Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee, Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft, 2013 2 Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft, 2013 2 Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft, 2013 2 Emerging Threat: Use-after-free 13 Security-Critical 582 Security-High 107 0 12 0 Use-after-free Stack Heap Overflow Overflow The number of reported vulnerabilities in Chrome (2011-2013) 3 Emerging Threat: Use-after-free 13 Security-Critical 582 Security-High 107 0 12 0 Use-after-free Stack Heap Overflow Overflow The number of reported vulnerabilities in Chrome (2011-2013) 3 Use-after-free • A dangling pointer – A pointer points to a freed memory region • Using a dangling pointer leads to undefined program states – Easy to achieve arbitrary code executions – so called use-after-free Preventing Use-after-free with Dangling Pointers Nullification 4 Understanding Use-after-free class Doc : public Element { Doc *doc = new Doc(); // … Body *body = new Body(); Element *child; }; doc->child = body; class Body : public Element { delete body; // … Element *child; if (doc->child) }; doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 5 Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child doc->child = body; Body delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body Free an object delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body Free an object delete body; freed *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body Use a dangling pointer if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body Use a dangling pointer if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6 Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freedAttacker *childcontrol *body object Use a dangling pointer if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6 Related Work on Use-after-free t free control objects use Safe Allocators Vtable protection AddressSanitizer Control Flow Integrity Delayed free Memory Safety Use-after-free detector Preventing Use-after-free with Dangling Pointers Nullification 7 Related Work on Use-after-free t free control objects use Safe Allocators Vtable protection AddressSanitizer Control Flow Integrity Delayed free Memory Safety Use-after-free detector Make exploitation harder, but still bypassable or Difficult to support large-scale software Preventing Use-after-free with Dangling Pointers Nullification 7 Related Work on Use-after-free t free control objects use DangNull Safe Allocators Vtable protection AddressSanitizer Control Flow Integrity Delayed free Memory Safety Use-after-free detector Make exploitation harder, but still bypassable or Difficult to support large-scale software Preventing Use-after-free with Dangling Pointers Nullification 7 DangNull: Use-after-free detector • Tracking Object Relationships – Coarse grained pointer semantic tracking Support large-scale software • Nullify dangling pointers – Immediately eliminate all dangling pointers Non-bypassable to sophisticated attacks Preventing Use-after-free with Dangling Pointers Nullification 8 Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc delete body; Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Remove shadow obj: - Using base address (body) Insert shadow obj: - Base address of allocation - Size of Doc delete body; Preventing Use-after-free with Dangling Pointers Nullification 9 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. doc->child = body; Doc *doc *child Body *body Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. doc->child = body; trace(&doc->child, body); Doc *doc *child Body *body Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body); Doc *doc *child Shadow obj. of Body Body back fwd *body Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body); Doc Forward *doc *child Shadow obj. of Body Body back fwd *body Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body); Doc Forward *doc *child Shadow obj. of Body Body Backward back fwd *body Preventing Use-after-free with Dangling Pointers Nullification 10 Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; back fwd trace(&doc->child, body); Forward Doc *docThis is coarse grained pointer semantic tracking, *child Shadow obj. of Body but enough to identify all dangling pointers. Body Backward back fwd *body Preventing Use-after-free with Dangling Pointers Nullification 10 Nullifying Dangling Pointers • Nullify all backward pointers of Body, once it is deleted. – All backward pointers of Body are dangling pointers – Dangling pointers have no semantics Doc *doc *child Body Freed *body Preventing Use-after-free with Dangling Pointers Nullification 11 Nullifying Dangling Pointers delete body; Nullification doc->child = NULL if (doc->child) doc->child->getAlign(); Null-dereference is safely contained in pre-mapped nullpadding