sign in sign up

<<

Preventing Use-After-Free with Dangling Pointers Nullification

Preventing Use-After-Free with Dangling Pointers Nullification

Preventing Use-after-free with Dangling Pointers Nullification

Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee

Georgia Institute of Technology Stony Brook University Emerging Threat: Use-after-free

Software Vulnerability Exploitation Trends, Microsoft, 2013

2 Emerging Threat: Use-after-free

Software Vulnerability Exploitation Trends, Microsoft, 2013

2 Emerging Threat: Use-after-free

Software Vulnerability Exploitation Trends, Microsoft, 2013

2 Emerging Threat: Use-after-free

13 Security-Critical 582 Security-High

107 0 12 0 Use-after-free Stack Heap Overflow Overflow

The number of reported vulnerabilities in Chrome (2011-2013)

3 Emerging Threat: Use-after-free

13 Security-Critical 582 Security-High

107 0 12 0 Use-after-free Stack Heap Overflow Overflow

The number of reported vulnerabilities in Chrome (2011-2013)

3 Use-after-free

• A dangling pointer – A pointer points to a freed memory region

• Using a dangling pointer leads to undefined program states – Easy to achieve arbitrary code executions – so called use-after-free

Preventing Use-after-free with Dangling Pointers Nullification 4 Understanding Use-after-free

class Doc : public Element { Doc *doc = new Doc(); // … Body *body = new Body(); Element *child; }; doc->child = body; class Body : public Element { delete body; // … Element *child; if (doc->child) }; doc->child->getAlign();

Preventing Use-after-free with Dangling Pointers Nullification 5 Understanding Use-after-free

Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child doc->child = body; Body

delete body; *child *body if (doc->child) doc->child->getAlign();

Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free

Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body

delete body; *child *body if (doc->child) doc->child->getAlign();

Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free

Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body

delete body; *child *body if (doc->child) doc->child->getAlign();

Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free

Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body Free an object delete body; *child *body if (doc->child) doc->child->getAlign();

Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free

Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body Free an object delete body; freed *child *body if (doc->child) doc->child->getAlign();

Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free

Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body if (doc->child) doc->child->getAlign();

Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free

Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body Use a dangling pointer if (doc->child) doc->child->getAlign();

Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free

Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body Use a dangling pointer if (doc->child) doc->child->getAlign();

Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free

Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freedAttacker *childcontrol *body object Use a dangling pointer if (doc->child) doc->child->getAlign();

Preventing Use-after-free with Dangling Pointers Nullification 6 Related Work on Use-after-free

t free control objects use

Safe Allocators Vtable protection AddressSanitizer Control Flow Integrity Delayed free Memory Safety Use-after-free detector

Preventing Use-after-free with Dangling Pointers Nullification 7 Related Work on Use-after-free

t free control objects use

Safe Allocators Vtable protection AddressSanitizer Control Flow Integrity Delayed free Memory Safety Use-after-free detector Make exploitation harder, but still bypassable  or Difficult to support large-scale software  Preventing Use-after-free with Dangling Pointers Nullification 7 Related Work on Use-after-free

t free control objects use

DangNull Safe Allocators Vtable protection AddressSanitizer Control Flow Integrity Delayed free Memory Safety Use-after-free detector Make exploitation harder, but still bypassable  or Difficult to support large-scale software  Preventing Use-after-free with Dangling Pointers Nullification 7 DangNull: Use-after-free detector

• Tracking Object Relationships – Coarse grained pointer semantic tracking  Support large-scale software

• Nullify dangling pointers – Immediately eliminate all dangling pointers Non-bypassable to sophisticated attacks

Preventing Use-after-free with Dangling Pointers Nullification 8 Tracking Object Relationships

• Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair

Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships

• Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair

Doc *doc = new Doc();

Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships

• Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair

Doc *doc = new Doc();

Insert shadow obj: - Base address of allocation - Size of Doc

Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships

• Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair

Doc *doc = new Doc();

Insert shadow obj: - Base address of allocation

- Size of Doc delete body;

Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships

• Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair

Doc *doc = new Doc(); Remove shadow obj: - Using base address (body)

Insert shadow obj: - Base address of allocation

- Size of Doc delete body;

Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.

doc->child = body;

Doc

*doc *child

Body

*body

Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.

doc->child = body; trace(&doc->child, body);

Doc

*doc *child

Body

*body

Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.

Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body);

Doc

*doc *child Shadow obj. of Body

Body back fwd

*body

Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.

Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body);

Doc Forward

*doc *child Shadow obj. of Body

Body back fwd

*body

Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.

Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body);

Doc Forward

*doc *child Shadow obj. of Body

Body Backward back fwd

*body

Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.

Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body);

Forward Doc *docThis is coarse grained pointer semantic tracking, *child Shadow obj. of Body but enough to identify all dangling pointers. back fwd Body Backward

*body

Preventing Use-after-free with Dangling Pointers Nullification 10 Nullifying Dangling Pointers

• Nullify all backward pointers of Body, once it is deleted. – All backward pointers of Body are dangling pointers – Dangling pointers have no semantics

Doc

*doc *child

Body

Freed *body

Preventing Use-after-free with Dangling Pointers Nullification 11 Nullifying Dangling Pointers delete body;

Nullification doc->child = NULL if (doc->child) doc->child->getAlign(); Null-dereference is safely contained in pre-mapped nullpadding

Preventing Use-after-free with Dangling Pointers Nullification 12 Nullifying Dangling Pointers delete body;

Nullification docImmediately->child = NULL eliminate all dangling pointers! if (doc->child) doc->child->getAlign(); Null-dereference is safely contained in pre-mapped nullpadding

Preventing Use-after-free with Dangling Pointers Nullification 12 Implementation

• Prototype DangNull – Instrumentation: LLVM pass, +389 LoC – Runtime: compiler-rt, +3,955 LoC

• To build target applications, – SPEC CPU 2006: one extra compiler and linker flag – Chromium: +27 LoC to .gyp build configuration file

Preventing Use-after-free with Dangling Pointers Nullification 13 Performance Evaluation

• Chromium browser – Instrumented 140k/16,831k (0.8%) instructions – Passed all unit tests and layout tests – Overall 28.9% overheads on various benchmarks – A page loading time for the Alexa top 100 websites • 7% increased load time – While visiting http://google.com, • 123k shadow objects and 32k shadow pointers • 7k nullifications

Preventing Use-after-free with Dangling Pointers Nullification 14 Conclusion

• Presented DangNull, which detects use-after-free

• Supporting large-scale software

• Non-bypassable to sophisticated attacks

Preventing Use-after-free with Dangling Pointers Nullification 15 Demo

• Running Chromium browser (version 29.0.1547.65) – Hardened using DangNull – Testing use-after-free exploit (PoC) • CVE-2013-2909: Heap-use-after-free in WebCore::RenderBlock::determineStartPosition

Preventing Use-after-free with Dangling Pointers Nullification 16