Abstract
Memory error exploitation has been around for over 25 years and still ranks among the top 3 most dangerous software errors. Why haven’t we been able to stop it? Given the host of security measures on modern machines, are we less vulnerable than before, and can we expect to eradicate memory error problems in the near future? In this paper, we present a quarter century’s worth of memory errors: attacks, defenses, and statistics. A historical overview provides insights into past trends and developments, while an investigation of real-world vulnerabilities and exploits allows us to assess the significance of memory errors in the foreseeable future.
This work was partially sponsored by the EU FP7 SysSec project and by an ERC Starting Grant project (“Rosetta”).
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
van der Veen, V., dutt-Sharma, N., Cavallaro, L., Bos, H. (2012). Memory Errors: The Past, the Present, and the Future. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_5
DOI: https://doi.org/10.1007/978-3-642-33338-5_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33337-8
Online ISBN: 978-3-642-33338-5