FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers

Use-after-free vulnerabilities have become an important class of security problems because mitigations now exist that protect against other types of vulnerabilities. The effects of their exploitation can be just as devastating as exploiting a buffer overflow, potentially resulting in full code execution within the vulnerable program. Few protections exist against these types of vulnerabilities, and they are particularly hard to discover through manual code inspection. In this paper we present FreeSentry: a mitigation that protects against use-after-free vulnerabilities by inserting dynamic runtime checks that invalidate pointers when the associated memory is released. If such an invalidated pointer is accessed, the program will subsequently crash, preventing an attacker from exploiting the vulnerability. When checking dynamically allocated memory, our approach has a moderate performance overhead on the SPEC CPU benchmarks, with a geometric mean performance impact of around 25%. It has no overhead when deployed on widely used server-side daemons such as OpenSSH or the Apache HTTP daemon. FreeSentry also discovered a previously unknown use-after-free vulnerability in one of the programs in the SPEC CPU2000 benchmarks, perlbmk. This vulnerability seems to have been missed by other mitigations.
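The mechanism the abstract describes, invalidating every pointer to an object at the moment the object is released, is shown below as an added example written for this page; it is not FreeSentry's code and does not reproduce its compiler pass or its data structures. The example keeps a small table of live heap objects, records the addresses of pointer variables that point into each object (the `register_pointer` calls that a compiler pass would insert automatically at pointer stores are written by hand here), and on `tracked_free` overwrites every recorded pointer with a sentinel address so a later dereference faults instead of reading reused memory. The function names, the table sizes and the `INVALIDATED` sentinel value are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hand-written model of "invalidate pointers on free" (added example, not
 * FreeSentry's implementation). A compiler pass would insert the register
 * calls at every pointer store; here they are placed by hand. */

#define MAX_OBJECTS 64   /* assumed table sizes */
#define MAX_REGS    16

/* Sentinel written into every registered pointer when its object is released.
 * Unmapped in ordinary processes, so a later dereference faults immediately
 * instead of silently touching whatever reused the freed memory (assumed value). */
#define INVALIDATED ((void *)(uintptr_t)0xdeadbeefULL)

typedef struct {
    char *base;             /* start of the live allocation, NULL when the slot is unused */
    size_t size;
    void **regs[MAX_REGS];  /* addresses of pointer variables that point into the object */
    int nregs;
} tracked_object;

static tracked_object objects[MAX_OBJECTS];

/* Locate the tracked object containing address p, or NULL if p is not tracked. */
static tracked_object *find_object(const void *p) {
    const char *cp = (const char *)p;
    for (int i = 0; i < MAX_OBJECTS; i++) {
        tracked_object *o = &objects[i];
        if (o->base && cp >= o->base && cp < o->base + o->size)
            return o;
    }
    return NULL;
}

/* Allocate an object and start tracking it; NULL if malloc fails or the table is full. */
void *tracked_malloc(size_t size) {
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (objects[i].base == NULL) {
            void *mem = malloc(size);
            if (!mem) return NULL;
            objects[i].base = (char *)mem;
            objects[i].size = size;
            objects[i].nregs = 0;
            return mem;
        }
    }
    return NULL;
}

/* Drop slot from whichever object it was registered with: a pointer variable that
 * is reassigned must not be clobbered later when its previous target is freed. */
static void unregister_pointer(void **slot) {
    for (int i = 0; i < MAX_OBJECTS; i++) {
        tracked_object *o = &objects[i];
        for (int j = 0; j < o->nregs; j++) {
            if (o->regs[j] == slot) {
                o->regs[j] = o->regs[--o->nregs];
                return;
            }
        }
    }
}

/* Record that the pointer variable at slot currently points into a tracked object.
 * Returns 1 when registered, 0 when *slot points outside every tracked object (or
 * the per-object table is full), in which case that pointer will not be invalidated. */
int register_pointer(void **slot) {
    unregister_pointer(slot);
    tracked_object *o = find_object(*slot);
    if (!o || o->nregs >= MAX_REGS) return 0;
    o->regs[o->nregs++] = slot;
    return 1;
}

/* Release the object containing p and invalidate every registered pointer to it.
 * Returns the number of pointers invalidated, or -1 if p is not a tracked object. */
int tracked_free(void *p) {
    tracked_object *o = find_object(p);
    if (!o) return -1;
    int n = o->nregs;
    for (int j = 0; j < n; j++)
        *o->regs[j] = INVALIDATED;   /* every alias now points at the sentinel */
    free(o->base);
    o->base = NULL;
    o->nregs = 0;
    return n;
}

/* 1 if the pointer was invalidated by tracked_free, 0 otherwise. */
int is_invalidated(const void *p) {
    return p == INVALIDATED;
}

/* Classic dangling-pointer pattern: two aliases of one object, one alias frees it.
 * Returns 1 if both aliases were invalidated, 0 if one of them still dangles. */
int demo_dangling(void) {
    char *owner = (char *)tracked_malloc(32);
    char *alias = owner;                    /* second reference to the same object */
    register_pointer((void **)&owner);
    register_pointer((void **)&alias);
    tracked_free(owner);                    /* overwrites owner and alias */
    return is_invalidated(alias) && is_invalidated(owner);
}
```

Two details matter in practice and are reflected above: a pointer variable that is reassigned must be unregistered from its old object, otherwise freeing that object would corrupt an unrelated live pointer; and pointers the instrumentation never saw (here, any pointer that was not passed to `register_pointer`) remain dangling, which is why coverage of every pointer store by the compiler pass is what makes such a scheme effective.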
