Advertisement

HeapRevolver: Delaying and Randomizing Timing of Release of Freed Memory Area to Prevent Use-After-Free Attacks

  • Toshihiro YamauchiEmail author
  • Yuta Ikegami
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9955)

Abstract

Recently, there has been an increase in use-after-free (UAF) vulnerabilities, which are exploited using a dangling pointer that refers to a freed memory. Various methods to prevent UAF attacks have been proposed. However, only a few methods can effectively prevent UAF attacks during runtime with low overhead. In this paper, we propose HeapRevolver, which is a novel UAF attack-prevention method that delays and randomizes the timing of release of freed memory area by using a memory-reuse-prohibited library, which prohibits a freed memory area from being reused for a certain period. In this paper, we describe the design and implementation of HeapRevolver in Linux and Windows, and report its evaluation results. The results show that HeapRevolver can prevent attacks that exploit existing UAF vulnerabilities. In addition, the overhead is small.

Keywords

Use-after-free (UAF) vulnerabilities UAF attack-prevention Memory-reuse-prohibited library System security 

Notes

Acknowledgement

This research was partially supported by Grant-in-Aid for Scientific Research 16H02829.

References

  1. 1.
    Common Vulnerabilities and Exposures. https://cve.mitre.org/index.html
  2. 2.
    Microsoft Security Intelligence Report, vol. 16. http://www.microsoft.com/en-us/download/details.aspx?id=42646
  3. 3.
    Serebryany, K., Bruening, D., Potapenko, A., Vyukov, D.: Addresssanitizer: a fast address sanity checker. In: 2012 USENIX Conference on Annual Technical Conference (USENIX ATC 2012), pp. 309–318 (2012)Google Scholar
  4. 4.
    Caballero, J., et al.: Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities. In: 2012 International Symposium on Software Testing and Analysis (ISSTA 2012), pp. 133–143 (2012)Google Scholar
  5. 5.
    Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: 28th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2007), pp. 89–100 (2007)Google Scholar
  6. 6.
    Bruening, D., Zhao, Q.: Practical memory checking with Dr. memory. In: 9th Annual IEEE/ACM International Symposium on Code Generation and Optimization, pp. 213–223 (2011)Google Scholar
  7. 7.
    Lee, B., et al.: Preventing use-after-free with dangling pointers nullification. In: 2015 Network and Distributed System Security Symposium (NDSS) (2015)Google Scholar
  8. 8.
  9. 9.
  10. 10.
    D.U.M.A. - Detect Unintended Memory Access. http://duma.sourceforge.net/
  11. 11.
    Younan, Y.: FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers. In: 2015 Network and Distributed System Security Symposium (NDSS) (2015)Google Scholar
  12. 12.
    Zhang, C., et al.: VTint: protecting virtual function tables’ integrity. In: 22nd Annual Network and Distributed System Security Symposium (NDSS) (2015)Google Scholar
  13. 13.
    Gawlik, R., Holz, T.: Towards automated integrity protection of C++ virtual function tables in binary programs. In: 30th Annual Computer Security Applications Conference (ACSAC 2014), pp. 396–405 (2014)Google Scholar
  14. 14.
    Novark, G., Berger, E.D.: DieHarder: securing the heap. In: 17th ACM Conference on Computer and Communications Security (CCS 2010), pp. 573–584 (2010)Google Scholar
  15. 15.
  16. 16.
  17. 17.
    Security Intelligence, Understanding IE’s New Exploit Mitigations: The Memory Protector and the Isolated Heap. https://securityintelligence.com/understanding-ies-new-exploit-mitigations-the-memory-protector-and-the-isolated-heap/
  18. 18.
    Security Week: Microsoft’s Use-After-Free Mitigations Can Be Bypassed: Researcher. http://www.securityweek.com/microsofts-use-after-free-mitigations-can-be-bypassed-researcher
  19. 19.
    Hariri, A.-A., et al.: Abusing Silent Mitigations - Understanding Weaknesses Within Internet Explorers Isolated Heap and MemoryProtection. https://www.blackhat.com/us-15/briefings.html

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.Graduate School of Natural Science and TechnologyOkayama UniversityOkayamaJapan

Personalised recommendations