Safelnit: Comprehensive and Practical Mitigation of Uninitialized Read Vulnerabilities

Usage of uninitialized values remains a common error in C/C++ code. This results not only in undefined and generally undesired behavior, but is also a cause of information disclosure and other security vulnerabilities. Existing solutions for mitigating such errors are not used in practice as they are either limited in scope (for example, only protecting the heap), or incur high runtime overhead. In this paper, we propose SafeInit, a practical protection system which hardens applications against such undefined behavior by guaranteeing initialization of all values on the heap and stack, every time they are allocated or come into scope. Doing so provides comprehensive protection against this class of vulnerabilities in generic programs, including both information disclosure and re-use/logic vulnerabilities. We show that, with carefully designed compiler optimizations, our implementation achieves sufficiently low overhead (<5% for typical server applications and SPEC CPU2006) to serve as a standard hardening protection in practical settings. Moreover, we show that we can effortlessly apply it to harden non-standard code, such as the Linux kernel, with low runtime overhead.

[1]  Kevin W. Hamlen,et al.  Compiler-instrumented, Dynamic Secret-Redaction of Legacy Processes for Attacker Deception , 2015, USENIX Security Symposium.

[2]  Konstantin Serebryany,et al.  MemorySanitizer: Fast detector of uninitialized memory use in C++ , 2015, 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[3]  Emery D. Berger,et al.  DieHard: probabilistic memory safety for unsafe languages , 2006, PLDI '06.

[4]  Robert N. M. Watson,et al.  Into the depths of C: elaborating the de facto standards , 2016, PLDI.

[5]  Ayal Zaks,et al.  Contributions to the GNU Compiler Collection , 2005, IBM Syst. J..

[6]  Shouhuai Xu,et al.  Protecting Cryptographic Keys from Memory Disclosure Attacks , 2007, 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07).

[7]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[8]  Jason Evans April A Scalable Concurrent malloc(3) Implementation for FreeBSD , 2006 .

[9]  Bradley C. Kuszmaul SuperMalloc: a super fast multithreaded malloc for 64-bit machines , 2015, ISMM.

[10]  Tal Garfinkel,et al.  Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation , 2005, USENIX Security Symposium.

[11]  William Landi,et al.  Undecidability of static analysis , 1992, LOPL.

[12]  Tal Garfinkel,et al.  Understanding data lifetime via whole system simulation , 2004 .

[13]  Yutao Zhong,et al.  Predicting whole-program locality through reuse distance analysis , 2003, PLDI.

[14]  Koen Koning,et al.  Secure and Efficient Multi-Variant Execution Using Hardware-Assisted Process Virtualization , 2016, 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[15]  Emery D. Berger,et al.  DieHarder: securing the heap , 2010, CCS '10.

[16]  Jack W. Davidson,et al.  ILR: Where'd My Gadgets Go? , 2012, 2012 IEEE Symposium on Security and Privacy.

[17]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[18]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[19]  Martin Hopkins,et al.  An overview of the PL.8 compiler , 1982, SIGP.

[20]  Xi Chen,et al.  StackArmor: Comprehensive Protection From Stack-based Memory Error Vulnerabilities for Binaries , 2015, NDSS.

[21]  Wenke Lee,et al.  UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages , 2016, CCS.

[22]  Per Larsen,et al.  Readactor: Practical Code Randomization Resilient to Memory Disclosure , 2015, 2015 IEEE Symposium on Security and Privacy.

[23]  Hovav Shacham,et al.  When private keys are public: results from the 2008 Debian OpenSSL vulnerability , 2009, IMC '09.

[24]  Dawn Xiaodong Song,et al.  TaintEraser: protecting sensitive data leaks using application-level taint tracking , 2011, OPSR.

[25]  Ben Elliston,et al.  The integrated register allocator for GCC , 2008 .

[26]  Nicholas Nethercote,et al.  Using Valgrind to Detect Undefined Value Errors with Bit-Precision , 2005, USENIX Annual Technical Conference, General Track.

[27]  Kedar S. Namjoshi,et al.  Securing a Compiler Transformation , 2016, SAS.

[28]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[29]  Wenke Lee,et al.  Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying , 2017, NDSS.

[30]  Carl Staelin,et al.  lmbench: Portable Tools for Performance Analysis , 1996, USENIX Annual Technical Conference.

[31]  Miguel Castro,et al.  Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors , 2009, USENIX Security Symposium.

[32]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.

[33]  Wenke Lee,et al.  ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks , 2015, CCS.

[34]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[35]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[36]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[37]  Dawson R. Engler,et al.  A few billion lines of code later , 2010, Commun. ACM.

[38]  Qin Zhao,et al.  Practical memory checking with Dr. Memory , 2011, International Symposium on Code Generation and Optimization (CGO 2011).

[39]  A. Prasad Sistla,et al.  SWIPE: eager erasure of sensitive data in large scale systems software , 2012, CODASPY '12.

[40]  Jingling Xue,et al.  Accelerating Dynamic Detection of Uses of Undefined Values with Static Value-Flow Analysis , 2014, CGO '14.

[41]  Xi Wang,et al.  Linux kernel vulnerabilities: state-of-the-art defenses and open problems , 2011, APSys.

[42]  Santosh Nagarakatte,et al.  Formal verification of SSA-based optimizations for LLVM , 2013, PLDI.

[43]  Emery D. Berger,et al.  Archipelago: trading address space for reliability and security , 2008, ASPLOS.

[44]  Alfons Crespo,et al.  An analysis on the impact and detection of kernel stack infoleaks , 2016, Log. J. IGPL.

[45]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[46]  Alvin Cheung,et al.  Undefined behavior: what happened to my code? , 2012, APSys.

[47]  Zhendong Su,et al.  Finding and Analyzing Compiler Warning Defects , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[48]  Jeff Seibert,et al.  Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code , 2014, CCS.

[49]  Jun Wang,et al.  Risk Assessment of Buffer "Heartbleed" Over-Read Vulnerabilities , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[50]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.