Classic Papers on Memory Safety

This page compiles a list of classic and (I believe) to-be classic papers and articles on memory safety. All these publications are worth reading and re-reading. The definition of “classic” in this context is essentially impactful. However, classic/impactful does not necessarily mean the best of their class at the time. There are varied reasons for a work to be impactful, such as having strong support from a large organization. In addition, as you may have noticed, the lists are highly selective and somewhat (and inevitably) subjective. For a more comprehensive compilation of good papers to read, please see this. (I confess that I have not read many of the papers in the GitHub repo, so use it with caution. :-)

The publications are categorized as follows:

  • Literature Review: Surveys and overview of the memory safety literature
  • Offense: How memory safety bugs can be exploited and turned into vulnerabilities
  • Safe Systems Languages: Mainly Safe dialects of C
  • Safe Implementations: Retrofitting memory safety into C/C++ during compilation or binary rewriting
  • Run-time Mitigations: Run-time mitigations against exploitations of memory safety errors
  • Program Analysis: Static and dynamic analysis to detect memory safety errors

The classification of defenses mainly follows the Checked C paper. Note that many classic papers have an extended or revised version published later than the original. For these papers, I use the latest version.

Literature Review

2013 Oakland SoK: Eternal War in Memory

Offenses

1996 Phrack Smashing The Stack For Fun And Profit
2005 Security Non-Control-Data Attacks Are Realistic Threats
2007 CCS The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
2010 CCS Return-Oriented Programming without Returns
2014 Oakland Out Of Control: Overcoming Control-Flow Integrity
2014 Oakland Hacking Blind
2015 Security Control-Flow Bending: On the Effectiveness of Control-Flow Integrity
2015 Oakland Missing the Point(er): On the Effectiveness of Code Pointer Integrity
2016 Oakland Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks
2019 CSET Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating

Safe Systems Languages

2002 ATC Cyclone: A Safe Dialect of C
2007 ESOP Dependent Types for Low-Level Programming
2018 SecDev Checked C: Making C Safe by Extension

Safe Implementations

1994 PLDI Efficient Detection of All Pointer and Array Access Errors
1997 SPE Low-cost, Concurrent Checking of Pointer and Array Accesses in C Programs
1997 AADEBUG Backwards-compatible Bounds Checking for Arrays and Pointers in C Programs
2004 NDSS A Practical Dynamic Buffer Overflow Detector
2005 TOPLAS CCured: Type-Safe Retrofitting of Legacy Software
2006 PLDI SAFECode: Enforcing Alias Analysis for Weakly Typed Languages
2006 PLDI DieHard: Probabilistic Memory Safety for Unsafe Languages
2007 PLDI Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation
2007 SOSP Secure Virtual Architecture: A Safe Execution Environment for Commodity Operating Systems
2008 OSDI Preventing Memory Error Exploits with WIT
2009 Security Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors
2010 AsiaCCS PAriCheck: An Efficient Pointer Arithmetic Checker for C Programs
2012 ISCA Watchdog: Hardware for Safe and Secure Manual Memory Management and Full Memory Safety
2012 ATC AddressSanitizer: A Fast Address Sanity Checker
2014 OSDI Code-Pointer Integrity
2015 SNAPL Everything You Want to Know About Pointer-Based Checking
2016 CC Heap Bounds Protection with Low Fat Pointers

Run-time Mitigations

1993 SOSP Efficient Software-Based Fault Isolation
1998 Security StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
2003 PaX ASLR
2004 CCS On the Effectiveness of Address-Space Randomization
2006 OSDI XFI: Software Guards for System Address Spaces
2009 Oakland Native Client: A Sandbox for Portable, Untrusted x86 Native Code
2009 TISSec Control-Flow Integrity Principles, Implementations, and Applications
2010 Security Adapting Software Fault Isolation to Contemporary CPU Architectures
2015 AsiaCCS The Performance Cost of Shadow Stacks and Stack Canaries
2019 Okaland SoK: Shining Light on Shadow Stacks
2019 ATC Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries

Program Analysis

2004 NDSS A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities
2004 NDSS Model Checking One Million Lines of C Code
2005 NDSS Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software

I also sorted all the papers in chronological order to provide a high-level overview for the development of the memory safety war.

All Papers by Publication Year

1993 SOSP Efficient Software-Based Fault Isolation
1994 PLDI Efficient Detection of All Pointer and Array Access Errors
1996 Phrack Smashing The Stack For Fun And Profit
1997 SPE Low-cost, Concurrent Checking of Pointer and Array Accesses in C Programs
1997 AADEBUG Backwards-compatible Bounds Checking for Arrays and Pointers in C Programs
1998 Security StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
2002 ATC Cyclone: A Safe Dialect of C
2003 PaX ASLR
2004 CCS On the Effectiveness of Address-Space Randomization
2004 NDSS A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities
2004 NDSS Model Checking One Million Lines of C Code
2004 NDSS A Practical Dynamic Buffer Overflow Detector
2005 Security Non-Control-Data Attacks Are Realistic Threats
2005 NDSS Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
2005 TOPLAS CCured: Type-Safe Retrofitting of Legacy Software
2006 OSDI XFI: Software Guards for System Address Spaces
2006 Security Evaluating SFI for a CISC Architecture
2006 PLDI SAFECode: Enforcing Alias Analysis for Weakly Typed Languages
2006 PLDI DieHard: Probabilistic Memory Safety for Unsafe Languages
2007 CCS The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
2007 ESOP Dependent Types for Low-Level Programming
2007 PLDI Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation
2007 SOSP Secure Virtual Architecture: A Safe Execution Environment for Commodity Operating Systems
2008 OSDI Preventing Memory Error Exploits with WIT
2009 Oakland Native Client: A Sandbox for Portable, Untrusted x86 Native Code
2009 TISSec Control-Flow Integrity Principles, Implementations, and Applications
2009 Security Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors
2010 CCS Return-Oriented Programming without Returns
2010 Security Adapting Software Fault Isolation to Contemporary CPU Architectures
2010 AsiaCCS PAriCheck: An Efficient Pointer Arithmetic Checker for C Programs
2012 ISCA Watchdog: Hardware for Safe and Secure Manual Memory Management and Full Memory Safety
2012 ATC AddressSanitizer: A Fast Address Sanity Checker
2013 Oakland SoK: Eternal War in Memory
2014 Oakland Out Of Control: Overcoming Control-Flow Integrity
2014 Oakland Hacking Blind
2014 OSDI Code-Pointer Integrity
2015 Security Control-Flow Bending: On the Effectiveness of Control-Flow Integrity
2015 Oakland Missing the Point(er): On the Effectiveness of Code Pointer Integrity
2015 AsiaCCS The Performance Cost of Shadow Stacks and Stack Canaries
2015 SNAPL Everything You Want to Know About Pointer-Based Checking
2016 Oakland Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks
2016 CC Heap Bounds Protection with Low Fat Pointers
2018 SecDev Checked C: Making C Safe by Extension
2019 CSET Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating
2019 Okaland SoK: Shining Light on Shadow Stacks
2019 ATC Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries