Efficient Protection Against Heap-Based Buffer Overflows Without Resorting to Magic

  • Yves Younan
  • Wouter Joosen
  • Frank Piessens
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4307)


Bugs in dynamic memory management, including for instance heap-based buffer overflows and dangling pointers, are an important source of vulnerabilities in C and C++. Overwriting the management information of the memory allocation library is often a source of attack on these vulnerabilities. All existing countermeasures with low performance overhead rely on magic values or canaries. A secret value is placed before a crucial memory location and by monitoring whether the value has changed, overruns can be detected. Hence, if attackers are able to read arbitrary memory locations, they can bypass the countermeasure. In this paper we present an approach that, when applied to a memory allocator, will protect against this attack vector without resorting to magic. We implemented our approach by modifying an existing widely-used memory allocator. Benchmarks show that this implementation has a negligible, sometimes even beneficial, impact on performance.


Management Information Lookup Table Chunk Size Performance Overhead Memory Region 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aleph One: Smashing the stack for fun and profit. Phrack 49 (1996)Google Scholar
  2. 2.
    Younan, Y., Joosen, W., Piessens, F.: Code injection in C and C++: A survey of vulnerabilities and countermeasures. Technical Report CW386, Departement Computerwetenschappen, Katholieke Universiteit Leuven (2004)Google Scholar
  3. 3.
    Austin, T.M., Breach, S.E., Sohi, G.S.: Efficient detection of all pointer and array access errors. In: Proc. of the ACM 1994 Conf. on Programming Language Design and Implementation, Orlando, FL (1994)Google Scholar
  4. 4.
    Jones, R.W.M., Kelly, P.H.J.: Backwards-compatible bounds checking for arrays and pointers in C programs. In: Proc. of the 3rd Int. Workshop on Automatic Debugging, Linköping, Sweden (1997)Google Scholar
  5. 5.
    Ruwase, O., Lam, M.S.: A practical dynamic buffer overflow detector. In: Proc. of the 11th Network and Distributed System Security Symp., San Diego, CA (2004)Google Scholar
  6. 6.
    Xu, W., DuVarney, D.C., Sekar, R.: An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs. In: Proc. of the 12th ACM Int. Symp. on Foundations of Software Engineering, Newport Beach, CA (2004)Google Scholar
  7. 7.
    Cowan, C., Pu, C., Maier, D., Hinton, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In: Proc. of the 7th USENIX Security Symp., San Antonio, TX (1998)Google Scholar
  8. 8.
    Etoh, H., Yoda, K.: Protecting from stack-smashing attacks. Technical report, IBM Research Divison, Tokyo Research Laboratory (2000)Google Scholar
  9. 9.
    Baratloo, A., Singh, N., Tsai, T.: Transparent run-time defense against stack smashing attacks. In: USENIX 2000 Technical Conf. Proc., San Diego, CA (2000)Google Scholar
  10. 10.
    Xu, J., Kalbarczyk, Z., Patel, S., Ravishankar, K.I.: Architecture support for defending against buffer overflow attacks. In: Second Workshop on Evaluating and Architecting System dependabilitY, San Jose, CA (2002)Google Scholar
  11. 11.
    Younan, Y., Pozza, D., Joosen, W., Piessens, F.: Extended protection against stack smashing attacks without performance loss. In: Proc. of the Annual Computer Security Apps. Conf., Miami, FL (2006)Google Scholar
  12. 12.
    Robertson, W., Kruegel, C., Mutz, D., Valeur, F.: Run-time detection of heap-based overflows. In: Proc. of the 17th Large Installation Systems Administrators Conf., San Diego, CA (2003)Google Scholar
  13. 13.
    Krennmair, A.: ContraPolice: a libc extension for protecting applications from heap-smashing attacks (2003), http://www.synflood.at/contrapolice/
  14. 14.
    Perens, B.: Electric fence 2.0.5 (1999), http://perens.com/FreeSoftware/
  15. 15.
    Free Software Foundation: GNU C library (2004), http://www.gnu.org/software/libc
  16. 16.
    Younan, Y.: Dnmalloc 1.0 (2005), http://www.fort-knox.org
  17. 17.
    Kamp, P.H.: Malloc(3) revisted. In: Proc. of the USENIX 1998 Anual technical conference, New Orleans, LA (1998)Google Scholar
  18. 18.
    Summit, S.: Re: One of your c.l.c faq question. Comp.lang.C newsgroup (2001)Google Scholar
  19. 19.
    Bulba, Kil3r: Bypassing Stackguard and stackshield. Phrack 56 (2000)Google Scholar
  20. 20.
    anonymous: Once upon a free(). Phrack 57 (2001)Google Scholar
  21. 21.
    Kaempf, M.: Vudo - an object superstitiously believed to embody magical powers. Phrack 57 (2001)Google Scholar
  22. 22.
    Solar Designer: JPEG COM marker processing vulnerability in netscape browsers (2000), http://www.openwall.com/advisories/OW-002-netscape-jpeg.txt
  23. 23.
    Lea, D., Gloger, W.: malloc-2.7.2.c. Comments in source code (2001)Google Scholar
  24. 24.
    Gloger, W.: ptmalloc (1999), http://www.malloc.de/en/
  25. 25.
    Dobrovitski, I.: Exploit for CVS double free() for linux pserver (2003), http://seclists.org/lists/bugtraq/2003/Feb/0042.html
  26. 26.
    Stevens, W.R.: Advanced Programming in the UNIX env. Addison-Wesley, Reading (1993)Google Scholar
  27. 27.
    The PaX Team: Documentation for PaX (2000), http://pax.grsecurity.net
  28. 28.
    Henning, J.L.: Spec cpu2000: Measuring cpu performance in the new millennium. Computer 33(7) (2000)Google Scholar
  29. 29.
    Grunwald, D., Zorn, B., Henderson, R.: Improving the cache locality of memory allocation. In: Proc. of the ACM 1993 Conf. on Programming Language Design and Implementation, New York, NY (1993)Google Scholar
  30. 30.
    Johnstone, M.S., Wilson, P.R.: The memory fragmentation problem: Solved? In: Proc. of the 1st ACM Int. Symp. on Memory Management, Vancouver, BC (1998)Google Scholar
  31. 31.
    Berger, E.D., Zorn, B.G., McKinley, K.S.: Composing high-performance memory allocators. In: Proc. of the ACM Conf. on Programming Language Design and Implementation, Snowbird, UT (2001)Google Scholar
  32. 32.
    Berger, E.D., Zorn, B.G., McKinley, K.S.: Reconsidering custom memory allocation. In: Proc. of the ACM Conf. on Object-Oriented Programming Systems, Languages and Apps., Seattle, WA (2002)Google Scholar
  33. 33.
    van der Pas, R.: Memory hierarchy in cache-based systems. Technical Report 817-0742-10, Sun Microsystems, Sant a Clara, CA (2002)Google Scholar
  34. 34.
    Zen-parse: Wu-ftpd 2.6.1 exploit. Vuln-dev mailinglist (2001)Google Scholar
  35. 35.
    Kaempf, M.: Sudo exploit. Bugtraq mailinglist (2001)Google Scholar
  36. 36.
    Phantasmagoria, P.: The malloc maleficarum. Bugtraq mailinglist (2005)Google Scholar
  37. 37.
    Cowan, C., Beattie, S., Johansen, J., Wagle, P.: PointGuard: protecting pointers from buffer overflow vulnerabilities. In: Proc. of the 12th USENIX Security Symp., Washington, DC (2003)Google Scholar
  38. 38.
    Alexander, S.: Defeating compiler-level buffer overflow protection. The USENIX Magazine 30 (2005)Google Scholar
  39. 39.
    Solar Designer: Non-executable stack patch (1998), http://www.openwall.com
  40. 40.
    Wojtczuk, R.: Defeating Solar Designer’s Non-executable Stack Patch. Bugtraq mailinglist (1998)Google Scholar
  41. 41.
    Bhatkar, S., DuVarney, D.C., Sekar, R.: Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In: Proc. of the 12th USENIX Security Symp., Washington, DC (2003)Google Scholar
  42. 42.
    Shacham, H., Page, M., Pfaff, B., Goh, E.J., Modadugu, N., Boneh, D.: On the Effectiveness of Address-Space Randomization. In: Proc. of the 11th ACM Conf. on Computer and communications security, Washington, DC (2004)Google Scholar
  43. 43.
    Avijit, K., Gupta, P., Gupta, D.: Tied, libsafeplus: Tools for runtime buffer overflow protection. In: Proc. of the 13th USENIX Security Symp., San Diego, CA (2004)Google Scholar
  44. 44.
    Kiriansky, V., Bruening, D., Amarasinghe, S.: Secure execution via program shepherding. In: Proc. of the 11th USENIX Security Symp., San Francisco, CA (2002)Google Scholar
  45. 45.
    Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: Proc. of the 12th ACM Conf. on Computer and Communications Security, Alexandria, VA (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Yves Younan
    • 1
  • Wouter Joosen
    • 1
  • Frank Piessens
    • 1
  1. 1.DistriNet, Dept. of Computer ScienceKatholieke Universiteit LeuvenHeverleeBelgium

Personalised recommendations