
Comprehensively and efficiently protecting the heap

Published: 20 October 2006

Abstract

The goal of this paper is to propose a scheme that provides comprehensive security protection for the heap. Heap vulnerabilities are increasingly being exploited for attacks on computer programs. In most implementations, the heap management library keeps the heap meta-data (heap structure information) and the application's heap data in an interleaved fashion and does not protect them against each other. Such implementations are inherently unsafe: vulnerabilities in the application can cause the heap library to perform unintended actions to achieve control-flow and non-control attacks. Unfortunately, current heap protection techniques are limited in that they use too many assumptions on how the attacks will be performed, require new hardware support, or require too many changes to the software developers' toolchain. We propose Heap Server, a new solution that does not have such drawbacks. Through existing virtual memory and inter-process protection mechanisms, Heap Server prevents the heap meta-data from being illegally overwritten, and heap data from being meaningfully overwritten. We show that through aggressive optimizations and parallelism, Heap Server protects the heap with nearly-negligible performance overheads even on heap-intensive applications. We also verify the protection against several real-world exploits and attack kernels.



Published in

ACM SIGPLAN Notices, Volume 41, Issue 11
Proceedings of the 2006 ASPLOS Conference
November 2006
425 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/1168918

ASPLOS XII: Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
October 2006
440 pages
ISBN: 1595934510
DOI: 10.1145/1168857

Copyright © 2006 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
