preventing use after free with dangling pointers
play

Preventing Use-after-free with Dangling Pointers Nullification - PowerPoint PPT Presentation

Jul 22, 2023 •482 likes •923 views

Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee , Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University Emerging Threat: Use-after-free

  1. Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee , Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University

  2. Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft, 2013 2

  3. Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft, 2013 2

  4. Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft, 2013 2

  5. Emerging Threat: Use-after-free 13 Security-Critical 582 Security-High 107 12 0 0 Use-after-free Stack Heap Overflow Overflow The number of reported vulnerabilities in Chrome (2011-2013) 3

  6. Emerging Threat: Use-after-free 13 Security-Critical 582 Security-High 107 12 0 0 Use-after-free Stack Heap Overflow Overflow The number of reported vulnerabilities in Chrome (2011-2013) 3

  7. Use-after-free • A dangling pointer – A pointer points to a freed memory region • Using a dangling pointer leads to undefined program states – May lead to arbitrary code executions – so called use-after-free Preventing Use-after-free with Dangling Pointers Nullification 4

  8. Understanding Use-after-free class Doc : public Element { Doc *doc = new Doc(); // … Body *body = new Body(); Element *child; }; doc->child = body; class Body : public Element { delete body; // … Element *child; if (doc->child) }; doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 5

  9. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child doc->child = body; Body delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  10. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  11. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  12. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body Free an object delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  13. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body Free an object delete body; freed *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  14. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  15. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body Use a dangling pointer if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  16. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body Use a dangling pointer if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  17. Why use-after-free is challenging Doc *doc Doc *doc = new Doc(); *child Body *body = new Body(); Div *div = new Div(); doc->child = body; Body body->child = div; delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 7

  18. Why use-after-free is challenging Doc Doc *doc = new Doc(); *doc Doc *doc = new Doc(); *child Body *body = new Body(); if (doc->child) Div *div = new Div(); doc->child->getAlign(); doc->child = body; Body body->child = div; doc->child = body; delete body; *child delete body; *body if (doc->child) doc->child->getAlign(); Body *body = new Body(); Preventing Use-after-free with Dangling Pointers Nullification 7

  19. Why use-after-free is challenging Doc Doc *doc = new Doc(); *doc Doc *doc = new Doc(); *child Body *body = new Body(); if (doc->child) Div *div = new Div();  Reconstructing object relationships is challenging doc->child->getAlign(); doc->child = body; Body  Static analysis body->child = div; doc->child = body; delete body;  Modules are disconnected and scattered *child delete body; *body if (doc->child)  Difficult to serialize execution orders doc->child->getAlign(); Body *body = new Body();  Dynamic analysis  Tracing pointer semantics is non-trivial Preventing Use-after-free with Dangling Pointers Nullification 7

  20. Contributions • Present DangNull , which detects use-after-free – (sometimes) even surviving from use-after-free • Stop sophisticated attacks – Immediately eliminate security impacts of use-after-free • Support large-scale software – Protect popular apps including web browsers Preventing Use-after-free with Dangling Pointers Nullification 8

  21. Designs • Tracking Object Relationships – Intercept allocations/deallocations – Instrument pointer propagations • Nullify dangling pointers – A value in dangling pointers has no semantics – Dereferencing nullified pointers will turn into safe-null dereference Preventing Use-after-free with Dangling Pointers Nullification 9

  22. Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Preventing Use-after-free with Dangling Pointers Nullification 10

  23. Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Preventing Use-after-free with Dangling Pointers Nullification 10

  24. Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc Preventing Use-after-free with Dangling Pointers Nullification 10

  25. Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc delete body; Preventing Use-after-free with Dangling Pointers Nullification 10

  26. Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Remove shadow obj : - Using base address (body) Insert shadow obj: - Base address of allocation - Size of Doc delete body; Preventing Use-after-free with Dangling Pointers Nullification 10

  27. Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. doc->child = body; Doc *doc *child Body *body Preventing Use-after-free with Dangling Pointers Nullification 11

  28. Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. doc->child = body; doc->child = body; trace(&doc->child, body); Doc *doc *child Body *body Preventing Use-after-free with Dangling Pointers Nullification 11

  29. Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Doc *doc *child Shadow obj. of Body back fwd Body *body Preventing Use-after-free with Dangling Pointers Nullification 11

  30. Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body *body Preventing Use-after-free with Dangling Pointers Nullification 11

Recommend

Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual memory management is error prone

574 views • 35 slides
A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs Mentors: Artem Dergachev Etvs Lornd University, Budapest, Hungary Gbor Horvth rekanikolett@gmail.com Real-world example return

257 views • 9 slides
Automatic Garbage Collection Reference counting Automatically free dead objects For each

Automatic Garbage Collection Reference counting Automatically free dead objects For each

Automatic Garbage Collection Reference counting Automatically free dead objects For each heap-allocated object, maintain count of # of pointers to object no dangling pointers , no storage leaks (maybe) when create object, ref count = 0

246 views • 8 slides
Automatic Garbage Collection Reference counting Automatically free dead objects For each

Automatic Garbage Collection Reference counting Automatically free dead objects For each

Automatic Garbage Collection Reference counting Automatically free dead objects For each heap-allocated object, maintain count of # of pointers to object no dangling pointers , no storage leaks (maybe) when create object, ref count = 0

1.14k views • 5 slides
Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overriding Demonstrations Remediation Summary Q&A 2 What is a

543 views • 28 slides
The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June

The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June

The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June 30, 2011 Dangling nodes on the web Dangling nodes denote the nodes without outgoing links Some web pages do not contain any valid hyperlinks

467 views • 20 slides
Garbage collection Strategies for automatic memory management Memory management Explicit

Garbage collection Strategies for automatic memory management Memory management Explicit

Garbage collection Strategies for automatic memory management Memory management Explicit memory management: i.e., malloc(..) and free(..) are both explicit. A dangerous source of bugs (dangling pointers, leaks). Performance still

364 views • 18 slides
Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and

Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and

Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and included in the result. A tuple is dangling if it do esn't join with an y other tuple. = R A B 1 2 3 4 = S B C 2 5 2

185 views • 18 slides
Topic 7 1. Defining and using pointers 2. Arrays and pointers 3. C and C++ strings 4.

Topic 7 1. Defining and using pointers 2. Arrays and pointers 3. C and C++ strings 4.

Topic 7 1. Defining and using pointers 2. Arrays and pointers 3. C and C++ strings 4. Dynamic memory allocation 5. Arrays and vectors of pointers 6. Problem solving: draw a picture 7. Classes of objects 8. Pointers and objects

613 views • 21 slides
Class Five You havent run screaming yet... Lets do pointers! pointers are one of the

Class Five You havent run screaming yet... Lets do pointers! pointers are one of the

The Code Liberation Foundation Lecture 5 Pointers Class Five You havent run screaming yet... Lets do pointers! pointers are one of the most powerful things about c++ A pointer is a variable that holds the address of another

608 views • 22 slides
Vector and Free Store (Pointers and Memory Allocation) Marco Chiarandini Department of

Vector and Free Store (Pointers and Memory Allocation) Marco Chiarandini Department of

DM560 Introduction to Programming in C++ Vector and Free Store (Pointers and Memory Allocation) Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark [ Based on slides by Bjarne Stroustrup ] Outline

1.42k views • 39 slides
Pointers III: Struct & Pointers 1 Structures What is

Pointers III: Struct & Pointers 1 Structures What is

Pointers III: Struct & Pointers 1 Structures What is a structure? One or more values, called members, with possibly dissimilar types that are

444 views • 26 slides
Pointers III: Struct & Pointers 1 Structures What is

Pointers III: Struct & Pointers 1 Structures What is

Pointers III: Struct & Pointers 1 Structures What is a structure? One or more values, called members, with possibly dissimilar types that are

531 views • 25 slides
Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our LC-3

Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our LC-3

Chapter 16 Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our LC-3 programs; now we'll see them in C. Pointer Address of a variable in memory Allows us to indirectly access variables in other words,

1.1k views • 29 slides
Fundamentals of Programming Lecture 15 Hamed Rasifard 1 Outline Types of Pointers

Fundamentals of Programming Lecture 15 Hamed Rasifard 1 Outline Types of Pointers

Fundamentals of Programming Lecture 15 Hamed Rasifard 1 Outline Types of Pointers Arrays of Pointers Multiple Indirection Initializing Pointers Pointers to Functions Dynamic Memory Allocation 2 Types of Pointers

199 views • 19 slides
Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer Arithmetic When you add to or subtract from a pointer, the amount by which you do that is multiplied by the size of the type the pointer points

689 views • 33 slides
Today: C Pointers & Arrays Understand str / ldr Understand C pointers ARM

Today: C Pointers & Arrays Understand str / ldr Understand C pointers ARM

This week Assignment 1 due Tuesday: youll have proved your bare-metal mettle! Lab 2 prep do pre-lab reading! bring your tools Today: C Pointers & Arrays Understand str / ldr Understand C pointers ARM addressing

520 views • 38 slides
Pointers to Functions C doesn t require that pointers point only to data; it s also

Pointers to Functions C doesn t require that pointers point only to data; it s also

Pointers to Functions C doesn t require that pointers point only to data; it s also possible to have pointers to functions. Pointers to Functions Function pointers point to memory addresses where functions are stored. o int (*fp)

240 views • 5 slides
Pointers & Dynamic Memory Review C Pointers Introduce C++ Pointers Data Abstractions

Pointers & Dynamic Memory Review C Pointers Introduce C++ Pointers Data Abstractions

Pointers & Dynamic Memory Review C Pointers Introduce C++ Pointers Data Abstractions CSCI-2320 Dr. Tom Hicks Computer Science Department 2 Printing! Use Computer Science Printers Only For Your Computer Science Homework!!!! Print

1.19k views • 37 slides
Chapter 16 Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our

Chapter 16 Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our

Chapter 16 Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our C programs; now we'll see how they are implemented in LC-3. Pointer Address of a variable in memory Allows us to indirectly access

343 views • 16 slides
CS162 - POINTERS Lecture: Pointers and Dynamic Memory What are pointers Why dynamically

CS162 - POINTERS Lecture: Pointers and Dynamic Memory What are pointers Why dynamically

CS162 - POINTERS Lecture: Pointers and Dynamic Memory What are pointers Why dynamically allocate memory How to dynamically allocate memory What about deallocation? Walk thru pointer exercises CS162 Pointers 1 CS162 -

477 views • 27 slides
CPSC 213 New to C, Understanding Pointers, The malloc and free Functions, Why Dynamic Memory

CPSC 213 New to C, Understanding Pointers, The malloc and free Functions, Why Dynamic Memory

Reading Textbook CPSC 213 New to C, Understanding Pointers, The malloc and free Functions, Why Dynamic Memory Allocation 2ed: "New to C" sidebar of 3.4, 3.10, 9.9.1-9.9.2 1ed: "New to C" sidebar of 3.4,

610 views • 7 slides
C Programming for Engineers Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1 Pointers

C Programming for Engineers Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1 Pointers

C Programming for Engineers Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1 Pointers Pointers are variables whose values are memory addresses . A variable name directly references a value, and a pointer indirectly references a value.

730 views • 29 slides
Programming for Engineers Pointers ICEN 200 Spring 2018 Prof. Dola Saha 1 Pointers

Programming for Engineers Pointers ICEN 200 Spring 2018 Prof. Dola Saha 1 Pointers

Programming for Engineers Pointers ICEN 200 Spring 2018 Prof. Dola Saha 1 Pointers Pointers are variables whose values are memory addresses . A variable name directly references a value, and a pointer indirectly references a value.

738 views • 28 slides

More recommend