Memory Errors: The Past, the Present, and the Future

Memory error exploitation has been around for over 25 years, and memory errors still rank among the top 3 most dangerous software errors. Why have we not been able to stop them? Given the host of security measures on modern machines, are we less vulnerable than before, and can we expect to eradicate memory error problems in the near future? In this paper, we present a quarter century's worth of memory errors: attacks, defenses, and statistics. A historical overview provides insights into past trends and developments, while an investigation of real-world vulnerabilities and exploits allows us to assess the significance of memory errors in the foreseeable future.
