ABSTRACT
In the past, stack smashing and stack-based buffer overflows were among the most insidious data-dependent bugs, leading to malicious code execution or other unwanted behavior in the targeted application. Since reliable countermeasures and bug-finding techniques such as fuzzing and static code analysis are now readily available, attackers have shifted towards heap-based exploitation techniques. Robust methods are therefore required that keep an application secure even in the presence of such attacks, but existing mitigations are not yet adequate in terms of convenience, reliability, and performance overhead.
We present a novel method to detect heap metadata corruption at runtime, before the allocator acts on it: by maintaining a copy of the heap metadata in a shadow heap and verifying heap integrity upon each call to the underlying allocator, we can detect most heap metadata manipulation techniques. Our results demonstrate that Shadow-Heap is a practical mitigation: the prototype implementation incurs only reasonable overhead thanks to a user-configurable performance-security tradeoff, and existing programs can be protected without recompilation.
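The mechanism sketched in the abstract, as an added example that is not the paper's prototype: a toy bump allocator with dlmalloc-style inline chunk headers, a shadow table holding a copy of every header outside the arena, and a full header comparison on allocator calls. The allocator itself, the header layout, the function names and the `check_interval` knob (standing in for the user-configurable tradeoff) are all assumptions of this example; the paper's approach wraps the program's existing allocator, whose metadata is considerably more complex.

```c
/* Added example, not the paper's prototype: a toy bump allocator whose inline
 * chunk headers are mirrored in a shadow table outside the arena and verified
 * on allocator calls. All names and the header layout are assumptions. */
#include <stddef.h>
#include <string.h>

#define ARENA_SIZE 4096
#define MAX_CHUNKS 64

/* Inline metadata placed directly before user data, as dlmalloc/glibc do. */
typedef struct { size_t size; size_t in_use; } chunk_hdr;

/* Shadow record kept outside the arena, out of reach of a linear overflow. */
typedef struct {
    chunk_hdr *hdr;  /* address of the live (attackable) header */
    chunk_hdr copy;  /* contents when the allocator last wrote it */
} shadow_entry;

static union { unsigned char bytes[ARENA_SIZE]; size_t align; } arena;
static size_t arena_top, shadow_count;
static shadow_entry shadow[MAX_CHUNKS];
static unsigned check_interval = 1;  /* verify every k-th call: the tradeoff knob */
static unsigned call_counter;
static int corruption_detected;

void shadow_reset(unsigned interval) {
    memset(arena.bytes, 0, sizeof arena.bytes);
    arena_top = shadow_count = 0;
    call_counter = 0;
    corruption_detected = 0;
    check_interval = interval ? interval : 1;
}

/* Compare every recorded header with its shadow copy; returns mismatch count. */
int shadow_verify(void) {
    int bad = 0;
    for (size_t i = 0; i < shadow_count; i++)
        if (memcmp(shadow[i].hdr, &shadow[i].copy, sizeof(chunk_hdr)) != 0)
            bad++;
    if (bad) corruption_detected = 1;
    return bad;
}

/* Only every check_interval-th allocator call pays for a full verification. */
static int gate_check(void) {
    return (++call_counter % check_interval == 0) ? shadow_verify() : 0;
}

void *shadow_malloc(size_t n) {
    if (gate_check()) return NULL;  /* refuse to operate on a corrupted heap */
    size_t need = sizeof(chunk_hdr) + ((n + 15) & ~(size_t)15);
    if (arena_top + need > ARENA_SIZE || shadow_count >= MAX_CHUNKS) return NULL;
    chunk_hdr *hdr = (chunk_hdr *)(arena.bytes + arena_top);
    hdr->size = n;
    hdr->in_use = 1;
    arena_top += need;
    shadow[shadow_count].hdr = hdr;
    shadow[shadow_count].copy = *hdr;  /* snapshot the metadata just written */
    shadow_count++;
    return hdr + 1;
}

/* 0 on success, -1 if corruption was detected, -2 if p is not a live chunk
 * (invalid/double free). The lookup trusts the shadow, never the inline header. */
int shadow_free(void *p) {
    if (gate_check()) return -1;
    chunk_hdr *hdr = (chunk_hdr *)p - 1;
    for (size_t i = 0; i < shadow_count; i++) {
        if (shadow[i].hdr == hdr && shadow[i].copy.in_use) {
            hdr->in_use = 0;
            shadow[i].copy.in_use = 0;
            return 0;
        }
    }
    return -2;
}

/* Benign usage must not trip the check; a double free is rejected. 1 = pass. */
int demo_clean_run(void) {
    shadow_reset(1);
    char *a = shadow_malloc(24), *b = shadow_malloc(100);
    if (!a || !b) return 0;
    memset(a, 'A', 24);
    memset(b, 'B', 100);
    if (shadow_free(a) != 0 || shadow_free(b) != 0) return 0;
    if (shadow_free(a) != -2) return 0;
    return shadow_verify() == 0 && !corruption_detected;
}

/* Overflow from chunk a clobbers chunk b's header. Returns how many allocator
 * calls after the overflow it takes to catch it (-1: not within 4 calls). */
int demo_overflow_detection_delay(unsigned interval) {
    shadow_reset(interval);
    char *a = shadow_malloc(16), *b = shadow_malloc(16);
    if (!a || !b) return -1;
    memset(a, 'A', 16 + sizeof(chunk_hdr));  /* runs past a into b's header */
    if (shadow_free(b) == -1) return 1;
    for (int calls = 2; calls <= 4; calls++)
        if (shadow_malloc(8) == NULL) return calls;
    return -1;
}
```

Calling `demo_overflow_detection_delay(1)` catches the clobbered header on the very next allocator call (the `free` of the victim chunk), while `demo_overflow_detection_delay(2)` lets that `free` through and only flags the corruption on the call after it: that delay is the price of checking less often, and the scan over all live chunks on every call is why the tradeoff exists in the first place. Two caveats carry over to any shadow-metadata scheme: it can only catch tampering with metadata the wrapper itself recorded, and a freed chunk's header must be updated in both places, or a stale shadow copy will raise a false alarm.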