cling: a memory allocator to mitigate dangling pointershy457/reports/cling-slides.pdfheap metadata...
TRANSCRIPT
Cling: A Memory Allocator to Mitigate Dangling Pointers
Periklis Akritidis --2010
Use-after-free Vulnerabilities
Accessing Memory Through Dangling Pointers
Techniques : Heap Spraying, Feng Shui
Manual memory management is error prone
Existing techniques have several disadvantages
2
Dangling Pointer Attacks
Use-after-free errors are temporal memory
safety violations
Access the contents of some other object that happens to occupy the memory at the time
Placing a buffer with attacker data is complicated
Solution is the use of Heap Spraying.
3
Dangling Pointer Attacks II
C++ objects contain pointers to virtual tables (vtables)
Obstacle: freed object's pointer aligned with new object's pointer
Solution: Use of multiple inheritance objects
Attacks not limited to control flow
Hijacking Data Fields
Writing to an arbitrary memory location
Information Leaks
4
Naive Defence
Avoiding Address Space Reuse
Has 3 Major Disadvantages:
Address space exhaustion.
Limited reuseable physical memory. Memory overhead of solving this is too high.
High rate of system calls. Redusing this leads to higher memory consumption.
5
Type-Safe Memory Reuse
• Allows dangling pointers only to objects of same type and alignment
• Shared vtable pointers are at the same offsets
6
Example of type-safe memory reuse
7
Type-safe memory reuse still enables attacks
• Data structures holding credentials or access control information
• Buffer size stored separately from data
can be detected through spatial protection mechanisms
8
Cling Memory Allocator
• Does not use free memory for metadata
• Only allows type-safe address reuse
• Achieves these without sacrificing performance
9
Heap Metadata
In-band attack:
• Heap based overflows can corrupt
allocator metadata
Defense:
• Sanity checks on free list pointers
• Using heap canaries
Cannot prevent use-after-free
vulnerabilities
10
Out-of-Band Heap Metadata
• Cling: Two-level allocation scheme
• Non-intrusive linked lists chain
large memory chunks
• Small allocations carved
out of buckets using bitmaps
11
Type-Safe Address Space Reuse
Two challenges need to be addressed:
• Semantic gap between runtime and compile time availability of type info
• Memory overhead caused by pools
12
Pools
Group of memory addresses dedicated for the allocation of a single type
13
Type-Safe Address Space Reuse
Observations towards solution:
• security maintained even if memory reuse is over-constrained
• in C/C++ programs, an allocation site typically allocates objects of a single type or arrays of objects of a single type, which can safely share a pool
14
One complication
• Array elements not aligned if block size not multiple of object size
• Solution: pool allocations according to size
15
Type-Safe Address Space Reuse
What about overhead?
• physical memory, unlike address space, can be safely reused across pools
• Cling returns individual blocks of memory to the operating system once completely free
• Deallocated memory accessed through a dangling pointer will either continue to hold the data of the intended object, or will be zero-filled by the OS
16
Heap organization
17
Cling Architecture
18
Wrappers
• A wrapper function ’s main purpose is to call a subroutine or a system call (like malloc) with little or no additional computation.
• Wrappers obscure real allocation site
• Cling cannot associate it with a distinct pool
/* This function wraps the real malloc */
void * __wrap_malloc (size_t size) {
void *lptr = __real_malloc(size);
printf("Malloc: %lu bytes @%p\n", size, lptr);
return lptr;
}
19
Clings’ challenges:
1. Discover wrappers • Cling initiates a probing mechanism after observing a single allocation
site requesting multiple allocation sizes
• interpose on return of potential wrapper
• check if returned value matches most recent allocation
• allocation sites identified as potential wrappers are marked
20
Clings’ challenges:
2. Unwinding malloc wrappers • Cling unwinds one more stack level
• Stores the stack offset of wrappers’ return addresses
• When a new allocation site is that was retrieved using a stored stack offset is found, unwind (using libunwind) is performed to confirm the allocation site’s validity
21
Limitations
• Cannot prevent use-after-free attacks targeting data such as credentials a dangling pointer that used to point to the credentials of one user may
end up pointing to the credentials of another user
• Cling cannot prevent unsafe reuse of stack allocated objects a function erroneously returns a pointer to a local variable
22
Limitations ΙΙ
• Cling relies on mapping allocation sites to object types. When a program has contrived flow of control, that is obscured. int size = condition ? sizeof( struct A) : sizeof(struct B);
void *obj = malloc(size);
• Usability in 32-bit platforms with scarce address space is limited
23
Implementation
• Cling comes as a shared library providing implementations for malloc and new
• It can be preloaded with platform specific mechanisms to override the system’s memory allocation routines at program load time
If you set LD_PRELOAD to the path of a shared object, that file will be
loaded before any other library (including the C runtime, libc.so).
$ LD_PRELOAD=/path/to/my/malloc.so/bin/ls)
24
Experimental Evaluation
• Goal: CPU, physical memory & virtual address space overheads of Cling vs GNU libc allocator
• Two variations of Cling
• Without wrapper unwinding
• Using single pool
25
Testbeds
• SPEC CPU 2000 & 2006
• Results with at least 100K allocations
• espresso
• Mozilla Firefox
• Browsers prime target of use-after-free attacks)
26
Execution time
27
One vs. many pools
28
Memory
29
One vs. many pools
30
Address space
31
Effects of unwinding
32
Firefox memory
33
Firefox VM
34
References
• Wikipedia
• http://en.wikipedia.org/wiki/Wrapper_function
• Stack overflow
• http://stackoverflow.com/questions/426230/what-is-the-ld-preload-trick
• Paper
• Cling: A Memory Allocator to Mitigate Dangling Pointers , Periklis Akritidis
• Rest
• http://www.cs.cmu.edu/afs/cs/academic/class/15213-s03/src/interposition/mymalloc.c
• http://savannah.nongnu.org/projects/libunwind/
35