MarkUs: Drop-in Use-After-Free Prevention for Low-Level Languages

Sam Ainsworth, Timothy M Jones

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

Abstract / Description of output

Use-after-free vulnerabilities have plagued software written in low-level languages, such as C and C++, becoming one of the most frequent classes of exploited software bugs. Attackers identify code paths where data is manually freed by the programmer, but later incorrectly reused, and take advantage by reallocating the data to themselves. They then alter the data behind the program’s back, using the erroneous reuse to gain control of the application and, potentially, the system. While a variety of techniques have been developed to deal with these vulnerabilities, they often have unacceptably high performance or memory overheads, especially in the worst case. We have designed MarkUs, a memory allocator that prevents this form of attack at low overhead, sufficient for deployment in real software, even under allocation- and memory-intensive scenarios. We prevent use-after-free attacks by quarantining data freed by the programmer and forbidding its reallocation until we are sure that there are no dangling pointers targeting it. To identify these we traverse live objects accessible from registers and memory, marking those we encounter, to check whether quarantined data is accessible from any currently allocated location. Unlike garbage collection, which is unsafe in C and C++, MarkUs ensures safety by only freeing data that is both quarantined by the programmer and has no identifiable dangling pointers. The information provided by the programmer’s allocations and frees further allows us to optimize the process by freeing physical addresses early for large objects, specializing analysis for small objects, and only performing marking when sufficient data is in quarantine. Using MarkUs, we reduce the overheads of temporal safety in low-level languages to 1.1× on average for SPEC CPU2006, with a maximum slowdown of only 2×, vastly improving upon the state-of-the-art.
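The mechanism the abstract describes, quarantine on free followed by a conservative mark phase that releases only quarantined blocks no remaining pointer can reach, is illustrated below in a deliberately small allocator. This is an added example written for this page, not the MarkUs code: it uses fixed-size blocks from a static pool, takes its root set as an explicit array of words (MarkUs instead scans registers, stacks and globals), and omits the paper's large-object, small-object and quarantine-threshold optimizations. The names `qalloc`, `qfree`, `sweep_quarantine` and `state_of` are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative quarantining allocator (added example, not MarkUs itself):
   fixed-size blocks, a quarantine state, and a conservative mark phase
   that decides which quarantined blocks are safe to recycle. */

#define NBLOCKS 16
#define BLOCK_BYTES 64
#define WORDS_PER_BLOCK (BLOCK_BYTES / sizeof(uintptr_t))

enum blockstate { FREE = 0, LIVE = 1, QUARANTINED = 2 };

static uintptr_t pool[NBLOCKS][WORDS_PER_BLOCK];
static enum blockstate states[NBLOCKS];
static int marked[NBLOCKS];

/* Map an arbitrary word to a block index, or -1 if it does not point into
   the pool. Interior pointers count, as a conservative scanner must assume. */
static int block_of(uintptr_t w) {
    uintptr_t base = (uintptr_t)pool;
    if (w < base || w >= base + sizeof pool) return -1;
    return (int)((w - base) / BLOCK_BYTES);
}

void *qalloc(void) {
    for (int i = 0; i < NBLOCKS; i++) {
        if (states[i] == FREE) {
            states[i] = LIVE;
            memset(pool[i], 0, BLOCK_BYTES);
            return pool[i];
        }
    }
    return NULL;  /* pool exhausted */
}

/* Freeing never recycles directly: the block only enters quarantine.
   Returns -1 for a pointer that is not a live block (e.g. a double free). */
int qfree(void *p) {
    int i = block_of((uintptr_t)p);
    if (i < 0 || states[i] != LIVE) return -1;
    states[i] = QUARANTINED;
    return 0;
}

/* Mark phase: start from the supplied root words (in MarkUs these come from
   registers, stacks and globals), follow every word that looks like a pointer
   into a non-free block, and scan the payload of each block reached. A
   quarantined block is recycled only if nothing reachable points at it.
   Returns the number of quarantined blocks recycled. */
int sweep_quarantine(const uintptr_t *roots, size_t nroots) {
    int work[NBLOCKS];
    int top = 0;
    memset(marked, 0, sizeof marked);
    for (size_t r = 0; r < nroots; r++) {
        int i = block_of(roots[r]);
        if (i >= 0 && states[i] != FREE && !marked[i]) { marked[i] = 1; work[top++] = i; }
    }
    while (top > 0) {
        int i = work[--top];
        for (size_t w = 0; w < WORDS_PER_BLOCK; w++) {
            int j = block_of(pool[i][w]);
            if (j >= 0 && states[j] != FREE && !marked[j]) { marked[j] = 1; work[top++] = j; }
        }
    }
    int recycled = 0;
    for (int i = 0; i < NBLOCKS; i++) {
        if (states[i] == QUARANTINED && !marked[i]) { states[i] = FREE; recycled++; }
    }
    return recycled;  /* unmarked LIVE blocks are left alone: only quarantined data is ever freed */
}

/* Current state of the block p points into (0 FREE, 1 LIVE, 2 QUARANTINED), or -1. */
int state_of(void *p) {
    int i = block_of((uintptr_t)p);
    return i < 0 ? -1 : (int)states[i];
}

/* Constructed scenario: block a keeps a pointer to block b; b is freed while
   that pointer still exists (a dangling pointer), c is freed with no references. */
int demo(void) {
    uintptr_t *a = qalloc();
    uintptr_t *b = qalloc();
    uintptr_t *c = qalloc();
    a[0] = (uintptr_t)b;                          /* a -> b */
    qfree(b);                                     /* dangling: a[0] still targets b */
    qfree(c);                                     /* no remaining references to c */
    uintptr_t roots[1] = { (uintptr_t)a };        /* a is reachable from the program's roots */
    int recycled = sweep_quarantine(roots, 1);    /* c is recycled, b stays quarantined */
    printf("recycled %d block(s); b state=%d c state=%d\n", recycled, state_of(b), state_of(c));
    return recycled;
}
```

Calling `demo()` recycles exactly one block: `c` returns to the free list, while `b` stays in quarantine because the marking pass reaches `a` from the root set and finds the stale pointer in its payload, so any later allocation cannot be handed the memory that the dangling pointer still targets.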
Original language: English
Title of host publication: Proceedings of the 41st IEEE Symposium on Security and Privacy
Publisher: IEEE Computer Society
Pages: 1214-1227
Number of pages: 14
ISBN (Electronic): 978-1-7281-3497-0
DOIs
Publication status: Published - 20 May 2020
Event: 41st IEEE Symposium on Security and Privacy - The Hyatt Regency, San Francisco, United States
Duration: 18 May 2020 - 20 May 2020
Conference number: 41
http://www.ieee-security.org/TC/SP2020/

Publication series

Name: Proceedings of the IEEE Symposium on Security and Privacy
ISSN (Electronic): 2375-1207

Conference

Conference: 41st IEEE Symposium on Security and Privacy
Abbreviated title: SP 2020
Country/Territory: United States
City: San Francisco
Period: 18/05/20 - 20/05/20
Internet address
