security of memory allocators for c and c++

Download Security of Memory Allocators for C and C++

Post on 02-Feb-2016

30 views

Category:

Documents

2 download

Embed Size (px)

DESCRIPTION

Security of Memory Allocators for C and C++. Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium Yves.Younan@cs.kuleuven.ac.be. Overview. Introduction Attacks Memory Allocators - PowerPoint PPT Presentation

TRANSCRIPT

  • Security of Memory Allocators for C and C++Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den EyndenDistriNet, Department of Computer ScienceKatholieke Universiteit LeuvenBelgiumYves.Younan@cs.kuleuven.ac.be

  • OverviewIntroductionAttacksMemory AllocatorsA Safer AllocatorRelated WorkConclusion

  • IntroductionMany allocators ignore securityPerformance and waste limitation is more importantMany allocators can be abused to perform code injection attacksMore security is possible at a modest cost

  • OverviewIntroductionAttacksHeap-based buffer overflowOff by One/Off by FiveDangling Pointer ReferencesMemory AllocatorsA Safer AllocatorRelated WorkConclusion

  • Heap-based buffer overflowsHeap memory is dynamically allocated at run-timeCan also be overflowed but no return address is availableModify data pointers (IPO) or function pointers - not always availableModify the memory management information associated with heap memory

  • Off by one / Off by fiveSpecial case of buffer overflow: limited space neededOff by one: write one byte past the boundsOff by five: dont occur often but demonstrate low-space attacksUsually only exploitable on little endian machines (LSB is stored before MSB)

  • Dangling pointer referencesPointers to memory that is no longer allocatedDereferencing is unchecked in CGenerally leads to crashes (SIGSEGV)Can be used for code injection attacks when deallocated twice (double free)A double free can be used to change memory management information allowing an overwrite of arbitrary memory locations

  • OverviewIntroductionAttacksMemory AllocatorsDoug Leas malloc (Linux)CSRI/QuickfitPoul-Henning Kamps malloc (BSD)Boehms garbage collectorA Safer AllocatorRelated WorkConclusion

  • Doug Leas mallocGNU lib C is based on this mallocEvery allocation is represented by a chunkManagement information stored before the chunkFree chunks stored in doubly linked list of free chunksTwo bordering free chunks are coalesced into a larger free chunkDescription based on dlmalloc 2.7.2

  • Doug Leas mallocSize of prev chunkSize of chunk1Chunk1Chunk2User dataHigh addrChunk3Chunk4

  • Heap Overflow (dlmalloc)Backward PointerReturn addressSize of prev chunkSize of chunk1Chunk1Chunk2User dataSize of chunk1Size of chunk2Old user dataForward PointerChunk3Chunk4StackInjected code

  • Off by one (dlmalloc)Chunk sizes are multiples of 8Size contains two flags mmapped and prev_inuseTwo chunks must be next to each other (no padding) for off by onePrev_size of next will be used for dataOverwrite 1 byte of the size and set prev_inuse to 0 and set a smaller sizeMake a fake chunk, containing modified pointers

  • Off by one (dlmalloc)Backward PointerReturn addressSize of prev chunkSize of chunk1Chunk1User dataStackInjected codeBackward PointerChunk2Size of chunk2Old user dataForward PointerSize of fake chunkSize of chunk2Forward Pointer

  • Dangling pointer references (dlmalloc)Size of prev chunkSize of chunkOld user dataForward PointerBackward PointerSize of prev chunkSize of chunkOld user dataForward PointerBackward PointerSize of prev chunkSize of chunkOld user dataForward PointerBackward PointerChunk1Chunk2Chunk3Return addressUser dataStackInjected Code

  • Doug Leas malloc conclusionVulnerable to: Heap overflowOff by one/fiveDouble freeVersion 2.8.x contains some mitigation techniques, see related work

  • OverviewIntroductionAttacksMemory AllocatorsDoug Leas malloc (Linux)CSRI/QuickfitPhkmalloc (BSD)Boehms garbage collectorA Safer AllocatorRelated WorkConclusion

  • CSRI/QuickfitHigh addrSize of chunk1Size of chunk1Chunk1User data11InuseCSRIQuickfit

  • Heap Overflow (CSRI)Next PointerReturn addressSize of chunk1Size of chunk1Chunk1Chunk2User dataSize of chunk2Size of chunk2\125Previous PointerChunk3Chunk4StackInjected code1100Old user data

  • CSRI/Quickfit ConclusionVery similar to dlmallocVulnerable to heap overflowNo double free possible: inuse bit checkedNo off by one/five possible: size at beginning compared with size at end

  • OverviewIntroductionAttacksMemory AllocatorsDoug Leas malloc (Linux)CSRI/QuickfitPhkmalloc (BSD)Boehms garbage collectorA Safer AllocatorRelated WorkConclusion

  • Poul-Henning Kamps mallocStandard FreeBSD allocator (used in other BSDs as well).Takes advantage of the virtual memory systemTries to minimize accessed pagesMakes sure that objects that are smaller or equal to a page do not span pagesTwo layers: page layer, chunk layer

  • Phkmalloc: Page layerManages allocation and freeing of pagesInformation about pages allocated to the heap are stored in a page directoryFirst elements contain pointers to a linked list of page information for each possible size of chunksOther elements store information about particular pages

  • Phkmalloc: page directoryHeapFreePageLarge multipage chunkFreePagePage with small chunksPage directoryPointer to pginfo listPointer to pginfo listMALLOC_FREEMALLOC_FIRSTMALLOC_FOLLOWMALLOC_FREEPointer to pginfopginfoMALLOC_FREEFreePage

  • Phkmalloc: free pagesFree pages stored in a sorted (address) doubly linked listAdjacent free pages are coalesced and only a pointer to the first page is keptFree page info (pgfree) is stored using malloc (allows swapping pages out)To increase performance a cache pointer is kept of a free pgfree

  • Phkmalloc: free pagesHeapFreePageLarge multipage chunkFreePagePage with small chunksFreePagenextprevpageendfreelistsizepgfreenextprevpageendsizepgfree

  • Phkmalloc: Chunk layerThree different types of chunks: small, medium largeLarge is larger than half a pageLarge object allocation: search for contiguous free pages, set MALLOC_FIRST and MALLOC_FOLLOWSmall or medium chunks are rounded up to the next power of twoPages only contain chunks of the same size

  • Phkmalloc: pginfoPginfo is used to describe a small or medium pageStored in the beginning of the page for small chunksAllocated using malloc for medium chunksThe entry in the pagedir or small/medium pages points to pginfo

  • Phkmalloc: pginfoHeapPage with small chunksPage directoryPointer to pginfo listPointer to pginfo listMALLOC_FREEMALLOC_FIRSTMALLOC_FOLLOWMALLOC_FREEPointer to pginfoMALLOC_FREEPginfonextpagesizeshiftfreetotalbits[]Pginfonextpagesizeshiftfreetotalbits[]

  • Heap overflow (phkmalloc)Pginfo (for medium chunks) and pgfree structs are stored together with normal chunksCan be overflowedWe will demonstrate using pginfoMake page-field point to target memoryModify the bits[] array to make all chunks seem freeWhen a chunk is of that size is requested, the allocator will return the page-pointer as a valid chunk

  • Heap overflow (phkmalloc)ChunkLower addressesPginfonextpagePage with medium chunksReturn addressStacksizeshiftfreetotalbits[]

  • Off by one (phkmalloc)ChunkLower addressesPginfonextpagesizeshiftfreetotalbits[]Return addressStackPginfonextpagesizeshiftfreetotalbits[]Fake Pginfonextpagesizeshiftfreetotalbits[]

  • Phkmalloc conclusionVulnerable to: Heap overflowOff by oneNot vulnerable to double free: a check is done to see if the chunk is free or not

  • OverviewIntroductionAttacksMemory AllocatorsDoug Leas malloc (Linux)CSRI/QuickfitPhkmalloc (BSD)Boehms garbage collectorA Safer AllocatorRelated WorkConclusion

  • Boehms Garbage CollectorConservative garbage collector for C/C++Assumes values in memory are pointers if they look like pointersAutomatically releases memory to the system when no longer neededNo dangling pointer references are possible (unless programmer does explicit freeing)Uses mark and sweep

  • Boehms Garbage CollectorMakes a difference between small and large chunksLarge chunks are larger than half of page size (IA32) and rounded up to page sizeSmall chunks are allocated in pages and the page is divided in chunks of same sizeAllocated chunks only contain dataFree chunks contain pointer to the next free chunk

  • Heap overflow (Boehm)If attackers can overflow a chunk, they can overwrite the next pointerAn attacker can make the next pointer point to a target memory locationEventually the allocator will return the pointers target as a valid chunkUsually an off by four attack

  • Double free (Boehm)Chunk 1Chunk 1NextNextChunk 2Chunk 2

  • Boehm ConclusionVulnerable to:Heap overflowOff by one-fourDouble free: only if the programmer explicitly frees memory (usually not necessary)

  • OverviewIntroductionAttacksMemory AllocatorsA Safer AllocatorRelated WorkConclusion

  • DesignOn most modern systems code and data are loaded into separate memory locationsWe apply the same to chunk information and chunksChunk info is stored in separate contiguous memoryThis area is protected by guard pagesA hashtable is used to associate chunks with chunkinfoThe hashtable contains pointers to a linked list of chunk information accessed through the hashfunctionImplemented in a prototype called dnmalloc (DistriNet malloc), based on dlmalloc

  • Modified memory layoutTextDataBssChunksChunkinfoHashtableStackNon-writable pageNon-writable page

  • Dnmalloc: hashtableHashtable is stored before the stack in a mmaped area big enough to hold itEach page is divided in 256 possible chunks (of 16 bytes, minimum chunk size)These chunks are separated into 32 groups of 8 chunksEach group has an entry in the hashtable, maximum 32 entries for every pageOne element of the group is accessed through a linked list of max. 8 elements

  • Dnmalloc: hashfunctionTo find a chunks information from a chunk we do the following:Substract the start of the heap from the chunks addressShift the result 7 bits to the right: gives us the en

Recommended

View more >