Top

Published in:

2019 | OriginalPaper | Chapter

Memory Categorization: Separating Attacker-Controlled Data

Authors : Matthias Neugschwandtner, Alessandro Sorniotti, Anil Kurmus

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Memory corruption attacks against software written in C or C++ are still prevalent and remain a significant cause of security breaches. Defenses providing full memory safety remain expensive, and leaner defenses only addressing control-flow data are insufficient.

We introduce memory categorization, an approach to separate data based on attacker control to mitigate the exploitation of memory corruption vulnerabilities such as use-after-free and use-after-return. MemCat implements this approach by: (i) providing separate memory allocators for different data categories, (ii) categorizing the use of memory allocations, (iii) changing allocations to take advantage of the categorization.

We demonstrate the effectiveness of MemCat in a case study on actual vulnerabilities in real-world programs. We further show that, although our prototype implementation causes a high overhead in two edge cases, in most cases the performance hit remains negligible, with a median overhead of less than 3% on the SPEC benchmark suite.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware

next chapter TypeMiner: Recovering Types in Binary Programs Using Machine Learning

Abadi, M., Budiu, M., Erlingsson, Ú, Ligatti, J.: Control-flow integrity. In: ACM Conference on Computer and Communications Security (CCS) (2005)

Akritidis, P.: Cling: a memory allocator to mitigate dangling pointers. In: USENIX Security Symposium (2010)

Akritidis, P., Cadar, C., Raiciu, C., Costa, M., Castro, M.: Preventing memory error exploits with WIT. In: IEEE Symposium on Security and Privacy (2008)

LAndersen, L.O.: Program Analysis and Specialization for the C Programming Language. Carnegie Mellon University (1994)

Bosman, E., Slowinska, A., Bos, H.: Minemu: the world’s fastest taint tracker. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23644-0_1CrossRef

Brand, M., Evans, C.: Significant flash exploit mitigations are live in v18.0.0.209 (2015). https://googleprojectzero.blogspot.com/2015/07/significant-flash-exploit-mitigations16.html

busybox. https://busybox.net/

Carlini, N., Barresi, A., Payer, M., Wagner, D., Gross, T.R.: Control-flow bending: on the effectiveness of control-flow integrity. In: USENIX Security Symposium (USENIX SEC) (2015)

Carr, S.A., Payer, M.: DataShield: configurable data confidentiality and integrity. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. ASIA CCS 2017 (2017)

10.

Castro, M., Costa, M., Harris, T.: Securing software by enforcing data-flow integrity. In: Symposium on Operating Systems Design and Implementation (2006)

11.

Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: Proceedings of the 14th Conference on USENIX Security Symposium, vol. 14, p. 12 (2005)

12.

Chen, X., Slowinska, A., Bos, H.: Who allocated my memory? Detecting custom memory allocators in C binaries. In: Proceedings of the Working Conference on Reverse Engineering (WCRE) (2013)

13.

Disassembler Library for x86 and x86–64. https://github.com/vmt/udis86

14.

Dropbear. https://matt.ucc.asn.au/dropbear/dropbear.html

15.

Electric Fence. https://github.com/kallisti5/ElectricFence

16.

Goktas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control- flow integrity. In: IEEE Symposium on Security and Privacy (Oakland) (2014)

17.

Kang, M.G., McCamant, S., Poosankam, P., Song, D.: DTA++: dynamic taint analysis with targeted control-flow propagation. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2011)

18.

Kemerlis, V.P., Portokalidis, G., Jee, K., Keromytis, A.D.: Libdft: practical dynamic data flow tracking for commodity systems. In: ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments (2012)

19.

Kroes, T., et al.: BinRec: attack surface reduction through dynamic binary recovery. In: Proceedings of the 2018 Workshop on Forming an Ecosystem Around Software Transformation, FEAST 2018 (2018)

20.

Kurmus, A., Zippel, R.: A tale of two kernels: towards ending kernel hardening wars with split kernel. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014 (2014)

21.

Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., Song, D.: Code-pointer integrity. In: USENIX Symposium on Operating Systems Design and Implementation (OSDI) (2014)

22.

Lee, B., et al.: Preventing use-after-free with dangling pointers nullification. In: NDSS (2015)

23.

Lettner, J., Song, D., Park, T., Larsen, P., Volckaert, S., Franz, M.: PartiSan: fast and flexible sanitization via run-time partitioning. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 403–422. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00470-5_19CrossRef

24.

Moerbeek, O.: A new malloc(3) for OpenBSD. In: EuroBSDCon (2009)

25.

MWR. Isolated Heap & Friends: Object Allocation Hardening in Web Browsers (2014). https://labs.mwrinfosecurity.com/blog/isolated-heap-friends-object-allocation-hardening-in-web-browsers/

26.

Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: CETS: compiler enforced temporal safety for C. In: Proceedings of the 2010 International Symposium on Memory Management, ISMM 2010 (2010)

27.

Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: SoftBound: highly compatible and complete spatial memory safety for C. In: Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2009 (2009)

28.

Nikiforakis, N., Piessens, F., Joosen, W.: HeapSentry: kernel-assisted protection against heap overflows. In: Rieck, K., Stewin, P., Seifert, J.-P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 177–196. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39235-1_11CrossRef

29.

Novark, G., Berger, E.D.: DieHarder: securing the heap. In: ACM Conference on Computer and Communications Security (2010)

30.

OpenSSL. https://www.openssl.org/

31.

Page Heap. https://msdn.microsoft.com/en-us/library/ms220938(v=vs.90).aspx

32.

Pereira, F.M.Q., Berlin, D.: Wave propagation and deep propagation for pointer analysis. In: IEEE/ACM International Symposium on Code Generation and Optimization (2009)

33.

perf. https://perf.wiki.kernel.org

34.

Qin, F., Wang, C., Li, Z., Kim, H.S., Zhou, Y., Wu, Y.: LIFT: a low-overhead practical information flow tracking system for detecting security attacks. In: IEEE/ACM International Symposium on Microarchitecture (2006)

35.

SafeStack (2017). http://clang.llvm.org/docs/SafeStack.html

36.

Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.R., Holz, T.: Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications. In: IEEE Symposium on Security and Privacy (Oakland) (2015)

37.

Silvanovich, N.: Life After the Isolated Heap (2016). https://googleprojectzero.blogspot.com/2016/03/lifeafter-isolated-heap.html

38.

Slowinska, A., Bos, H.: Pointless tainting?: Evaluating the practicality of pointer tainting. In: ACM European Conference on Computer Systems (2009)

39.

SPEC (2006). https://www.spec.org/cpu2006/

40.

Sui, Y., Xue, J.: SVF: interprocedural static value-flow analysis in LLVM. In: International Conference on Compiler Construction (2016)

41.

Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: IEEE Symposium on Security and Privacy (Oakland) (2013)

42.

Wagner, J., Kuznetsov, V., Candea, G., Kinder, J.: High system-code security with low overhead. In: Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP 2015, pp. 866–879 (2015)

43.

Younan, Y.: FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers. In: Internet Society Symposium on Network and Distributed Systems Security (2015)

Title: Memory Categorization: Separating Attacker-Controlled Data
Authors: Matthias Neugschwandtner
Alessandro Sorniotti
Anil Kurmus
Publisher: Springer International Publishing
Book: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-030-22037-2

Electronic ISBN: 978-3-030-22038-9

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-22038-9_13

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner