Real-World Buffer Overflow Protection for Userspace & Kernelspace

Total Page:16

File Type:pdf, Size:1020Kb

Real-World Buffer Overflow Protection for Userspace & Kernelspace Real-World Buffer Overflow Protection for Userspace & Kernelspace Michael Dalton, Hari Kannan, Christos Kozyrakis Computer Systems Laboratory Stanford University mwdalton, hkannan, kozyraki @stanford.edu { } Abstract Despite decades of research, the available buffer over- Despite having been around for more than 25 years, flow protection mechanisms are partial at best. These buffer overflow attacks are still a major security threat for mechanisms provide protection only in limited situa- deployed software. Existing techniques for buffer over- tions [9], require source code access [51], cause false flow detection provide partial protection at best as they positives in real-world programs [28, 34], can be de- detect limited cases, suffer from many false positives, re- feated by brute force [44], or result in high runtime over- quire source code access, or introduce large performance heads [29]. Additionally, there is no practical mechanism overheads. Moreover, none of these techniques are easily to protect the OS kernel from buffer overflows or unsafe applicable to the operating system kernel. user pointer dereferences. This paper presents a practical security environment Recent research has established dynamic information for buffer overflow detection in userspace and ker- flow tracking (DIFT) as a promising platform for detect- nelspace code. Our techniques build upon dynamic in- ing a wide range of security attacks on unmodified bina- formation flow tracking (DIFT) and prevent the attacker ries. The idea behind DIFT is to tag (taint) untrusted data from overwriting pointers in the application or operat- and track its propagation through the system. DIFT as- ing system. Unlike previous work, our technique does sociates a tag with every memory location in the system. not have false positives on unmodified binaries, protects Any new data derived from untrusted data is also tagged. both data and control pointers, and allows for practi- If tainted data is used in a potentially unsafe manner, cal hardware support. Moreover, it is applicable to the such as dereferencing a tagged pointer, a security excep- kernel and provides robust detection of buffer overflows tion is raised. The generality of the DIFT model has led and user/kernel pointer dereferences. Using a full sys- to the development of several software [31, 32, 38, 51] tem prototype of a Linux workstation (hardware and soft- and hardware [5, 10, 13] implementations. ware), we demonstrate our security approach in practice Current DIFT systems use a security policy based on and discuss the major challenges for robust buffer over- bounds-check recognition (BR) in order to detect buffer flow protection in real-world software. overflows. Under this scheme, tainted information must receive a bounds check before it can be safely deref- 1 Introduction erenced as a pointer. While this technique has been used to defeat several exploits [5, 10, 10, 13], it suf- Buffer overflows remain one of the most critical threats fers from many false positives and false negatives. In to systems security, although they have been prevalent practice, bounds checks are ambiguously defined at best, for over 25 years. Successful exploitation of a buffer and may be completely omitted in perfectly safe situ- overflow attack often results in arbitrary code execu- ations [12, 13]. Thus, the applicability of a BR-based tion, and complete control of the vulnerable application. scheme is limited, rendering it hard to deploy. Many of the most damaging worms and viruses [8, 27] Recent work has proposed a new approach for pre- use buffer overflow attacks. Kernel buffer overflows venting buffer overflows using DIFT [19]. This novel are especially potent as they can override any protection technique prevents pointer injection (PI) by the attacker. mechanisms, such as Solaris jails or SELinux access con- Most buffer overflow attacks are exploited by corrupt- trols. Remotely exploitable buffer overflows have been ing and overwriting legitimate application pointers. This found in modern operating systems including Linux [23], technique prevents such pointer corruption and does not Windows XP and Vista [48], and OpenBSD [33]. rely on recognizing bounds checks, avoiding the false USENIX Association 17th USENIX Security Symposium 395 positives associated with BR-based analyses. However, 2.1 Existing Buffer Overflow Solutions this work has never been applied to a large application, or the operating system kernel. Moreover, this technique Many solutions have been proposed to prevent pointer or requires hardware that is extremely complex and imprac- code corruption by untrusted data. Unfortunately, the so- tical to build. lutions deployed in existing systems have drawbacks that This paper presents a practical approach for prevent- prevent them from providing comprehensive protection ing buffer overflows in userspace and kernelspace using against buffer overflows. a pointer injection-based DIFT analysis. Our approach Canary-based buffer overflow protection uses a ran- identifies and tracks all legitimate pointers in the appli- dom, word-sized canary value to detect overwrites of cation. Untrusted input must be combined with a legiti- protected data. Canaries are placed before the begin- mate pointer before being dereferenced. Failure to do so ning of protected data and the value of the canary is ver- will result in a security exception. ified each time protected data is used. A standard buffer The specific contributions of this work are: overflow attack will change the canary value before over- writing protected data, and thus canary checks provide We present the first DIFT policy for buffer overflow buffer overflow detection. Software implementations of • prevention that runs on stripped, unmodified bina- canaries typically require source code access and have ries, protects both code and data pointers, and runs been used to protect stack linking information [16] and on real-world applications such as GCC and Apache heap chunk metadata [39]. Related hardware canary im- without false positives. plementations [21, 46] have been proposed to protect the stack return address and work with unmodified binaries. We demonstrate that the same policy is applicable to • However, buffer overflows may be exploited with- the Linux kernel. It is the first security policy to dy- out overwriting canary values in many situations. For namically protect the kernel code from buffer over- example, in a system with stack canaries, buffer over- flows and user-kernel pointer dereferences without flows may overwrite local variables, even function point- introducing false positives. ers, because the stack canary only protects stack link- ing information. Similarly, heap overflows can overwrite We use a full-system DIFT prototype based on the • neighboring variables in the same heap chunk without SPARC V8 processor to demonstrate the integra- overwriting canaries. Additionally, this technique may tion of hardware and software techniques for robust change data structure layout by inserting canary words, protection against buffer overflows. Our results are breaking compatibility with legacy applications. Canary- evaluated on a Gentoo Linux platform. We show based approaches also do not protect other memory re- that hardware support requirements are reasonable gions such as the global data segment, BSS or custom and that the performance overhead is minimal. heap allocation arenas. Non-executable data protection prevents stack or We discuss practical shortcomings of our approach, • heap data from being executed as code. Modern hard- and discuss how flaws can be mitigated using addi- ware platforms, including the x86, support this technique tional security policies based on DIFT. by enforcing executable permissions on a per-page basis. The remainder of the paper is organized as follows. However, this approach breaks backwards compatibility Section 2 reviews related work. Section 3 summarizes with legacy applications that generate code at runtime the Raksha architecture and our full-system prototype. on the heap or stack. More importantly, this approach Section 4 presents our policy for buffer overflow protec- only prevents buffer overflow exploits that rely on code tion for userspace applications, while Section 5 extends injection. Rather than injecting new code, attackers can the protection to the operating system kernel. Section 6 take control of an application by using existing code in discusses weaknesses in our approach, and how they can the application or libraries. This form of attack, known be mitigated with other buffer overflow prevention poli- as a return-into-libc exploit, can perform arbitrary com- cies. Finally, Section 7 concludes the paper. putations and in practice is just as powerful as a code injection attack [43]. Address space layout randomization (ASLR) is a 2 Related Work buffer overflow defense that randomizes the memory lo- cations of system components [34]. In a system with Buffer overflow prevention is an active area of research ASLR, the base address of each memory region (stack, with decades of history. This section summarizes the executable, libraries, heap) is randomized at startup. A state of the art in buffer overflow prevention and the standard buffer overflow attack will not work reliably, shortcomings of currently available approaches. as the security-critical information is not easy to locate 396 17th USENIX Security Symposium USENIX Association in memory. ASLR has been adopted on both Linux whether tagged input can ever be validated by applica- and Windows platforms.
Recommended publications
  • Tesi Final Marco Oliverio.Pdf
    i Abstract Advancements in exploitation techniques call for the need of advanced defenses. Modern operating systems have to face new sophisticate attacks that do not rely on any programming mistake, rather they exploit leaking information from computational side effects (side-channel attacks) or hardware glitches (rowhammer attacks). Mitigating these new attacks poses new challanges and involves delicate trade-offs, balancing security on one side and performance, simplicity, and compatibility on the other. In this disseration we explore the attack surface exposed by page fusion, a memory saving optimization in modern operating systems and, after that, a secure page fusion implementation called VUsion is shown. We then propose a complete and compatible software solution to rowhammer attacks called ZebRAM. Lastly, we show OpenCAL, a free and general libray for the implementation of Cellular Automata, that can be used in several security scenarios. iii Acknowledgements I would like to thank my Supervisor prof. Andrea Pugliese for the encouragement and the extremely valuable advice that put me in a fruitful and exciting research direction. A hearty acknowledgment goes to Kaveh Razavi, Cristiano Giuffrida, Herbert Bos and all the VUSec group of the Vrije Universiteit of Amsterdam. I felt at home from day one and I found myself surrounded by brilliant researchers and good friends. v Contents Abstract i Acknowledgements iii Introduction1 1 VUsion3 1.1 Introduction...................................3 1.2 Page Fusion...................................5 1.2.1 Linux Kernel Same-page Merging...................5 1.2.2 Windows Page Fusion.........................7 1.3 Threat Model..................................8 1.4 Known Attack Vectors.............................8 1.4.1 Information Disclosure.........................8 1.4.2 Flip Feng Shui.............................9 1.5 New Attack Vectors..............................
    [Show full text]
  • An In-Depth Study with All Rust Cves
    Memory-Safety Challenge Considered Solved? An In-Depth Study with All Rust CVEs HUI XU, School of Computer Science, Fudan University ZHUANGBIN CHEN, Dept. of CSE, The Chinese University of Hong Kong MINGSHEN SUN, Baidu Security YANGFAN ZHOU, School of Computer Science, Fudan University MICHAEL R. LYU, Dept. of CSE, The Chinese University of Hong Kong Rust is an emerging programing language that aims at preventing memory-safety bugs without sacrificing much efficiency. The claimed property is very attractive to developers, and many projects start usingthe language. However, can Rust achieve the memory-safety promise? This paper studies the question by surveying 186 real-world bug reports collected from several origins which contain all existing Rust CVEs (common vulnerability and exposures) of memory-safety issues by 2020-12-31. We manually analyze each bug and extract their culprit patterns. Our analysis result shows that Rust can keep its promise that all memory-safety bugs require unsafe code, and many memory-safety bugs in our dataset are mild soundness issues that only leave a possibility to write memory-safety bugs without unsafe code. Furthermore, we summarize three typical categories of memory-safety bugs, including automatic memory reclaim, unsound function, and unsound generic or trait. While automatic memory claim bugs are related to the side effect of Rust newly-adopted ownership-based resource management scheme, unsound function reveals the essential challenge of Rust development for avoiding unsound code, and unsound generic or trait intensifies the risk of introducing unsoundness. Based on these findings, we propose two promising directions towards improving the security of Rust development, including several best practices of using specific APIs and methods to detect particular bugs involving unsafe code.
    [Show full text]
  • Ensuring the Spatial and Temporal Memory Safety of C at Runtime
    MemSafe: Ensuring the Spatial and Temporal Memory Safety of C at Runtime Matthew S. Simpson, Rajeev K. Barua Department of Electrical & Computer Engineering University of Maryland, College Park College Park, MD 20742-3256, USA fsimpsom, [email protected] Abstract—Memory access violations are a leading source of dereferencing pointers obtained from invalid pointer arith- unreliability in C programs. As evidence of this problem, a vari- metic; and dereferencing uninitialized, NULL or “manufac- ety of methods exist that retrofit C with software checks to detect tured” pointers.1 A temporal error is a violation caused by memory errors at runtime. However, these methods generally suffer from one or more drawbacks including the inability to using a pointer whose referent has been deallocated (e.g. with detect all errors, the use of incompatible metadata, the need for free) and is no longer a valid object. The most well-known manual code modifications, and high runtime overheads. temporal violations include dereferencing “dangling” point- In this paper, we present a compiler analysis and transforma- ers to dynamically allocated memory and freeing a pointer tion for ensuring the memory safety of C called MemSafe. Mem- more than once. Dereferencing pointers to automatically allo- Safe makes several novel contributions that improve upon previ- ous work and lower the cost of safety. These include (1) a method cated memory (stack variables) is also a concern if the address for modeling temporal errors as spatial errors, (2) a compati- of the referent “escapes” and is made available outside the ble metadata representation combining features of object- and function in which it was defined.
    [Show full text]
  • Improving Memory Management Security for C and C++
    Improving memory management security for C and C++ Yves Younan, Wouter Joosen, Frank Piessens, Hans Van den Eynden DistriNet, Katholieke Universiteit Leuven, Belgium Abstract Memory managers are an important part of any modern language: they are used to dynamically allocate memory for use in the program. Many managers exist and depending on the operating system and language. However, two major types of managers can be identified: manual memory allocators and garbage collectors. In the case of manual memory allocators, the programmer must manually release memory back to the system when it is no longer needed. Problems can occur when a programmer forgets to release it (memory leaks), releases it twice or keeps using freed memory. These problems are solved in garbage collectors. However, both manual memory allocators and garbage collectors store management information for the memory they manage. Often, this management information is stored where a buffer overflow could allow an attacker to overwrite this information, providing a reliable way to achieve code execution when exploiting these vulnerabilities. In this paper we describe several vulnerabilities for C and C++ and how these could be exploited by modifying the management information of a representative manual memory allocator and a garbage collector. Afterwards, we present an approach that, when applied to memory managers, will protect against these attack vectors. We implemented our approach by modifying an existing widely used memory allocator. Benchmarks show that this implementation has a negligible, sometimes even beneficial, impact on performance. 1 Introduction Security has become an important concern for all computer users. Worms and hackers are a part of every day internet life.
    [Show full text]
  • Buffer Overflows Buffer Overflows
    L15: Buffer Overflow CSE351, Spring 2017 Buffer Overflows CSE 351 Spring 2017 Instructor: Ruth Anderson Teaching Assistants: Dylan Johnson Kevin Bi Linxing Preston Jiang Cody Ohlsen Yufang Sun Joshua Curtis L15: Buffer Overflow CSE351, Spring 2017 Administrivia Homework 3, due next Friday May 5 Lab 3 coming soon 2 L15: Buffer Overflow CSE351, Spring 2017 Buffer overflows Address space layout (more details!) Input buffers on the stack Overflowing buffers and injecting code Defenses against buffer overflows 3 L15: Buffer Overflow CSE351, Spring 2017 not drawn to scale Review: General Memory Layout 2N‐1 Stack Stack . Local variables (procedure context) Heap . Dynamically allocated as needed . malloc(), calloc(), new, … Heap Statically allocated Data . Read/write: global variables (Static Data) Static Data . Read‐only: string literals (Literals) Code/Instructions Literals . Executable machine instructions Instructions . Read‐only 0 4 L15: Buffer Overflow CSE351, Spring 2017 not drawn to scale x86‐64 Linux Memory Layout 0x00007FFFFFFFFFFF Stack Stack . Runtime stack has 8 MiB limit Heap Heap . Dynamically allocated as needed . malloc(), calloc(), new, … Statically allocated data (Data) Shared Libraries . Read‐only: string literals . Read/write: global arrays and variables Code / Shared Libraries Heap . Executable machine instructions Data . Read‐only Instructions Hex Address 0x400000 0x000000 5 L15: Buffer Overflow CSE351, Spring 2017 not drawn to scale Memory Allocation Example Stack char big_array[1L<<24]; /* 16 MB */ char huge_array[1L<<31]; /* 2 GB */ int global = 0; Heap int useless() { return 0; } int main() { void *p1, *p2, *p3, *p4; Shared int local = 0; Libraries p1 = malloc(1L << 28); /* 256 MB */ p2 = malloc(1L << 8); /* 256 B */ p3 = malloc(1L << 32); /* 4 GB */ p4 = malloc(1L << 8); /* 256 B */ Heap /* Some print statements ..
    [Show full text]
  • Memory Vulnerability Diagnosis for Binary Program
    ITM Web of Conferences 7 03004 , (2016) DOI: 10.1051/itmconf/20160703004 ITA 2016 Memory Vulnerability Diagnosis for Binary Program Feng-Yi TANG, Chao FENG and Chao-Jing TANG College of Electronic Science and Engineering National University of Defense Technology Changsha, China Abstract. Vulnerability diagnosis is important for program security analysis. It is a further step to understand the vulnerability after it is detected, as well as a preparatory step for vulnerability repair or exploitation. This paper mainly analyses the inner theories of major memory vulnerabilities and the threats of them. And then suggests some methods to diagnose several types of memory vulnerabilities for the binary programs, which is a difficult task due to the lack of source code. The diagnosis methods target at buffer overflow, use after free (UAF) and format string vulnerabilities. We carried out some tests on the Linux platform to validate the effectiveness of the diagnosis methods. It is proved that the methods can judge the type of the vulnerability given a binary program. 1 Introduction (or both) the memory area. These headers can contain some information like size, used or not, and etc. Memory vulnerabilities are difficult to detect and diagnose Therefore, we can monitor the allocator so as to especially for those do not crash the program. Due to its determine the base address and the size of the allocation importance, vulnerability diagnosis problem has been areas. Then, check all STORE and LOAD accesses in intensively studied. Researchers have proposed different memory to see which one is outside the allocated area. techniques to diagnose memory vulnerabilities.
    [Show full text]
  • A Buffer Overflow Study
    A Bu®er Overflow Study Attacks & Defenses Pierre-Alain FAYOLLE, Vincent GLAUME ENSEIRB Networks and Distributed Systems 2002 Contents I Introduction to Bu®er Overflows 5 1 Generalities 6 1.1 Process memory . 6 1.1.1 Global organization . 6 1.1.2 Function calls . 8 1.2 Bu®ers, and how vulnerable they may be . 10 2 Stack overflows 12 2.1 Principle . 12 2.2 Illustration . 12 2.2.1 Basic example . 13 2.2.2 Attack via environment variables . 14 2.2.3 Attack using gets . 16 3 Heap overflows 18 3.1 Terminology . 18 3.1.1 Unix . 18 3.1.2 Windows . 18 3.2 Motivations and Overview . 18 3.3 Overwriting pointers . 19 3.3.1 Di±culties . 20 3.3.2 Interest of the attack . 20 3.3.3 Practical study . 20 3.4 Overwriting function pointers . 24 3.4.1 Pointer to function: short reminder . 24 3.4.2 Principle . 24 3.4.3 Example . 25 3.5 Trespassing the heap with C + + . 28 3.5.1 C++ Background . 28 3.5.2 Overwriting the VPTR . 31 3.5.3 Conclusions . 32 3.6 Exploiting the malloc library . 33 3.6.1 DLMALLOC: structure . 33 3.6.2 Corruption of DLMALLOC: principle . 34 II Protection solutions 37 4 Introduction 38 1 5 How does Libsafe work? 39 5.1 Presentation . 39 5.2 Why are the functions of the libC unsafe ? . 39 5.3 What does libsafe provide ? . 40 6 The Grsecurity Kernel patch 41 6.1 Open Wall: non-executable stack .
    [Show full text]
  • Buffer Overflow and Format String Overflow Vulnerabilities 3
    Syracuse University SURFACE Electrical Engineering and Computer Science College of Engineering and Computer Science 2002 Buffer Overflow and ormatF String Overflow ulnerV abilities Kyung-suk Lhee Syracuse University Steve J. Chapin Syracuse University Follow this and additional works at: https://surface.syr.edu/eecs Part of the Computer Sciences Commons Recommended Citation Lhee, Kyung-suk and Chapin, Steve J., "Buffer Overflow and ormatF String Overflow ulnerV abilities" (2002). Electrical Engineering and Computer Science. 96. https://surface.syr.edu/eecs/96 This Article is brought to you for free and open access by the College of Engineering and Computer Science at SURFACE. It has been accepted for inclusion in Electrical Engineering and Computer Science by an authorized administrator of SURFACE. For more information, please contact [email protected]. SOFTWARE|PRACTICE AND EXPERIENCE Softw. Pract. Exper. 2002; 00:1{7 Bu®er Overflow and Format String Overflow Vulnerabilities Kyung-Suk Lhee and Steve J. Chapin¤,y Center for Systems Assurance, Syracuse University, Syracuse, NY 13210 SUMMARY Bu®er overflow vulnerabilities are among the most widespread of security problems. Numerous incidents of bu®er overflow attacks have been reported and many solutions have been proposed, but a solution that is both complete and highly practical is yet to be found. Another kind of vulnerability called format string overflow has recently been found, and though not as popular as bu®er overflow, format string overflow attacks are no less dangerous. This article surveys representative techniques of exploiting bu®er overflow and format string overflow vulnerabilities and their currently available defensive measures. We also describe our bu®er overflow detection technique that range checks the referenced bu®ers at run time.
    [Show full text]
  • Chapter 10 Buffer Overflow Buffer Overflow
    Chapter 10 Buffer Overflow Buffer Overflow ● Common attack mechanism ○ first wide use by the Morris Worm in 1988 ● Prevention techniques known ○ NX bit, stack canaries, ASLR ● Still of major concern ○ Recent examples: Shellshock, Hearthbleed Buffer Overflow/Buffer Overrun Definition: A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. Buffer Overflow Basics ● Programming error when a process attempts to store data beyond the limits of a fixed-sized buffer ● Overwrites adjacent memory locations ○ locations may hold other program variables, parameters, or program control flow data ○ buffer could be located on the stack, in the heap, or in the data section of the process ● Consequences: ○ corruption of program data ○ unexpected transfer of control ○ memory access violations Basic Buffer Overflow Example Basic Buffer Overflow Stack Values Buffer Overflow Attacks Attacker needs: ● To identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker’s control ● To understand how that buffer is stored in memory and determine potential for corruption Identifying vulnerable programs can be done by: ● inspection of program source ● tracing the execution of programs as they process oversized input ● using tools such as fuzzing to automatically identify
    [Show full text]
  • Towards Efficient Heap Overflow Discovery
    Towards Efficient Heap Overflow Discovery Xiangkun Jia, TCA/SKLCS, Institute of Software, Chinese Academy of Sciences; Chao Zhang, Institute for Network Science and Cyberspace, Tsinghua University; Purui Su, Yi Yang, Huafeng Huang, and Dengguo Feng, TCA/SKLCS, Institute of Software, Chinese Academy of Sciences https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/jia This paper is included in the Proceedings of the 26th USENIX Security Symposium August 16–18, 2017 • Vancouver, BC, Canada ISBN 978-1-931971-40-9 Open access to the Proceedings of the 26th USENIX Security Symposium is sponsored by USENIX Towards Efficient Heap Overflow Discovery Xiangkun Jia1;3, Chao Zhang2 , Purui Su1;3 , Yi Yang1, Huafeng Huang1, Dengguo Feng1 1TCA/SKLCS, Institute of Software, Chinese Academy of Sciences 2Institute for Network Science and Cyberspace 3University of Chinese Academy of Sciences Tsinghua University {jiaxiangkun, yangyi, huanghuafeng, feng}@tca.iscas.ac.cn [email protected] [email protected] Abstract to attack. As the heap layout is not deterministic, heap Heap overflow is a prevalent memory corruption vulner- overflow vulnerabilities are in general harder to exploit ability, playing an important role in recent attacks. Find- than stack corruption vulnerabilities. But attackers could ing such vulnerabilities in applications is thus critical for utilize techniques like heap spray [16] and heap feng- security. Many state-of-art solutions focus on runtime shui [43] to arrange the heap layout and reliably launch detection, requiring abundant inputs to explore program attacks, making heap overflow a realistic threat. paths in order to reach a high code coverage and luckily Several solutions are proposed to protect heap overflow trigger security violations.
    [Show full text]
  • Comprehensively and Efficiently Protecting the Heap ∗
    Appears in the Proceedings of the 12th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS XII), October 2006. Comprehensively and Efficiently Protecting the Heap ∗ Mazen Kharbutli Xiaowei Jiang Yan Solihin Guru Venkataramani Milos Prvulovic Jordan Univ. of Science and Technology North Carolina State University Georgia Institute of Technology [email protected] {xjiang,solihin}@ece.ncsu.edu {guru,milos}@cc.gatech.edu Abstract of altering the program behavior when it uses V . Attackers may use The goal of this paper is to propose a scheme that provides com- a variety of well-known techniques to overwrite M with V ,suchas prehensive security protection for the heap. Heap vulnerabilities are buffer overflows, integer overflows,andformat strings, typically by increasingly being exploited for attacks on computer programs. In supplying unexpected external input (e.g. network packets) to the most implementations, the heap management library keeps the heap application. The desired program behavior alteration may include meta-data (heap structure information) and the application’s heap direct control flow modifications in which M contains control flow data in an interleaved fashion and does not protect them against information such as function pointers, return addresses, and condi- each other. Such implementations are inherently unsafe: vulnera- tional branch target addresses. Alternatively, attackers may choose bilities in the application can cause the heap library to perform un- to indirectly change program behavior by modifying critical data intended actions to achieve control-flow and non-control attacks. that determines program behavior. Unfortunately, current heap protection techniques are limited Researchers have shown that the stack is vulnerable to over- in that they use too many assumptions on how the attacks will writes, so many protection schemes have been proposed to protect be performed, require new hardware support, or require too many it.
    [Show full text]
  • Memory Management
    Memory Management Advanced Operating System Lecture 5 Colin Perkins | https://csperkins.org/ | Copyright © 2017 | This work is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. Lecture Outline • Virtual memory • Layout of a processes address space • Stack • Heap • Program text, shared libraries, etc. • Memory management Colin Perkins | https://csperkins.org/ | Copyright © 2017 2 Virtual Memory (1) • Processes see virtual addresses – each process believes it has access to the entire address space • Kernel programs the MMU (“memory management unit”) to translate these into physical addresses, representing real memory – mapping changed each context switch to another process Main memory! CPU chip! 0:! Virtual! Address! Physical! 1:! address! translation! address! 2:! (VA)! (PA)! 3:! CPU! MMU! 4:! 4100 4 5:! 6:! 7:! ... ! Source: Bryant & O’Hallaron, “Computer Systems: A Programmer’s Perspective”, 3rd Edition, Pearson, 2016. Fig. 9.2. http://csapp.cs.cmu.edu/ M-1:! 3e/figures.html (website grants permission for lecture use with attribution) Data word! Colin Perkins | https://csperkins.org/ | Copyright © 2017 3 Virtual Memory (2) Virtual address spaces! Physical memory! • Virtual-to-physical memory mapping 0! 0! Address translation! can be unique or shared VP 1! Process i:! VP 2! • Unique mappings typical – physical memory N-1! owned by a single process Shared page! • Shared mappings allow one read-only copy 0! Process j:! VP 1! of a shared library to be accessed by many VP 2! processes N-1! M-1! Source: Bryant & O’Hallaron, “Computer Systems: A Programmer’s Perspective”, • Memory protection done at page level – each 3rd Edition, Pearson, 2016.
    [Show full text]