DangZero: Efficient Use-After-Free Detection via Direct Page Table Access

DOI: 10.1145/3548606.3560625 (research article, open access)
Published: 07 November 2022

Abstract

    Use-after-free vulnerabilities remain difficult to detect and mitigate, making them a popular source of exploitation. Existing solutions incur impractical performance/memory overhead, require specialized hardware, and/or guarantee only protection, but not detection.
    In this paper, we propose DangZero, a new solution to detect use-after-free vulnerabilities as they occur. DangZero builds on a traditional page protection and aliasing scheme, where objects are made inaccessible after a free, and subsequent accesses are immediately detected. In contrast to prior solutions using alias-based detection, DangZero relies on direct page table access in ring 0 to provide a much more efficient implementation. The key idea is that, by giving the program's allocator direct access to the page tables, we can efficiently manage and invalidate vulnerable objects. To safely implement this, we build upon a unikernel-like design, where virtualization provides ring-0 (guest-mode) access, isolation, as well as compatibility with existing Linux programs. Moreover, we show direct page table access serves as an efficient building block for garbage collection-style alias reclaiming. Doing so provides the ability to safely reuse freed areas and address the scalability issues plaguing state-of-the-art alias-based solutions. Our experimental results confirm that DangZero provides accurate detection guarantees with significantly lower overhead than competing state-of-the-art solutions (e.g., 18% saturated throughput degradation on long-running programs such as the Nginx web server).


    Cited By

    • Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees. IEEE Access 12 (2024), 5462-5476. doi:10.1109/ACCESS.2023.3343777
    • S2malloc: Statistically Secure Allocator for Use-After-Free Protection and More. Detection of Intrusions and Malware, and Vulnerability Assessment (2024), 23-43. doi:10.1007/978-3-031-64171-8_2. Online publication date: 9 July 2024
    • SdShield: Effectively Ensuring Heap Security via Shadow Page Table. Digital Forensics and Cyber Crime (2024), 114-131. doi:10.1007/978-3-031-56583-0_8. Online publication date: 3 April 2024

      Published In

      CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
      November 2022, 3598 pages
      ISBN: 9781450394505
      DOI: 10.1145/3548606
      This work is licensed under a Creative Commons Attribution International 4.0 License.

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. memory safety
      2. page permissions
      3. use-after-free detection

      Conference

      CCS '22
      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
