DOI: 10.1145/3424954.3424956
Research article

Shadow-Heap: Preventing Heap-based Memory Corruptions by Metadata Validation

Published: 12 January 2021

Abstract

In the past, stack smashing attacks and buffer overflows were among the most insidious data-dependent bugs, leading to malicious code execution or other unwanted behavior in the targeted application. Since reliable mitigations such as fuzzing or static code analysis are readily available, attackers have shifted towards heap-based exploitation techniques. Therefore, robust methods are required that ensure application security even in the presence of such intrusions, but existing mitigations are not yet adequate in terms of convenience, reliability, and performance overhead.
We present a novel method to prevent heap corruption at runtime: by maintaining a copy of the heap metadata in a shadow heap and verifying heap integrity upon each call to the underlying allocator, we can detect most heap metadata manipulation techniques. The results demonstrate that Shadow-Heap is a practical mitigation approach, that our prototypical implementation incurs only reasonable overhead thanks to a user-configurable performance-security tradeoff, and that existing programs can be protected without recompilation.
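As an added illustration of the shadow-heap idea (this is not the paper's implementation): a toy allocator keeps every chunk header both inline in its arena and in a shadow table, and checks the two against each other on every malloc and free, so a heap overflow that clobbers the neighbouring chunk's metadata is reported at the next allocator call instead of being acted upon. All names and the header layout are assumptions made for this example.

```c
/* Added example, not the paper's code: a toy bump allocator whose inline chunk headers
 * are mirrored in a shadow table and re-validated on every allocator call (names assumed). */
#include <stddef.h>
#include <string.h>
#define ARENA_SIZE 4096
#define MAX_CHUNKS 64
typedef struct { size_t size; size_t in_use; } hdr_t; /* inline metadata, like a malloc chunk header */
static _Alignas(16) unsigned char arena[ARENA_SIZE];
static size_t arena_top;          /* bump pointer into the arena */
static hdr_t *live[MAX_CHUNKS];   /* where each chunk header lives in the arena */
static hdr_t shadow[MAX_CHUNKS];  /* trusted copy of every header: the "shadow heap" */
static int nchunks;

/* Compare each live header with its shadow copy; index of first mismatch, or -1 if intact. */
int shadow_validate(void) {
    for (int i = 0; i < nchunks; i++)
        if (memcmp(live[i], &shadow[i], sizeof(hdr_t)) != 0) return i;
    return -1;
}

/* Allocate n bytes (rounded to 16). NULL if metadata validation fails or the arena is full. */
void *sh_malloc(size_t n) {
    if (shadow_validate() != -1 || nchunks == MAX_CHUNKS) return NULL;
    size_t need = sizeof(hdr_t) + ((n + 15) & ~(size_t)15);
    if (arena_top + need > ARENA_SIZE) return NULL;
    hdr_t *h = (hdr_t *)(arena + arena_top);
    h->size = need; h->in_use = 1;
    live[nchunks] = h; shadow[nchunks] = *h; nchunks++;  /* record metadata in both places */
    arena_top += need;
    return (unsigned char *)h + sizeof(hdr_t);
}

/* Free p. 0 on success, -1 if p is unknown/already free or metadata corruption is detected. */
int sh_free(void *p) {
    if (shadow_validate() != -1) return -1;
    hdr_t *h = (hdr_t *)((unsigned char *)p - sizeof(hdr_t));
    for (int i = 0; i < nchunks; i++)
        if (live[i] == h && h->in_use) { h->in_use = 0; shadow[i].in_use = 0; return 0; }
    return -1;
}

/* Constructed bug: a 16-byte buffer is overwritten past its end into the next chunk's
 * header; the corruption is caught at the very next allocator call. Returns 1 if detected. */
int demo_overflow_detected(void) {
    char *a = sh_malloc(16), *b = sh_malloc(16);
    int bidx = nchunks - 1;                  /* shadow index of b's header */
    if (!a || !b) return 0;
    memset(a, 'A', 16 + sizeof(hdr_t));      /* writes sizeof(hdr_t) bytes past a's end */
    return sh_free(b) == -1 && shadow_validate() == bidx;
}
```

Validating every header on every call is the expensive end of a performance-security tradeoff; checking fewer chunks per call trades detection latency for speed.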


Cited By

  • ISLAB: Immutable Memory Management Metadata for Commodity Operating System Kernels. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (2024), pages 1159-1172. DOI: 10.1145/3634737.3644994. Online publication date: 1 July 2024.

Published In

EICC '20: Proceedings of the 2020 European Interdisciplinary Cybersecurity Conference
November 2020
72 pages
ISBN:9781450375993
DOI:10.1145/3424954
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • Bundesministerium für Wirtschaft und Energie

Conference

EICC 2020
