The downgrading semantics of memory safety

Abstract: Memory safety is traditionally characterized in terms of bad things that cannot happen, an approach that is often criticized as unprincipled. Prior work suggest a connection between memory safety and noninterference, but no satisfactory semantic notion of memory safety is currently known. This work proposes a notion of gradual allocator independence that accurately captures many allocator-specific aspects of memory safety. We consider a low-level language with access to an allocator that provides malloc and free primitives in a flat memory model. Pointers are just integers, and as such it is trivial to write memory-unsafe programs. The basic intuition of gradual allocator independence is that of noninterference, namely that allocators must not influence program execution. This intuition is refined in two important ways to account for the allocators running out-of-memory and for programs to have pointer-to-integer casts. The key insight of the definition is to treat these extensions as forms of downgrading and give them satisfactory technical treatment using the state-of-the-art information flow machinery.