DOI: 10.5555/1929820.1929836

Cling: A memory allocator to mitigate dangling pointers

Published: 11 August 2010

Abstract

Use-after-free vulnerabilities exploiting so-called dangling pointers to deallocated objects are just as dangerous as buffer overflows: they may enable arbitrary code execution. Unfortunately, state-of-the-art defenses against use-after-free vulnerabilities require compiler support, pervasive source code modifications, or incur high performance overheads. This paper presents and evaluates Cling, a memory allocator designed to thwart these attacks at runtime. Cling utilizes more address space, a plentiful resource on modern machines, to prevent type-unsafe address space reuse among objects of different types. It infers type information about allocated objects at runtime by inspecting the call stack of memory allocation routines. Cling disrupts a large class of attacks against use-after-free vulnerabilities, notably including those hijacking the C++ virtual function dispatch mechanism, with low CPU and physical memory overhead even for allocation intensive applications.
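The mechanism the abstract names, address-space reuse segregated by allocation site as a proxy for type, as an added example; this is not code from the paper or from Cling's implementation. It assumes a toy fixed-size arena and hypothetical names (cling_malloc, cling_free, naive_malloc, naive_free, alloc_at_site_a, alloc_at_site_b), and it reads the allocation site as the caller's return address with the GCC/Clang builtin __builtin_return_address, a stand-in for the call-stack inspection the paper describes. The two "site" helpers play the role of two object types that happen to request the same size, which is exactly the case a size-class allocator cannot tell apart.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy site-keyed allocator (illustration only, not Cling's code). All blocks are
 * one size, so only the allocation site decides which free list a block returns to. */
#define BLOCK_SIZE   64
#define PAYLOAD_SIZE (BLOCK_SIZE - sizeof(struct header))
#define ARENA_BLOCKS 256
#define MAX_SITES    32

struct header { uintptr_t site; };              /* site that created the block */
struct free_block { struct free_block *next; }; /* overlays the payload while free */
struct site_pool { uintptr_t site; struct free_block *free_list; };

static unsigned char arena[ARENA_BLOCKS * BLOCK_SIZE] __attribute__((aligned(16)));
static size_t arena_next;                       /* index of the next never-used block */
static struct site_pool pools[MAX_SITES];
static size_t pool_count;

static struct header *header_of(void *p) {
    return (struct header *)((unsigned char *)p - sizeof(struct header));
}
/* Look up or create the pool for a site; NULL when the toy table is full. */
static struct site_pool *pool_for(uintptr_t site) {
    for (size_t i = 0; i < pool_count; i++)
        if (pools[i].site == site) return &pools[i];
    if (pool_count == MAX_SITES) return NULL;
    pools[pool_count].site = site;
    pools[pool_count].free_list = NULL;
    return &pools[pool_count++];
}
/* Hand out a block from this site's free list; carve a fresh one only when the
 * list is empty. A block never migrates to another site's list. */
static void *pool_alloc(uintptr_t site) {
    struct site_pool *pool = pool_for(site);
    if (!pool) return NULL;
    struct header *h;
    if (pool->free_list) {
        h = header_of(pool->free_list);
        pool->free_list = pool->free_list->next;
    } else {
        if (arena_next >= ARENA_BLOCKS) return NULL;  /* toy arena exhausted */
        h = (struct header *)(arena + (arena_next++) * BLOCK_SIZE);
        h->site = site;
    }
    return (unsigned char *)h + sizeof *h;
}
/* Return a block to the pool of the site that created it. */
static void pool_release(void *p) {
    if (!p) return;
    struct site_pool *pool = pool_for(header_of(p)->site);
    if (!pool) return;
    struct free_block *fb = p;
    fb->next = pool->free_list;
    pool->free_list = fb;
}

/* Site-keyed interface (hypothetical names). noinline keeps level-0
 * __builtin_return_address pointing into the caller, i.e. at the allocation site. */
__attribute__((noinline)) void *cling_malloc(size_t size) {
    if (size > PAYLOAD_SIZE) return NULL;
    return pool_alloc((uintptr_t)__builtin_return_address(0));
}
void cling_free(void *p) { pool_release(p); }
/* Baseline: every caller shares site 0, i.e. one free list for everyone. */
void *naive_malloc(size_t size) { return size > PAYLOAD_SIZE ? NULL : pool_alloc(0); }
void naive_free(void *p) { pool_release(p); }

/* Two allocation sites standing in for two object types. The volatile counters
 * stop the calls from becoming tail calls; noinline keeps each site distinct. */
static volatile int site_a_calls, site_b_calls;
__attribute__((noinline)) static void *alloc_at_site_a(void) { void *p = cling_malloc(32); site_a_calls++; return p; }
__attribute__((noinline)) static void *alloc_at_site_b(void) { void *p = cling_malloc(32); site_b_calls++; return p; }

/* Shared list: B receives the block A just freed, so a stale pointer still held
 * by A's code now aliases B's object. Returns 1 when that cross-site reuse occurs. */
int naive_reuses_across_sites(void) {
    void *a = naive_malloc(32);
    naive_free(a);
    void *b = naive_malloc(32);
    int reused = (a == b);
    naive_free(b);
    return reused;
}
/* Site-keyed pools: A's freed block stays in A's pool and B gets a fresh one. */
int cling_isolates_sites(void) {
    void *a = alloc_at_site_a();
    cling_free(a);
    void *b = alloc_at_site_b();
    int isolated = a && b && a != b;
    cling_free(b);
    return isolated;
}
/* Memory is still recycled: the same site gets its own freed block back. */
int cling_reuses_within_site(void) {
    void *first = alloc_at_site_a();
    cling_free(first);
    void *second = alloc_at_site_a();
    cling_free(second);
    return first && first == second;
}
```

With the shared free list, naive_reuses_across_sites() returns 1: the block freed through one site is immediately handed to the other, which is the aliasing a dangling pointer needs. With site-keyed pools, cling_isolates_sites() returns 1 because the freed block can only be reissued to the site that created it, and cling_reuses_within_site() returns 1 to show that memory is still recycled rather than leaked. The real allocator works with page-granular pools, arbitrary sizes and deeper call-stack inspection; the toy keeps only the property the abstract states, that address space freed by one type is never handed to another.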


Cited By

  • (2024) Top of the Heap: Efficient Memory Error Protection of Safe Heap Objects. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 1330-1344. doi:10.1145/3658644.3690310. Online publication date: 2 Dec 2024.
  • (2022) DangZero. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1307-1322. doi:10.1145/3548606.3560625. Online publication date: 7 Nov 2022.
  • (2021) Exploiting Mixed Binaries. ACM Transactions on Privacy and Security 24(2), pp. 1-29. doi:10.1145/3418898. Online publication date: 2 Jan 2021.
  • (2019) SlimGuard. Proceedings of the 20th International Middleware Conference, pp. 1-13. doi:10.1145/3361525.3361532. Online publication date: 9 Dec 2019.
  • (2019) CHERIvoke. Proceedings of the 52nd Annual IEEE/ACM International Symposium on Microarchitecture, pp. 545-557. doi:10.1145/3352460.3358288. Online publication date: 12 Oct 2019.
  • (2019) kMVX. Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 559-572. doi:10.1145/3297858.3304054. Online publication date: 4 Apr 2019.
  • (2018) Guarder. Proceedings of the 27th USENIX Conference on Security Symposium, pp. 117-133. doi:10.5555/3277203.3277213. Online publication date: 15 Aug 2018.
  • (2018) DangDone. Proceedings of the 10th Asia-Pacific Symposium on Internetware, pp. 1-10. doi:10.1145/3275219.3275231. Online publication date: 16 Sep 2018.
  • (2018) Type-After-Type. Proceedings of the 34th Annual Computer Security Applications Conference, pp. 17-27. doi:10.1145/3274694.3274705. Online publication date: 3 Dec 2018.
  • (2018) A Robust and Efficient Defense against Use-after-Free Exploits via Concurrent Pointer Sweeping. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1635-1648. doi:10.1145/3243734.3243826. Online publication date: 15 Oct 2018.
    Published In

    USENIX Security'10: Proceedings of the 19th USENIX conference on Security, August 2010, 30 pages. ISBN: 8887666655554

    Sponsors

    • NSF: National Science Foundation
    • Google Inc.
    • IBMR: IBM Research
    • Microsoft Research: Microsoft Research
    • RSA: The Security Division of EMC

    Publisher

    USENIX Association

    United States
