UFO: Predictive Concurrency Use-After-Free Detection

Use-After-Free (UAF) vulnerabilities are caused by a program operating on a dangling pointer and can be exploited to compromise critical software systems. While many tools exist to mitigate UAF vulnerabilities, UAF remains one of the most common attack vectors. UAF is particularly difficult to detect in concurrent programs, where a UAF may only occur under rare thread schedules. In this paper, we present a novel technique, UFO, that precisely predicts UAFs from a single observed execution trace, with no false positives and a provably higher detection capability than existing techniques. The key technical advancement of UFO is an extended maximal thread causality model that captures the largest possible set of feasible traces inferable from a given multithreaded execution trace. By formulating UAF detection as a constraint solving problem atop this model, we can explore a much larger thread scheduling space than classical happens-before based techniques. We have evaluated UFO on several real-world large complex C/C++ programs including Chromium and Firefox. UFO scales to real-world systems with hundreds of millions of events in their executions and has detected a large number of real concurrency UAFs.
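The abstract contrasts UFO's constraint-based maximal causality model with classical happens-before (HB) prediction. The following example, added here and not UFO's own code, implements that HB baseline in Python: it stamps one observed multithreaded trace with vector clocks (program order, fork/join, and observed unlock-to-lock edges) and reports every use that is not HB-ordered before a free of the same address, since some feasible reordering of the trace then places the free first. The event format, the thread ids, the lock name `m`, the address `p` and both traces are constructed for illustration; address reuse after a second allocation is deliberately not modelled.

```python
"""Happens-before predictive Use-After-Free detector over one observed trace.

Added example (not the UFO implementation). A use/free pair on the same
address is reported whenever the use is NOT ordered before the free by HB:
the reordering that puts the free first is then consistent with every HB
edge recorded in the trace, so the UAF is predicted from a single run.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    tid: int      # thread id (constructed)
    op: str       # alloc | use | free | lock | unlock | fork | join
    arg: object   # address for alloc/use/free, lock name, or child tid


def _join(a, b):
    """Componentwise maximum of two vector clocks."""
    return {t: max(a.get(t, 0), b.get(t, 0)) for t in set(a) | set(b)}


def _leq(a, b):
    """True iff clock a <= clock b componentwise, i.e. event(a) HB event(b)."""
    return all(v <= b.get(t, 0) for t, v in a.items())


def vector_clocks(trace):
    """Return one vector clock per event, index-aligned with the trace."""
    clocks = defaultdict(dict)   # thread id -> its current vector clock
    lock_release = {}            # lock name -> clock at its last unlock
    stamps = []
    for ev in trace:
        vc = clocks[ev.tid]
        if ev.op == "lock" and ev.arg in lock_release:
            vc = _join(vc, lock_release[ev.arg])   # observed unlock -> lock edge
        elif ev.op == "join":
            vc = _join(vc, clocks[ev.arg])          # child's last event -> join edge
        vc = dict(vc)
        vc[ev.tid] = vc.get(ev.tid, 0) + 1          # program-order tick
        clocks[ev.tid] = vc
        stamps.append(vc)
        if ev.op == "unlock":
            lock_release[ev.arg] = vc
        elif ev.op == "fork":
            clocks[ev.arg] = _join(clocks[ev.arg], vc)  # fork -> child's first event edge
    return stamps


def predict_uaf(trace):
    """Return (use_index, free_index, kind) for each HB-unordered use/free pair.

    kind is "observed" when the free already precedes the use in the trace
    and "predicted" when only a feasible reordering exposes the UAF.
    """
    stamps = vector_clocks(trace)
    allocs = {ev.arg: i for i, ev in enumerate(trace) if ev.op == "alloc"}
    findings = []
    for i, use in enumerate(trace):
        if use.op != "use":
            continue
        a = allocs.get(use.arg)
        if a is None or not _leq(stamps[a], stamps[i]):
            continue   # the use must be of this allocation (alloc HB use)
        for j, fr in enumerate(trace):
            if fr.op != "free" or fr.arg != use.arg:
                continue
            if _leq(stamps[i], stamps[j]):
                continue   # use HB free: the free cannot be reordered before it
            findings.append((i, j, "observed" if j < i else "predicted"))
    return findings


# Constructed trace: thread 2 frees p while thread 1's first use is unordered
# with it, and thread 1 uses p again after joining thread 2.
TRACE_UNPROTECTED = [
    Event(1, "alloc", "p"), Event(1, "fork", 2), Event(1, "use", "p"),
    Event(2, "lock", "m"), Event(2, "free", "p"), Event(2, "unlock", "m"),
    Event(1, "join", 2), Event(1, "use", "p"),
]

# Constructed trace: the same program with thread 1's use inside lock m,
# observed before thread 2 acquired m.
TRACE_LOCKED = [
    Event(1, "alloc", "p"), Event(1, "fork", 2),
    Event(1, "lock", "m"), Event(1, "use", "p"), Event(1, "unlock", "m"),
    Event(2, "lock", "m"), Event(2, "free", "p"), Event(2, "unlock", "m"),
    Event(1, "join", 2),
]

if __name__ == "__main__":
    print("unprotected:", predict_uaf(TRACE_UNPROTECTED))
    print("locked:     ", predict_uaf(TRACE_LOCKED))
```

The unprotected trace yields one predicted UAF (the first use was observed before the free but nothing orders it) and one observed UAF (the use after the join). The locked trace yields nothing, which shows the baseline's limitation the abstract refers to: the observed unlock-to-lock order is treated as a hard HB edge, so the schedule in which thread 2 acquires `m` first and frees `p` before thread 1's use is never considered, even though it is feasible. A maximal-causality formulation, which only requires lock regions not to overlap, would explore that schedule.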
