Preventing Use-after-free with Dangling Pointers Nullification

Published on Jan 1, 2015 in NDSS (Network and Distributed System Security Symposium)
· DOI :10.14722/ndss.2015.23238
Byoungyoung Lee13
Estimated H-index: 13
(Georgia Institute of Technology),
Chengyu Song19
Estimated H-index: 19
(Georgia Institute of Technology)
+ 4 AuthorsWenke Lee70
Estimated H-index: 70
(Georgia Institute of Technology)
Many system components and network applications are written in languages that are prone to memory corruption vulnerabilities. There have been countless cases where simple mistakes by developers resulted in memory corruption vulnerabilities and consequently security exploits. While there have been tremendous research efforts to mitigate these vulnerabilities, useafter-free still remains one of the most critical and popular attack vectors because existing proposals have not adequately addressed the challenging program analysis and runtime performance issues. In this paper we present DANGNULL, a system that detects temporal memory safety violations—in particular, use-after-free and double-free—during runtime. DANGNULL relies on the key observation that the root cause of these violations is that pointers are not nullified after the target object is freed. Based on this observation, DANGNULL automatically traces the object’s relationships via pointers and automatically nullifies all pointers when the target object is freed. DANGNULL offers several benefits. First, DANGNULL addresses the root cause of temporal memory safety violations. It does not rely on the side effects of violations, which can vary and may be masked by attacks. Thus, DANGNULL is effective against even the most sophisticated exploitation techniques. Second, DANGNULL checks object relationship information using runtime object range analysis on pointers, and thus is able to keep track of pointer semantics more robustly even in complex and large scale software. Lastly, DANGNULL does not require numerous explicit sanity checks on memory accesses because it can detect a violation with implicit exception handling, and thus its detection capabilities only incur moderate performance overhead.
  • References (30)
  • Citations (42)
📖 Papers frequently viewed together
2015NDSS: Network and Distributed System Security Symposium
1 Author (Yves Younan)
40 Citations
305 Citations
2010ISMM: International Symposium on Memory Management
172 Citations
78% of Scinapse members use related papers. After signing in, all features are FREE.
#1Nicholas Carlini (University of California, Berkeley)H-Index: 21
#2David Wagner (University of California, Berkeley)H-Index: 78
Return Oriented Programming (ROP) has become the exploitation technique of choice for modern memory-safety vulnerability attacks. Recently, there have been multiple attempts at defenses to prevent ROP attacks. In this paper, we introduce three new attack methods that break many existing ROP defenses. Then we show how to break kBouncer and ROPecker, two recent low-overhead defenses that can be applied to legacy software on existing hardware. We examine several recent ROP attacks seen in the wild ...
172 Citations
#1Enes Goktas (VU: VU University Amsterdam)H-Index: 6
Last. Georgios Portokalidis (Stevens Institute of Technology)H-Index: 19
view all 5 authors...
Code-reuse attacks based on return oriented programming are among the most popular exploitation techniques used by attackers today. Few practical defenses are able to stop such attacks on arbitrary binaries without access to source code. A notable exception are the techniques that employ new hardware, such as Intel's Last Branch Record (LBR) registers, to track all indirect branches and raise an alert when a sensitive system call is reached by means of too many indirect branches to short gadgets...
87 Citations
#1Lucas Davi (Technische Universität Darmstadt)H-Index: 23
#2Ahmad-Reza Sadeghi (Technische Universität Darmstadt)H-Index: 58
Last. Fabian Monrose (UNC: University of North Carolina at Chapel Hill)H-Index: 38
view all 4 authors...
Return-oriented programming (ROP) offers a robust attack technique that has, not surprisingly, been extensively used to exploit bugs in modern software programs (e.g., web browsers and PDF readers). ROP attacks require no code injection, and have already been shown to be powerful enough to bypass fine-grained memory randomization (ASLR) defenses. To counter this ingenious attack strategy, several proposals for enforcement of (coarse-grained) control-flow integrity (CFI) have emerged. The key arg...
169 Citations
Jun 9, 2014 in PLDI (Programming Language Design and Implementation)
#1Fan Long (MIT: Massachusetts Institute of Technology)H-Index: 16
#2Stelios Sidiroglou-Douskos (MIT: Massachusetts Institute of Technology)H-Index: 9
Last. Martin Rinard (MIT: Massachusetts Institute of Technology)H-Index: 57
view all 3 authors...
We present a system, RCV, for enabling software applications to survive divide-by-zero and null-dereference errors. RCV operates directly on off-the-shelf, production, stripped x86 binary executables. RCV implements recovery shepherding, which attaches to the application process when an error occurs, repairs the execution, tracks the repair effects as the execution continues, contains the repair effects within the application process, and detaches from the process after all repair effects are fl...
60 CitationsSource
May 1, 2014 in S&P (IEEE Symposium on Security and Privacy)
#1Enes Goktas (UvA: University of Amsterdam)H-Index: 6
Last. Georgios Portokalidis (Stevens Institute of Technology)H-Index: 19
view all 4 authors...
As existing defenses like ASLR, DEP, and stack cookies are not sufficient to stop determined attackers from exploiting our software, interest in Control Flow Integrity (CFI) is growing. In its ideal form, CFI prevents flows of control that were not intended by the original program, effectively putting a stop to exploitation based on return oriented programming (and many other attacks besides). Two main problems have prevented CFI from being deployed in practice. First, many CFI implementations r...
199 CitationsSource
#1Josselin Feist (UGA: University of Grenoble)H-Index: 4
#2Laurent Mounier (UGA: University of Grenoble)H-Index: 6
Last. Marie-Laure Potet (UGA: University of Grenoble)H-Index: 12
view all 3 authors...
We present GUEB a static tool detecting Use after Free vulnerabilities on disassembled code. This tool has been evaluated on a real vulnerability in the ProFTPD application (CVE-2011-4130).
28 CitationsSource
Jan 1, 2014 in NDSS (Network and Distributed System Security Symposium)
#1Dongseok Jang (UCSD: University of California, San Diego)H-Index: 5
#2Zachary Tatlock (UW: University of Washington)H-Index: 13
Last. Sorin Lerner (UCSD: University of California, San Diego)H-Index: 23
view all 3 authors...
Several defenses have increased the cost of traditional, low-level attacks that corrupt control data, e.g. return addresses saved on the stack, to compromise program execution. In response, creative adversaries have begun circumventing these defenses by exploiting programming errors to manipulate pointers to virtual tables, or vtables, of C++ objects. These attacks can hijack program control flow whenever a virtual method of a corrupted object is called, potentially allowing the attacker to gain...
77 CitationsSource
Nov 4, 2013 in CCS (Computer and Communications Security)
#1Kangkook Jee (Columbia University)H-Index: 7
#2Vasileios P. Kemerlis (Columbia University)H-Index: 15
Last. Georgios Portokalidis (Stevens Institute of Technology)H-Index: 19
view all 4 authors...
Dynamic data flow tracking (DFT) is a technique broadly used in a variety of security applications that, unfortunately, exhibits poor performance, preventing its adoption in production systems. We present ShadowReplica, a new and efficient approach for accelerating DFT and other shadow memory-based analyses, by decoupling analysis from execution and utilizing spare CPU cores to run them in parallel. Our approach enables us to run a heavyweight technique, like dynamic taint analysis (DTA), twice ...
36 CitationsSource
#1Mingwei Zhang (SBU: Stony Brook University)H-Index: 6
#2R. C. Sekar (SBU: Stony Brook University)H-Index: 39
Control-Flow Integrity (CFI) has been recognized as an important low-level security property. Its enforcement can defeat most injected and existing code attacks, including those based on Return-Oriented Programming (ROP). Previous implementations of CFI have required compiler support or the presence of relocation or debug information in the binary. In contrast, we present a technique for applying CFI to stripped binaries on ×86/Linux. Ours is the first work to apply CFI to complex shared librari...
246 Citations
May 1, 2013 in S&P (IEEE Symposium on Security and Privacy)
#1Chao Zhang (PKU: Peking University)H-Index: 9
#2Tao Wei (PKU: Peking University)H-Index: 14
Last. Wei Zou (PKU: Peking University)H-Index: 11
view all 8 authors...
Control Flow Integrity (CFI) provides a strong protection against modern control-flow hijacking attacks. However, performance and compatibility issues limit its adoption. We propose a new practical and realistic protection method called CCFIR (Compact Control Flow Integrity and Randomization), which addresses the main barriers to CFI adoption. CCFIR collects all legal targets of indirect control-transfer instructions, puts them into a dedicated "Springboard section" in a random order, and then l...
279 CitationsSource
Cited By42
#1Houssem Daoud (École Polytechnique de Montréal)H-Index: 1
#2Michel Dagenais (École Polytechnique de Montréal)H-Index: 23
Abstract Performance analysis of Java applications requires a deep understanding of the Java virtual machine and the system on which it is running. An unexpected latency can be caused by a bug in the source code, a misconfiguration or an external factor like CPU or disk contention. Existing tools have difficulties finding the root cause of some latencies because they do not efficiently collect performance data from the different layers of the system. In this paper, we propose a multilevel analys...
#1Daliang Xu (PKU: Peking University)
#2Dongwei Chen (PKU: Peking University)
Last. Dong Tong (PKU: Peking University)H-Index: 8
view all 6 authors...
Use-After-Free vulnerabilities, allowing the attacker to access unintended memory via dangling pointers, are more threatening. However, most detection schemes can only detect dangling pointers and invalid them, but not provide a tolerance mechanism to repair the errors at runtime. Also, these techniques obtain and manage the metadata inefficiently with complex structures and too much scan (sweep). The goal of this paper is to use compiler instrumentation to eliminate dangling pointers automatica...
#1Manh-Dung Nguyen (Commissariat à l'énergie atomique et aux énergies alternatives)
#2Sébastien Bardin (Commissariat à l'énergie atomique et aux énergies alternatives)H-Index: 2
Last. Matthieu Lemerre (Commissariat à l'énergie atomique et aux énergies alternatives)
view all 5 authors...
Directed fuzzing focuses on automatically testing specific parts of the code by taking advantage of additional information such as (partial) bug stack trace, patches or risky operations. Key applications include bug reproduction, patch testing and static analysis report verification. Although directed fuzzing has received a lot of attention recently, hard-to-detect vulnerabilities such as Use-Afer-Free (UAF) are still not well addressed, more especially at the binary level. We propose UAFuzz, th...
#1Reza Mirzazade Farkhani (NU: Northeastern University)
#2Mansour Ahmadi (NU: Northeastern University)H-Index: 8
Last. Long Lu (NU: Northeastern University)H-Index: 11
view all 3 authors...
Temporal memory corruptions are commonly exploited software vulnerabilities that can lead to powerful attacks. Despite significant progress made by decades of research on mitigation techniques, existing countermeasures fall short due to either limited coverage or overly high overhead. Furthermore, they require external mechanisms (e.g., spatial memory safety) to protect their metadata. Otherwise, their protection can be bypassed or disabled. To address these limitations, we present robust points...
#1Beichen Liu (VT: Virginia Tech)
#2Pierre Olivier (VT: Virginia Tech)H-Index: 8
Last. Binoy Ravindran (VT: Virginia Tech)H-Index: 24
view all 3 authors...
Attacks on the heap are an increasingly severe threat. State-of-the-art secure dynamic memory allocators can offer protection, however their memory footprint is high, making them suboptimal in many situations. We introduce Slim-Guard, a secure allocator whose design is driven by memory efficiency. Among other features, SlimGuard uses an efficient fine-grain size classes indexing mechanism and implements a novel dynamic canary scheme. It offers a low memory overhead due its size classes optimized...
#1Tapti Palit (SBU: Stony Brook University)H-Index: 3
#2Fabian Monrose (UNC: University of North Carolina at Chapel Hill)H-Index: 38
Last. Michalis Polychronakis (SBU: Stony Brook University)H-Index: 28
view all 3 authors...
Gaining reliable arbitrary code execution through the exploitation of memory corruption vulnerabilities is becoming increasingly more difficult in the face of modern exploit mitigations. Facing this challenge, adversaries have started shifting their attention to data leakage attacks, which can lead to equally damaging outcomes, such as the disclosure of private keys or other sensitive data. In this work, we present a compiler-level defense against data leakage attacks for user-space applications...
Oct 12, 2019 in MICRO (International Symposium on Microarchitecture)
#1Hongyan Xia (University of Cambridge)H-Index: 3
#2Jonathan Woodruff (University of Cambridge)H-Index: 7
Last. Timothy M. Jones (University of Cambridge)H-Index: 14
view all 11 authors...
A lack of temporal safety in low-level languages has led to an epidemic of use-after-free exploits. These have surpassed in number and severity even the infamous buffer-overflow exploits violating spatial safety. Capability addressing can directly enforce spatial safety for the C language by enforcing bounds on pointers and by rendering pointers unforgeable. Nevertheless, an efficient solution for strong temporal memory safety remains elusive. CHERI is an architectural extension to provide hardw...
1 CitationsSource
#1Hua Yan (UNSW: University of New South Wales)H-Index: 4
#2Shiping Chen (CSIRO: Commonwealth Scientific and Industrial Research Organisation)H-Index: 21
Last. Jingling Xiie (UNSW: University of New South Wales)H-Index: 26
view all 6 authors...
We address the problem of verifying the temporal safety of heap memory at each pointer dereference. Our whole-program analysis approach is undertaken from the perspective of pointer analysis, allowing us to leverage the advantages of and advances in pointer analysis to improve precision and scalability. A dereference \(\omega \), say, via pointer q is unsafe iff there exists a deallocation \(\psi \), say, via pointer p such that on a control-flow path \(\rho \),p aliases with q (with both pointi...
#1Lingyun Situ (NU: Nanjing University)H-Index: 2
#2Linzhang Wang (NU: Nanjing University)H-Index: 14
Last. Xuandong Li (NU: Nanjing University)H-Index: 12
view all 5 authors...
Missing checks for untrusted inputs used in security-sensitive operations is one of the major causes of various vulnerabilities. Efficiently detecting and repairing missing checks are essential for prognosticating potential vulnerabilities and improving code reliability. We propose a systematic static analysis approach to detect missing checks for manipulable data used in security-sensitive operations of C/C++ programs and recommend repair references. First, customized securitysensitive operatio...
Aug 12, 2019 in FSE (Foundations of Software Engineering)
#1Yan Cai (CAS: Chinese Academy of Sciences)H-Index: 13
#2Biyun Zhu (CAS: Chinese Academy of Sciences)H-Index: 1
Last. Bin Liang (RUC: Renmin University of China)H-Index: 10
view all 7 authors...
Memory corruption vulnerabilities can occur in multithreaded executions, known as concurrency vulnerabilities in this paper. Due to non-deterministic multithreaded executions, they are extremely difficult to detect. Recently, researchers tried to apply data race detectors to detect concurrency vulnerabilities. Unfortunately, these detectors are ineffective on detecting concurrency vulnerabilities. For example, most (90%) of data races are benign. However, concurrency vulnerabilities are harmful ...
1 CitationsSource