Transcript of hy457/reports/cling-slides.pdf: Cling: A Memory Allocator to Mitigate Dangling Pointers
Cling: A Memory Allocator to Mitigate Dangling Pointers
Periklis Akritidis, 2010
Use-after-free Vulnerabilities
Accessing Memory Through Dangling Pointers
Techniques: Heap Spraying, Feng Shui
Manual memory management is error-prone
Existing techniques have several disadvantages
2
Dangling Pointer Attacks
Use-after-free errors are temporal memory safety violations
Access the contents of some other object that happens to occupy the memory at the time
Placing a buffer with attacker data is complicated
Solution is the use of Heap Spraying.
3
Dangling Pointer Attacks II
C++ objects contain pointers to virtual tables (vtables)
Obstacle: freed object's pointer aligned with new object's pointer
Solution: Use of multiple inheritance objects
Attacks not limited to control flow
Hijacking Data Fields
Writing to an arbitrary memory location
Information Leaks
4
Naive Defence
Avoiding Address Space Reuse
Has 3 major disadvantages:
Address space exhaustion.
Limited reusable physical memory; the memory overhead of solving this is too high.
High rate of system calls; reducing this leads to higher memory consumption.
5
Type-Safe Memory Reuse
• Allows dangling pointers only to objects of same type and alignment
• Shared vtable pointers are at the same offsets
6
Example of type-safe memory reuse
7
Type-safe memory reuse still enables attacks
• Data structures holding credentials or access control information
• Buffer size stored separately from data: can be detected through spatial protection mechanisms
8
Cling Memory Allocator
• Does not use free memory for metadata
• Only allows type-safe address reuse
• Achieves these without sacrificing performance
9
Heap Metadata
In-band attack:
• Heap-based overflows can corrupt allocator metadata
Defense:
• Sanity checks on free list pointers
• Using heap canaries
These defenses cannot prevent use-after-free vulnerabilities
10
Out-of-Band Heap Metadata
• Cling: Two-level allocation scheme
• Non-intrusive linked lists chain large memory chunks
• Small allocations carved out of buckets using bitmaps
11
Type-Safe Address Space Reuse
Two challenges need to be addressed:
• Semantic gap between runtime and compile time availability of type info
• Memory overhead caused by pools
12
Pools
Group of memory addresses dedicated for the allocation of a single type
13
Type-Safe Address Space Reuse
Observations towards solution:
• Security is maintained even if memory reuse is over-constrained
• In C/C++ programs, an allocation site typically allocates objects of a single type or arrays of objects of a single type, which can safely share a pool
14
One complication
• Array elements not aligned if block size not multiple of object size
• Solution: pool allocations according to size
15
Type-Safe Address Space Reuse
What about overhead?
• Physical memory, unlike address space, can be safely reused across pools
• Cling returns individual blocks of memory to the operating system once they are completely free
• Deallocated memory accessed through a dangling pointer will either still hold the data of the intended object, or will have been zero-filled by the OS
16
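As an added illustration (not Cling's own code) of the site-keyed pools, bitmap buckets and out-of-band metadata described in the preceding slides: a toy allocator in which each allocation site owns a pool of fixed-size slots, the free bitmap lives in the pool descriptor rather than inside freed memory, and a freed slot is only ever handed back to the same site. The integer site id is an assumed stand-in for the return address Cling recovers, and a single size class is assumed.

```c
#include <stdint.h>
#include <stdlib.h>
#define SLOT_SIZE 64u   /* single size class for simplicity */
#define SLOTS     32u   /* slots per pool: one 32-bit bitmap */
#define MAX_POOLS 8u
/* Pool descriptor: the free bitmap lives here, never inside freed slots. */
struct pool {
    int            site;  /* allocation site (stands in for a return address) */
    uint32_t       used;  /* bit i set => slot i in use (out-of-band metadata) */
    unsigned char *mem;   /* SLOTS * SLOT_SIZE bytes of address space */
};
static struct pool pools[MAX_POOLS];
static unsigned    npools;
/* Find or create the pool dedicated to this allocation site. */
static struct pool *pool_for_site(int site) {
    for (unsigned i = 0; i < npools; i++)
        if (pools[i].site == site) return &pools[i];
    if (npools == MAX_POOLS) return NULL;
    struct pool *p = &pools[npools++];
    p->site = site; p->used = 0; p->mem = calloc(SLOTS, SLOT_SIZE);
    return p->mem ? p : NULL;
}
/* Hypothetical API: Cling derives the site from the return address, here it is
 * explicit. A freed slot goes back only to its own site, so a dangling pointer
 * can only alias an object of the same type and alignment. */
void *cling_alloc(int site, size_t size) {
    struct pool *p = pool_for_site(site);
    if (!p || size > SLOT_SIZE) return NULL;
    for (unsigned i = 0; i < SLOTS; i++)
        if (!(p->used & (1u << i))) { p->used |= 1u << i; return p->mem + i * SLOT_SIZE; }
    return NULL;
}
/* Clear the slot's bit; nothing is written into the freed memory itself. */
void cling_free(void *ptr) {
    uintptr_t a = (uintptr_t)ptr;
    for (unsigned i = 0; i < npools; i++) {
        uintptr_t base = (uintptr_t)pools[i].mem;
        if (a >= base && a < base + SLOTS * SLOT_SIZE) {
            pools[i].used &= ~(1u << ((a - base) / SLOT_SIZE));
            return;
        }
    }
}
/* 1 if the slot freed by site 1 goes back to site 1 but never to site 2. */
int demo_type_safe_reuse(void) {
    void *a = cling_alloc(1, 32);  /* site 1: say, an object with a vtable */
    cling_free(a);                 /* a now dangles */
    void *b  = cling_alloc(2, 32); /* site 2: a different type, same size */
    void *a2 = cling_alloc(1, 32);
    return b != a && a2 == a;
}
```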
Heap organization
17
Cling Architecture
18
Wrappers
• A wrapper function's main purpose is to call a subroutine or a system call (like malloc) with little or no additional computation.
• Wrappers obscure real allocation site
• Cling cannot associate it with a distinct pool
```c
#include <stdio.h>
#include <stdlib.h>
/* Supplied by the linker when the program is built with -Wl,--wrap=malloc */
void *__real_malloc(size_t size);
/* This function wraps the real malloc */
void *__wrap_malloc(size_t size) {
    void *lptr = __real_malloc(size);
    printf("Malloc: %lu bytes @%p\n", (unsigned long)size, lptr);
    return lptr;
}
```
19
Cling's challenges:
1. Discover wrappers
• Cling initiates a probing mechanism after observing a single allocation site requesting multiple allocation sizes
• Interpose on the return of the potential wrapper
• Check if the returned value matches the most recent allocation
• Allocation sites identified as potential wrappers are marked
20
Cling's challenges:
2. Unwinding malloc wrappers
• Cling unwinds one more stack level
• Stores the stack offset of the wrappers' return addresses
• When a new allocation site retrieved using a stored stack offset is found, an unwind (using libunwind) is performed to confirm the allocation site's validity
21
Limitations
• Cannot prevent use-after-free attacks targeting data such as credentials: a dangling pointer that used to point to the credentials of one user may end up pointing to the credentials of another user
• Cling cannot prevent unsafe reuse of stack-allocated objects: a function erroneously returns a pointer to a local variable
22
Limitations II
• Cling relies on mapping allocation sites to object types. When a program has contrived control flow, that mapping is obscured, e.g.:
```c
int size = condition ? sizeof(struct A) : sizeof(struct B);
void *obj = malloc(size);
```
• Usability in 32-bit platforms with scarce address space is limited
23
Implementation
• Cling comes as a shared library providing implementations for malloc and new
• It can be preloaded with platform-specific mechanisms to override the system's memory allocation routines at program load time
If you set LD_PRELOAD to the path of a shared object, that file will be loaded before any other library (including the C runtime, libc.so).
```sh
$ LD_PRELOAD=/path/to/my/malloc.so /bin/ls
```
24
Experimental Evaluation
• Goal: CPU, physical memory & virtual address space overheads of Cling vs GNU libc allocator
• Two variations of Cling
• Without wrapper unwinding
• Using single pool
25
Testbeds
• SPEC CPU 2000 & 2006
• Results with at least 100K allocations
• espresso
• Mozilla Firefox
• Browsers are a prime target of use-after-free attacks
26
Execution time
27
One vs. many pools
28
Memory
29
One vs. many pools
30
Address space
31
Effects of unwinding
32
Firefox memory
33
Firefox VM
34
References
• Wikipedia
• http://en.wikipedia.org/wiki/Wrapper_function
• Stack Overflow
• http://stackoverflow.com/questions/426230/what-is-the-ld-preload-trick
• Paper
• Cling: A Memory Allocator to Mitigate Dangling Pointers, Periklis Akritidis
• Other
• http://www.cs.cmu.edu/afs/cs/academic/class/15213-s03/src/interposition/mymalloc.c
• http://savannah.nongnu.org/projects/libunwind/
35