automatic techniques to systematically discover new heap
play

Automatic Techniques to Systematically Discover New Heap - PowerPoint PPT Presentation

Mar 24, 2024 •47 likes •387 views

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu Yun , Dhaval Kapil, and Taesoo Kim Georgia Institute of Technology 1 Heap vulnerabilities are the most common, yet serious security issues. %

  1. Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu Yun , Dhaval Kapil, and Taesoo Kim Georgia Institute of Technology 1

  2. Heap vulnerabilities are the most common, yet serious security issues. % 𝑝𝑔 ℎ𝑓𝑏𝑞 𝑤𝑣𝑚𝑜𝑓𝑠𝑏𝑐𝑗𝑚𝑗𝑢𝑗𝑓𝑡 = 233 604 = 39% From “Killing Uninitialized Memory: Protecting the OS Without Destroying Performance”, Joe Bialek and Shayne Hiet-Block, CppCon 2019 2

  3. Heap exploitation techniques (HETs) are preferable methods to exploit heap vulnerabilities • Abuse underlying allocator to achieve more powerful primitives (e.g., arbitrary write) for control hijacking • Application-agnostic: rely on only underlying allocators • Powerful: e.g., off-by-one null byte overflow à arbitrary code execution • Used to compromise (in 2019) 3

  4. Example: unlink() in ptmalloc2 fd fd bk bk fd fd bk bk fd fd bk bk Chunk Chunk Chunk Chunk Chunk Chunk unlink(): P->fd->bk = P->bk P->bk->fd = P->fd 4

  5. Example: unlink() in ptmalloc2 fd fd bk bk fd fd bk bk fd fd bk bk Chunk Chunk Chunk Chunk Chunk Chunk unlink(): P->fd->bk = P->bk P->bk->fd = P->fd 5

  6. Example: Unsafe unlink() in the presence of memory corruptions (e.g., overflow) fp fptr tr Obje bject ct fd fd bk bk addr ddr fd fd evi bk bk vil fd fd bk bk Chunk Chunk Chunk Chunk Chunk Chunk unlink(): P->fd->bk = P->bk => fptr = evil 6

  7. Security checks are introduced in the allocator to prevent such exploitations unlink(): assert(P->fd->bk == P); P->fd->bk = P->bk This check is still by bypassable , but it makes HET more co complicated 7

  8. Researchers have been studied reusable HETs to handle such complexities All analyses are manual, ad-hoc, and allocator-specific! 8

  9. Problem 1: Existing analyses are highly biased to certain allocators ptmalloc2 (Linux allocator) tcmalloc DieHarder mimalloc mesh jemalloc scudo Freeguard 9

  10. Problem2: A manual re-analysis is required in the changes of an allocator’s implementation ptmalloc2 (Linux allocator) A new feature: thread-local cache (tcache) Question: How to find HETs automatically? 10

  11. Our key idea: ArcHeap autonomously explore spaces similar to fuzzing! “ ” HET 11

  12. Technical challenges Lack of an efficient way to evaluate HETs Large search space HET 12

  13. Technical challenges Lack of an efficient way to evaluate HETs Large search space HET 13

  14. Search space consisting of heap actions is enormous size(p) x 2 64 2 64 malloc(sz) free(p) p[i]=v buf[i]=v Allocation Deallocation Heap write Buffer write Legitimate actions Search space can be reduced using model-based search common designs of allocators! based on co p[i overflow ]=v p freed [i]=v free(p freed ) free(p non-heap ) Overflow Write-after-free Double free Arbitrary free Buggy actions 14

  15. Common design 1: Binning • Specially managing chunks in different size groups • Small chunks: Performance is more important • Large chunks: Memory footprint is more important • e.g., ptmalloc • fast bin (< 128 bytes): no merging in free chunks • small bin ( < 1024 bytes): merging is enabled • Sampling a size uniformly in the 2 64 space è P(fast bin) = 2 -57 15

  16. ArcHeap selects an allocation size aware of binning • Sampling in exponentially distant size groups • ArcHeap partitions an allocation size into four groups: (2 0 , 2 5 ], (2 5 , 2 10 ], (2 10 , 2 15 ], and (2 15 , 2 20 ] • Then, it selects a group and then selects a size in the group uniformly • e.g., P(fast bin) > P(selecting a first group) = ¼ 16

  17. Other common designs: Cardinal data and In-place metadata • Cardinal data: Metadata in a chunk are either sizes or pointers, but not other random values • In-place metadata: Allocators place metadata near its chunk’s start or end for locality 17

  18. Cardinal data and In-place metadata reduce search space in data writes Random size Size Other chunk’s size Other chunk p[i]=v Pointer Heap write Buffer 0xdeadbeef Container An array that stores chunks -8 ~ 8 1337 18

  19. Technical challenges Lack of an efficient way to evaluate HETs Large search space HET 19

  20. Automatically synthesizing full exploits is inappropriate in evaluating HETs • Difficult: e.g., In the DAPRA CGC competition, on only on one e hea eap bug was successfully exploited by the-state-of-the-art systems • Inefficient: Takes a few seconds, minutes, or even hours for one try • Application-dependent: A HET, which is not useful in a certain application, may be useful in general 20

  21. Our idea: Evaluating impacts of exploitations (i.e., detecting broken invariants that have security implications) 1. Allocated memory should not be overlapped with pre-allocated memory Easy to detect: Check • Overlapping chunks: Can corrupt other chunk’s data this at every allocation • Arbitrary chunks: Can corrupt global data 2. An allocator should not modify memory, which is not under its control (i.e., heap) • Arbitrary writes How about this? • Restricted writes (NOTE: should be efficient) 21

  22. Shadow memory can detect arbitrary writes and restricted writes • Maintain external consistency • Check divergence container[i] = malloc(sz) malloc(sz) free(p) Allocation container shadow [i] = malloc(sz) Deallocation Divergence can only happen Allocation p[i]=v in the internal of allocators buf[i]=v Heap write buf[i]=v Buffer write buf shadow [i]=v CHECK: equal(container, container shadow ) Buffer write equal(buf, buf shadow ) 22

  23. ArcHeap provides a minimized PoC code for further analysis • Proof-of-Concept code: Converting actions into C code • Trivial, because they have one-to-one mapping • Minimize the PoC code using delta-debugging • Idea: Eliminate an action, which is not necessary for triggering the impact of exploitations • Details can be found in our paper 23

  24. Evaluation questions 1. How effective is ArcHeap in finding new HETs, compared to the existing tool, HeapHopper? 2. How general is ArcHeap’s approach? 24

  25. ArcHeap discovered five new HETs in ptmalloc2, which cannot be found by HeapHopper • Unsorted bin into stack: Write-after-free à Arbitrary chunk • Requires fewer steps (5 steps vs 9 steps) • House of unsorted einherjar: Off-by-one write à Arbitrary chunk • No require heap address leak • Unaligned double free: Double free à Overlapping chunk cannot be discovered by HeapHopper because of its All HETS ca • First HET targets small bin chunks, which have more checks than fast bin scalability issue (i.e., symbolic execution + model checking) • Overlapping chunks using a small bin : Overflow à Overlapping chunk • Fast bin into other bin: Write-after-free à Arbitrary chunk 25

  26. ArcHeap is generic enough to test various allocators • Tested 10 different allocators • Cannot find HETs in LLVM Scudo, FreeGuard, and Guarder, which are “secure allocators” Even found HETs in Works for ptmalloc2- “secure” allocators unrelated allocators 26

  27. Case study1: Double free à Overlapping chunks in DieHarder and mimalloc-secure // [PRE-CONDITION] // lsz : large size (> 64 KB) // xlsz: more large size (>= lsz + 4KB) // [BUG] double free Double free large chunk è // [POST-CONDITION] Overlapping chunk // p2 == malloc(lsz); void* p0 = malloc(lsz); free(p0); void* p1 = malloc(xlsz); // [BUG] free 'p0' again free(p0); Same thing happens in both void* p2 = malloc(lsz); free(p1); DieHarder and mimalloc assert(p2 == malloc(lsz)); 27

  28. Interestingly, these issues are irrelevant Me: Is mimalloc free(p large ) related to DieHarder? DieHarder unmap(p large ) No No ch check eck! Mimalloc developer: mimalloc Wr Wrong check(p large ) No! ch check eck! 28

  29. Our PoC has been added in a mimalloc’s regression test 29

  30. Case study 2: Overflow à Arbitrary chunk in dlmalloc-2.8.6 • dlmalloc: ancestor of ptmalloc2 but has been diverged after its fork void* p0 = malloc(sz); void* p1 = malloc(xlsz); void* p2 = malloc(lsz); Looks complicated… void* p3 = malloc(sz); // [BUG] overflowing p3 to overwrite top chunk struct malloc_chunk *tc = raw_to_chunk(p3 + chunk_size(sz)); tc->size = 0; void* p4 = malloc(fsz); void* p5 = malloc(dst - p4 - chunk_size(fsz) \ - offsetof( struct malloc_chunk, fd)); assert(dst == malloc(sz)); 30

  31. Its root cause is more complicated! // Make top chunk available void* p0 = malloc(sz); // Set mr.mflags |= USE_NONCONTIGUOUS_BIT void* p1 = malloc(xlsz); // Current top size < lsz (4096) and no available bins, so dlmalloc calls sys_alloc // Instead of using sbrk(), it inserts current top chunk into treebins // and set mmapped area as a new top chunk because of the non-continous bit void* p2 = malloc(lsz); Easy to miss by manual analysis void* p3 = malloc(sz); è Shows benefits of // [BUG] overflowing p3 to overwrite treebins struct malloc_chunk *tc = raw_to_chunk(p3 + chunk_size(sz)); automated methods! tc->size = 0; // dlmalloc believes that treebins (i.e., top chunk) has enough size // However, underflow happens because its size is actually zero void* p4 = malloc(fsz); // Similar to house-of-force, we can allocate an arbitrary chunk void* p5 = malloc(dst - p4 - chunk_size(fsz) \ - offsetof( struct malloc_chunk, fd)); assert(dst == malloc(sz)); 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Understanding the heap by breaking it A case study of the heap as a persistent data structure

Understanding the heap by breaking it A case study of the heap as a persistent data structure

Understanding the heap by breaking it A case study of the heap as a persistent data structure through non-traditional exploitation techniques Justin N. Ferguson // BH2007 The heap, what is it? Globally scoped data structure

906 views • 58 slides
PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

ERIE COUNTY DEPARTMENT OF SOCIAL SERVICES Program Overview PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low income households to reduce energy expense s. HEAP PROGRAMS Regular HEAP Available

531 views • 14 slides
Automatic Defect Detection Andrzej Wasylkowski Overview Automatic Defect Detection

Automatic Defect Detection Andrzej Wasylkowski Overview Automatic Defect Detection

Automatic Defect Detection Andrzej Wasylkowski Overview Automatic Defect Detection Horizontal Techniques Specification-checking Techniques Mining-based Techniques Mining Repositories Mining Traces Mining Source Code Mining

683 views • 44 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
GC Assertions: Using the Garbage Collector to check heap properties Shirley Gracelyn February

GC Assertions: Using the Garbage Collector to check heap properties Shirley Gracelyn February

GC Assertions: Using the Garbage Collector to check heap properties Shirley Gracelyn February 16, 2011 Motivation 1 Automatic memory management frees some burden from programmers 2 Fewer memory management errors Motivation 1 Automatic memory

278 views • 26 slides
Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The binomial heap allows for efficient union, which can not be done efficiently in the binary heap. The extra cost paid is the minimum operation, which

560 views • 24 slides
Compilation Techniques for Automatic Extraction of Parallelism and Locality in Heterogeneous

Compilation Techniques for Automatic Extraction of Parallelism and Locality in Heterogeneous

Compilation Techniques for Automatic Extraction of Parallelism and Locality in Heterogeneous Architectures Jos M. Andin P H D A DVISORS : Gabriel Rodrguez and Manuel Arenaz Outline 1. Introduction 2. A Novel Compiler Support for

1.55k views • 122 slides
When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's first hire in July, 2013. Previously an engineer at Palantir. Studied Math &amp; CS at Stanford. What we'll talk about: 1. What is Heap? 2.

695 views • 47 slides
heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O ( n ) analysis via picture (learn) or using summations (know result) data structures and algorithms building a heap one-by-one in O ( n log n ) 2020

672 views • 7 slides
Dynamic Memory Allocation in the Heap (malloc and free) Now: Explicit allocators (a.k.a. manual

Dynamic Memory Allocation in the Heap (malloc and free) Now: Explicit allocators (a.k.a. manual

Dynamic Memory Allocation in the Heap (malloc and free) Now: Explicit allocators (a.k.a. manual memory management) Later: implicit allocators (a.k.a. automatic memory management) Heap Allocation Addr Perm Contents Managed by Initialized

420 views • 31 slides
Collaborative feature location in models through automatic query expansion Human-Competitive

Collaborative feature location in models through automatic query expansion Human-Competitive

Collaborative feature location in models through automatic query expansion Human-Competitive Awards 2019 GECCO 2019 Francisca Prez Jaime Font Lorena Arcega Carlos Cetina The EA locates Features (building blocks) for systematically

274 views • 14 slides
Towards a semi-automatic functional annotation tool based on decision tree techniques J. Az 1 L.

Towards a semi-automatic functional annotation tool based on decision tree techniques J. Az 1 L.

Towards a semi-automatic functional annotation tool based on decision tree techniques J. Az 1 L. Gentils 1 C. Toffano-Nioche 1 V. Loux 2 J-F. Gibrat 2 . Bessires 2 C. Rouveirol 3 A. Poupon 4 P C. Froidevaux 1 1 LRI UMR 8623 CNRS, Univ.

624 views • 51 slides
Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7 7 11 8 8 9 7 7 11 8 10 10 input array = [-, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11] Start at rightmost array position that has a child.

522 views • 9 slides
10 Years After: Automatic Software Generation and Improvement Through Search Based Techniques

10 Years After: Automatic Software Generation and Improvement Through Search Based Techniques

10 Years After: Automatic Software Generation and Improvement Through Search Based Techniques Dr. Andrea Arcuri Westerdals Oslo ACT University of Luxembourg arcand@westerdals.no While in my first year of PhD in 2006-2007 Working on SBST

214 views • 19 slides
Welcome tEa Session 14 14 Se Sept ptembe mber r 20 2020 20 Discover Victoria Discover

Welcome tEa Session 14 14 Se Sept ptembe mber r 20 2020 20 Discover Victoria Discover

Discover Victoria Discover You Direct School Admission Welcome tEa Session 14 14 Se Sept ptembe mber r 20 2020 20 Discover Victoria Discover You The Curriculum &amp; Learning Experience Broad-Based Holistic

600 views • 33 slides
TREATMENT FOR PTSD/SUD The Fear Structure A fear structure is a program for escaping danger

TREATMENT FOR PTSD/SUD The Fear Structure A fear structure is a program for escaping danger

PROLONGED EXPOSURE AS A TREATMENT FOR PTSD/SUD The Fear Structure A fear structure is a program for escaping danger It includes information about: The feared stimuli The fear response The meaning of stimuli and responses

488 views • 12 slides
The Institute for Advanced Architectures and Algorithms (IAA) David H. Rogers Sudip Dosanjh

The Institute for Advanced Architectures and Algorithms (IAA) David H. Rogers Sudip Dosanjh

The Institute for Advanced Architectures and Algorithms (IAA) David H. Rogers Sudip Dosanjh Sandia National Laboratories Sandia is a Multiprogram Laboratory Operated by Sandia Corporation, a Lockheed Martin Company, for the United States

665 views • 22 slides
Postoperative Cognitive Decline Noise or Signals? Jacqueline M. Leung, MD, MPH Professor

Postoperative Cognitive Decline Noise or Signals? Jacqueline M. Leung, MD, MPH Professor

1 Postoperative Cognitive Decline Noise or Signals? Jacqueline M. Leung, MD, MPH Professor &amp; Vice Chair of Academic Affairs Department of Anesthesia &amp; Perioperative Care University of California, San Francisco 1 Disclosures

508 views • 23 slides
THE DATACENTER NEEDS AN OPERATING SYSTEM MATEI ZAHARIA, BENJAMIN HINDMAN, ANDY KONWINSKI, ALI

THE DATACENTER NEEDS AN OPERATING SYSTEM MATEI ZAHARIA, BENJAMIN HINDMAN, ANDY KONWINSKI, ALI

THE DATACENTER NEEDS AN OPERATING SYSTEM MATEI ZAHARIA, BENJAMIN HINDMAN, ANDY KONWINSKI, ALI GHODSI, ANTHONY JOSEPH, RANDY KATZ, SCOTT SHENKER, ION STOICA UC BERKELEY THE DATACENTER IS THE NEW COMPUTER Running todays most popular

182 views • 14 slides
0DAF F9H:8AIF

0DAF F9H:8AIF

0DAF F9H:8AIF HD9HLDFDCJDA8HA.DFL 1CFI -I ,DMF8AJHM 3DC - .98A-39DHH

805 views • 19 slides
in Virtual Memory Systems Presented by Michael Jantz Contributions from Carl Strickland, Kshitij

in Virtual Memory Systems Presented by Michael Jantz Contributions from Carl Strickland, Kshitij

A Framework for Application Guidance in Virtual Memory Systems Presented by Michael Jantz Contributions from Carl Strickland, Kshitij Doshi, Martin Dimitrov, and Karthik Kumar 1 Executive Summary Memory has become a significant player in

667 views • 33 slides
st st r tr

st st r tr

st st r tr rst r r rst tr Ps

362 views • 22 slides
Main Memory Prof. Bracy and Van Renesse CS 4410 Cornell University based on slides designed by

Main Memory Prof. Bracy and Van Renesse CS 4410 Cornell University based on slides designed by

Main Memory Prof. Bracy and Van Renesse CS 4410 Cornell University based on slides designed by Prof. Sirer Agenda Review Address Translation Caching and Virtual Memory Virtualizing Resources Physical Reality: different

1.29k views • 79 slides

More recommend