DOI: 10.1145/3503222.3507780
research-article

ViK: practical mitigation of temporal memory safety violations through object ID inspection

Published: 22 February 2022

Abstract

Temporal memory safety violations, such as use-after-free (UAF) vulnerabilities, are a critical security issue for software written in memory-unsafe languages such as C and C++.
In this paper, we introduce ViK, a novel, lightweight, and widely applicable runtime defense that can protect both operating system (OS) kernels and user-space applications against temporal memory safety violations. ViK performs object ID inspection: it assigns a random identifier to every allocated object and stores the identifier in the unused bits of the corresponding pointer. When the pointer is used, ViK inspects its value before dereferencing it, ensuring that the pointer still references the original object. To the best of our knowledge, this is the first mitigation against temporal memory safety violations that scales to OS kernels. We evaluated the software prototype of ViK on Android and Linux kernels and observed a runtime overhead of around 20%. We also evaluated a hardware-assisted prototype of ViK on the Android kernel, where the runtime overhead was as low as 2%.
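
An added example (not code from the paper or from the ViK prototype) of the object ID inspection the abstract describes: a pointer carries its object's ID in its upper bits and is checked before use, so a dangling pointer to a reused slot is rejected. The fixed-size pool, the function names, the 16-bit ID width and the 48-bit address layout are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#define ID_SHIFT  48   /* assumption: the top 16 bits of a 64-bit pointer are unused */
#define ADDR_MASK ((UINT64_C(1) << ID_SHIFT) - 1)
#define NSLOTS    4

/* Hypothetical fixed-size pool; each slot records its current object ID. */
typedef struct { uint16_t id; int in_use; char data[56]; } slot_t;
static slot_t pool[NSLOTS];

/* Constructed stand-in for a real random source (xorshift32). */
static uint16_t next_id(void) {
    static uint32_t s = 0x9e3779b9u;
    s ^= s << 13; s ^= s >> 17; s ^= s << 5;
    return (uint16_t)s;
}

/* Allocation: give the object a fresh ID and return the pointer with that ID in its upper bits. */
uint64_t id_alloc(void) {
    for (int i = 0; i < NSLOTS; i++) {
        slot_t *s = &pool[i];
        if (s->in_use) continue;
        uint16_t id;
        do { id = next_id(); } while (id == 0 || id == s->id); /* never repeat the slot's last ID */
        s->id = id; s->in_use = 1;
        return ((uint64_t)id << ID_SHIFT) | ((uint64_t)(uintptr_t)s->data & ADDR_MASK);
    }
    return 0; /* pool exhausted */
}

/* Inspection before dereference: NULL unless the pointer's ID matches the live object's ID. */
char *id_check(uint64_t tagged) {
    uintptr_t a = (uintptr_t)(tagged & ADDR_MASK);
    if (a < (uintptr_t)pool[0].data || a > (uintptr_t)pool[NSLOTS - 1].data) return NULL;
    slot_t *s = (slot_t *)((char *)a - offsetof(slot_t, data));
    return (s->in_use && s->id == (uint16_t)(tagged >> ID_SHIFT)) ? (char *)a : NULL;
}

/* Free: only a pointer that still carries the live ID may release the object. */
int id_free(uint64_t tagged) {
    char *p = id_check(tagged);
    if (!p) return -1; /* dangling pointer or double free */
    ((slot_t *)(p - offsetof(slot_t, data)))->in_use = 0;
    return 0;
}

int main(void) { /* a stale pointer to a reused slot must be rejected */
    uint64_t a = id_alloc(); id_free(a); uint64_t b = id_alloc();
    return (id_check(a) == NULL && id_check(b) != NULL) ? 0 : 1;
}
```
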

Cited By

  • (2024) RTT-UAF: Reuse Time Tracking for Use-After-Free Detection. Proceedings of the 38th ACM International Conference on Supercomputing, 376-387. DOI: 10.1145/3650200.3656606. Online publication date: 30-May-2024
  • (2023) Fat Pointers for Temporal Memory Safety of C. Proceedings of the ACM on Programming Languages 7:OOPSLA1, 316-347. DOI: 10.1145/3586038. Online publication date: 6-Apr-2023

Published In

ASPLOS '22: Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
February 2022
1164 pages
ISBN: 9781450392051
DOI: 10.1145/3503222
Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Operating System Kernels
2. Temporal Memory Safety Violations

Qualifiers

• Research-article

Funding Sources

• The National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT)

Conference

ASPLOS '22

Acceptance Rates

Overall Acceptance Rate 535 of 2,713 submissions, 20%
