
Defending Use-After-Free via Relationship Between Memory and Pointer

  • Conference paper
Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom 2020)

Abstract

Existing approaches to defending against Use-After-Free (UAF) exploits usually rely on static or dynamic analysis. However, both suffer from intrinsic deficiencies. Existing static analysis is limited in its handling of loops and in the optimization of its memory representation. Existing dynamic analysis, which is characterized by a lack of maintained pointer information, may fail to precisely identify the relationships between pointers and memory.

In this work, we propose a new method called UAF-GUARD that avoids the above barriers and aims to defend against UAF exploits using fine-grained memory permission management. In particular, we design a key data structure to support the fine-grained memory permission management; it maintains additional information that captures the relationship between pointers and memory. Moreover, we design code instrumentation that enables UAF-GUARD to precisely locate the position of a UAF vulnerability and to terminate the malicious program when an anomaly is detected.

We implement UAF-GUARD on a 64-bit Linux system. We carry out experiments to compare UAF-GUARD with the main existing approaches. The experimental results demonstrate that UAF-GUARD is able to effectively and efficiently defend against three types of UAF exploits with acceptable space overhead and time overhead.
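The abstract's central idea is that the permission to dereference is tied to the relationship between a specific pointer variable and the block it was assigned from, not to the raw address, so a dangling pointer is still caught after the freed memory has been handed out again. The following C program is an added illustration of that idea and is not UAF-GUARD's own code or data structure: it keeps a constructed shadow table in which each tracked heap block records its permission state and the addresses of the pointer variables registered against it. `guard_malloc`, `guard_register`, `guard_free`, `guard_check` and the `GUARD_OK` macro are hypothetical names chosen for this example; a real implementation would update the pointer-to-block relationship through compiler instrumentation at every pointer assignment rather than through a manual `guard_register` call.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed shadow table (illustration only, not UAF-GUARD's design):
 * every tracked heap block records its permission and the addresses of
 * the pointer variables that were registered as referring to it. */
#define MAX_BLOCKS 16
#define MAX_REFS 8

enum perm { PERM_NONE = 0, PERM_RW = 1 };

struct block {
    void *base;              /* start of the heap block */
    size_t size;             /* length in bytes */
    enum perm perm;          /* PERM_RW while live, PERM_NONE once freed */
    void **refs[MAX_REFS];   /* addresses of pointer variables referring here */
    int nrefs;
};

static struct block table[MAX_BLOCKS];
static int nblocks;

/* Find the live block whose address range contains p; freed records are
 * deliberately skipped so reuse of the same address is not confused. */
static struct block *find_block(const void *p) {
    const char *c = p;
    for (int i = 0; i < nblocks; i++) {
        const char *b = table[i].base;
        if (table[i].perm == PERM_RW && c >= b && c < b + table[i].size)
            return &table[i];
    }
    return NULL;
}

/* Allocate a block and give it read/write permission. */
void *guard_malloc(size_t size) {
    if (nblocks >= MAX_BLOCKS) return NULL;
    void *p = malloc(size);
    if (!p) return NULL;
    struct block *blk = &table[nblocks++];
    memset(blk, 0, sizeof *blk);
    blk->base = p;
    blk->size = size;
    blk->perm = PERM_RW;
    return p;
}

/* Record that the pointer variable stored at *pp refers to the block
 * holding its current value. Returns 1 on success, 0 if untracked. */
int guard_register(void **pp) {
    struct block *blk = find_block(*pp);
    if (!blk || blk->nrefs >= MAX_REFS) return 0;
    blk->refs[blk->nrefs++] = pp;
    return 1;
}

/* Revoke the block's permission and release it. Returns 0 and reports
 * when p does not name a live block (double or invalid free). */
int guard_free(void *p) {
    struct block *blk = find_block(p);
    if (!blk || blk->base != p) {
        fprintf(stderr, "invalid or double free of %p\n", p);
        return 0;
    }
    blk->perm = PERM_NONE;
    free(blk->base);
    /* The record and its registered pointers are kept so that later
     * accesses through those pointers can still be attributed here. */
    return 1;
}

/* Returns 1 if dereferencing the pointer variable at *pp is permitted,
 * 0 if it would be a use-after-free; the denial names the source line. */
int guard_check(void **pp, const char *file, int line) {
    for (int i = 0; i < nblocks; i++)
        for (int r = 0; r < table[i].nrefs; r++)
            if (table[i].refs[r] == pp) {
                if (table[i].perm == PERM_RW) return 1;
                fprintf(stderr, "%s:%d: use-after-free through pointer at %p "
                        "(block %p already freed)\n",
                        file, line, (void *)pp, table[i].base);
                return 0;
            }
    /* Unregistered pointer variable: fall back to an address-only check. */
    if (find_block(*pp)) return 1;
    fprintf(stderr, "%s:%d: access through untracked pointer %p\n",
            file, line, *pp);
    return 0;
}
#define GUARD_OK(pp) guard_check((void **)(pp), __FILE__, __LINE__)

/* Walk through the cases the tracker distinguishes: a legitimate access,
 * a double free, and a dangling pointer after the memory may have been
 * handed out again. Returns the number of denied operations (2). */
int demo(void) {
    int denied = 0;
    char *p = guard_malloc(32);
    guard_register((void **)&p);
    strcpy(p, "hello");
    if (!GUARD_OK(&p)) denied++;    /* permitted: block is live */
    guard_free(p);
    if (!guard_free(p)) denied++;   /* double free: detected */
    char *q = guard_malloc(32);     /* may land at the same address as p */
    guard_register((void **)&q);
    if (!GUARD_OK(&p)) denied++;    /* denied even if p == q: p is dangling */
    if (!GUARD_OK(&q)) denied++;    /* permitted: q's block is live */
    guard_free(q);
    return denied;
}

int main(void) {
    printf("denied operations: %d\n", demo());
    return 0;
}
```

The point the example makes is in the last two checks of `demo`: `p` and `q` may hold the identical address, yet the check is keyed on which pointer variable is being dereferenced and which block it was registered against, so `p` is refused and `q` is allowed. An address-only checker (the fallback branch in `guard_check`) cannot tell the two apart once the allocator reuses the address.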



Author information

Correspondence to Guangquan Xu.


Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Xu, G. et al. (2021). Defending Use-After-Free via Relationship Between Memory and Pointer. In: Gao, H., Wang, X., Iqbal, M., Yin, Y., Yin, J., Gu, N. (eds) Collaborative Computing: Networking, Applications and Worksharing. CollaborateCom 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 349. Springer, Cham. https://doi.org/10.1007/978-3-030-67537-0_35


  • DOI: https://doi.org/10.1007/978-3-030-67537-0_35

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-67536-3

  • Online ISBN: 978-3-030-67537-0

  • eBook Packages: Computer Science (R0)