
A Survey of Detection Methods for Software Use-After-Free Vulnerability

  • Conference paper
Data Science (ICPCSEE 2022)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1629)


Abstract

Because languages such as C/C++ perform no validity checks on pointers and have no automatic garbage collection, software written in them is prone to memory safety vulnerabilities such as Use-After-Free (UAF). A UAF vulnerability occurs when a memory object has been freed but can still be accessed through a dangling pointer, that is, a pointer that referred to the object before it was reclaimed. Since UAF vulnerabilities are frequently exploited by malware and can lead to memory data leakage or corruption, much research has been devoted to detecting them. This paper surveys existing UAF detection methods, compares and categorizes them, and offers an outlook on their future development, providing a reference for subsequent research on UAF detection.
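As an added illustration (not code from the paper or from any surveyed tool), the following C program shows the dangling-pointer scenario the abstract describes next to the minimal kind of validity check that C itself does not perform: a hypothetical registry of live allocations that a guarded accessor consults before dereferencing, and a free routine that nulls the caller's copy of the pointer. The registry and the functions tracked_malloc, tracked_free, is_live and read_field are assumptions constructed for this example.

```c
#include <stdlib.h>

/* Registry of live heap objects (constructed for this example). */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static size_t live_count;
/* Allocate and record the object as live. */
void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p && live_count < MAX_LIVE) live[live_count++] = p;
    return p;
}

/* 1 if p is a tracked allocation that has not been freed. Caveat: an address
 * reissued by malloc looks live again, which is why stronger schemes quarantine
 * freed memory or track the pointers themselves. */
int is_live(const void *p) {
    for (size_t i = 0; i < live_count; i++)
        if (live[i] == p) return 1;
    return 0;
}

/* Free via pointer-to-pointer so the caller's copy is nulled; other aliases keep dangling. */
void tracked_free(void **pp) {
    void *p = *pp;
    for (size_t i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];
            free(p);
            *pp = NULL;
            return;
        }
    }
}

/* Guarded read: refuses to dereference a pointer to a freed object. */
int read_field(const int *p, int *out) {
    if (!is_live(p)) return -1;
    *out = *p;
    return 0;
}
/* Abstract's scenario: an alias outlives the free. Returns 1 when the guard
 * blocks the stale access and the freeing pointer was nulled. */
int demo_uaf_guard(void) {
    int *a = tracked_malloc(sizeof *a), *alias = a, v = 0;
    if (!a) return 0;
    *a = 42;
    tracked_free((void **)&a);
    return read_field(alias, &v) == -1 && a == NULL;
}
```

The identity check catches the stale read through `alias`, but the comment in `is_live` names the gap a real detector must close: once the allocator reuses the address, a pure address check is fooled.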

Supported by the National Natural Science Foundation of China (61602279), the Taishan Scholars Program of Shandong Province (No. ts20190936), the Excellent Youth Innovation Team Foundation of Shandong Higher School (2019KJN024), the Postdoctoral Innovation Foundation of Shandong Province (201603056), the Open Foundation of First Institute of Oceanography, China (2018002), and the Distinguished Teachers Training Plan Program of Shandong University of Science and Technology.



Author information


Corresponding author: Yunxia Bao.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Lu, F., Tang, M., Bao, Y., Wang, X. (2022). A Survey of Detection Methods for Software Use-After-Free Vulnerability. In: Wang, Y., Zhu, G., Han, Q., Zhang, L., Song, X., Lu, Z. (eds) Data Science. ICPCSEE 2022. Communications in Computer and Information Science, vol 1629. Springer, Singapore. https://doi.org/10.1007/978-981-19-5209-8_19


  • DOI: https://doi.org/10.1007/978-981-19-5209-8_19


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-19-5208-1

  • Online ISBN: 978-981-19-5209-8

  • eBook Packages: Computer Science (R0)
