Preventing Use-after-free with Dangling Pointers Nullification
Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee
Georgia Institute of Technology Stony Brook University Emerging Threat: Use-after-free
Software Vulnerability Exploitation Trends, Microsoft, 2013
2 Emerging Threat: Use-after-free
Software Vulnerability Exploitation Trends, Microsoft, 2013
2 Emerging Threat: Use-after-free
Software Vulnerability Exploitation Trends, Microsoft, 2013
2 Emerging Threat: Use-after-free
13 Security-Critical 582 Security-High
107 0 12 0 Use-after-free Stack Heap Overflow Overflow
The number of reported vulnerabilities in Chrome (2011-2013)
3 Emerging Threat: Use-after-free
13 Security-Critical 582 Security-High
107 0 12 0 Use-after-free Stack Heap Overflow Overflow
The number of reported vulnerabilities in Chrome (2011-2013)
3 Use-after-free
• A dangling pointer – A pointer points to a freed memory region
• Using a dangling pointer leads to undefined program states – Easy to achieve arbitrary code executions – so called use-after-free
Preventing Use-after-free with Dangling Pointers Nullification 4 Understanding Use-after-free
class Doc : public Element { Doc *doc = new Doc(); // … Body *body = new Body(); Element *child; }; doc->child = body; class Body : public Element { delete body; // … Element *child; if (doc->child) }; doc->child->getAlign();
Preventing Use-after-free with Dangling Pointers Nullification 5 Understanding Use-after-free
Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child doc->child = body; Body
delete body; *child *body if (doc->child) doc->child->getAlign();
Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free
Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body
delete body; *child *body if (doc->child) doc->child->getAlign();
Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free
Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body
delete body; *child *body if (doc->child) doc->child->getAlign();
Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free
Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body Free an object delete body; *child *body if (doc->child) doc->child->getAlign();
Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free
Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body Free an object delete body; freed *child *body if (doc->child) doc->child->getAlign();
Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free
Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body if (doc->child) doc->child->getAlign();
Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free
Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body Use a dangling pointer if (doc->child) doc->child->getAlign();
Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free
Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body Use a dangling pointer if (doc->child) doc->child->getAlign();
Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free
Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freedAttacker *childcontrol *body object Use a dangling pointer if (doc->child) doc->child->getAlign();
Preventing Use-after-free with Dangling Pointers Nullification 6 Related Work on Use-after-free
t free control objects use
Safe Allocators Vtable protection AddressSanitizer Control Flow Integrity Delayed free Memory Safety Use-after-free detector
Preventing Use-after-free with Dangling Pointers Nullification 7 Related Work on Use-after-free
t free control objects use
Safe Allocators Vtable protection AddressSanitizer Control Flow Integrity Delayed free Memory Safety Use-after-free detector Make exploitation harder, but still bypassable or Difficult to support large-scale software Preventing Use-after-free with Dangling Pointers Nullification 7 Related Work on Use-after-free
t free control objects use
DangNull Safe Allocators Vtable protection AddressSanitizer Control Flow Integrity Delayed free Memory Safety Use-after-free detector Make exploitation harder, but still bypassable or Difficult to support large-scale software Preventing Use-after-free with Dangling Pointers Nullification 7 DangNull: Use-after-free detector
• Tracking Object Relationships – Coarse grained pointer semantic tracking Support large-scale software
• Nullify dangling pointers – Immediately eliminate all dangling pointers Non-bypassable to sophisticated attacks
Preventing Use-after-free with Dangling Pointers Nullification 8 Tracking Object Relationships
• Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair
Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships
• Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair
Doc *doc = new Doc();
Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships
• Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair
Doc *doc = new Doc();
Insert shadow obj: - Base address of allocation - Size of Doc
Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships
• Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair
Doc *doc = new Doc();
Insert shadow obj: - Base address of allocation
- Size of Doc delete body;
Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships
• Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair
Doc *doc = new Doc(); Remove shadow obj: - Using base address (body)
Insert shadow obj: - Base address of allocation
- Size of Doc delete body;
Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.
doc->child = body;
Doc
*doc *child
Body
*body
Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.
doc->child = body; trace(&doc->child, body);
Doc
*doc *child
Body
*body
Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.
Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body);
Doc
*doc *child Shadow obj. of Body
Body back fwd
*body
Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.
Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body);
Doc Forward
*doc *child Shadow obj. of Body
Body back fwd
*body
Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.
Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body);
Doc Forward
*doc *child Shadow obj. of Body
Body Backward back fwd
*body
Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj.
Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body);
Forward Doc *docThis is coarse grained pointer semantic tracking, *child Shadow obj. of Body but enough to identify all dangling pointers. back fwd Body Backward
*body
Preventing Use-after-free with Dangling Pointers Nullification 10 Nullifying Dangling Pointers
• Nullify all backward pointers of Body, once it is deleted. – All backward pointers of Body are dangling pointers – Dangling pointers have no semantics
Doc
*doc *child
Body
Freed *body
Preventing Use-after-free with Dangling Pointers Nullification 11 Nullifying Dangling Pointers delete body;
Nullification doc->child = NULL if (doc->child) doc->child->getAlign(); Null-dereference is safely contained in pre-mapped nullpadding
Preventing Use-after-free with Dangling Pointers Nullification 12 Nullifying Dangling Pointers delete body;
Nullification docImmediately->child = NULL eliminate all dangling pointers! if (doc->child) doc->child->getAlign(); Null-dereference is safely contained in pre-mapped nullpadding
Preventing Use-after-free with Dangling Pointers Nullification 12 Implementation
• Prototype DangNull – Instrumentation: LLVM pass, +389 LoC – Runtime: compiler-rt, +3,955 LoC
• To build target applications, – SPEC CPU 2006: one extra compiler and linker flag – Chromium: +27 LoC to .gyp build configuration file
Preventing Use-after-free with Dangling Pointers Nullification 13 Performance Evaluation
• Chromium browser – Instrumented 140k/16,831k (0.8%) instructions – Passed all unit tests and layout tests – Overall 28.9% overheads on various benchmarks – A page loading time for the Alexa top 100 websites • 7% increased load time – While visiting http://google.com, • 123k shadow objects and 32k shadow pointers • 7k nullifications
Preventing Use-after-free with Dangling Pointers Nullification 14 Conclusion
• Presented DangNull, which detects use-after-free
• Supporting large-scale software
• Non-bypassable to sophisticated attacks
Preventing Use-after-free with Dangling Pointers Nullification 15 Demo
• Running Chromium browser (version 29.0.1547.65) – Hardened using DangNull – Testing use-after-free exploit (PoC) • CVE-2013-2909: Heap-use-after-free in WebCore::RenderBlock::determineStartPosition
Preventing Use-after-free with Dangling Pointers Nullification 16