DieHarder: securing the heap

Heap-based attacks depend on a combination of memory management error and an exploitable memory allocator. Many allocators include ad hoc countermeasures against particular exploits but their effectiveness against future exploits has been uncertain. This paper presents the first formal treatment of the impact of allocator design on security. It analyzes a range of widely-deployed memory allocators, including those used by Windows, Linux, FreeBSD and OpenBSD, and shows that they remain vulnerable to attack. It them presents DieHarder, a new allocator whose design was guided by this analysis. DieHarder provides the highest degree of security from heap-based attacks of any practical allocator of which we are aware while imposing modest performance overhead. In particular, the Firefox web browser runs as fast with DieHarder as with the Linux allocator.

[1]  Benjamin Livshits,et al.  NOZZLE: A Defense Against Heap-spraying Code Injection Attacks , 2009, USENIX Security Symposium.

[2]  Ollie Whitehouse An Analysis of Address Space Layout Randomization on Windows Vista , 2007 .

[3]  Emery D. Berger,et al.  Exterminator: automatically correcting memory errors with high probability , 2007, PLDI '07.

[4]  E. Berger HeapShield : Library-Based Heap Overflow Protection for Free , 2006 .

[5]  Paul R. Wilson,et al.  Dynamic Storage Allocation: A Survey and Critical Review , 1995, IWMM.

[6]  Miguel Castro,et al.  Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors , 2009, USENIX Security Symposium.

[7]  Deepak Gupta,et al.  TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection , 2004, USENIX Security Symposium.

[8]  Guru Venkataramani,et al.  Comprehensively and efficiently protecting the heap , 2006, ASPLOS XII.

[9]  Daniel C. DuVarney,et al.  Efficient Techniques for Comprehensive Protection from Memory Error Exploits , 2005, USENIX Security Symposium.

[10]  Emery D. Berger,et al.  DieHard: probabilistic memory safety for unsafe languages , 2006, PLDI '06.

[11]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[12]  Michael D. Ernst,et al.  Automatically patching errors in deployed software , 2009, SOSP '09.

[13]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[14]  Poul-Henning Kamp malloc(3) Revisited , 1998, USENIX Annual Technical Conference.

[15]  Yuanyuan Zhou,et al.  Rx: treating bugs as allergies---a safe method to survive software failures , 2005, SOSP '05.

[16]  David R. Hanson A portable storage management system for the icon programming language , 1980, Softw. Pract. Exp..

[17]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[18]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[19]  Christopher Krügel,et al.  Run-time Detection of Heap-based Overflows , 2003, LISA.

[20]  Emery D. Berger,et al.  Archipelago: trading address space for reliability and security , 2008, ASPLOS.

[21]  Wouter Joosen,et al.  Security of memory allocators for C and C , 2005 .