Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities

Caballero, Juan; Grieco, Gustavo; Marron, Mark; Nappa, Antonio

doi:10.1145/2338965.2336769

Cited by 123 publications

(94 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Dynamic heap monitoring, like that used in Undangle [39] and Valgrind [40], can help discover memory errors during testing, but are not suitable for deployment as they can impose up to 25x performance overhead, which is unacceptable for the applications we aim to protect. The DieHard [3], [41] custom memory manager has proven effective at providing probabilistic guarantees against several classes of memory errors, including heap-based buffer overflows and use-afterfree errors by randomizing and spreading out the heap.…”

Section: Memory Allocators and Dynamic Heap Monitoringmentioning

confidence: 99%

SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption Attacks

Jang

Tatlock

Lerner

2014

Proceedings 2014 Network and Distributed System Security Symposium

103

View full text Add to dashboard Cite

Abstract-Several defenses have increased the cost of traditional, low-level attacks that corrupt control data, e.g. return addresses saved on the stack, to compromise program execution. In response, creative adversaries have begun circumventing these defenses by exploiting programming errors to manipulate pointers to virtual tables, or vtables, of C++ objects. These attacks can hijack program control flow whenever a virtual method of a corrupted object is called, potentially allowing the attacker to gain complete control of the underlying system. In this paper we present SAFEDISPATCH, a novel defense to prevent such vtable hijacking by statically analyzing C++ programs and inserting sufficient runtime checks to ensure that control flow at virtual method call sites cannot be arbitrarily influenced by an attacker. We implemented SAFEDISPATCH as a Clang++/LLVM extension, used our enhanced compiler to build a vtable-safe version of the Google Chromium browser, and measured the performance overhead of our approach on popular browser benchmark suites. By carefully crafting a handful of optimizations, we were able to reduce average runtime overhead to just 2.1%.

show abstract

Section: Memory Allocators and Dynamic Heap Monitoringmentioning

confidence: 99%

SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption Attacks

Jang

Tatlock

Lerner

2014

Proceedings 2014 Network and Distributed System Security Symposium

103

View full text Add to dashboard Cite

show abstract

“…Many approaches that detect buffer overflows, use-after-free or double-free attacks (Valgrind, http://valgrind.org; Hastings and Joyce 1992;Dhurjati and Adve 2006;Caballero et al 2012;Slowinska et al 2012) rely on information about the programs' data structures-specifically, the buffers that they should protect. Thus, in the presence of CMAs, their scope is limited to memory chunks obtained from the general-purpose allocators.…”

Section: Custom Memory Allocationmentioning

confidence: 99%

“…In addition, researchers have shown that knowledge of memory allocation and deallocation routines is useful for retrofitting security in existing binaries-for instance to protect against memory corruption (valgrind, http://valgrind.org;Hastings and Joyce 1992;Dhurjati and Adve 2006;Caballero et al 2012; Perence, B: Electric Fence, http://perens.com/FreeSoftware/ ElectricFence; Slowinska et al 2012). Currently, these security measures are powerless if the application uses CMAs.…”

Section: Introductionmentioning

confidence: 99%

On the detection of custom memory allocators in C binaries

2015

View full text Add to dashboard Cite

Many reverse engineering techniques for data structures rely on the knowledge of memory allocation routines. Typically, they interpose on the system's malloc and free functions, and track each chunk of memory thus allocated as a data structure. However, many performance-critical applications implement their own custom memory allocators. Examples include webservers, database management systems, and compilers like gcc and clang. As a result, current binary analysis techniques for tracking data structures fail on such binaries. We present MemBrush, a new tool to detect memory allocation and deallocation functions in stripped binaries with high accuracy. We evaluated the technique on a large number of real world applications that use custom memory allocators. We demonstrate that MemBrush can detect allocators/deallocators with a high accuracy which is 52 out of 59 for allocators, and 29 out of 31 for deallocators in SPECINT 2006. As we show, we can furnish existing reverse engineering tools with detailed information about the memory management API, and as a result perform an analysis of the actual application specific data structures designed by the programmer. Our system uses dynamic analysis and detects memory allocation and deallocation routines by searching for functions that comply with a set of generic characteristics of allocators and deallocators.

show abstract

“…• Detection modules: 7 8 9 10 The detection modules identify the actual CMA API: c malloc, c free, and c realloc. MemBrush's algorithms check for the characteristic features discussed in Section II-B, and search for the routines in turn.…”

Section: A Bird's Eye View Of Membrushmentioning

confidence: 99%

Who allocated my memory? Detecting custom memory allocators in C binaries

Chen

Slowinska

Bos

2013

2013 20th Working Conference on Reverse Engineering (WCRE)

View full text Add to dashboard Cite

Abstract-Many reversing techniques for data structures rely on the knowledge of memory allocation routines. Typically, they interpose on the system's malloc and free functions, and track each chunk of memory thus allocated as a data structure. However, many performance-critical applications implement their own custom memory allocators. Examples include webservers, database management systems, and compilers like gcc and clang. As a result, current binary analysis techniques for tracking data structures fail on such binaries.We present MemBrush, a new tool to detect memory allocation and deallocation functions in stripped binaries with high accuracy. We evaluated the technique on a large number of real world applications that use custom memory allocators. As we show, we can furnish existing reversing tools with detailed information about the memory management API, and as a result perform an analysis of the actual application specific data structures designed by the programmer. Our system uses dynamic analysis and detects memory allocation and deallocation routines by searching for functions that comply with a set of generic characteristics of allocators and deallocators.

show abstract

Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities

Cited by 123 publications

References 18 publications

SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption Attacks

SAFEDISPATCH: Securing C++ Virtual Calls from Memory Corruption Attacks

On the detection of custom memory allocators in C binaries

Who allocated my memory? Detecting custom memory allocators in C binaries

Contact Info

Product

Resources

About