
MPKAlloc: Efficient Heap Meta-data Integrity Through Hardware Memory Protection Keys

Part of the Lecture Notes in Computer Science book series (LNCS, volume 13358)

Abstract

Memory corruption exploits continue to plague high-profile applications such as web browsers, high-performance servers, and mobile devices. Modern defenses for these targets have rendered classic attack vectors that execute shellcode directly on the stack impotent and obsolete. Instead, modern exploits frequently corrupt the data structures found in a program's memory allocator in order to take control of running processes. These attacks against the heap are much harder to defend against than classic stack-based buffer overflows because they often rely on the allocator itself acting on corrupted data in order to take control of a process. In this work, we introduce MPKAlloc, a memory allocator that utilizes memory protection keys (MPKs) found in recent Intel CPUs to effectively isolate heap meta-data from adversaries. We present our prototype implementation of MPKAlloc, which hardens the tcmalloc and PartitionAlloc memory allocators used by the popular Chrome web browser. MPKAlloc protects each page containing heap meta-data with a key that gives the allocator exclusive access to the page. Effectively, MPKAlloc thwarts an adversary's ability to access or corrupt heap meta-data at the hardware level. We embed the MPKAlloc defense in the open-source Chromium web browser and demonstrate MPKAlloc stopping realistic attack vectors. Furthermore, we evaluate the performance overhead of Chromium configured with MPKAlloc on the top 50 web sites contained in the Alexa site ranking. Our evaluation shows that MPKAlloc introduces a geometric mean of 1.71% performance overhead (2.44% on average) when browsing the most popular web sites, in exchange for a significant increase in security against heap meta-data exploitation.
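As an added illustration of the mechanism the abstract describes (not code from the paper or from the MPKAlloc repository): a page of allocator meta-data is tagged with a protection key, the key is opened only inside the allocator's own update routine, and a probe shows that a read of the same page from outside that window is refused by the hardware. It assumes Linux with glibc 2.27 or newer on a CPU with MPK; where pkey_alloc fails the page is simply left unprotected so the sketch still runs, and every name in it is hypothetical.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef PKEY_DISABLE_ACCESS /* glibc >= 2.27 prototypes, in case _GNU_SOURCE was set too late */
#define PKEY_DISABLE_ACCESS 0x1
int pkey_alloc(unsigned int flags, unsigned int rights);
int pkey_mprotect(void *addr, size_t len, int prot, int key);
int pkey_set(int key, unsigned int rights);
#endif
static int meta_pkey = -1;           /* -1: MPK unavailable, page is left unprotected */
static volatile unsigned long *meta; /* one page of constructed free-list meta-data */
int meta_is_protected(void) { return meta_pkey >= 0; }
/* Map the meta-data page and tag it with a key whose access is disabled by default
   for this thread. Returns 1 if the page is now hardware-protected, 0 if not. */
int meta_setup(void) {
    long pg = sysconf(_SC_PAGESIZE);
    meta = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (meta == MAP_FAILED) { perror("mmap"); exit(1); }
    meta_pkey = pkey_alloc(0, PKEY_DISABLE_ACCESS); /* fails without MPK: keep running */
    if (meta_pkey >= 0 && pkey_mprotect((void *)meta, pg, PROT_READ | PROT_WRITE, meta_pkey))
        { perror("pkey_mprotect"); exit(1); }
    return meta_pkey >= 0;
}
/* Allocator-side update: the key is opened only for the duration of the write. */
unsigned long meta_update(size_t slot, unsigned long value) {
    if (meta_pkey >= 0) pkey_set(meta_pkey, 0);
    meta[slot] = value;
    unsigned long readback = meta[slot];
    if (meta_pkey >= 0) pkey_set(meta_pkey, PKEY_DISABLE_ACCESS);
    return readback;
}
/* The same slot read from outside the allocator's window, as a stray or corrupted pointer
   would. Returns 1 if the hardware faulted with SIGSEGV, 0 if the read went through. */
static sigjmp_buf probe_env;
static void on_segv(int sig) { (void)sig; siglongjmp(probe_env, 1); }
int probe_locked_read(size_t slot) {
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);
    int faulted = 1;
    if (sigsetjmp(probe_env, 1) == 0) { (void)meta[slot]; faulted = 0; }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}
int main(void) {
    int hw = meta_setup();
    printf("protected=%d stored=%lx locked_read_faults=%d\n", hw, meta_update(3, 0xdeadbeefUL), probe_locked_read(3));
    return 0;
}
```

On hardware with MPK the locked read faults; without it the probe reports 0, which is exactly the gap the paper's design closes.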

Keywords

  • Memory protection keys
  • Hardened memory allocators
  • Hardware security


Notes

  1. https://github.com/BUseclab/mpkalloc.


Corresponding author

Correspondence to William Blair.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Blair, W., Robertson, W., Egele, M. (2022). MPKAlloc: Efficient Heap Meta-data Integrity Through Hardware Memory Protection Keys. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_8

  • DOI: https://doi.org/10.1007/978-3-031-09484-2_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-09483-5

  • Online ISBN: 978-3-031-09484-2