakar Gope, Thomas Grass, Bagus Hanindhito, Andreas Hansson, Swapnil Haria, Austin Harris, Timothy Hayes, Adrian Herrera, Matthew Horsnell, Syed Ali Raza Jafri, Radhika Jagtap, Hanhwi Jang, Reiley Jeyapaul, Timothy M. Jones, Matthias Jung, Subash Kannoth, Hamidreza Khaleghzadeh, Yuetsu Kodama, Tushar Krishna, Tommaso Marinelli, Christian Menard, Andrea Mondelli, Tiago M\u00fcck, Omar Naji, Krishnendra Nathella, Hoa Nguyen, Nikos Nikoleris, Lena E. Olson, Marc S. Orr, Binh Pham, Pablo Prieto, Trivikram Reddy, Alec Roelke, Mahyar Samani, Andreas Sandberg, Javier Setoain, Boris Shingarov, Matthew D. Sinclair, Tuan Ta, Rahul Thakur, Giacomo Travaglini, Michael Upton, Nilay Vaish, Ilias Vougioukas, Zhengrong Wang, Norbert Wehn, Christian Weis, David A. Wood, Hongil Yoon, and \u00c9der F. Zulian. 2020. The gem5 Simulator: Version 20.0+. 
Retrieved from https:\/\/arxiv.org\/abs\/2007.03152."},{"key":"e_1_3_2_23_2","article-title":"SSTIC-2020. Pursuing Durably Safe Systems Software","author":"Miller Matt","year":"2020","unstructured":"Matt Miller. 2020. SSTIC-2020. Pursuing Durably Safe Systems Software. Retrieved from https:\/\/github.com\/microsoft\/MSRC-Security-Research\/tree\/master\/presentations\/2020_06_SSTIC.","journal-title":"https:\/\/github.com\/microsoft\/MSRC-Security-Research\/tree\/master\/presentations\/2020_06_SSTIC"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/2366231.2337181"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/1542476.1542504"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/1806651.1806657"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/503272.503286"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/1250734.1250746"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/3224423"},{"key":"e_1_3_2_30_2","article-title":"Hardware-Assisted Checking Using Silicon Secured Memory (SSM)","year":"2015","unstructured":"Oracle. 2015. Hardware-Assisted Checking Using Silicon Secured Memory (SSM). Retrieved from https:\/\/docs.oracle.com\/cd\/E37069_01\/html\/E37085\/gphwb.html.","journal-title":"https:\/\/docs.oracle.com\/cd\/E37069_01\/html\/E37085\/gphwb.html"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2003.1236233"},{"key":"e_1_3_2_32_2","first-page":"241","volume-title":"Proceedings of the USENIX Annual Technical Conference (USENIX ATC\u201919)","author":"Park Soyeon","year":"2019","unstructured":"Soyeon Park, Sangho Lee, Wen Xu, Hyungon Moon, and Taesoo Kim. 2019. libmpk: Software abstraction for Intel memory protection keys (intel MPK). In Proceedings of the USENIX Annual Technical Conference (USENIX ATC\u201919). 
241\u2013254."},{"key":"e_1_3_2_33_2","article-title":"Address Sanitizer Algorithm","author":"Phillips Mitch","year":"2012","unstructured":"Mitch Phillips. 2012. Address Sanitizer Algorithm. Retrieved from https:\/\/github.com\/google\/sanitizers\/wiki\/AddressSanitizerAlgorithm.","journal-title":"https:\/\/github.com\/google\/sanitizers\/wiki\/AddressSanitizerAlgorithm"},{"key":"e_1_3_2_34_2","unstructured":"Qualcomm. 2017. Pointer Authentication on ARMv8.3. Retrieved from https:\/\/www.qualcomm.com\/media\/documents\/files\/whitepaper-pointer-authentication-on-armv8-3.pdf."},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/2133375.2133377"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358299"},{"key":"e_1_3_2_37_2","unstructured":"Kostya Serebryany. 2017. OSS-fuzz\u2014Google\u2019s continuous fuzzing service for open source software. USENIX Association Vancouver BC."},{"key":"e_1_3_2_38_2","first-page":"309","volume-title":"Proceedings of the USENIX Annual Technical Conference","author":"Serebryany Konstantin","year":"2012","unstructured":"Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. Address sanitizer: A fast address sanity checker. In Proceedings of the USENIX Annual Technical Conference, Gernot Heiser and Wilson C. Hsieh (Eds.). USENIX Association, 309\u2013318. Retrieved from https:\/\/www.usenix.org\/conference\/atc12\/technical-sessions\/presentation\/serebryany."},{"key":"e_1_3_2_39_2","article-title":"Adopting the Arm Memory Tagging Extension in Android","author":"Serebryany Kostya","year":"2019","unstructured":"Kostya Serebryany and Sudhi Herle. 2019. Adopting the Arm Memory Tagging Extension in Android. 
Retrieved from https:\/\/security.googleblog.com\/2019\/08\/adopting-arm-memory-tagging-extension.html.","journal-title":"https:\/\/security.googleblog.com\/2019\/08\/adopting-arm-memory-tagging-extension.html"},{"key":"e_1_3_2_40_2","unstructured":"Kostya Serebryany Evgenii Stepanov Aleksey Shlyapnikov Vlad Tsyrklevich and Dmitry Vyukov. 2018. Memory Tagging and how it improves C\/C++ memory safety. Retrieved from https:\/\/arxiv:cs.CR\/1802.09517."},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA45697.2020.00068"},{"key":"e_1_3_2_42_2","article-title":"How2Heap Github Repository","year":"2020","unstructured":"Shellphish. 2020. How2Heap Github Repository. Retrieved from https:\/\/github.com\/shellphish\/how2heap.","journal-title":"https:\/\/github.com\/shellphish\/how2heap"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2018.00056"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00010"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2014.44"},{"key":"e_1_3_2_46_2","article-title":"SoK: The progress, challenges, and perspectives of directed greybox fuzzing","author":"Wang Pengfei","year":"2020","unstructured":"Pengfei Wang and Xu Zhou. 2020. SoK: The progress, challenges, and perspectives of directed greybox fuzzing. 
Retrieved from https:\/\/arXiv:2005.11907.","journal-title":"Retrieved from https:\/\/arXiv:2005.11907"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2019.2914037"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2014.6853201"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358288"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1145\/3445814.3446761"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/1755688.1755707"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358274"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304017"}],"container-title":["ACM Transactions on Architecture and Code Optimization"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3495152","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3495152","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:12:02Z","timestamp":1750191122000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3495152"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,1,23]]},"references-count":52,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,3,31]]}},"alternative-id":["10.1145\/3495152"],"URL":"https:\/\/doi.org\/10.1145\/3495152","relation":{},"ISSN":["1544-3566","1544-3973"],"issn-type":[{"value":"1544-3566","type":"print"},{"value":"1544-3973","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,1,23]]},"assertion":[{"value":"2021-05-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication 
History"}},{"value":"2021-10-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-01-23","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}