
Comprehensively and efficiently protecting the heap

Published: 20 October 2006

Abstract

The goal of this paper is to propose a scheme that provides comprehensive security protection for the heap. Heap vulnerabilities are increasingly being exploited for attacks on computer programs. In most implementations, the heap management library keeps the heap meta-data (heap structure information) and the application's heap data in an interleaved fashion and does not protect them against each other. Such implementations are inherently unsafe: vulnerabilities in the application can cause the heap library to perform unintended actions to achieve control-flow and non-control attacks. Unfortunately, current heap protection techniques are limited in that they use too many assumptions on how the attacks will be performed, require new hardware support, or require too many changes to the software developers' toolchain. We propose Heap Server, a new solution that does not have such drawbacks. Through existing virtual memory and inter-process protection mechanisms, Heap Server prevents the heap meta-data from being illegally overwritten, and heap data from being meaningfully overwritten. We show that through aggressive optimizations and parallelism, Heap Server protects the heap with nearly-negligible performance overheads even on heap-intensive applications. We also verify the protection against several real-world exploits and attack kernels.


    Published In

    ACM SIGARCH Computer Architecture News, Volume 34, Issue 5
    Proceedings of the 2006 ASPLOS Conference
    December 2006
    425 pages
    ISSN:0163-5964
    DOI:10.1145/1168919

    ASPLOS XII: Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
    October 2006
    440 pages
    ISBN:1595934510
    DOI:10.1145/1168857

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 20 October 2006
    Published in SIGARCH Volume 34, Issue 5

    Author Tags

    1. computer security
    2. heap attacks
    3. heap security
    4. heap server

    Qualifiers

    • Article

    Cited By

    • (2021) No-FAT. Proceedings of the 48th Annual International Symposium on Computer Architecture, pages 916-929. DOI: 10.1109/ISCA52012.2021.00076. Online publication date: 14-Jun-2021
    • (2012) Languages and Security. Handbook on Securing Cyber-Physical Critical Infrastructure, pages 333-355. DOI: 10.1016/B978-0-12-415815-3.00013-3. Online publication date: 2012
    • (2022) Want more unikernels? Proceedings of the 13th Symposium on Cloud Computing, pages 510-525. DOI: 10.1145/3542929.3563473. Online publication date: 7-Nov-2022
    • (2021) No-FAT: Architectural Support for Low Overhead Memory Safety Checks. 2021 ACM/IEEE 48th Annual International Symposium on Computer Architecture (ISCA), pages 916-929. DOI: 10.1109/ISCA52012.2021.00076. Online publication date: Jun-2021
    • (2018) Guarder. Proceedings of the 27th USENIX Conference on Security Symposium, pages 117-133. DOI: 10.5555/3277203.3277213. Online publication date: 15-Aug-2018
    • (2018) A Robust and Efficient Defense against Use-after-Free Exploits via Concurrent Pointer Sweeping. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 1635-1648. DOI: 10.1145/3243734.3243826. Online publication date: 15-Oct-2018
    • (2018) CRUM: Checkpoint-Restart Support for CUDA's Unified Memory. 2018 IEEE International Conference on Cluster Computing (CLUSTER), pages 302-313. DOI: 10.1109/CLUSTER.2018.00047. Online publication date: Sep-2018
    • (2018) Enforcing Full-Stack Memory-Safety in Cyber-Physical Systems. Engineering Secure Software and Systems, pages 9-26. DOI: 10.1007/978-3-319-94496-8_2. Online publication date: 20-Jun-2018
    • (2017) FreeGuard. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 2389-2403. DOI: 10.1145/3133956.3133957. Online publication date: 30-Oct-2017
    • (2014) WatchdogLite. Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization, pages 175-184. DOI: 10.1145/2581122.2544147. Online publication date: 15-Feb-2014