DOI: 10.1145/1866307.1866371

DieHarder: securing the heap

Published: 04 October 2010

Abstract

Heap-based attacks depend on a combination of a memory management error and an exploitable memory allocator. Many allocators include ad hoc countermeasures against particular exploits, but their effectiveness against future exploits has been uncertain. This paper presents the first formal treatment of the impact of allocator design on security. It analyzes a range of widely-deployed memory allocators, including those used by Windows, Linux, FreeBSD and OpenBSD, and shows that they remain vulnerable to attack. It then presents DieHarder, a new allocator whose design was guided by this analysis. DieHarder provides the highest degree of security from heap-based attacks of any practical allocator of which we are aware, while imposing modest performance overhead. In particular, the Firefox web browser runs as fast with DieHarder as with the Linux allocator.





Published In

CCS '10: Proceedings of the 17th ACM conference on Computer and communications security
October 2010
782 pages
ISBN:9781450302456
DOI:10.1145/1866307

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. buffer overflow
  2. dangling pointer
  3. dynamic memory allocation
  4. memory errors

Qualifiers

  • Research-article

Conference

CCS '10

Acceptance Rates

CCS '10 Paper Acceptance Rate: 55 of 325 submissions, 17%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%


Article Metrics

  • Downloads (last 12 months): 99
  • Downloads (last 6 weeks): 15
Reflects downloads up to 01 Oct 2024

Cited By

  • (2024) GuaNary: Efficient Buffer Overflow Detection In Virtualized Clouds Using Intel EPT-based Sub-Page Write Protection Support. ACM SIGMETRICS Performance Evaluation Review 52(1):65-66. doi:10.1145/3673660.3655056. Online publication date: 13-Jun-2024.
  • (2024) GuaNary: Efficient Buffer Overflow Detection In Virtualized Clouds Using Intel EPT-based Sub-Page Write Protection Support. Abstracts of the 2024 ACM SIGMETRICS/IFIP PERFORMANCE Joint International Conference on Measurement and Modeling of Computer Systems, pages 65-66. doi:10.1145/3652963.3655056. Online publication date: 10-Jun-2024.
  • (2024) Pythia: Compiler-Guided Defense Against Non-Control Data Attacks. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, pages 850-866. doi:10.1145/3620666.3651343. Online publication date: 27-Apr-2024.
  • (2024) Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees. IEEE Access 12:5462-5476. doi:10.1109/ACCESS.2023.3343777. Online publication date: 2024.
  • (2024) Investigating a Device Independence Quantum Random Number Generation. Physics Letters A, article 129954. doi:10.1016/j.physleta.2024.129954. Online publication date: Oct-2024.
  • (2024) CtxFuzz: Discovering Heap-Based Memory Vulnerabilities Through Context Heap Operation Sequence Guided Fuzzing. Theoretical Aspects of Software Engineering, pages 205-223. doi:10.1007/978-3-031-64626-3_12. Online publication date: 14-Jul-2024.
  • (2024) S2malloc: Statistically Secure Allocator for Use-After-Free Protection and More. Detection of Intrusions and Malware, and Vulnerability Assessment, pages 23-43. doi:10.1007/978-3-031-64171-8_2. Online publication date: 9-Jul-2024.
  • (2024) SdShield: Effectively Ensuring Heap Security via Shadow Page Table. Digital Forensics and Cyber Crime, pages 114-131. doi:10.1007/978-3-031-56583-0_8. Online publication date: 3-Apr-2024.
  • (2023) PUMM. Proceedings of the 32nd USENIX Conference on Security Symposium, pages 823-840. doi:10.5555/3620237.3620284. Online publication date: 9-Aug-2023.
  • (2023) GuaNary: Efficient Buffer Overflow Detection In Virtualized Clouds Using Intel EPT-based Sub-Page Write Protection Support. Proceedings of the ACM on Measurement and Analysis of Computing Systems 7(3):1-26. doi:10.1145/3626787. Online publication date: 7-Dec-2023.
