Classic Papers on Memory Safety

This page compiles a list of classic and (I believe) to-be classic papers and articles on memory safety. All these publications are worth reading and re-reading. The definition of “classic” in this context essentially means impactful. However, classic/impactful does not necessarily mean the best of their class at the time. There are varied reasons for a work to be impactful, such as having strong support from a large organization. In addition, as you may have noticed, the lists are highly selective and somewhat (and inevitably) subjective. For a more comprehensive compilation of good papers to read, please see this. (I confess that I have not read many of the papers in the GitHub repo, so use it with caution. :-)

The publications are categorized as follows:

  • Literature Review: Surveys and overview of the memory safety literature
  • Offense: How memory safety bugs can be exploited and turned into vulnerabilities
  • Safe Systems Languages: Mainly safe dialects of C
  • Safe Implementations: Retrofitting memory safety into C/C++ during compilation or binary rewriting
  • Run-time Mitigations: Run-time mitigations against exploitation of memory safety errors
  • Program Analysis: Static and dynamic analysis to detect memory safety errors

The classification of defenses mainly follows the Checked C paper. Note that many classic papers have an extended or revised version published later than the original. For these papers, I use the latest version.

Literature Review

2013 Oakland SoK: Eternal War in Memory

Offenses

1996 Phrack Smashing The Stack For Fun And Profit
2005 Security Non-Control-Data Attacks Are Realistic Threats
2007 CCS The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
2014 Oakland Out Of Control: Overcoming Control-Flow Integrity
2015 Oakland Missing the Point(er): On the Effectiveness of Code Pointer Integrity
2016 Oakland Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks
2019 CSET Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating

Safe Systems Languages

2002 ATC Cyclone: A Safe Dialect of C
2007 ESOP Dependent Types for Low-Level Programming
2018 SecDev Checked C: Making C Safe by Extension

Safe Implementations

1994 PLDI Efficient Detection of All Pointer and Array Access Errors
1997 SPE Low-cost, Concurrent Checking of Pointer and Array Accesses in C Programs
2005 TOPLAS CCured: Type-Safe Retrofitting of Legacy Software
2006 PLDI SAFECode: Enforcing Alias Analysis for Weakly Typed Languages
2006 PLDI DieHard: Probabilistic Memory Safety for Unsafe Languages
2007 PLDI Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation
2009 Security Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors
2012 ATC AddressSanitizer: A Fast Address Sanity Checker
2014 OSDI Code-Pointer Integrity
2015 SNAPL Everything You Want to Know About Pointer-Based Checking
2019 ATC Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries

Run-time Mitigations

1993 SOSP Efficient Software-Based Fault Isolation
1998 Security StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
2003 PaX ASLR
2009 TISSec Control-Flow Integrity Principles, Implementations, and Applications
2010 Security Adapting Software Fault Isolation to Contemporary CPU Architectures
2015 AsiaCCS The Performance Cost of Shadow Stacks and Stack Canaries
2019 Oakland SoK: Shining Light on Shadow Stacks

Program Analysis

2005 NDSS Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software

I also sorted all the papers in chronological order. This is intended to provide a high-level overview of the development of the memory safety war.

All Papers by Publication Year

1993 SOSP Efficient Software-Based Fault Isolation
1994 PLDI Efficient Detection of All Pointer and Array Access Errors
1996 Phrack Smashing The Stack For Fun And Profit
1997 SPE Low-cost, Concurrent Checking of Pointer and Array Accesses in C Programs
1998 Security StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
2002 ATC Cyclone: A Safe Dialect of C
2003 PaX ASLR
2005 Security Non-Control-Data Attacks Are Realistic Threats
2005 NDSS Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
2005 TOPLAS CCured: Type-Safe Retrofitting of Legacy Software
2006 PLDI SAFECode: Enforcing Alias Analysis for Weakly Typed Languages
2006 PLDI DieHard: Probabilistic Memory Safety for Unsafe Languages
2007 CCS The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
2007 ESOP Dependent Types for Low-Level Programming
2007 PLDI Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation
2009 TISSec Control-Flow Integrity Principles, Implementations, and Applications
2009 Security Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors
2010 Security Adapting Software Fault Isolation to Contemporary CPU Architectures
2012 ATC AddressSanitizer: A Fast Address Sanity Checker
2013 Oakland SoK: Eternal War in Memory
2014 Oakland Out Of Control: Overcoming Control-Flow Integrity
2014 OSDI Code-Pointer Integrity
2015 Oakland Missing the Point(er): On the Effectiveness of Code Pointer Integrity
2015 AsiaCCS The Performance Cost of Shadow Stacks and Stack Canaries
2015 SNAPL Everything You Want to Know About Pointer-Based Checking
2016 Oakland Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks
2018 SecDev Checked C: Making C Safe by Extension
2019 CSET Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating
2019 Oakland SoK: Shining Light on Shadow Stacks
2019 ATC Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries