Abstract
Recently, there has been an increase in use-after-free (UAF) vulnerabilities, which are exploited through a dangling pointer that refers to freed memory. Various methods to prevent UAF attacks have been proposed, but only a few can effectively prevent them at runtime with low overhead. In this paper, we propose HeapRevolver, a novel UAF attack-prevention method that delays and randomizes the timing of the release of freed memory areas by using a memory-reuse-prohibited library, which prohibits a freed memory area from being reused for a certain period. We describe the design and implementation of HeapRevolver in Linux and Windows and report its evaluation results. The results show that HeapRevolver can prevent attacks that exploit existing UAF vulnerabilities, and that its overhead is small.
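The delay-and-randomize idea from the abstract, as an added sketch in C that is not HeapRevolver's code. The names `delayed_free`, `quarantined_blocks` and `is_quarantined`, the slot count, the poison byte and the eviction policy are all assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUARANTINE_SLOTS 8           /* assumed capacity, not from the paper */

static void  *quarantine[QUARANTINE_SLOTS];
static size_t pending;               /* blocks currently held back from reuse */

/* Stand-in for free(): the block stays allocated until randomly evicted. */
void delayed_free(void *p, size_t size)
{
    if (p == NULL)
        return;
    memset(p, 0xDD, size);           /* stale reads see poison, not new data */
    if (pending < QUARANTINE_SLOTS) {
        quarantine[pending++] = p;   /* room left: only delay the release */
        return;
    }
    /* Full: release one randomly chosen held block and take its slot, so
       the moment a given block becomes reusable is hard to predict.
       rand() is a placeholder; real use needs an unpredictable source. */
    size_t victim = (size_t)rand() % QUARANTINE_SLOTS;
    free(quarantine[victim]);
    quarantine[victim] = p;
}

size_t quarantined_blocks(void) { return pending; }

/* Returns 1 while p is held back, i.e. its memory cannot be handed out. */
int is_quarantined(const void *p)
{
    for (size_t i = 0; i < pending; i++)
        if (quarantine[i] == p)
            return 1;
    return 0;
}

int main(void)
{
    char *obj = malloc(64);          /* object with a dangling reference */
    delayed_free(obj, 64);
    char *refill = malloc(64);       /* same-size allocation right after */
    printf("held=%d reused=%d\n", is_quarantined(obj), refill == obj);
    free(refill);
    return 0;
}
```

A same-size allocation made right after `delayed_free` cannot land on the quarantined block, which is the reuse a UAF exploit depends on.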
Acknowledgement
This research was partially supported by Grant-in-Aid for Scientific Research 16H02829.
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Yamauchi, T., Ikegami, Y. (2016). HeapRevolver: Delaying and Randomizing Timing of Release of Freed Memory Area to Prevent Use-After-Free Attacks. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds) Network and System Security. NSS 2016. Lecture Notes in Computer Science, vol 9955. Springer, Cham. https://doi.org/10.1007/978-3-319-46298-1_15
DOI: https://doi.org/10.1007/978-3-319-46298-1_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46297-4
Online ISBN: 978-3-319-46298-1
eBook Packages: Computer Science, Computer Science (R0)