MineSweeper: A “Clean Sweep” for Drop-In Use-After-Free Prevention

Márton Erdős, Sam Ainsworth, Timothy M. Jones

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Low-level languages, which require manual memory management from the programmer, remain in wide use for performance-critical applications. Memory-safety bugs are common, and now a major source of exploits. In particular, a use-after-free bug occurs when an object is erroneously deallocated, whilst pointers to it remain active in memory, and those (dangling) pointers are later used to access the object. An attacker can reallocate the memory area backing an erroneously freed object, then overwrite its contents, injecting carefully chosen data into the host program, thus altering its execution and achieving privilege escalation.
We present MineSweeper, a system to mitigate use-after-free vulnerabilities by retaining freed allocations in a quarantine, until no pointers to them remain in program memory, thus preventing their reallocation until it is safe. MineSweeper performs efficient linear sweeps of memory to identify quarantined items that have no dangling pointers to them, and thus can be safely reallocated. This allows MineSweeper to be significantly more efficient than previous transitive marking procedure techniques. MineSweeper, attached to JeMalloc, improves security at an acceptable overhead in memory footprint (11.1% on average) and an execution-time cost of only 5.4% (geometric mean for SPEC CPU2006), with 9.6% additional threaded CPU usage. These figures considerably improve on the state-of-the-art for non-probabilistic drop-in temporal-safety systems, and make MineSweeper the only such scheme suitable for deployment in real-world production environments.
Original languageEnglish
Title of host publicationProceedings of the 27th International Conference on Architectural Support for Programming Languages and Operating Systems
EditorsBabak Falsafi, Michael Ferdman, Shan Lu, Tom Wenisch
Place of PublicationNew York, NY, USA
PublisherACM Association for Computing Machinery
Pages212-225
Number of pages14
ISBN (Electronic)9781450392051
DOIs
Publication statusPublished - 28 Feb 2022
Event27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems - Lausanne, Switzerland
Duration: 28 Feb 20224 Mar 2022
Conference number: 27
https://asplos-conference.org/

Conference

Conference27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
Abbreviated titleASPLOS 2022
Country/TerritorySwitzerland
CityLausanne
Period28/02/224/03/22
Internet address

Keywords

  • temporal safety
  • use-after-free
  • programming language security

Fingerprint

Dive into the research topics of 'MineSweeper: A “Clean Sweep” for Drop-In Use-After-Free Prevention'. Together they form a unique fingerprint.

Cite this