DOCSLIB.ORG

Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities 1 Who are We? • Wei Wu @wu_xiao_wei • Visiting scholar at JD.com • Conducting research on software security in Enterprise Settings • Visiting Scholar at Penn State University • Vulnerability analysis • Reverse engineering • Memory forensics • Symbolic execution • Malware dissection • Static analysis • Final year PhD candidate at UCAS • Knowledge-driven vulnerability analysis • Co-founder of CTF team Never Stop Exploiting.(2015) • ctftime 2017 ranking 4th team in China • I am on market. 2 Who are We? (cont) Xinyu Xing • Jimmy Su • Visiting scholar at JD.com • Head of JD security research center • Conducting research on software • Vulnerability identification and exploitation and hardware security in in Enterprise Settings Enterprise Settings • Red Team • Assistant Professor at Penn State • JD IoT device security assessments University • Risk control • Advising PhD students and • Data security conducting many research projects • Container security on • Vulnerability identification • Vulnerability analysis • Exploit development facilitation • Memory forensics • Deep learning for software security • Binary analysis 3 • … What are We Talking about? • Discuss the challenge of exploit development • Introduce an automated approach to facilitate exploit development • Demonstrate how the new technique facilitate mitigation circumvention 4 Background • All software contain bugs, and # of bugs grows with the increase of software complexity • E.g., Syzkaller/Syzbot reports 800+ Linux kernel bugs in 8 months • Due to the lack of manpower, it is very rare that a software development team could patch all the bugs timely • E.g., A Linux kernel bug could be patched in a single day or more than 8 months; on average, it takes 42 days to fix one kernel bug • The best strategy for software development team is to prioritize their remediation efforts for bug fix • E.g. based on its influence upon usability • E.g., based on its influence upon software security • E.g., based on the types of the bugs • … … 5 Background (cont.) • Most common strategy is to fix a bug based on its exploitability • To determine the exploitability of a bug, analysts generally have to write a working exploit, which needs 1) Significant manual efforts 2) Sufficient security expertise 3) Extensive experience in target software 6 Crafting an Exploit for Kernel Use-After-Free Dangling ptr syscall_A(…) syscall_M(…) occurrence Object carefully Proper time selected window to perform Freed heap spray object syscall_B(…) Dangling ptr 1. Use control over program counter (rip) to dereference hijack control flow 2. Use the ability to write arbitrary content to arbitrary address to escalate privilege kernel panic 3. … 7 Challenge 1: Needs Intensive Manual Efforts Dangling ptr syscall_A(…) • Analyze the kernel panic occurrence • Manually track down 1. The site of dangling pointer Freed occurrence and the corresponding object system call 2. The site of dangling pointer dereference and the corresponding syscall_B(…) system call Dangling ptr dereference kernel panic 8 Challenge 2: Needs Extensive Expertise in Kernel • Identify all the candidate objects that syscall_M(…) can be sprayed to the region of the Object freed object carefully • Pinpoint the proper system calls that selected allow an analyst to perform heap spray Freed • Figure out the proper arguments and object context for the system call to allocate the candidate objects 9 Challenge 3: Needs Security Expertise • Find proper approaches to accomplish 1. Use control over program arbitrary code execution or privilege counter (rip) to perform arbitrary code execution escalation or memory leakage 2. Use the ability to write • E.g., chaining ROP arbitrary content to arbitrary • E.g., crafting shellcode address to escalate • … privilege 3. … kernel panic 10 Some Past Research Potentially Tackling the Challenges • Approaches for Challenge 1 • Nothing I am aware of, but simply extending KASAN could potentially solve this problem • Approaches for Challenge 2 • [Blackhat07] [Blackhat15] [USENIX-SEC18] • Approaches for Challenge 3 • [NDSS’11] [S&P16], [S&P17] [NDSS11] Avgerinos et al., AEG: Automatic Exploit Generation. [Blackhat 15] Xu et al., Ah! Universal android rooting is back. [S&P16] Shoshitaishvili et al., Sok:(state of) the art of war: Offensive techniques in binary analysis. [USENIX-SEC18] Heelan et al., Automatic Heap Layout Manipulation for Exploitation. [S&P17] Bao et al., Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits. [Blackhat07] Sotirov, Heap Feng Shui in JavaScript 11 12 Roadmap • Unsolved challenges in exploitation facilitation • Our techniques -- FUZE • Demonstration with real-world Linux kernel vulnerabilities • Conclusion 13 A Real-World Example (CVE-2017-15649) setsockopt(…) insert a node Head node next next next prev prev prev 14 A Real-World Example (CVE 2017-15649) close(…) free node but not completely removed from the list Head node next next next prev prev prev dangling ptr 15 Challenge 4: No Primitive Needed for Exploitation Obtain an ability to write Node newly unmanageable data to crafted Head node unmanageable address next next next prev prev prev next dangling ptr prev 16 No Useful Primitive == Unexploitable?? Dangling ptr Obtain the primitive – write occurrence unmanageable data to unmanageable region Obtain the primitive – hijack Dangling ptr control flow (control over rip) dereference sendmsg(…) kernel panic 17 Roadmap • Unsolved challenges in exploitation facilitation • Our techniques -- FUZE • Evaluation with real-world Linux kernel vulnerabilities • Conclusion 18 FUZE – Extracting Critical Info. User space • Identifying the site of dangling pointer occurrence, and that of its Kernel space dereference; pinpointing the corresponding system calls syscall_B Freed object syscall_A CR4 19 FUZE – Performing Kernel Fuzzing User space • Identifying the site of dangling pointer occurrence, and that of its Kernel space dereference; pinpointing the corresponding system calls syscall_B • Performing kernel fuzzing between syscall_C the two sites and exploring other syscall_D syscall_E panic contexts (i.e., different sites syscall_M where the vulnerable object is dereferenced) syscall_A 20 FUZE – Performing Symbolic Execution User space • Identifying the site of dangling pointer occurrence, and that of its Kernel space dereference; pinpointing the corresponding system calls syscall_B • Performing kernel fuzzing between ? the two sites and exploring other syscall_C panic contexts (i.e., different sites syscall_D syscall_E where the vulnerable object is syscall_M dereferenced) ? • Symbolically execute at the sites of ? the dangling pointer dereference ? Freed Set symbolic value object for each byte ? ? 21 ? Crafting Working Exploits Step by Step Identifying Critical Info. Performing Kernel Fuzzing Symbolic Execution 22 Critical Information Extraction • Goal: identifying following critical information • Vulnerable object syscall_B • Free site • Dereference site Freed • Syscalls in PoC tied to corresponding free and object time dereference window • Time window between free and dereference • Methodology: syscall_A • Instrument the PoC with ftrace and generate ftrace log • instrument kernel with KASAN • Combining both ftrace and KASAN log for analysis 23 Critical Information Extraction (cont) void *task1(void *unused) { • ... Goal: identifying following critical information write_ftrace_marker(1); • Vulnerable object int err = setsockopt(...); Unique ID for each • Free site write_ftrace_marker(1); syscallin PoC • } Dereference site void *task2(void *unused) { • Syscalls in PoC tied to corresponding free and write_ftrace_marker(2); dereference int err = bind(...); • Time window between free and dereference write_ftrace_marker(2); } • Methodology: … • Instrument the PoC with ftrace[1] and generate void loop_race(){ ... ftrace log } • instrument kernel with KASAN[2] int main(){ • Combining both ftrace and KASAN log for analysis ftrace_kmem_trace_enable(); loop_race(); [1] ftrace. https://www.kernel.org/doc/Documentation/trace/ftrace.txt } 24 [2] kasan. https://github.com/google/kasan/wiki Critical Information Extraction (cont) ... BUG: KASAN: use-after-free poc-7271 : tracing_mark_write: executing syscall: setsockopt in dev_add_pack+0x304/0x310 poc-7272 : tracing_mark_write: executing syscall: bind Write of size 8 at addr poc-7271 : kmalloc: call_site=... ptr=ffff88003280e600 ffff88003280ee70 bytes_req=2176 bytes_alloc=4352 gfp_flags=GFP_KERNEL by task poc/2678 ... Call Trace: poc-7271 : tracing_mark_write: finished syscall: setsockopt ... ... poc-7272 : tracing_mark_write: finished syscall: bind Allocated by task 7271: ... ...(allocation trace) poc-2678 : tracing_mark_write: executing syscall: close Freed by task 2678: poc-2678 : kfree: call_site=... ptr=ffff88003280e600 ...(free trace) ... The buggy address belongs poc-2678 : tracing_mark_write: finished syscall: close to the object at poc-2678 : tracing_mark_write: executing syscall: socket ffff88003280e600 ... end of ftrace which belongs to the cache KASAN warning kmalloc-4096 of size 4096 close socket pid:2678 dangling pointer setsockopt free site dereference site pid:7271 allocation site bind pid:7272 25 Critical Information Extraction (cont) void loop_race() { void *task1(void *unused) { ... ... while(1) { int err = setsockopt(fd, fd = socket(AF_PACKET, SOCK_RAW, 0x107, 18, ..., ...); htons(ETH_P_ALL)); } ..
Load more

Recommended publications
  • Memory Safety Without Garbage Collection for Embedded Applications
    Memory Safety Without Garbage Collection for Embedded Applications DINAKAR DHURJATI, SUMANT KOWSHIK, VIKRAM ADVE, and CHRIS LATTNER University of Illinois at Urbana-Champaign Traditional approaches to enforcing memory safety of programs rely heavily on run-time checks of memory accesses and on garbage collection, both of which are unattractive for embedded ap- plications. The goal of our work is to develop advanced compiler techniques for enforcing memory safety with minimal run-time overheads. In this paper, we describe a set of compiler techniques that, together with minor semantic restrictions on C programs and no new syntax, ensure memory safety and provide most of the error-detection capabilities of type-safe languages, without using garbage collection, and with no run-time software checks, (on systems with standard hardware support for memory management). The language permits arbitrary pointer-based data structures, explicit deallocation of dynamically allocated memory, and restricted array operations. One of the key results of this paper is a compiler technique that ensures that dereferencing dangling pointers to freed memory does not violate memory safety, without annotations, run-time checks, or garbage collection, and works for arbitrary type-safe C programs. Furthermore, we present a new inter- procedural analysis for static array bounds checking under certain assumptions. For a diverse set of embedded C programs, we show that we are able to ensure memory safety of pointer and dy- namic memory usage in all these programs with no run-time software checks (on systems with standard hardware memory protection), requiring only minor restructuring to conform to simple type restrictions. Static array bounds checking fails for roughly half the programs we study due to complex array references, and these are the only cases where explicit run-time software checks would be needed under our language and system assumptions.
    [Show full text]
  • Memory Leak Or Dangling Pointer
    Modern C++ for Computer Vision and Image Processing Igor Bogoslavskyi Outline Using pointers Pointers are polymorphic Pointer “this” Using const with pointers Stack and Heap Memory leaks and dangling pointers Memory leak Dangling pointer RAII 2 Using pointers in real world Using pointers for classes Pointers can point to objects of custom classes: 1 std::vector<int> vector_int; 2 std::vector<int >* vec_ptr = &vector_int; 3 MyClass obj; 4 MyClass* obj_ptr = &obj; Call object functions from pointer with -> 1 MyClass obj; 2 obj.MyFunc(); 3 MyClass* obj_ptr = &obj; 4 obj_ptr->MyFunc(); obj->Func() (*obj).Func() ↔ 4 Pointers are polymorphic Pointers are just like references, but have additional useful properties: Can be reassigned Can point to ‘‘nothing’’ (nullptr) Can be stored in a vector or an array Use pointers for polymorphism 1 Derived derived; 2 Base* ptr = &derived; Example: for implementing strategy store a pointer to the strategy interface and initialize it with nullptr and check if it is set before calling its methods 5 1 #include <iostream > 2 #include <vector > 3 using std::cout; 4 struct AbstractShape { 5 virtual void Print() const = 0; 6 }; 7 struct Square : public AbstractShape { 8 void Print() const override { cout << "Square\n";} 9 }; 10 struct Triangle : public AbstractShape { 11 void Print() const override { cout << "Triangle\n";} 12 }; 13 int main() { 14 std::vector<AbstractShape*> shapes; 15 Square square; 16 Triangle triangle; 17 shapes.push_back(&square); 18 shapes.push_back(&triangle); 19 for (const auto* shape : shapes) { shape->Print(); } 20 return 0; 21 } 6 this pointer Every object of a class or a struct holds a pointer to itself This pointer is called this Allows the objects to: Return a reference to themselves: return *this; Create copies of themselves within a function Explicitly show that a member belongs to the current object: this->x(); 7 Using const with pointers Pointers can point to a const variable: 1 // Cannot change value , can reassign pointer.
    [Show full text]
  • An Evolutionary Study of Linux Memory Management for Fun and Profit Jian Huang, Moinuddin K
    An Evolutionary Study of Linux Memory Management for Fun and Profit Jian Huang, Moinuddin K. Qureshi, and Karsten Schwan, Georgia Institute of Technology https://www.usenix.org/conference/atc16/technical-sessions/presentation/huang This paper is included in the Proceedings of the 2016 USENIX Annual Technical Conference (USENIX ATC ’16). June 22–24, 2016 • Denver, CO, USA 978-1-931971-30-0 Open access to the Proceedings of the 2016 USENIX Annual Technical Conference (USENIX ATC ’16) is sponsored by USENIX. An Evolutionary Study of inu emory anagement for Fun and rofit Jian Huang, Moinuddin K. ureshi, Karsten Schwan Georgia Institute of Technology Astract the patches committed over the last five years from 2009 to 2015. The study covers 4587 patches across Linux We present a comprehensive and uantitative study on versions from 2.6.32.1 to 4.0-rc4. We manually label the development of the Linux memory manager. The each patch after carefully checking the patch, its descrip- study examines 4587 committed patches over the last tions, and follow-up discussions posted by developers. five years (2009-2015) since Linux version 2.6.32. In- To further understand patch distribution over memory se- sights derived from this study concern the development mantics, we build a tool called MChecker to identify the process of the virtual memory system, including its patch changes to the key functions in mm. MChecker matches distribution and patterns, and techniues for memory op- the patches with the source code to track the hot func- timizations and semantics. Specifically, we find that tions that have been updated intensively.
    [Show full text]
  • Diehard: Probabilistic Memory Safety for Unsafe Languages
    DieHard: Probabilistic Memory Safety for Unsafe Languages Emery D. Berger Benjamin G. Zorn Dept. of Computer Science Microsoft Research University of Massachusetts Amherst One Microsoft Way Amherst, MA 01003 Redmond, WA 98052 [email protected] [email protected] Abstract Invalid frees: Passing illegal addresses to free can corrupt the Applications written in unsafe languages like C and C++ are vul- heap or lead to undefined behavior. nerable to memory errors such as buffer overflows, dangling point- Double frees: Repeated calls to free of objects that have already ers, and reads of uninitialized data. Such errors can lead to program been freed undermine the integrity of freelist-based allocators. crashes, security vulnerabilities, and unpredictable behavior. We present DieHard, a runtime system that tolerates these errors while Tools like Purify [17] and Valgrind [28, 34] allow programmers to probabilistically maintaining soundness. DieHard uses randomiza- pinpoint the exact location of these memory errors (at the cost of a tion and replication to achieve probabilistic memory safety through 2-25X performance penalty), but only reveal those bugs found dur- the illusion of an infinite-sized heap. DieHard’s memory manager ing testing. Deployed programs thus remain vulnerable to crashes randomizes the location of objects in a heap that is at least twice or attack. Conservative garbage collectors can, at the cost of in- as large as required. This algorithm not only prevents heap corrup- creased runtime and additional memory [10, 20], disable calls to tion but also provides a probabilistic guarantee of avoiding memory free and so eliminate three of the above errors (invalid frees, dou- errors.
    [Show full text]
  • Simple, Fast and Safe Manual Memory Management
    Simple, Fast and Safe Manual Memory Management Piyus Kedia Manuel Costa Matthew Aaron Blankstein ∗ Microsoft Research, India Parkinson Kapil Vaswani Princeton University, USA [email protected] Dimitrios Vytiniotis [email protected] Microsoft Research, UK manuelc,mattpark,kapilv,[email protected] Abstract cause the latter are more efficient. As a consequence, many Safe programming languages are readily available, but many applications continue to have exploitable memory safety applications continue to be written in unsafe languages be- bugs. One of the main reasons behind the higher efficiency cause of efficiency. As a consequence, many applications of unsafe languages is that they typically use manual mem- continue to have exploitable memory safety bugs. Since ory management, which has been shown to be more efficient garbage collection is a major source of inefficiency in the than garbage collection [19, 21, 24, 33, 34, 45]. Thus, replac- implementation of safe languages, replacing it with safe ing garbage collection with manual memory management in manual memory management would be an important step safe languages would be an important step towards solv- towards solving this problem. ing this problem. The challenge is how to implement man- Previous approaches to safe manual memory manage- ual memory management efficiently, without compromising ment use programming models based on regions, unique safety. pointers, borrowing of references, and ownership types. We Previous approaches to safe manual memory manage- propose a much simpler programming model that does not ment use programming models based on regions [20, 40], require any of these concepts. Starting from the design of an unique pointers [22, 38], borrowing of references [11, 12, imperative type safe language (like Java or C#), we just add 42], and ownership types [10, 12, 13].
    [Show full text]
  • Efficient High Frequency Checkpointing for Recovery and Debugging Vogt, D
    VU Research Portal Efficient High Frequency Checkpointing for Recovery and Debugging Vogt, D. 2019 document version Publisher's PDF, also known as Version of record Link to publication in VU Research Portal citation for published version (APA) Vogt, D. (2019). Efficient High Frequency Checkpointing for Recovery and Debugging. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal ? Take down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. E-mail address: [email protected] Download date: 30. Sep. 2021 Efficient High Frequency Checkpointing for Recovery and Debugging Ph.D. Thesis Dirk Vogt Vrije Universiteit Amsterdam, 2019 This research was funded by the European Research Council under the ERC Advanced Grant 227874. Copyright © 2019 by Dirk Vogt ISBN 978-94-028-1388-3 Printed by Ipskamp Printing BV VRIJE UNIVERSITEIT Efficient High Frequency Checkpointing for Recovery and Debugging ACADEMISCH PROEFSCHRIFT ter verkrijging van de graad Doctor aan de Vrije Universiteit Amsterdam, op gezag van de rector magnificus prof.dr.
    [Show full text]
  • 6.828: Virtual Memory for User Programs
    6.828: Virtual Memory for User Programs Adam Belay <[email protected]> Plan for today • Previously: Discussed using virtual memory tricks to optimize the kernel • This lecture is about virtual memory for user programs: • Concurrent garbage collection • Generational garbage collection • Concurrent checkpointing • Data-compression paging • Persistent stores What primitives do we need? • Trap: handle page-fault traps in usermode • Prot1: decrease the accessibility of a page • ProtN: decrease the accessibility of N pages • Unprot: increase the accessibility of a page • Dirty: returns a list of dirtied pages since previous call • Map2: map the same physical page at two different virtual addresses, at different levels of protection, in the same address space What about UNIX? • Processes manage virtual memory through higher- level abstractions • An address space consists of a non-overlapping list of Virtual Memory Areas (VMAs) and a page table • Each VMA is a contiguous range of virtual addresses that shares the same permissions and is backed by the same object (e.g. a file or anonymous memory) • VMAs help the kernel decide how to handle page faults Unix: mmap() • Maps memory into the address space • Many flags and options • Example: mapping a file mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, offset); • Example: mapping anonymous memory mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); Unix: mprotect() • Changes the permissions of a mapping • PROT_READ, PROT_WRITE, and PROT_EXEC • Example: make mapping read-only mprotect(addr, len, PROT_READ); • Example: make mapping trap on any acCess mprotect(addr, len, PROT_NONE); Unix: munmap() • Removes a mapping • Example: munmap(addr, len); Unix: sigaction() • Configures a signal handler • Example: get signals for memory access violations act.sa_sigaction = handle_sigsegv; act.sa_flags = SA_SIGINFO; sigemptyset(&act.sa_mask); sigaction(SIGSEGV, &act, NULL); Unix: Modern implementations are very complex e.g.
    [Show full text]
  • Memory Error Detection for Large-Scale Applications and Fuzz Testing
    Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee*, Chengyu Song†, Insik Shin KAIST, *Purdue, †UCR 1 Memory error glibc: getaddrinfo Heartbleed Shellshock stack-based buffer overflow • Information leakage – Heartbleed • Privilege escalation – Shellshock • Remote code execution – Shellshock, glibc, Conficker 2 Memory error detection • Pointer-based [SoftBound+CETS, Intel MPX] • Hardware support (cannot detect temporal memory errors) • Challenges to support complex applications • Redzone-based [AddressSanitizer (ASan)] • Compatible to complex applications • Most popular in practice Google Chrome, Mozilla Firefox, Linux Kernel American Fuzzy Lop (AFL), ClusterFuzz, OSS-Fuzz 3 Redzone-based memory error detection • Buffer overflow (spatial memory errors) ptrX Shadow memory: a bitmap to validate all addresses objX Check before access Shadow memory Accessible 4 Redzone-based memory error detection • Buffer overflow (spatial memory errors) ptrX Shadow memory: a bitmap to validate all addresses objX Check before access Redzone: inaccessible region between objects Shadow memory Accessible Inaccessible (redzone) 4 Redzone-based memory error detection • Buffer overflow (spatial memory errors) ptrX Shadow memory: a bitmap to validate all addresses objX Error! Redzone: inaccessible region between objects Shadow memory Accessible Inaccessible (redzone) 4 Redzone-based memory error detection • Use-after-free (temporal memory errors) ptrX objX Accessible Inaccessible Shadow memory
    [Show full text]
  • Optimization Techniques for Memory Virtualization-Based Resource Management
    SSStttooonnnyyy BBBrrrooooookkk UUUnnniiivvveeerrrsssiiitttyyy The official electronic file of this thesis or dissertation is maintained by the University Libraries on behalf of The Graduate School at Stony Brook University. ©©© AAAllllll RRRiiiggghhhtttsss RRReeessseeerrrvvveeeddd bbbyyy AAAuuuttthhhooorrr... Optimization Techniques for Memory Virtualization-based Resource Management A Dissertation Presented by Jui-Hao Chiang to The Graduate School in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Computer Science Stony Brook University December 2012 Stony Brook University The Graduate School Jui-Hao Chiang We, the dissertation committee for the above candidate for the Doctor of Philosophy degree, hereby recommend acceptance of this dissertation. Tzi-cker Chiueh { Dissertation Advisor Professor, Department of Computer Science Jie Gao { Chairperson of Defense Associate Professor, Department of Computer Science Rob Johnson Assistant Professor, Department of Computer Science Ted Teng Professor, Department of Technology and Society This dissertation is accepted by the Graduate School. Charles Taber Interim Dean of the Graduate School ii Abstract of the Dissertation Optimization Techniques for Memory Virtualization-based Resource Management by Jui-Hao Chiang Doctor of Philosophy in Computer Science Stony Brook University 2012 Memory virtualization abstracts the physical memory resources in a virtualized server in such a way that offers many resource man- agement advantages, such as consolidation, sharing,
    [Show full text]
  • Experience with Safe Manual Memory-Management in Cyclone
    Experience With Safe Manual Memory-Management in Cyclone Michael Hicks Greg Morrisett University of Maryland, College Park Harvard University [email protected] [email protected] Dan Grossman Trevor Jim University of Washington AT&T Labs Research [email protected] [email protected] ABSTRACT bring the “Mohammad of type safety” to the “mountain of existing The goal of the Cyclone project is to investigate type safety for low- C code.” level languages such as C. Our most difficult challenge has been Toward that end, we have been developing Cyclone, a type-safe providing programmers control over memory management while dialect of C [23]. Cyclone uses a combination of programmer- retaining type safety. This paper reports on our experience trying supplied annotations, an advanced type system, a flow analysis, to integrate and effectively use two previously proposed, type-safe and run-time checks to ensure that programs are type safe. When memory management mechanisms: statically-scoped regions and we started the project, we relied entirely on heap allocation and unique pointers. We found that these typing mechanisms can be the Boehm-Demers-Weiser (BDW) conservative garbage collector combined to build alternative memory-management abstractions, (GC) to recycle memory safely. BDW provides convenient inter- such as reference counted objects and arenas with dynamic life- operability with legacy libraries and makes it easy to support poly- times, and thus provide a flexible basis. Our experience—porting morphism without needing run-time type tags. C programs and building new applications for resource-constrained While the BDW collector provides convenience, it does not al- systems—confirms that experts can use these features to improve ways provide the performance or control needed by low-level sys- memory footprint and sometimes to improve throughput when used tems applications.
    [Show full text]
  • Dangling Pointer
    Dangling Pointer Jonathan Afek, 1/8/07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 2 What is a Dangling Pointer? Invalid Pointer: Real Life Example Dangling Dangerous Pointer1 Pointer2 Pointer3 Pointer Exploitable Common Application Code: Pointer3 = new Object(); … delete Pointer3; Overwrite Deleted … Object Object NewObject Data the object Object Pointer3->func(); 3 What is a Dangling Pointer? Assembly – Memory Layout – Registers – Assembly code 4 Where are We What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 5 Code Injection – The Layout of an Object Class_A: Instance_A memory Class_A VFTable vfunc_A1 Code classVFTABLE PointerClass_A vfunc_A1 address Assembly code {member_of_A vfunc_A2 address int member_of_A;vfunc_A 3 address public : vfunc_A2 Code virtual long vfunc_A1(); { Assembly code ... virtual long vfunc_A2(); MOV EAX,… [ECX] this.vfunc_A3();virtual long vfunc_A3(); ... static void sfunc_A();CALL [EAX + 8] vfunc_A3 Code } void funcA(); … Assembly code }; 6 Code Injection – The Double Reference Exploit Exploit Overview: – Free the Object – Overwrite the Object – Execute a Virtual Function 77 Code Injection – The Double Reference Exploit Object Allocated Object De-allocated Shellcode Overwriting Object Finding a “VFTable” VFunc3 Executed Application Code: ECX – Original Object EAX – “VFTABLE” a->v_func3();a =delete new a;A(); “VFTABLE” “VFTABLE” Pointer Memory Junk MOV EAX,… [ECX] Memory Junk CALL [EAX + 8] Pointer OriginalFreed Space Object … SHELLCODE Memory Junk Memory Junk CALL/JMP ECX 8 Where are We What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 9 Object Overriding Allocation Implementation – C-Runtime heap – C-Runtime functions • Malloc • Free • New • Delete • Etc.
    [Show full text]
  • Garbage Collection (1)
    Garbage Collection (1) Advanced Operating Systems Lecture 8 Lecture Outline • Introduction • Reference counting • Garbage collection • Mark-sweep • Mark-compact • Copying collectors • … "2 Introduction • Wide distrust of automatic memory management in real-time, embedded, and systems programming • Perception of high processor and memory overheads, unpredictable poor timing behaviour • But, memory management problems are common in code with manual memory management! • Memory leaks and unpredictable memory allocation performance (calls to malloc() can vary in execution time by several orders of magnitude) • Memory corruption and buffer overflows • Performance of automatic memory management is much better than in the past • Not all problems solved, but there are garbage collectors with predictable timing, suitable for real-time applications • Moore’s law makes the overheads more acceptable !3 Automatic Memory Management • Memory/object allocation and deallocation may be manual or automatic • Automatic allocation/deallocation of variables on the stack is common • In the example code, memory for di is int saveDataForKey(char *key, FILE *outf)! automatically allocated when the function {! executes, and freed when it completes struct DataItem di;! ! • Extremely simple and efficient memory if (findData(&di, key)) {! management for languages like C/C++ saveData(&di, outf);! that have complex value types return 1;! • Useless for Java-like languages, where }! objects are allocated on the heap return 0;! } ! • Memory allocated on the heap is allocated
    [Show full text]