Abstract
Memory corruption attacks against software written in C or C++ are still prevalent and remain a significant cause of security breaches. Defenses providing full memory safety remain expensive, and leaner defenses only addressing control-flow data are insufficient.
We introduce memory categorization, an approach to separate data based on attacker control to mitigate the exploitation of memory corruption vulnerabilities such as use-after-free and use-after-return. MemCat implements this approach by: (i) providing separate memory allocators for different data categories, (ii) categorizing the use of memory allocations, (iii) changing allocations to take advantage of the categorization.
We demonstrate the effectiveness of MemCat in a case study on actual vulnerabilities in real-world programs. We further show that, although our prototype implementation causes a high overhead in two edge cases, in most cases the performance hit remains negligible, with a median overhead of less than 3% on the SPEC benchmark suite.
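As an added illustration of the allocator-separation idea in point (i) above, and not MemCat's own code: a toy fixed-size allocator with one arena and one free list per data category. The category names, chunk sizes and the `struct handler` type are constructed for this example. With a single shared pool, a chunk freed while a dangling pointer still refers to it can be handed straight back to hold attacker-controlled input, so the stale pointer now aliases attacker data; with per-category arenas the freed internal chunk can only ever be reused by another internal object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: categorized allocation with one arena per category.
 * A chunk freed in one category is never handed out for another category. */

enum mem_cat { CAT_INTERNAL = 0, CAT_ATTACKER = 1, CAT_COUNT = 2 };

#define CHUNK_SIZE 64
#define CHUNKS_PER_ARENA 16

struct arena {
    uint8_t pool[CHUNKS_PER_ARENA][CHUNK_SIZE];
    void   *free_list[CHUNKS_PER_ARENA]; /* LIFO stack of freed chunks */
    size_t  n_free;
    size_t  next_unused;
};

static struct arena arenas[CAT_COUNT];

/* Allocate one fixed-size chunk from the arena of the requested category. */
void *cat_alloc(enum mem_cat cat, size_t size)
{
    struct arena *a = &arenas[cat];
    if (size > CHUNK_SIZE) return NULL;
    if (a->n_free > 0) return a->free_list[--a->n_free]; /* reuse stays in-category */
    if (a->next_unused < CHUNKS_PER_ARENA) return a->pool[a->next_unused++];
    return NULL;
}

/* Return a chunk to the arena it came from; the category is found by address. */
void cat_free(void *p)
{
    uintptr_t addr = (uintptr_t)p;
    for (int c = 0; c < CAT_COUNT; c++) {
        struct arena *a = &arenas[c];
        uintptr_t base = (uintptr_t)&a->pool[0][0];
        if (addr >= base && addr < base + sizeof a->pool) {
            a->free_list[a->n_free++] = p;
            return;
        }
    }
}

/* Reset both arenas so each scenario starts from an empty heap. */
void cat_reset(void) { memset(arenas, 0, sizeof arenas); }

/* Constructed internal object: holds a code pointer, i.e. control data. */
struct handler { void (*fn)(void); int state; };
static void benign(void) {}

/* Scenario: an internal object is freed while a dangling reference to it
 * survives, then a buffer for untrusted input is allocated.
 * Returns 1 if the input buffer reuses the freed chunk (the dangling
 * pointer now aliases attacker-controlled bytes), 0 otherwise. */
int dangling_aliases_attacker_data(int categorized)
{
    cat_reset();
    struct handler *h = cat_alloc(CAT_INTERNAL, sizeof *h);
    h->fn = benign;
    h->state = 0;
    uintptr_t stale = (uintptr_t)h;   /* the address a dangling pointer would keep */
    cat_free(h);

    /* A shared heap puts input in the same pool as internal objects;
     * categorization routes it to its own arena instead. */
    enum mem_cat cat = categorized ? CAT_ATTACKER : CAT_INTERNAL;
    char *input = cat_alloc(cat, 48);  /* constructed stand-in for untrusted data */
    memset(input, 'A', 48);
    return (uintptr_t)input == stale;
}

int main(void)
{
    printf("shared heap:      dangling pointer aliases input = %d\n",
           dangling_aliases_attacker_data(0));
    printf("categorized heap: dangling pointer aliases input = %d\n",
           dangling_aliases_attacker_data(1));
    return 0;
}
```

The point of the scenario is temporal, not spatial: nothing here bounds-checks anything, yet the use-after-free on `h` stops being exploitable as a control-data overwrite simply because input-derived bytes can never land in the chunk the stale pointer refers to. A real deployment still has to decide, per allocation site, which category a buffer belongs to (point (ii) above), and that classification is where the hard work lies.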
© 2019 Springer Nature Switzerland AG
Cite this paper
Neugschwandtner, M., Sorniotti, A., Kurmus, A. (2019). Memory Categorization: Separating Attacker-Controlled Data. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_13
DOI: https://doi.org/10.1007/978-3-030-22038-9_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22037-2
Online ISBN: 978-3-030-22038-9
eBook Packages: Computer Science (R0)