Advertisement

Memory Errors: The Past, the Present, and the Future

  • Victor van der Veen
  • Nitish dutt-Sharma
  • Lorenzo Cavallaro
  • Herbert Bos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7462)

Abstract

Memory error exploitations have been around for over 25 years and still rank among the top 3 most dangerous software errors. Why haven’t we been able to stop them? Given the host of security measures on modern machines, are we less vulnerable than before, and can we expect to eradicate memory error problems in the near future? In this paper, we present a quarter century worth of memory errors: attacks, defenses, and statistics. A historical overview provides insights in past trends and developments, while an investigation of real-world vulnerabilities and exploits allows us to answer on the significance of memory errors in the foreseeable future.

Keywords

Address Space Memory Error Mitigation Technique Format String USENIX Security Symposium 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Afek, J., Sharabani, A.: Dangling Pointer, Smashing the Pointer for Fun and Profit. In: Blackhat, USA (2007)Google Scholar
  2. 2.
    Akritidis, P.: Cling: A memory allocator to mitigate dangling pointers. In: Proceedings of the 19th USENIX Conference on Security (2010)Google Scholar
  3. 3.
    Akritidis, P., Costa, M., Castro, M., Hand, S.: Baggy bounds checking: an efficient and backwards-compatible defense against out-of-bounds errors. In: Proceedings of the 18th Conference on USENIX Security Symposium (2009)Google Scholar
  4. 4.
    Aleph: Smashing The Stack For Fun And Profit. Phrack Magazine (November 1996)Google Scholar
  5. 5.
    Anderson, J.P.: Computer Security Technology Planning Study, vol. 2 (October 1972)Google Scholar
  6. 6.
    Anisimov, A.: Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass (January 2005)Google Scholar
  7. 7.
    Anonymous: Once Upon a Free. Phrack Magazine (August 2001)Google Scholar
  8. 8.
    Barrantes, E.G., Ackley, D.H., Forrest, S., Stefanovi, D.: Randomized instruction set emulation. ACM TISSEC (2005)Google Scholar
  9. 9.
    Basili, V.R., Perricone, B.T.: Software errors and complexity: an empirical investigation. CACM (1984)Google Scholar
  10. 10.
    Becher, M., Freiling, F.C., Hoffmann, J., Holz, T., Uellenbeck, S., Wolf, C.: Mobile security catching up? In: IEEE S&P (2011)Google Scholar
  11. 11.
    Bhatkar, S., Sekar, R., DuVarney, D.C.: Efficient techniques for comprehensive protection from memory error exploits. In: USENIX Security Symposium (August 2005)Google Scholar
  12. 12.
    blackngel: Malloc Des-Maleficarum. Phrack Magazine (June 2009)Google Scholar
  13. 13.
    blackngel: The House Of Lore: Reloaded. Phrack Magazine (November 2010)Google Scholar
  14. 14.
    Blazakis, D.: Interpreter Exploitation. In: Proceedings of the 4th USENIX Conference on Offensive Technologies (2010)Google Scholar
  15. 15.
    BlueHat, M.: Microsoft BlueHat Prize Contest (2011)Google Scholar
  16. 16.
    Bosman, E., Slowinska, A., Bos, H.: Minemu: The World’s Fastest Taint Tracker. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 1–20. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. 17.
    Bray, B.: Compiler Security Checks In Depth (February 2002)Google Scholar
  18. 18.
    Brumley, D., Poosankam, P., Song, D., Zheng, J.: Automatic patch-based exploit generation is possible: Techniques and implications. In: Proceedings of the 2008 IEEE Symposium on Security and Privacy (2008)Google Scholar
  19. 19.
    Bruschi, D., Cavallaro, L., Lanzi, A.: Diversified Process Replicae for Defeating Memory Error Exploits. In: Intern. Workshop on Assurance, WIA (2007)Google Scholar
  20. 20.
    BugTraq: Wu-Ftpd Remote Format String Stack Overwrite Vulnerability (June 2000)Google Scholar
  21. 21.
    Bulba, Kil3r: Bypassing StackGuard and StackShield. Phrack Magazine (January 2000)Google Scholar
  22. 22.
    CERT Coordination Center: The CERT FAQ (January 2011)Google Scholar
  23. 23.
    Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: USENIX Sec. Symposium (2005)Google Scholar
  24. 24.
    Christey, S., Martin, R.A.: Vulnerability Type Distributions in CVE (May 2007)Google Scholar
  25. 25.
    Cker Chiueh, T., Hau Hsu, F.: Rad: A compile-time solution to buffer overflow attacks. In: ICDCS (2001)Google Scholar
  26. 26.
    Conover, M., Horovitz, O.: Windows Heap Exploitation (Win2KSP0 through WinXPSP2). In: SyScan (December 2004)Google Scholar
  27. 27.
    Conover, M.: w00w00 Security Team: w00w00 on Heap Overflows (January 1999)Google Scholar
  28. 28.
    Cowan, C., Barringer, M., Beattie, S., Kroah-Hartman, G.: FormatGuard: Automatic Protection From printf Format String Vulnerabilities. In: USENIX Security Symposium (August 2001)Google Scholar
  29. 29.
    Cowan, C., Pu, C., Maier, D., Hintongif, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In: Proceedings of the 7th USENIX Security Symposium (January 1998)Google Scholar
  30. 30.
    Cox, B., Evans, D., Filipi, A., Rowanhill, J., Hu, W., Davidson, J., Knight, J., Nguyen-Tuong, A., Hiser, J.: N-variant systems: a secretless framework for security through diversity. In: USENIX Security Symposium (2006)Google Scholar
  31. 31.
    Davi, L., Dmitrienko, A., Sadeghi, A.-R., Winandy, M.: Privilege Escalation Attacks on Android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 346–360. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  32. 32.
    de Raadt, T.: Exploit Mitigation Techniques (in OpenBSD, of course) (November 2005)Google Scholar
  33. 33.
    Designer, S.: Getting around non-executable stack (and fix) (August 1997)Google Scholar
  34. 34.
    Designer, S.: Linux kernel patch to remove stack exec permission (April 1997)Google Scholar
  35. 35.
    Designer, S.: JPEG COM Marker Processing Vulnerability (July 2000)Google Scholar
  36. 36.
    DilDog: L0pht Advisory MSIE4.0(1) (January 1998)Google Scholar
  37. 37.
    Dowd, M.: Application-Specific Attacks: Leveraging the ActionScript Virtual Machine (April 2008)Google Scholar
  38. 38.
    Durden, T.: Bypassing PaX ASLR Protection. Phrack Magazine (July 2002)Google Scholar
  39. 39.
    Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks. In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 88–106. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  40. 40.
    Etoh, H., Yoda, K.: Protecting from stack-smashing attacks (June 2000)Google Scholar
  41. 41.
    Fewer, S.: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities (May 2011)Google Scholar
  42. 42.
    Fisher, D.: Survey Shows Most Flaws Sold For $5,000 Or Less (May 2010)Google Scholar
  43. 43.
    Fisher, D.: Chaouki Bekrar: The Man Behind the Bugs (March 2012)Google Scholar
  44. 44.
    Fisher, D.: Offense is Being Pushed Underground (March 2012)Google Scholar
  45. 45.
    Flake, H.: Third Generation Exploits. In: Blackhat USA Windows Security (February 2002)Google Scholar
  46. 46.
    Flake, H.: Exploitation and State Machines: Programming the “weird machine” revisited (April 2011)Google Scholar
  47. 47.
    Fresi-Roglia, G., Martignoni, L., Paleari, R., Bruschi, D.: Surgically returning to randomized lib(c). In: ACSAC (December 2009)Google Scholar
  48. 48.
    Giuffrida, C., Kuijsten, A., Tanenbaum, A.S.: Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization. In: Proceedings of the 21th USENIX Conference on Security (2012)Google Scholar
  49. 49.
    Goodin, D.: Legal goons threaten researcher for reporting security bug (2011)Google Scholar
  50. 50.
    Guido, D.: Vulnerability Disclosure (2011)Google Scholar
  51. 51.
    Hawkes, B.: Attacking the Vista Heap. Blackhat, USA (August 2008)Google Scholar
  52. 52.
    Hiser, J., Nguyen-Tuong, A., Co, M., Hall, M., Davidson, J.W.: ILR: Where’d My Gadgets Go? In: Proceedings of the 2012 IEEE Symposium on Security and Privacy (2012)Google Scholar
  53. 53.
    Jim, T., Morrisett, G., Grossman, D., Hicks, M., Cheney, J., Wang, Y.: Cyclone: A safe dialect of c. In: USENIX ATC (2002)Google Scholar
  54. 54.
    Jones, R.W.M., Kelly, P.H.J., Most, C., Errors, U.: Backwards-compatible bounds checking for arrays and pointers in c programs. In: Third International Workshop on Automated Debugging (1997)Google Scholar
  55. 55.
    jp: Advanced Doug lea’s malloc exploits. Phrack Magazine (August 2003)Google Scholar
  56. 56.
    Kc, G.S., Keromytis, A.D., Prevelakis, V.: Countering Code-Injection Attacks With Instruction-Set Randomization (October 2003)Google Scholar
  57. 57.
    Kononenko, S.: Remote root vulnerability in Exim (December 2010)Google Scholar
  58. 58.
    Krahmer, S.: x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique (September 2005)Google Scholar
  59. 59.
    Labs, M.S.: Security Labs Report, July - December 2011 Recap (Februay 2012)Google Scholar
  60. 60.
    Lemos, R.: Does Microsoft Need Bug Bounties? (May 2011)Google Scholar
  61. 61.
    Litchfield, D.: Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server. In: Blackhat, Asia (December 2003)Google Scholar
  62. 62.
    Litchfield, D.: Windows Heap Overflows. In: Blackhat USA Windows Security (January 2004)Google Scholar
  63. 63.
    Lopatic, T.: Vulnerability in NCSA HTTPD 1.3 (Februay 1995)Google Scholar
  64. 64.
    Marinescu, A.: Windows Vista Heap Management Enhancements. In: Blackhat, USA (August 2006)Google Scholar
  65. 65.
    MaXX: VUDO Malloc Tricks. Phrack Magazine (August 2001)Google Scholar
  66. 66.
    McDonald, J.: Defeating Solaris/SPARC Non-Executable Stack Protection) (March 1999)Google Scholar
  67. 67.
    McDonald, J., Valasek, C.: Practical Windows XP/2003 Heap Exploitation. Blackhat, USA (July 2009)Google Scholar
  68. 68.
    Meer, H.: Memory Corruption Attacks The (almost) Complete History. In: Blackhat, USA (July 2010)Google Scholar
  69. 69.
    Mein, A.: Celebrating one year of web vulnerability research (2012)Google Scholar
  70. 70.
    Microsoft: A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003 (September 2006)Google Scholar
  71. 71.
    Miller, M.: Preventing the Exploitation of SEH Overwrites (September 2006)Google Scholar
  72. 72.
    Necula, G.C., Condit, J., Harren, M., Mcpeak, S., Weimer, W.: Ccured: Type-safe retrofitting of legacy software. ACM Trans. on Progr. Lang. and Syst (2005)Google Scholar
  73. 73.
    Nergal: The Advanced Return-Into-Lib(c) exploits (PaX Case study). Phrack Magazine (December 2001)Google Scholar
  74. 74.
    NIST: The Second Static Analysis Tool Exposition (SATE) 2009 (June 2010)Google Scholar
  75. 75.
    Okun, V., Guthrie, W.F., Gaucher, R., Black, P.E.: Effect of static analysis tools on software security: preliminary investigation. In: Proceedings of the 2007 ACM Workshop on Quality of Protection (2007)Google Scholar
  76. 76.
    Ostrand, T.J., Weyuker, E.J.: The distribution of faults in a large industrial software system. In: ISSTA (2002)Google Scholar
  77. 77.
    Pappas, V., Polychronakis, M., Keromytis, A.D.: Smashing the Gadgets: Hindering Return-Oriented Programming Using In-Place Code Randomization. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy (2012) Google Scholar
  78. 78.
    Phantasmagoria, P.: The Malloc Maleficarum (October 2005)Google Scholar
  79. 79.
    Planet, C.: A Eulogy for Format Strings. Phrack (November 2010)Google Scholar
  80. 80.
    Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Comprehensive shellcode detection using runtime heuristics. In: ACSAC (2010)Google Scholar
  81. 81.
    Richarte, G.: Four different tricks to bypass StackShield and StackGuard protection (June 2002)Google Scholar
  82. 82.
    Ruwase, O., Lam, M.: A practical dynamic buffer overflow detector. In: Proceedings of NDSS Symposium (February 2004)Google Scholar
  83. 83.
    Roemer, R., Erik Buchanan, H.S., Savage, S.: Return-Oriented Programming: Systems, Languages, and Applications. ACM TISSEC (April 2010)Google Scholar
  84. 84.
    Salamat, B., Jackson, T., Gal, A., Franz, M.: Orchestra: Intrusion Detection Using Parallel Execution and Monitoring of Program Variants in User-Space. In: EuroSys (2009)Google Scholar
  85. 85.
    SANS: CWE/SANS TOP 25 Most Dangerous Software Errors (June 2011)Google Scholar
  86. 86.
    Schmidt, C., Darby, T.: The What, Why, and How of the 1988 Internet Worm (July 2001)Google Scholar
  87. 87.
    Scut: Exploiting Format String Vulnerabilities (September 2001)Google Scholar
  88. 88.
    Seifried, K., Levy, E.: Interview with Elias Levy (Bugtraq) (2001)Google Scholar
  89. 89.
    Serna, F.J.: CVE-2012-0769, the case of the perfect info leak (February 2012)Google Scholar
  90. 90.
    Shacham, H., Page, M., Pfaff, B., Goh, E.J., Modadugu, N., Boneh, D.: On the Effectiveness of Address-Space Randomization. In: ACM CCS (October 2004)Google Scholar
  91. 91.
    SkyLined: Internet Exploiter 3: Technical details (November 2004)Google Scholar
  92. 92.
    SkyLined: Internet Explorer IFRAME src&name parameter BoF remote compromise (October 2004)Google Scholar
  93. 93.
    SkyLined: Microsoft Internet Explorer DHTML Object handling vulnerabilities (MS05-20) (April 2005)Google Scholar
  94. 94.
    Slowinska, A., Stancescu, T., Bos, H.: Howard: a dynamic excavator for reverse engineering data structures. In: Proceedings of NDSS 2011, San Diego, CA (2011)Google Scholar
  95. 95.
    Slowinska, A., Stancescu, T., Bos, H.: Body armor for binaries: preventing buffer overflows without recompilation. In: Proceedings of the USENIX Security Symposium (2012)Google Scholar
  96. 96.
    StackShield: Stack Shield: A ”stack smashing” technique protection tool for Linux (December 1999)Google Scholar
  97. 97.
    Symantec: Symantec report on the underground economy (2008)Google Scholar
  98. 98.
    Team, P.: Address Space Layout Randomization (March 2003)Google Scholar
  99. 99.
    The Pax Team: Design & Implementation of PAGEEXEC (2000)Google Scholar
  100. 100.
    Theriault, C.: Why is a 14-month-old patched Microsoft vulnerability still being exploited? (February 2012)Google Scholar
  101. 101.
    Twillman, T.: Exploit for proftpd 1.2.0pre6 (September 1999)Google Scholar
  102. 102.
    van der Veen, V., dutt Sharma, N., Cavallaro, L., Bos, H.: Memory Errors: The Past, the Present, and the Future. Technical Report IR-CS-73 (November 2011)Google Scholar
  103. 103.
    Veracode: State of Software Security Report, vol. 4 (December 2011)Google Scholar
  104. 104.
    VUPEN: Safari/MacBook first to fall at Pwn2Own (March 2011)Google Scholar
  105. 105.
    VUPEN: Pwn2Own 2012: Google Chrome browser sandbox first to fall (March 2012)Google Scholar
  106. 106.
    VUPEN: Pwn2Own 2012: IE 9 hacked with two 0day vulnerabilities (March 2012)Google Scholar
  107. 107.
    Waisman, N.: Understanding and Bypassing Windows Heap Protection (June 2007)Google Scholar
  108. 108.
    Wei, T., Wang, T., Duan, L., Luo, J.: Secure dynamic code generation against spraying. In: ACM CCS (2010)Google Scholar
  109. 109.
    X-Force, I.: IBM X-Force 2011 Mid-year Trend and Risk Report (September 2011)Google Scholar
  110. 110.
    Younan, Y., Joosen, W., Piessens, F.: Code injection in C and C++: A Survey of Vulnerabilities and Countermeasures. Technical Report CW386 (July 2004)Google Scholar
  111. 111.
    Younan, Y., Philippaerts, P., Cavallaro, L., Sekar, R., Piessens, F., Joosen, W.: PAriCheck: an efficient pointer arithmetic checker for c programs. In: AsiaCCS (2010)Google Scholar
  112. 112.
    Zatko, P.: How to write Buffer Overflows (1995)Google Scholar
  113. 113.
    Zetter, K.: Three minutes with rain forrest puppy (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Victor van der Veen
    • 1
  • Nitish dutt-Sharma
    • 1
  • Lorenzo Cavallaro
    • 1
    • 2
  • Herbert Bos
    • 1
  1. 1.The Network InstituteVU University AmsterdamThe Netherlands
  2. 2.Royal Holloway, University of LondonUK

Personalised recommendations