Abstract / Description of output
Use-after-free vulnerabilities have plagued software written in low-level languages, such as C and C++, becoming one of the most frequent classes of exploited software bugs. Attackers identify code paths where data is manually freed by the programmer, but later incorrectly reused, and take advantage by reallocating the data to themselves. They then alter the data behind the program’s back, using the erroneous reuse to gain control of the application and, potentially, the system. While a variety of techniques have been developed to deal with these vulnerabilities, they often have unacceptably high performance or memory overheads, especially in the worst case. We have designed MarkUs, a memory allocator that prevents this form of attack at low overhead, sufficient for deployment in real software, even under allocation- and memory-intensive scenarios. We prevent use-after-free attacks by quarantining data freed by the programmer and forbidding its reallocation until we are sure that there are no dangling pointers targeting it. To identify these we traverse live-objects accessible from registers and memory, marking those we encounter, to check whether quarantined data is accessible from any currently allocated location. Unlike garbage collection, which is unsafe in C and C++, MarkUs ensures safety by only freeing data that is both quarantined by the programmer and has no identifiable dangling pointers. The information provided by the programmer’s allocations and frees further allows us to optimize the process by freeing physical addresses early for large objects, specializing analysis for small objects, and only performing marking when sufficient data is in quarantine. Using MarkUs, we reduce the overheads of temporal safety in low-level languages to 1.1× on average for SPEC CPU2006, with a maximum slowdown of only 2×, vastly improving upon the state-of-the-art.
Original language | English |
---|---|
Title of host publication | Proceedings of the 41st IEEE Symposium on Security and Privacy |
Publisher | IEEE Computer Society |
Pages | 1214-1227 |
Number of pages | 14 |
ISBN (Electronic) | 978-1-7281-3497-0 |
DOIs | |
Publication status | Published - 20 May 2020 |
Event | 41st IEEE Symposium on Security and Privacy - The Hyatt Regency, San Francisco, United States Duration: 18 May 2020 → 20 May 2020 Conference number: 41 http://www.ieee-security.org/TC/SP2020/ |
Publication series
Name | Proceedings of the IEEE Symposium on Security and Privacy. |
---|---|
ISSN (Electronic) | 2375-1207 |
Conference
Conference | 41st IEEE Symposium on Security and Privacy |
---|---|
Abbreviated title | SP 2020 |
Country/Territory | United States |
City | San Francisco |
Period | 18/05/20 → 20/05/20 |
Internet address |