preventing use after free with dangling pointers
play

Preventing Use-after-free with Dangling Pointers Nullification - PowerPoint PPT Presentation

Jul 22, 2023 •482 likes •923 views

Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee , Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University Emerging Threat: Use-after-free

  1. Preventing Use-after-free with Dangling Pointers Nullification Byoungyoung Lee , Chengyu Song, Yeongjin Jang Tielei Wang, Taesoo Kim, Long Lu, Wenke Lee Georgia Institute of Technology Stony Brook University

  2. Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft, 2013 2

  3. Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft, 2013 2

  4. Emerging Threat: Use-after-free Software Vulnerability Exploitation Trends, Microsoft, 2013 2

  5. Emerging Threat: Use-after-free 13 Security-Critical 582 Security-High 107 12 0 0 Use-after-free Stack Heap Overflow Overflow The number of reported vulnerabilities in Chrome (2011-2013) 3

  6. Emerging Threat: Use-after-free 13 Security-Critical 582 Security-High 107 12 0 0 Use-after-free Stack Heap Overflow Overflow The number of reported vulnerabilities in Chrome (2011-2013) 3

  7. Use-after-free • A dangling pointer – A pointer points to a freed memory region • Using a dangling pointer leads to undefined program states – May lead to arbitrary code executions – so called use-after-free Preventing Use-after-free with Dangling Pointers Nullification 4

  8. Understanding Use-after-free class Doc : public Element { Doc *doc = new Doc(); // … Body *body = new Body(); Element *child; }; doc->child = body; class Body : public Element { delete body; // … Element *child; if (doc->child) }; doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 5

  9. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child doc->child = body; Body delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  10. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  11. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  12. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body Free an object delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  13. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; Body Free an object delete body; freed *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  14. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  15. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body Use a dangling pointer if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  16. Understanding Use-after-free Allocate objects Doc Doc *doc = new Doc(); Body *body = new Body(); *doc *child Propagate pointers doc->child = body; a dangling pointer Body Free an object delete body; freed *child *body Use a dangling pointer if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 6

  17. Why use-after-free is challenging Doc *doc Doc *doc = new Doc(); *child Body *body = new Body(); Div *div = new Div(); doc->child = body; Body body->child = div; delete body; *child *body if (doc->child) doc->child->getAlign(); Preventing Use-after-free with Dangling Pointers Nullification 7

  18. Why use-after-free is challenging Doc Doc *doc = new Doc(); *doc Doc *doc = new Doc(); *child Body *body = new Body(); if (doc->child) Div *div = new Div(); doc->child->getAlign(); doc->child = body; Body body->child = div; doc->child = body; delete body; *child delete body; *body if (doc->child) doc->child->getAlign(); Body *body = new Body(); Preventing Use-after-free with Dangling Pointers Nullification 7

  19. Why use-after-free is challenging Doc Doc *doc = new Doc(); *doc Doc *doc = new Doc(); *child Body *body = new Body(); if (doc->child) Div *div = new Div();  Reconstructing object relationships is challenging doc->child->getAlign(); doc->child = body; Body  Static analysis body->child = div; doc->child = body; delete body;  Modules are disconnected and scattered *child delete body; *body if (doc->child)  Difficult to serialize execution orders doc->child->getAlign(); Body *body = new Body();  Dynamic analysis  Tracing pointer semantics is non-trivial Preventing Use-after-free with Dangling Pointers Nullification 7

  20. Contributions • Present DangNull , which detects use-after-free – (sometimes) even surviving from use-after-free • Stop sophisticated attacks – Immediately eliminate security impacts of use-after-free • Support large-scale software – Protect popular apps including web browsers Preventing Use-after-free with Dangling Pointers Nullification 8

  21. Designs • Tracking Object Relationships – Intercept allocations/deallocations – Instrument pointer propagations • Nullify dangling pointers – A value in dangling pointers has no semantics – Dereferencing nullified pointers will turn into safe-null dereference Preventing Use-after-free with Dangling Pointers Nullification 9

  22. Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Preventing Use-after-free with Dangling Pointers Nullification 10

  23. Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Preventing Use-after-free with Dangling Pointers Nullification 10

  24. Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc Preventing Use-after-free with Dangling Pointers Nullification 10

  25. Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Insert shadow obj: - Base address of allocation - Size of Doc delete body; Preventing Use-after-free with Dangling Pointers Nullification 10

  26. Tracking Object Relationships • Intercept allocations/deallocations in runtime – Maintain Shadow Object Tree • Red-Black tree to efficiently keep object layout information • Node: (base address, size) pair Doc *doc = new Doc(); Remove shadow obj : - Using base address (body) Insert shadow obj: - Base address of allocation - Size of Doc delete body; Preventing Use-after-free with Dangling Pointers Nullification 10

  27. Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. doc->child = body; Doc *doc *child Body *body Preventing Use-after-free with Dangling Pointers Nullification 11

  28. Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. doc->child = body; doc->child = body; trace(&doc->child, body); Doc *doc *child Body *body Preventing Use-after-free with Dangling Pointers Nullification 11

  29. Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Doc *doc *child Shadow obj. of Body back fwd Body *body Preventing Use-after-free with Dangling Pointers Nullification 11

  30. Tracking Object Relationships • Instrument pointer propagations – Maintain backward/forward pointer trees for a shadow obj. Shadow obj. of Doc doc->child = body; doc->child = body; back fwd trace(&doc->child, body); Forward Doc *doc *child Shadow obj. of Body back fwd Body *body Preventing Use-after-free with Dangling Pointers Nullification 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual memory management is error prone

574 views • 35 slides
A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs

A checker for dangling string pointers in C++ in the Clang Static Analyzer Rka Kovcs Mentors: Artem Dergachev Etvs Lornd University, Budapest, Hungary Gbor Horvth rekanikolett@gmail.com Real-world example return

257 views • 9 slides
Automatic Garbage Collection Reference counting Automatically free dead objects For each

Automatic Garbage Collection Reference counting Automatically free dead objects For each

Automatic Garbage Collection Reference counting Automatically free dead objects For each heap-allocated object, maintain count of # of pointers to object no dangling pointers , no storage leaks (maybe) when create object, ref count = 0

246 views • 8 slides
Automatic Garbage Collection Reference counting Automatically free dead objects For each

Automatic Garbage Collection Reference counting Automatically free dead objects For each

Automatic Garbage Collection Reference counting Automatically free dead objects For each heap-allocated object, maintain count of # of pointers to object no dangling pointers , no storage leaks (maybe) when create object, ref count = 0

1.14k views • 5 slides
Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents

Dangling Pointer Dangling Pointer Jonathan Afek, 2/ 8/ 07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overriding Demonstrations Remediation Summary Q&A 2 What is a

543 views • 28 slides
The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June

The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June

The effects of dangling nodes on citation networks Erjia Yan & Ying Ding ISSI 2011 - June 30, 2011 Dangling nodes on the web Dangling nodes denote the nodes without outgoing links Some web pages do not contain any valid hyperlinks

467 views • 20 slides
Garbage collection Strategies for automatic memory management Memory management Explicit

Garbage collection Strategies for automatic memory management Memory management Explicit

Garbage collection Strategies for automatic memory management Memory management Explicit memory management: i.e., malloc(..) and free(..) are both explicit. A dangerous source of bugs (dangling pointers, leaks). Performance still

364 views • 18 slides
Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and

Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and

Outerjoin = with tuples padded with R S R . / S dangling . / n ulls and included in the result. A tuple is dangling if it do esn't join with an y other tuple. = R A B 1 2 3 4 = S B C 2 5 2

185 views • 18 slides
Topic 7 1. Defining and using pointers 2. Arrays and pointers 3. C and C++ strings 4.

Topic 7 1. Defining and using pointers 2. Arrays and pointers 3. C and C++ strings 4.

Topic 7 1. Defining and using pointers 2. Arrays and pointers 3. C and C++ strings 4. Dynamic memory allocation 5. Arrays and vectors of pointers 6. Problem solving: draw a picture 7. Classes of objects 8. Pointers and objects

613 views • 21 slides
Class Five You havent run screaming yet... Lets do pointers! pointers are one of the

Class Five You havent run screaming yet... Lets do pointers! pointers are one of the

The Code Liberation Foundation Lecture 5 Pointers Class Five You havent run screaming yet... Lets do pointers! pointers are one of the most powerful things about c++ A pointer is a variable that holds the address of another

608 views • 22 slides
Vector and Free Store (Pointers and Memory Allocation) Marco Chiarandini Department of

Vector and Free Store (Pointers and Memory Allocation) Marco Chiarandini Department of

DM560 Introduction to Programming in C++ Vector and Free Store (Pointers and Memory Allocation) Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark [ Based on slides by Bjarne Stroustrup ] Outline

1.42k views • 39 slides
Pointers III: Struct & Pointers 1 Structures What is

Pointers III: Struct & Pointers 1 Structures What is

Pointers III: Struct & Pointers 1 Structures What is a structure? One or more values, called members, with possibly dissimilar types that are

444 views • 26 slides
Pointers III: Struct & Pointers 1 Structures What is

Pointers III: Struct & Pointers 1 Structures What is

Pointers III: Struct & Pointers 1 Structures What is a structure? One or more values, called members, with possibly dissimilar types that are

531 views • 25 slides
Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our LC-3

Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our LC-3

Chapter 16 Pointers and Arrays Pointers and Arrays We've seen examples of both of these in our LC-3 programs; now we'll see them in C. Pointer Address of a variable in memory Allows us to indirectly access variables in other words,

1.1k views • 29 slides
Fundamentals of Programming Lecture 15 Hamed Rasifard 1 Outline Types of Pointers

Fundamentals of Programming Lecture 15 Hamed Rasifard 1 Outline Types of Pointers

Fundamentals of Programming Lecture 15 Hamed Rasifard 1 Outline Types of Pointers Arrays of Pointers Multiple Indirection Initializing Pointers Pointers to Functions Dynamic Memory Allocation 2 Types of Pointers

199 views • 19 slides
Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer

Pointers II 1 Outline Pointers arithmetic and others Functions & pointers 2 Pointer Arithmetic When you add to or subtract from a pointer, the amount by which you do that is multiplied by the size of the type the pointer points

689 views • 33 slides
Advanced Reactors and New Reactors Topics Briefing Commission Meeting February 6, 2020 1

Advanced Reactors and New Reactors Topics Briefing Commission Meeting February 6, 2020 1

Advanced Reactors and New Reactors Topics Briefing Commission Meeting February 6, 2020 1 Opening Remarks Margaret Doane Executive Director for Operations Vision and Direction for Regulatory Reviews of New and Advanced Reactors Robert

720 views • 32 slides
tinyurl.com/s382q4f Doing More with Google: Utilizing Google Products in Your Classroom Phoebe

tinyurl.com/s382q4f Doing More with Google: Utilizing Google Products in Your Classroom Phoebe

Google Workshop 1/10/20 Phoebe Li Chen & Andrew Shapira Welcome to our workshop! If you havent already filled out the pre-workshop survey, please do so now by going to this link: tinyurl.com/s382q4f Doing More with Google: Utilizing

476 views • 34 slides
Generating Embed Code from a Google Doc To get the code for embedding your slides: 1. Choose

Generating Embed Code from a Google Doc To get the code for embedding your slides: 1. Choose

Generating Embed Code from a Google Doc To get the code for embedding your slides: 1. Choose Publish to the web from the File menu. 2. From here, you can select the checkbox for Require viewers to sign in with their Pima Community College account

329 views • 4 slides
County 9-1-1 Cellular Surcharge Webinar June 15, 2017 Presented by: NYS Department of Taxation

County 9-1-1 Cellular Surcharge Webinar June 15, 2017 Presented by: NYS Department of Taxation

Establishing and Continuing Your County 9-1-1 Cellular Surcharge Webinar June 15, 2017 Presented by: NYS Department of Taxation and Finance New York State Association of Counties NYSAC | 540 Broadway, Fifth Floor | Albany, New York Current

305 views • 12 slides
LAW AND JUSTICE INTERIM COMMITTEE UPDATE September 14, 2020 The DOCs sentinel testing

LAW AND JUSTICE INTERIM COMMITTEE UPDATE September 14, 2020 The DOCs sentinel testing

MONTANA DEPARTMENT OF CORRECTIONS LAW AND JUSTICE INTERIM COMMITTEE UPDATE September 14, 2020 The DOCs sentinel testing efforts have resumed at DOC-run and DOC-contracted facilities (30-50 sentinel tests per week) Symptomatic testing

275 views • 12 slides
DISCUSS, PRESENT, REVIEW, REFLECT HOW TOS FOR ONLINE COLLABORATION Crystal Akers

DISCUSS, PRESENT, REVIEW, REFLECT HOW TOS FOR ONLINE COLLABORATION Crystal Akers

C. Akers DISCUSS, PRESENT, REVIEW, REFLECT HOW TOS FOR ONLINE COLLABORATION Crystal Akers cakers@linguistics.rutgers.edu C. Akers Why Collaborate Online? Because you teach online Because you teach face-to-face and want: More

517 views • 12 slides
Fedora Classroom Writing Fedora documentation 101 Presented by Adam Samalik Agenda

Fedora Classroom Writing Fedora documentation 101 Presented by Adam Samalik Agenda

Fedora Classroom Writing Fedora documentation 101 Presented by Adam Samalik Agenda Introduction The new site Antora The build engine Git The source control How The complete workflow Q&A Introduction The

349 views • 23 slides
Admixture of Poisson MRFs (APM): A Topic Model with Word Dependencies David Inouye*, Pradeep

Admixture of Poisson MRFs (APM): A Topic Model with Word Dependencies David Inouye*, Pradeep

Admixture of Poisson MRFs (APM): A Topic Model with Word Dependencies David Inouye*, Pradeep Ravikumar, Inderjit Dhillon Tuesday, June 24, 2014 * Presenter David Inouye*, Pradeep Ravikumar, Inderjit Dhillon Admixture of Poisson MRFs (ICML

672 views • 18 slides

More recommend