S2malloc: Statistically Secure Allocator for Use-After-Free Protection And More

Published 2 Feb 2024 in cs.CR (arXiv:2402.01894v2)

Abstract: Attacks on heap memory, encompassing memory overflow, double and invalid free, use-after-free (UAF), and various heap spraying techniques, are ever-increasing. Existing entropy-based secure memory allocators provide statistical defenses against virtually all of these attack vectors. Although they claim protection against UAF attacks, their designs are not tailored to detect (failed) attempts. Consequently, to beat this entropy-based protection, an attacker can simply launch the same attack repeatedly, potentially combined with heap spraying to further improve the chance of success. We introduce S2malloc, aiming to enhance UAF-attempt detection without compromising other security guarantees or introducing significant performance overhead. To achieve this, we use three innovative constructs in secure allocator design: free block canaries (FBC) to detect UAF attempts, random in-block offset (RIO) to stop the attacker from accurately overwriting the victim object, and random bag layout (RBL) to impede attackers from estimating the block size based on its address. We show that (a) by reserving 25% of the object size for the RIO offset, an 8-byte canary offers a 69% protection rate if the attacker reuses the same pointer and a 96% protection rate if the attacker does not, against UAF exploitation attempts targeting a 64-byte object, with equal or higher security guarantees against all other attacks; and (b) S2malloc is practical, with only a 2.8% run-time overhead on PARSEC and an 11.5% overhead on SPEC. Compared to state-of-the-art entropy-based allocators, S2malloc improves UAF protection without incurring additional performance overhead. Compared to UAF-mitigating allocators, S2malloc trades off a minuscule probability of failed protection for significantly lower overhead.
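As an added illustration (not S2malloc's own code; the paper's allocator and its exact layout are not reproduced here), the following C program models two of the three constructs named in the abstract. A freed block is wiped and receives an 8-byte canary at a random aligned position (FBC), and a live object is placed at a random 8-byte-aligned offset inside its block (RIO). A write through a dangling pointer is flagged at the block's next reuse if it overlapped the canary. An exhaustive enumeration over (object offset, canary offset) pairs then gives a detection rate and a "protected" rate (caught by the canary, or the write missed the intended 8-byte field) for two attacker models: writing through the dangling pointer, and writing at a guessed offset without it. The 64-byte block, the 16-byte (25%) RIO range, the xorshift PRNG, the fixed canary value and the `demo_*`, `trial_consistent` and `model_rates` helpers are all assumptions of this example; the rates it prints come from this simplified model, not from the paper's analysis, and random bag layout (RBL) is not modelled.

```c
/* Added example, not S2malloc's own code: a toy slab allocator with
 * free-block canaries (FBC) and random in-block offsets (RIO), plus an
 * exhaustive estimate of how often a UAF write is caught or misses.
 * Block size, RIO range, PRNG and canary value are assumptions; the layout
 * model is simplified and does not reproduce the paper's 69%/96% figures. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64u   /* assumed size class */
#define RIO_RANGE  16u   /* 25% of the block reserved for the random offset */
#define ALIGN      8u
#define CANARY_LEN 8u
#define NBLOCKS    4u

static uint64_t rng_state = 0x9E3779B97F4A7C15ull; /* toy xorshift; a real allocator seeds a CSPRNG */
static uint64_t rng_next(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}
/* Fixed here for readability; in practice a per-process secret. */
static const uint8_t CANARY[CANARY_LEN] = {0xde,0xad,0xbe,0xef,0xca,0xfe,0xf0,0x0d};

typedef struct {
    uint8_t  data[BLOCK_SIZE];
    bool     in_use;
    unsigned obj_off;     /* RIO offset of the live object */
    unsigned canary_off;  /* where the FBC sits while the block is free */
} block_t;

static block_t  pool[NBLOCKS];
static unsigned uaf_attempts;   /* corrupted free-block canaries observed */

static bool canary_intact(const block_t *b) {
    return memcmp(b->data + b->canary_off, CANARY, CANARY_LEN) == 0;
}
static void plant_canary(block_t *b) {       /* FBC: wipe the block, hide a canary in it */
    b->canary_off = (unsigned)(rng_next() % (BLOCK_SIZE / ALIGN)) * ALIGN;
    memset(b->data, 0, BLOCK_SIZE);
    memcpy(b->data + b->canary_off, CANARY, CANARY_LEN);
}
static void s2_init(void) {
    uaf_attempts = 0;
    for (unsigned i = 0; i < NBLOCKS; i++) { pool[i].in_use = false; plant_canary(&pool[i]); }
}
static void *s2_alloc(void) {
    for (unsigned i = 0; i < NBLOCKS; i++) {
        block_t *b = &pool[i];
        if (b->in_use) continue;
        if (!canary_intact(b)) uaf_attempts++;  /* something wrote here while the block was free */
        b->in_use  = true;
        b->obj_off = (unsigned)(rng_next() % (RIO_RANGE / ALIGN)) * ALIGN;  /* RIO */
        return b->data + b->obj_off;
    }
    return NULL;
}
static void s2_free(void *p) {
    for (unsigned i = 0; i < NBLOCKS; i++) {
        uintptr_t lo = (uintptr_t)pool[i].data, a = (uintptr_t)p;
        if (a >= lo && a < lo + BLOCK_SIZE) { pool[i].in_use = false; plant_canary(&pool[i]); return; }
    }
}
static bool overlaps(unsigned a0, unsigned alen, unsigned b0, unsigned blen) {
    return alen && a0 < b0 + blen && b0 < a0 + alen;
}

typedef struct { unsigned obj_off, canary_off, written; bool detected; } trial_t;

/* Allocate, free, write len bytes through the dangling pointer, then reuse the
 * block so the FBC check runs. The write is clamped to the block (assumption). */
static trial_t demo_dangling_write(unsigned len) {
    s2_init();
    uint8_t *p = s2_alloc();                  /* pool[0]: every block is free after init */
    trial_t t = { pool[0].obj_off, 0, 0, false };
    s2_free(p);
    t.canary_off = pool[0].canary_off;
    t.written = len > BLOCK_SIZE - t.obj_off ? BLOCK_SIZE - t.obj_off : len;
    memset(p, 0x41, t.written);               /* the UAF write */
    (void)s2_alloc();                         /* reuse triggers the canary check */
    t.detected = uaf_attempts > 0;
    return t;
}
/* The allocator flags the write exactly when it overlapped the canary. */
static bool trial_consistent(unsigned len) {
    trial_t t = demo_dangling_write(len);
    return t.detected == overlaps(t.obj_off, t.written, t.canary_off, CANARY_LEN);
}
static unsigned demo_clean(void) {            /* alloc/free/alloc with no UAF: no alarm */
    s2_init(); s2_free(s2_alloc()); (void)s2_alloc(); return uaf_attempts;
}

/* Exhaustive model over every (RIO offset o, canary offset c) pair. The attacker
 * writes len bytes at `field` bytes past the object: past the dangling pointer
 * (reuse_pointer) or past a guessed block offset (RIO offset unknown). "Protected"
 * means the canary caught the write or it missed the 8-byte victim field. */
typedef struct { double detected, protected_rate; } rates_t;
static rates_t model_rates(unsigned field, unsigned len, bool reuse_pointer, unsigned guess) {
    unsigned n = 0, det = 0, prot = 0;
    for (unsigned o = 0; o < RIO_RANGE; o += ALIGN)
        for (unsigned c = 0; c + CANARY_LEN <= BLOCK_SIZE; c += ALIGN) {
            unsigned w = (reuse_pointer ? o : guess) + field;
            bool hit_canary = overlaps(w, len, c, CANARY_LEN);
            bool hit_field  = overlaps(w, len, o + field, ALIGN);
            n++; det += hit_canary; prot += (hit_canary || !hit_field);
        }
    return (rates_t){ (double)det / n, (double)prot / n };
}

int main(void) {
    rates_t a = model_rates(0, 8, true, 0), b = model_rates(0, 8, false, 0);
    printf("dangling-pointer write: detected %.3f protected %.3f\n", a.detected, a.protected_rate);
    printf("guessed-offset write:   detected %.3f protected %.3f\n", b.detected, b.protected_rate);
    printf("clean alloc/free/alloc alarms: %u\n", demo_clean());
    return 0;
}
```

Two things in this toy are worth carrying over to any real evaluation. First, detection only happens at a check point (here, the next reuse of the block), so a UAF write that is never followed by a reuse or a sweep goes unnoticed; the sweep interval is a tuning knob. Second, a canary only catches writes: a UAF read of the freed block is invisible to it, which is why the wipe in `plant_canary` is not optional. The guessed-offset attacker is "protected" far more often than the dangling-pointer attacker in this model purely because of RIO, which is the effect the abstract describes as stopping the attacker from accurately overwriting the victim object.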


Authors (3)