DOI: 10.1145/1866307.1866371

DieHarder: securing the heap

Published: 04 October 2010

ABSTRACT

Heap-based attacks depend on a combination of a memory management error and an exploitable memory allocator. Many allocators include ad hoc countermeasures against particular exploits, but their effectiveness against future exploits has been uncertain. This paper presents the first formal treatment of the impact of allocator design on security. It analyzes a range of widely deployed memory allocators, including those used by Windows, Linux, FreeBSD and OpenBSD, and shows that they remain vulnerable to attack. It then presents DieHarder, a new allocator whose design was guided by this analysis. DieHarder provides the highest degree of security from heap-based attacks of any practical allocator of which we are aware, while imposing modest performance overhead. In particular, the Firefox web browser runs as fast with DieHarder as with the Linux allocator.


Published in

CCS '10: Proceedings of the 17th ACM conference on Computer and communications security
October 2010, 782 pages
ISBN: 9781450302456
DOI: 10.1145/1866307
Copyright © 2010 ACM
Publisher: Association for Computing Machinery, New York, NY, United States
