HeapTherapy+: Efficient Handling of (Almost) All Heap Vulnerabilities Using Targeted Calling-Context Encoding
Qiang Zeng, Golam Kayas, Emil Mohammed, Lannan Luo, Xiaojiang Du, and Junghwan Rhee
DSN 2019
2 Trend of Memory Vulnerability Exploitation
• Memory vulnerability exploitation
  • Stack-based
  • Heap-based
• Many effective protections exist for call stacks: stack canaries, reordering of local variables, SafeSEH (Structured Exception Handling)
• Heap vulnerability exploitation has become the trend
  • Heartbleed: heap buffer over-read
  • WannaCry: heap buffer overwrite
  • A popular ROP (return-oriented programming) attack pattern [1]: heap overflow => overwrite a function pointer => stack pivoting
[1] McAfee, "Emerging 'Stack Pivoting' Exploits Bypass Common Security", 2013

3 "Because the success of stack-based exploits has been reduced by the numerous security measures, heap-based attacks are now common" [Ratanaworabhan 2009]
[Ratanaworabhan 2009] Ratanaworabhan et al. "NOZZLE: A Defense Against Heap-spraying Code Injection Attacks." USENIX Security 2009.
4 Types of Heap Vulnerabilities
• Uninitialized read
    str = (char*) malloc(128);
    … // str is not initialized
    cout << str;
  • Information leakage; …

5 Types of Heap Vulnerabilities
• Uninitialized read
  • Information leakage; …
• Use-after-free
    (1) D *p = new D();
    …
    (2) delete p;
    (3) … // buffer re-allocated and used
    (4) p->foo(); // use-after-free
  • Control-flow hijacking; …
  [Figure: p → virtual function table (foo(), bar()); after (3) the freed object's memory holds a malicious virtual function table, so the virtual call at (4) is hijacked]
  "More than 50% of known attacks targeting Windows 7 exploit use-after-free" [Zhang 2016]
  [Zhang 2016] Zhang, Chao, et al. "VTrust: Regaining Trust on Virtual Calls." NDSS 2016.

6 Types of Heap Vulnerabilities
• Uninitialized read
  • Information leakage; …
• Use-after-free
  • Control-flow hijacking; …
• Buffer overflow
  • Over-write: manipulating data; control-flow hijacking; …
  • Over-read: information leakage; …
7 Existing Measures
• Checking every buffer access is great … but expensive (runtime slowdown):
  • SoftBound (handles overflow and use-after-free): 67%
  • AddressSanitizer (handles overflow and use-after-free): 73%
  • MemorySanitizer (handles uninitialized read): 2.5x
• SFI (software fault isolation), CFI (control-flow integrity), XFI, CPI (code pointer integrity), …
  • Challenges when working with existing shared libraries (legacy code)
  • Some (like XFI) are still very expensive
• Our previous work
  • Cruiser [PLDI'11], Kruiser [NDSS'12]: only handle overwrite
  • HeapTherapy [DSN'15]: only handles overwrite and over-read

8 A Patching Perspective
• Patching is an indispensable step throughout the life of a software system; however,
  • 153 days on average to deliver a patch [1]
  • Only 65% of vulnerabilities have patches available [2]
  • Fresh patches break systems frequently
• Our goals
  • Handle heap overflow, uninitialized read, and use-after-free
  • Generate patches instantly, with zero manual diagnosis effort
  • Install patches without altering code, i.e., code-less patching
  • A very small overhead
[1] S. Frei, "The Known Unknowns," 2013.
[2] S. Frei, "End-point Security Failures: Insight Gained from Secunia PSI Scans," 2011.
9 Hypotheses
• Given a heap buffer overflow bug, the vulnerable buffers share the same calling context when they are allocated
• More generally, for a use-after-free or uninitialized-read vulnerability, the vulnerable buffers share the same calling context when they are allocated

10 Verifying the Hypotheses
• Given a vulnerability, many different exploits were collected and replayed
• Figure labels (two timelines): "Pathogen buffers are allocated" → "Pathogen buffers are overflowed" for the replayed attacks, and "Vulnerable buffers are allocated" → "Vulnerable buffers are exploited" for the buffers a future attack would hit; what both share is the allocation-time calling context
[Figure: allocation-time calling context of the pathogen buffers, from the thread entry down to the allocator: clone → start_thread → handle_one_connection → do_handle_one_connection → thd_prepare_connection → do_command → MDL_key::mdl_key_init → my_malloc → malloc; the buffers are later overflowed in stpcpy]

11 Main Approach
Use the allocation-time calling context to characterize vulnerable buffers:
1. When replaying the attack, record the allocation-time calling context of each buffer. When the offending operation (e.g., an overflow) is detected, output the allocation-time calling context of the vulnerable buffer.
2. At runtime, if a buffer being allocated has that allocation-time calling context, enhance it (allocate it with extra protection).

12 Challenges
• How to retrieve and compare calling contexts efficiently?
  • Retrieving the calling context by walking the stack is too expensive
  • Under ASLR, the return addresses (RAs) collected from the stack differ from run to run, so they cannot be compared across runs
• How to bridge offline attack analysis and online defense generation?
• How to achieve code-less patching?
• How to handle the diverse vulnerabilities in a uniform way?
13 Outline
• Targeted Calling Context Encoding
• Offline Attack Analysis and Patch Generation
• Online Defense Generation
14 Calling Context Encoding
• Use an integer (or very few integers) to encode the calling context
  • The integer is updated at each function call and return, using simple arithmetic operations
  • <3% slowdown; concise representation
• Wide applications: test coverage, anomaly detection, compiler optimization, logging, …

                              PCC [Bond 2007]   PCCE [Sumner 2010]   DeltaPath [Zeng 2014]
  Supports object-oriented       ✔                  ✗                     ✔
  Decoding                       ✗                  ✔                     ✔
  Scalability                    ✗                  ✗                     ✔

15 Example: PCC
• Goal: each unique ID represents a unique calling context
• One global integer ID (initially 0) is updated at every call site; the call-site number is the code line number, and t saves the caller's ID so it can be restored after the call
    ID = 0
     1  B() {
     2    t = ID; ID = t * 3 + 2; C(); ID = t;
     3    ID = t * 3 + 3; D(); ID = t;
     4  }
     5
     6  C() {
     7    t = ID; ID = t * 3 + 7; D(); ID = t;
     8  }
     9
    10  D() {
    11    Sensitive API!   // calling context?
    12  }
• Along B → C → D: ID = 2 on entering C, then ID = 2 * 3 + 7 = 13 on entering D; along B → D: ID = 3
• Answer: D just reads the variable "ID" to get its calling context ID
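The slide's program, hand-instrumented in C, as an added example (it is not the paper's LLVM pass): one global integer carries the calling-context ID, every caller saves it in a local `t`, updates it with the slide's rule `ID = t * 3 + callsite` before each call and restores it afterwards. The multiplier 3 and the call-site numbers 2, 3 and 7 are the slide's; `run_pcc_demo`, `pcc_ccid_at` and the log array are this example's own scaffolding so the values D observes can be checked.

```c
#include <stdio.h>

/* The single global carrying the calling-context ID (CCID). Callers save it in a
   local t on entry and restore it after each call, as in the PCC scheme. */
static unsigned long ID = 0;

#define MAX_LOG 8
static unsigned long ccid_log[MAX_LOG];   /* CCIDs observed by the sensitive API */
static int ccid_count = 0;

/* The "sensitive API": it learns its calling context by reading ID, nothing more.
   An allocator would do exactly this and store the value next to the buffer. */
static void D(void) {
    if (ccid_count < MAX_LOG) ccid_log[ccid_count++] = ID;
}

static void C(void) {
    unsigned long t = ID;          /* save the caller's context */
    ID = t * 3 + 7; D();           /* call site at slide line 7 */
    ID = t;                        /* restore on return */
}

static void B(void) {
    unsigned long t = ID;
    ID = t * 3 + 2; C();           /* slide line 2: B -> C -> D yields 13 */
    ID = t * 3 + 3; D();           /* slide line 3: B -> D yields 3 */
    ID = t;
}

/* Runs the slide's program from a fresh context; returns how many CCIDs D saw. */
int run_pcc_demo(void) {
    ID = 0;
    ccid_count = 0;
    B();
    return ccid_count;
}

unsigned long pcc_ccid_at(int i) {
    return (i >= 0 && i < ccid_count) ? ccid_log[i] : 0;
}

int main(void) {
    int n = run_pcc_demo();
    for (int i = 0; i < n; i++)
        printf("D() call %d saw CCID %lu\n", i + 1, pcc_ccid_at(i));
    return 0;
}
```

Because the update is arithmetic on one register-resident integer rather than a stack walk, the cost per call is a multiply-add, and the value is stable across runs: no return addresses are involved, so ASLR does not perturb it.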
16 Targeted Calling Context Encoding
• A set of ideas that minimize the encoding overhead
• Key insight: when the target functions, whose calling contexts are of interest, are known, many call sites do not need to be instrumented
  • E.g., some functions never appear in the calling contexts that lead to the target functions
• Target functions in our work: malloc, calloc, realloc, memalign, aligned_alloc

17 [Figure: the same call graph under four instrumentation strategies, with targets T1 and T2]
(a) FCS (full-call-site instrumentation): the original PCC encoding; every call site is instrumented
(b) TCS (targeted-call-site): H and I cannot reach the targets T1 and T2, so their call sites are not instrumented
(c) Slim: each of B, E and G has only one outgoing edge that reaches the targets, so that edge needs no instrumentation
(d) Incremental: F → T1 and F → G → T2 can already be distinguished by which target is reached, so F's call sites need no instrumentation either
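The call-site selection behind (a) to (c), as an added example rather than the paper's LLVM pass. The call graph is constructed for this example (the slide's figure is not reproduced on the page): the nodes reuse the slide's names A to I, T1 and T2, and the edge list is an assumption chosen so that H and I cannot reach a target and B, E and G each have a single target-reaching edge. The Slim rule is applied exactly as the slide states it, and (d) Incremental is not implemented.

```c
#include <stdbool.h>
#include <stdio.h>

/* Functions of the constructed call graph; T1 and T2 are the allocation targets. */
enum { fA, fB, fC, fD, fE, fF, fG, fH, fI, T1, T2, NFUNC };
static const char *fname[NFUNC] = { "A","B","C","D","E","F","G","H","I","T1","T2" };

/* Call sites as caller -> callee edges (constructed for this example). H <-> I is a cycle
   that never reaches a target; B, E and G each have exactly one target-reaching edge. */
static const int edges[][2] = {
    {fA,fB},{fA,fE},{fA,fH},{fB,fC},{fC,fD},{fC,T1},{fD,T2},
    {fE,fF},{fF,T1},{fF,fG},{fG,T2},{fH,fI},{fI,fH},
};
#define NEDGE ((int)(sizeof edges / sizeof edges[0]))

static bool is_target(int f) { return f == T1 || f == T2; }

/* reach[f]: f is a target or some call path from f ends at one. A fixpoint over the
   reversed edges; cycles (H <-> I) simply stop changing the set. */
static void compute_reach(bool reach[NFUNC]) {
    for (int f = 0; f < NFUNC; f++) reach[f] = is_target(f);
    for (bool changed = true; changed; ) {
        changed = false;
        for (int e = 0; e < NEDGE; e++) {
            int u = edges[e][0], v = edges[e][1];
            if (reach[v] && !reach[u]) { reach[u] = true; changed = true; }
        }
    }
}

enum { FCS, TCS, SLIM };

/* Returns the number of call sites `mode` instruments; if keep is non-NULL, keep[e]
   records the decision for edge e. */
int select_call_sites(int mode, bool keep[]) {
    bool reach[NFUNC];
    compute_reach(reach);
    int out_to_target[NFUNC] = {0};              /* per caller: target-reaching edges */
    for (int e = 0; e < NEDGE; e++)
        if (reach[edges[e][1]]) out_to_target[edges[e][0]]++;
    int n = 0;
    for (int e = 0; e < NEDGE; e++) {
        int u = edges[e][0], v = edges[e][1];
        bool k;
        switch (mode) {
        case FCS: k = true; break;                             /* (a) everything */
        case TCS: k = reach[v]; break;                         /* (b) callee leads to a target */
        default:  k = reach[v] && out_to_target[u] > 1; break; /* (c) caller has a choice */
        }
        if (keep) keep[e] = k;
        if (k) n++;
    }
    return n;
}

int main(void) {
    bool keep[NEDGE];
    printf("FCS: %d  TCS: %d  Slim: %d call sites\n",
           select_call_sites(FCS, NULL), select_call_sites(TCS, NULL),
           select_call_sites(SLIM, keep));
    for (int e = 0; e < NEDGE; e++)
        if (keep[e]) printf("  instrument %s -> %s\n", fname[edges[e][0]], fname[edges[e][1]]);
    return 0;
}
```

On this graph FCS instruments all 13 call sites, TCS drops the three involving H and I, and Slim drops the single target-reaching edges of B, D, E and G, leaving 6. The Slim rule relies on callers being told apart earlier on the path; two distinct entry points that each have a single edge into the same callee would collide under the rule as stated here.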
18 Encoding Overhead
• Implementation: an LLVM pass for instrumentation
• Evaluation: SPEC CPU2006 Integer
• Size overhead
  • PCC: 12%
  • Targeted Calling Context Encoding: 4.4% (2.7x smaller)
• Speed overhead
  • PCC: 2.4%
  • Targeted Calling Context Encoding: 0.4% (6x smaller)
19 Outline
• Targeted Calling Context Encoding
• Offline Attack Analysis and Patch Generation
• Online Defense Generation

20 [Figure: system overview. One-time program instrumentation: Program → Instrumentation Tool → Instrumented program. Patch generation: Instrumented program + Attack inputs → Offline Patch Generator → Patches, written to a Configuration file. Online: the Online Defense Generator reads the Configuration file and protects the patched program's execution.]

21 Offline Attack Analysis: Shadow Memory
[Figure: application memory, byte 1 … byte n, each paired with its shadow information: one A-bit and eight V-bits per byte]
• Accessibility bit (A-bit): whether the byte can be accessed
  • Each buffer is surrounded by two red zones (16 B each) whose A-bits are 0
  • When a buffer is freed, all of its A-bits are set to 0
• Validity bit (V-bit): whether the bit has been initialized
  • When a fresh buffer is malloc-ed, all of its V-bits are 0
• Each buffer's allocation API and CCID are recorded
(1) Detect overflow: an overflow touches the inaccessible red zone
(2) Detect use-after-free: a freed buffer is set to inaccessible and then added to a queue that delays reuse of its space
(3) Detect uninitialized read: more complex, but mainly relies on the V-bits
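A byte-granular model of the detector on slide 21, added here as an example; it is not the paper's tool. Every byte of a small arena carries an A-bit (may it be accessed?) and, as a simplification, a single V-bit per byte instead of one per bit (has it been written since allocation?). Buffers are carved from a bump arena between two 16-byte red zones, carry the allocation API and CCID that a report must output, and are never reused after free, which is the simplest form of delaying space reuse. The CCID is passed in as a parameter (an assumption for the example; with the encoding in place an interposed allocator would read it from the encoding variable).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 4096
#define REDZONE 16            /* inaccessible bytes on each side of a buffer, as on the slide */
#define MAX_BUFS 64

enum vul { VUL_NONE = 0, VUL_OVERFLOW, VUL_UAF, VUL_UNINIT, VUL_WILD };

struct buf_meta { size_t off, size; unsigned long long ccid; const char *api; bool freed; };
struct report { enum vul type; const char *api; unsigned long long ccid; };

static uint8_t arena[ARENA_SIZE];
static uint8_t a_bit[ARENA_SIZE];    /* 1 = byte may be accessed; red zones stay 0 */
static uint8_t v_bit[ARENA_SIZE];    /* 1 = byte has been written since allocation */
static size_t bump;                  /* next unused arena offset */
static struct buf_meta metas[MAX_BUFS];
static int nbufs;
static struct report last_report;

/* Carve [start, start+n) between two red zones and record api + CCID. */
void *sh_alloc(const char *api, size_t n, unsigned long long ccid) {
    size_t start = bump + REDZONE;
    if (n == 0 || nbufs == MAX_BUFS || start + n + REDZONE > ARENA_SIZE) return NULL;
    memset(&a_bit[start], 1, n);     /* accessible ... */
    memset(&v_bit[start], 0, n);     /* ... but nothing initialized yet */
    metas[nbufs++] = (struct buf_meta){ start, n, ccid, api, false };
    bump = start + n + REDZONE;      /* freed space is never reused by this arena */
    return &arena[start];
}

/* The buffer (red zones included) that arena offset i belongs to, or NULL. */
static struct buf_meta *owner_of(size_t i) {
    for (int k = 0; k < nbufs; k++)
        if (i + REDZONE >= metas[k].off && i < metas[k].off + metas[k].size + REDZONE)
            return &metas[k];
    return NULL;
}

static enum vul fail(enum vul t, const struct buf_meta *m) {
    last_report = (struct report){ t, m ? m->api : NULL, m ? m->ccid : 0 };
    return t;
}

static enum vul check_access(const void *p, bool is_read) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)arena;
    if (a < lo || a >= lo + ARENA_SIZE) return fail(VUL_WILD, NULL);
    size_t i = (size_t)(a - lo);
    const struct buf_meta *m = owner_of(i);
    if (!a_bit[i]) {                  /* a red zone, or a freed buffer's body */
        bool inside = m && i >= m->off && i < m->off + m->size;
        return fail(inside && m->freed ? VUL_UAF : VUL_OVERFLOW, m);
    }
    if (is_read && !v_bit[i]) return fail(VUL_UNINIT, m);
    return VUL_NONE;
}

enum vul sh_load(const void *p, uint8_t *out) {
    enum vul v = check_access(p, true);
    if (v == VUL_NONE) *out = *(const uint8_t *)p;
    return v;
}

enum vul sh_store(void *p, uint8_t val) {
    enum vul v = check_access(p, false);
    if (v == VUL_NONE) { *(uint8_t *)p = val; v_bit[(uint8_t *)p - arena] = 1; }
    return v;
}

void sh_free(void *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)arena;
    if (a < lo || a >= lo + ARENA_SIZE) return;
    struct buf_meta *m = owner_of((size_t)(a - lo));
    if (!m || m->freed || &arena[m->off] != (uint8_t *)p) return;
    memset(&a_bit[m->off], 0, m->size);   /* every byte of the body becomes inaccessible */
    m->freed = true;
}

/* What the offline patch generator would turn into a <API, CCID, vul-type> tuple. */
const struct report *sh_last_report(void) { return &last_report; }
```

The point to notice is the report: whichever access trips the check, the tuple it yields names the allocation API and the allocation-time CCID of the buffer, not the faulting instruction, which is what the online side needs to recognise the next vulnerable buffer at allocation time.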
22 Patches as a Configuration File
• Each patch is simply a tuple <alloc-API, CCID, vul-type>
• Code-less patching: to "install" a patch, just add one line to the configuration file
  Configuration file: <API, CCID, Vulnerability>
  ……
  <memalign, 1854955292, OVERFLOW>
  <calloc, 8643565443, USE-AFTER-FREE>
  <malloc, 2598251483, UNINITIALIZED-READ>
  ……

23 Outline
• Targeted Calling Context Encoding
• Offline Attack Analysis and Patch Generation
• Online Defense Generation

24 Patches Read into a Hash Table
• The Online Defense Generator (a shared library) reads the configuration file into a hash table keyed by <API, CCID>; the value is a bit vector with one bit per vulnerability type
  Key                        Value
  <MEMALIGN, 1854955292>     (001)₂
  <CALLOC, 8643565443>       (010)₂
  <MALLOC, 2598251483>       (100)₂
  …                          …

25 Vulnerability Handling
• Handle overflow: append a guard page to each vulnerable buffer
• Handle use-after-free: delay the deallocation of freed vulnerable buffers
• Handle uninitialized read: initialize each newly allocated vulnerable buffer with zeros
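The online side of slides 22, 24 and 25 in one added example: patches parsed from configuration text in the slide's <API, CCID, vul-type> format, looked up at allocation time, and the three treatments applied. This is not the HeapTherapy+ shared library. Assumptions made for the example: the lookup is a linear scan standing in for the paper's hash table; `ht_malloc` takes the API name and CCID as parameters instead of being an interposed allocator that reads the encoding variable; sizes are rounded up to 16 bytes, so up to 15 bytes of slack may sit between the end of a requested size and the guard page; the quarantine holds four buffers. The configuration text is constructed from the slide's three lines.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { VUL_OVERFLOW = 1, VUL_UAF = 2, VUL_UNINIT = 4 };   /* bit flags, as slide 24's 001/010/100 */

struct patch { char api[16]; unsigned long long ccid; int vul; };
static struct patch patches[64];
static int npatches;

/* Constructed configuration text in the slide-22 format. */
static const char *SAMPLE_CONFIG =
    "<memalign, 1854955292, OVERFLOW>\n"
    "<calloc, 8643565443, USE-AFTER-FREE>\n"
    "<malloc, 2598251483, UNINITIALIZED-READ>\n";

int load_patches(const char *cfg) {
    npatches = 0;
    for (const char *p = strchr(cfg, '<'); p && npatches < 64; p = strchr(p + 1, '<')) {
        struct patch pt = { {0}, 0, 0 };
        char vul[24];
        if (sscanf(p, "<%15[^,], %llu, %23[^>]>", pt.api, &pt.ccid, vul) != 3) continue;
        if (!strcmp(vul, "OVERFLOW")) pt.vul = VUL_OVERFLOW;
        else if (!strcmp(vul, "USE-AFTER-FREE")) pt.vul = VUL_UAF;
        else if (!strcmp(vul, "UNINITIALIZED-READ")) pt.vul = VUL_UNINIT;
        if (pt.vul) patches[npatches++] = pt;          /* unknown types are ignored */
    }
    return npatches;
}

/* OR of the vul-types patched for (api, ccid); 0 means unpatched: plain allocation. */
int lookup_patch(const char *api, unsigned long long ccid) {
    int flags = 0;
    for (int i = 0; i < npatches; i++)
        if (patches[i].ccid == ccid && strcmp(patches[i].api, api) == 0) flags |= patches[i].vul;
    return flags;
}

struct live { void *user; void *map; size_t maplen; int flags; };
static struct live allocs[256];
static int nallocs;

/* Overflow treatment: the buffer ends exactly at a PROT_NONE page, so a sequential
   overwrite past its end faults instead of corrupting the next heap object. */
static void *guarded_alloc(size_t n, struct live *a) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (n + pg - 1) / pg * pg;
    a->maplen = data + pg;
    a->map = mmap(NULL, a->maplen, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (a->map == MAP_FAILED) { a->map = NULL; return NULL; }
    if (mprotect((char *)a->map + data, pg, PROT_NONE) != 0) {
        munmap(a->map, a->maplen); a->map = NULL; return NULL;
    }
    return (char *)a->map + data - n;
}

void *ht_malloc(const char *api, size_t n, unsigned long long ccid) {
    struct live a = { NULL, NULL, 0, lookup_patch(api, ccid) };
    n = (n + 15) & ~(size_t)15;
    a.user = (a.flags & VUL_OVERFLOW) ? guarded_alloc(n, &a) : malloc(n);
    if (!a.user || nallocs == 256) { if (a.map) munmap(a.map, a.maplen); else free(a.user); return NULL; }
    if (a.flags & VUL_UNINIT) memset(a.user, 0, n);    /* uninitialized-read treatment */
    allocs[nallocs++] = a;
    return a.user;
}

#define QUARANTINE_SLOTS 4
static struct live quarantine[QUARANTINE_SLOTS];
static int qhead, qcount;

static void release(const struct live *a) {
    if (a->map) munmap(a->map, a->maplen); else free(a->user);
}

/* Use-after-free treatment: patched buffers wait in a FIFO quarantine before real release,
   so a dangling pointer keeps referring to memory that has not been handed out again. */
void ht_free(void *p) {
    int i = 0;
    while (i < nallocs && allocs[i].user != p) i++;
    if (i == nallocs) return;                        /* unknown or already freed: ignore */
    struct live a = allocs[i];
    allocs[i] = allocs[--nallocs];
    if (!(a.flags & VUL_UAF)) { release(&a); return; }
    if (qcount == QUARANTINE_SLOTS) {                /* evict the oldest quarantined buffer */
        release(&quarantine[qhead]);
        qhead = (qhead + 1) % QUARANTINE_SLOTS;
        qcount--;
    }
    quarantine[(qhead + qcount) % QUARANTINE_SLOTS] = a;
    qcount++;
}

int ht_quarantined(void) { return qcount; }

int main(void) {
    printf("%d patches loaded\n", load_patches(SAMPLE_CONFIG));
    unsigned char *g = ht_malloc("memalign", 100, 1854955292ULL);
    printf("guarded buffer at %p; g + 112 is page aligned: %d\n", (void *)g,
           ((uintptr_t)g + 112) % (uintptr_t)sysconf(_SC_PAGESIZE) == 0);
    ht_free(g);
    return 0;
}
```

Only buffers whose (API, CCID) matches a patch pay for the treatment; every other allocation goes straight to malloc, which is where the small overhead comes from. Writing one byte past the rounded end of the guarded buffer (g[112] in main's case) hits the PROT_NONE page and raises SIGSEGV.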