Abstract
The goal of this paper is to propose a scheme that provides comprehensive security protection for the heap. Heap vulnerabilities are increasingly being exploited for attacks on computer programs. In most implementations, the heap management library keeps the heap meta-data (heap structure information) and the application's heap data in an interleaved fashion and does not protect them against each other. Such implementations are inherently unsafe: vulnerabilities in the application can cause the heap library to perform unintended actions to achieve control-flow and non-control attacks. Unfortunately, current heap protection techniques are limited in that they use too many assumptions on how the attacks will be performed, require new hardware support, or require too many changes to the software developers' toolchain. We propose Heap Server, a new solution that does not have such drawbacks. Through existing virtual memory and inter-process protection mechanisms, Heap Server prevents the heap meta-data from being illegally overwritten, and heap data from being meaningfully overwritten. We show that through aggressive optimizations and parallelism, Heap Server protects the heap with nearly negligible performance overheads even on heap-intensive applications. We also verify the protection against several real-world exploits and attack kernels.
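To make the abstract's central observation concrete, the following C model was added for this page; it is not the paper's code and not the Heap Server implementation. It builds two toy bump allocators over a private arena: one keeps each chunk's header directly in front of its data (the interleaved layout the abstract calls inherently unsafe), the other keeps every header in a separate table. A bounded write past the end of one chunk's data corrupts the neighbouring header in the first layout and cannot reach any header in the second. The arena size, the `chunk_meta` fields, the sentinel value and all function names are assumptions made for the illustration. The paper's design goes further than this in-process table: it holds the metadata in a separate process behind virtual-memory and inter-process protection, so the application cannot address it at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of two heap layouts. Not the paper's Heap Server code;
 * it only shows the adjacency property the abstract describes. Both layouts
 * carve chunks out of a private arena, so every write below, including the
 * simulated overflow, stays inside memory this program owns. */

#define ARENA_SIZE 4096
#define MAX_CHUNKS 16
#define HDR_MAGIC  0xC0FFEE42u   /* sentinel chosen for this example */

/* Per-chunk metadata a free-list allocator would keep. */
struct chunk_meta {
    uint32_t magic;   /* lets the checks below detect any overwrite */
    uint32_t size;    /* usable bytes in the chunk */
    uint32_t in_use;  /* 1 = allocated, 0 = free */
};

/* Layout A (in-band): each chunk is [chunk_meta][data], contiguous, as in
 * most classic allocators. Bytes written past one chunk's data land on the
 * next chunk's header. */
struct inband_heap {
    unsigned char arena[ARENA_SIZE];
    size_t top;                       /* first unused arena byte */
};

/* Layout B (out-of-band): the arena holds only application data; all
 * chunk_meta records live in a separate table. Heap Server goes further and
 * keeps that table in another process. */
struct oob_heap {
    unsigned char arena[ARENA_SIZE];
    struct chunk_meta meta[MAX_CHUNKS];
    size_t offset[MAX_CHUNKS];        /* arena offset of each chunk's data */
    size_t top;
    size_t nchunks;
};

/* Bump-allocate an in-band chunk; the header is copied with memcpy so no
 * alignment of the arena is assumed. Returns the data offset via *data_off. */
static int inband_alloc(struct inband_heap *h, uint32_t size, size_t *data_off) {
    struct chunk_meta m = { HDR_MAGIC, size, 1 };
    size_t need = sizeof m + size;
    if (h->top + need > ARENA_SIZE) return -1;
    memcpy(h->arena + h->top, &m, sizeof m);   /* header directly precedes data */
    *data_off = h->top + sizeof m;
    h->top += need;
    return 0;
}

static int inband_header_intact(const struct inband_heap *h, size_t data_off) {
    struct chunk_meta m;
    memcpy(&m, h->arena + data_off - sizeof m, sizeof m);
    return m.magic == HDR_MAGIC && m.in_use == 1;
}

/* Bump-allocate an out-of-band chunk; returns its table index via *idx. */
static int oob_alloc(struct oob_heap *h, uint32_t size, size_t *idx) {
    struct chunk_meta m = { HDR_MAGIC, size, 1 };
    if (h->nchunks >= MAX_CHUNKS || h->top + size > ARENA_SIZE) return -1;
    h->meta[h->nchunks] = m;
    h->offset[h->nchunks] = h->top;
    *idx = h->nchunks++;
    h->top += size;
    return 0;
}

/* Allocate two adjacent 64-byte chunks, fill the first plus `overflow` extra
 * bytes (clamped to the arena), and report whether the second chunk's
 * metadata survived: 1 = intact, 0 = corrupted, -1 = setup failure. */
int inband_meta_survives(size_t overflow) {
    struct inband_heap h;
    size_t a, b, end;
    memset(&h, 0, sizeof h);
    if (inband_alloc(&h, 64, &a) || inband_alloc(&h, 64, &b)) return -1;
    end = a + 64 + overflow;
    if (end > ARENA_SIZE) end = ARENA_SIZE;
    memset(h.arena + a, 'A', end - a);         /* models an unchecked copy */
    return inband_header_intact(&h, b);
}

int oob_meta_survives(size_t overflow) {
    struct oob_heap h;
    size_t a, b, start, end;
    memset(&h, 0, sizeof h);
    if (oob_alloc(&h, 64, &a) || oob_alloc(&h, 64, &b)) return -1;
    start = h.offset[a];
    end = start + 64 + overflow;
    if (end > ARENA_SIZE) end = ARENA_SIZE;
    memset(h.arena + start, 'A', end - start); /* can clobber data, never meta */
    return h.meta[b].magic == HDR_MAGIC && h.meta[b].in_use == 1;
}

int main(void) {
    printf("in-band,      0-byte overflow: metadata intact = %d\n", inband_meta_survives(0));
    printf("in-band,      1-byte overflow: metadata intact = %d\n", inband_meta_survives(1));
    printf("out-of-band, 64-byte overflow: metadata intact = %d\n", oob_meta_survives(64));
    return 0;
}
```

Running it shows a single byte of overflow flipping the in-band result from intact to corrupted, while the out-of-band table is untouched by any overflow the arena can hold. Note what the second layout does not give you: the overflow still overwrites the neighbouring chunk's data, which is the separate "meaningfully overwritten" problem the abstract says Heap Server also addresses, and an in-process table is still reachable by an arbitrary pointer write, which is why the paper places it in another process.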
Comprehensively and efficiently protecting the heap
ASPLOS XII: Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems, 2006.