Seminar report: DieHarder: Securing the heap
|
|
- Kathryn Cross
- 6 years ago
- Views:
Transcription
1 Seminar report: DieHarder: Securing the heap Otto Waltari Helsinki Seminar report UNIVERSITY OF HELSINKI Department of Computer science
2 HELSINGIN YLIOPISTO HELSINGFORS UNIVERSITET UNIVERSITY OF HELSINKI Tiedekunta Fakultet Faculty Laitos Institution Department University of Helsinki Department of Computer science Tekijä Författare Author Otto Waltari Työn nimi Arbetets titel Title Seminar report: DieHarder: Securing the heap Oppiaine Läroämne Subject Computer Science Työn laji Arbetets art Level Aika Datum Month and year Sivumäärä Sidoantal Number of pages Seminar report sivua Tiivistelmä Referat Abstract This paper is a seminar report inspired by the article DieHarder: Securing the Heap [NB10]. Avainsanat Nyckelord Keywords Säilytyspaikka Förvaringsställe Where deposited Muita tietoja övriga uppgifter Additional information
3 Contents ii 1 Introduction 1 2 Heap attacks Preconditions Memory management errors Exploitable allocator Common attack model Allocator implementations DLmalloc Windows PHKmalloc OpenBSD DieHard DieHarder 8 5 Conclusion 9 References 12
4 1 Introduction Heap based attacks are an ongoing threat. As with many security vulnerabilities the exploitable glitch is rst discovered by the attacking party. Pointing out the glitch, creating a patch to x it and getting it to production on all systems using the software may require a vast amount of time, although it should happen as fast as possible. These patches often only x the specic application vulnerability, which leaves the operating system once again exploitable as soon as a similar application level vulnerability is discovered. Bad memory management from the programmer may lead to various errors that could interfere with other processes and enable heap based attacks. Instead of relying on the programmers memory managing skills, an approach to prevent these heap based attacks is to make the memory allocator safe. This basically means that the allocator tries to tolerate the inevitable memory errors and let them not interfere with anything but the processes that caused them. Several widely used memory allocators have no focus on security issues. operating systems have their own implementation of a memory allocator. leaves us with many dierent approaches that eventually do the same thing. Many This The rest of this paper is structured as follows. Section 2 describes briey what heap attacks are and what allows them to happen. Section 3 gives an overview of various allocators used today. Section 4 explains a more secure allocator implementation. And nally, Section 5 concludes the main points of interest in this paper. 2 Heap attacks In a heap attack the attacker targets the memory heap of a process. The heap contains all the memory the current process has allocated. If the attack succeeds the attacker could compromise the system, or simply just cause a crash. In order for the attacker to carry on with a heap attack there are a couple of aws that have to be present in the system that is to be attacked.
5 2.1 Preconditions 2 There are a couple of conditions that are inevitable prior to a heap attack. First of all there has to be a memory management error. Secondly the memory allocator has to be exploitable Memory management errors A memory management error is required. If the target application can be proven to be completely safe from memory errors there is no chance of the attacker getting his hands on the heap. Unfortunately such proofs are hard to make, and therefore we have to assume that memory management errors are possible. Memory management errors usually originate from the programmer. Memory unsafe programming languages such as C and C++ require the programmer to allocate all memory he uses and to free the memory he no longer needs. This allows many kinds of humane errors in the code that even the compiler can not necessarily warn about. There are ve common memory management errors: Heap overow and underow. Overow happens when the allocated memory is too small to store the object. Underow in contrast means reading or writing data to a location that is below the allocated area. Underows do not occur unintentionally very often, but overows are a common mistake. Dangling pointers. A pointer that points to a object that has already been freed. These pointers are also referred to as use-after-free pointers. Use of a dangling pointer might or might not lead to unexpected behaviour. This depends on wether or not the deallocated space has been overwritten yet. Double free. This error happens if the code tries to free the same object twice. Behaviour depends on the runtime implementation. Invalid free. This error happens if the code tries to free an object it never allocated. Once again the following behaviour depends on the runtime implementation.
6 3 Unitialized reads. C and C++ allocation functions malloc() and new() do not initalize fresh allocated space with any default or empty values. Accidental use of the existing arbitrary memory content could lead to unexpected behaviour. These memory management errors should not achievable with memory safe programming languages, such as Java, JavaScript or Flash. This however doesn't remove the threat of heap exploits. For example many browsers store web content objects in the same heap as its own internal data. While for example Java is implemented in C, it by default relies on the same C runtime allocator that the system uses. Attackers have been able to create documents, such as PDF's, images, et cetera, that trigger errors like the ones listed above. Thus the possibility for vulnerabilities exists Exploitable allocator Second requirement for a successful attack is that the memory allocator has to be exploitable. This generally means that the allocator is predictable so that we know how to get it to allocate memory on a certain area. Let us assume that the attacker has found out the memory management error and knows the execution path to the error. The next point of interest is the memory allocator. Allocator exploitation is achieved through driving the allocator to a predictable state. If the attacker manages to predict how to get data executed from a specic location where he is able to manipulate data, for example through overowing, the ingredients are prepared for an actual attack. Memory allocator security is achieved through steps that make the allocator unpredictable. An eective way of doing this is to allocate memory from a random location. If the free space is allocated from a random location it has a great impact on the heap structure and predictability. Additional ways to decrease predictability is to obfuscate and encrypt the heap metadata. We will take a closer look at allocator security later in this paper.
7 2.2 Common attack model 4 Probably the most common attack type is done via writing data beyond allocated space boundaries. In an attack like this the attacker benets from an overow, or underow error. By writing arbitrary data to the adjacent page the attacker could simply crash some process or interfere its behaviour. A more benecial way from the patient attackers point of view would be to try injecting shellcode to the page and hope that the shellcode overwrote a function pointer. If the overwritten pointer is now called, instead of it the attackers shellcode is executed. A second, quite similar way is called heap spraying. If the memory allocator does not erase unallocated data, the attacker could gradually ll, or as the name says spray, the memory with shellcode. If then a process would by itself or with a specic execution path call an uninitialized function pointer, the shellcode would be executed. In a situtation like this it would be extremely hard to know where the pointer would be called. To work around this problem attacks often use so called NOP-slides. NOP-slides are dummy algorithms that drift the instruction pointer to the beginning of the actual harmful shellcode. It is of course important to keep in mind that the attackers have to exploit the vulnerabilities through trial and error. A succesful attack scenario is usually so complicated, that it almost denitely did not succeed on the rst attempt. If the target system or application crashes after a single try, the attacker gets only one attempt per system. Live systems, such as online servers, might or might not restart the crashed service. In either case this is generally considered simply as denial of service. If the attacker is able to trigger many successive attacks at the target system he is more likely to succeed. This is probably the reason why most known heap attacks are done against generic consumer level systems with default applications. This is digestible, because the attacker is able to replicate the target system and investigate and debug the internals on the target system.
8 3 Allocator implementations 5 Roughly speaking there are two types of dynamic memory allocators. Main task for both of them is eventually the same. The dierence between them is in how they allocate and manage the free space that is to be used by applications. Allocators are usually designed to be rapid and to maintain a low fragmentation level. Unfortunately in many cases they tend to lack focus on security issues. One type is a so called freelist allocator. A freelist based allocator maintains a linked list of all the free space within the memory. A linked list is easy to maintain and thus it provides a simple way to allocate, free and merge chunks. The second type keeps track of free and allocated space with the help of a bitmap or a so called memory pool. In this case all the free memory is divided into pages of a xed size, usually 4kB. This means that the smallest allocable size is 4kB while all bigger allocations have to be multiples of 4kB. 3.1 DLmalloc DLmalloc is a freelist based allocator. It is named after its author Doug Lea. Its rst version was written in 1987, and since then it has been probably the most widely used allocator. It works well on systems ranging from embedded devices to large scale computers. It is also widely used for educational purposes because of its open source, straightforward design and exible nature. Doug Lea describes the allocator as follows: "This is not the fastest, most space-conserving, most portable, or most tunable malloc ever written. However it is among the fastest while also being among the most space-conserving, portable and tunable. Consistent balance across these factors results in a good general-purpose allocator for malloc-intensive programs." Original DLmalloc has very little focus on security issues. It stores heap metadata inside the free and allocated chunks. This metadata consists of chunk sizes, usage ags, or if the chunk is not allocated it contains pointers to other free chunks.
9 6 Another drawback is that there is necessarily no space between two adjacent chunks. This basically means that overowing might mess up the adjacent object or even harm the freelist in case a freelist link was overwritten by accident. Due to these various security issues, there is a huge amount of DLmalloc derivatives with improvements. One of them is PTmalloc, which has been used as the allocator in GNU C library since version Windows Due to a closed source many of the details regarding Windows memory allocator are unknown. It is however known that the Windows allocator is freelist based. There have been multiple successful exploit attempts since XP SP2 through Vista [MV09] that have revealed some of the details. For instance, the exploits reveal that a one byte cookie has been used as a key in the header of allocated chunks. 3.3 PHKmalloc PHKmalloc is the former allocator of FreeBSD and NetBSD. It was designed in 1996 to work eciently in virtual memory. The eciency led into various checks which half accidentally exposed dierent types of memory management errors. PHKmalloc is for example able to determine if a pointer passed to free() or realloc() is valid without dereferencing it. Also it is able to detect if a pointer was not returned by malloc() or realloc(). Knowing all this, PHKmalloc is able to detect all double frees and invalid frees. The consequences of these detections depend on the nature of the application. While an unpriviledged process could get away with only a warning, more critical processes might want to abort. Because of PHKmalloc's poor support for multithreading both FreeBSD (since 7.0) and NetBSD (since 5.0) changed their allocators to JEmalloc.
10 3.4 OpenBSD 7 OpenBSD's fundamentals are designed with heavy focus on security issues. Originally OpenBSD implemented PHKmalloc which has in the long run been improved in many ways. Still, many of the PHKmalloc properties listed above apply. Probably the most signicant improvement is the use of address space layout randomization (ASLR) [SPP + 04]. The system call mmap() on OpenBSD benets from a ASLR implementation and thus returns a range of pages from a random location. This is a nice feature and because of it the OpenBSD's allocators randomization is based on mmap(). Even the space for heap metadata is allocated through mmap(), which means that the heap metadata becomes completely segregated from the actual heap objects. OpenBSD's implementation of mmap() has other security focused characteristics. One of them is a sparse page layout. mmap() intentionally leaves empty pages between allocated pages. This makes sure that overowing from a chunk does not interfere with the adjacent chunk. The same thing happens in case of an underow. OpenBSD's allocator even randomizes the placement of objects within a page. This makes the allocator even harder to exploit. Not only is the attacker unable to locate the recently allocated space, but he is also unable to say for sure where inside the page the interesting data lies. Another unpdredictability enhancement is randomized reuse of pages. Once a page is freed it is not likely to be reallocated to another process anytime soon. Freelist based allocators tend to store free pages sorted by size. In the worst case scenario this could end up in the allocator circulating the same page over and over when triggering the same execution path to allocate a page. This kind of predictability is not possible if the freed pages end up in a pool of unused pages and on allocation a random page is pulled from the pool. What OpenBSD's allocator also does to improve exploitability is data overwriting before freeing the page. This so called destroy-on-free feature is discussed more in chapter 4.
11 3.5 DieHard 8 DieHard is a bitmap based allocator and was originally designed to be resistant against memory errors. This resistance was achieved through randomizing both memory allocation and the reuse of freed objects. These properties greatly improved reliability in two dierent ways. One of them being the fact that with randomized allocation it is unlikely that two adjacent objects are next to each other and that the former one would overow onto the latter. Secondly, randomizing the reuse of freed objects makes the allocator unpredictable, and as earlier stated, unpredictability makes the allocator harder to exploit. There is an adaptive version of DieHard that manages memory through so called miniheaps. Each of these miniheaps holds objects of exactly one size. When a specic size page is requested by a process the corresponding miniheap provides the page. Each miniheap size is adaptively adjusted so that a predened ratio between used and allocated space is sustained. It has been suggested that the heap size could be twice the size the process requires [BZ07]. DieHarder, which is presented in chapter 4, is a further improved version of the adaptive variant of DieHard. 4 DieHarder As earlier stated, DieHarder is a DieHard derivative. DieHard is designed to tolerate memory errors, while DieHarder focuses on security. Security vulnerabilities emerge from memory errors, so it is not surprising that both of them benet from the same design. OpenBSD's memory allocator has many eective and secure properties that have been implemented to DieHarder. One of the drawbacks DieHard suers from is that it allocates large continuous areas. This is a bad thing from the security aspect, since there are no guardian pages between heap objects. Although allocating large continuous areas is faster and requires less overhead, a sparse page layout is a great improvement on security, thus making it worth the overhead. DieHarder adapts a sparse page layout mechanism very similar to OpenBSD's randomized mmap().
12 9 Another feature DieHarder adapts from OpenBSD is erasing of freed data. Overwriting every freed page with random data causes of course some overhead. But once again from the security aspect it is well worth it. Take for example a situation where an attacker exploits the allocator and is able to ll an allocated page with arbitrary data. With the help of randomized reuse of used pages, the attacker could gradually ll the memory with for example shellcode. Erasing the unallocated data prevents this scenario. Filling the unallocated chunks with random data leaves the attacker with only one chunk to play with at a time. In addition overwriting unallocated chunks also reveals eectively dangling pointers and other use-after-free errors. On systems with limited or no support for ASLR, DieHarder handles randomizing in the following manner. DieHarder maps a generously large space of virtual memory within which the randomizing is done. While on modern systems the virtual address space is larger than anyone could require, the generous mapping doesn't aect performance. On modern 64 bit systems (x86-64 operating in long-mode) the virtual address space can be up to 16 exabytes (2 64 bytes, or about 16 million petabytes). With this magnitude of address space available mapping excessive address space has no impact on performance. The drawback however is that the process page tables size grow due to uneccessarily mapped pages. Even though physical memory wouldn't be a problem, keeping track of all the mapped pages could have a huge impact on the page table size and cache eciency. All the features presented above do not come for free. Figure 1 shows a chart of runtime overhead while processing some memory intensive tasks. DieHarder generates a noticeable amount of overhead, but it is not however incompetent with other major allocators. On for instance critical systems performance may take a hit, while security is not negotiable. 5 Conclusion A heap attack is an attack against the memory heap of a specic process. There are two preconditions that have to be true in order for a heap attack to be possible. First
13 10 Figure 1: DieHarder runtime overhead of all a memory management error has to be present. These errors usually originate from the programmer, but recently attackers have managed to trigger similar errors through various document types. Probably the most common memory errors are heap under- and overows and dangling pointers, or so called use-after-free errors. Secondly the memory allocator has to be exploitable. Allocator exploitability basically means that the allocator can be driven to a predictable state. If the attacker knows a way to write arbitrary data to a specic location with the help of a memory error, and is afterwards able to exploit the allocator to work on that same location, he is close to a successful attack. There are roughly speaking two types of memory allocators. One type is a so called freelist allocator. These allocators keep track of unallocated space with the help of a linked list. When a process requests memory, the list is searched for a page of proper size, which then is extracted from the list and given to the requesting process. Second type keeps track of allocated and free space through a bitmap. These bitmap bits represent memory pages of the same size, usually 4kB. Bitmap based allocators are considered to be more reliable because the bitmap is segregated from the allocable memory, while the freelist is a data structure located all over the memory, making it fragile. OpenBSD implements an allocator that has a heavy focus on security issues. DieHard
14 11 on the other hand is a allocator that provides high level of reliability and tolerance against memory errors. The authors of DieHard have combined the properties from both of these to create an even more secure allocator called DieHarder. DieHarder features for instance completely segregated metadata, erasing of data when space is freed, randomized page allocation and randomized object positioning inside pages. Secure allocators cause overhead which is an important thing to take into consideration when choosing between either rapid or secure allocators.
15 References 12 BZ07 MV09 Berger, E. D. and Zorn, B. G., Diehard: Ecient probabilistic memory safety, McDonald, J. and Valasek, C., Practical Windows XP/2003 heap exploitation. Black hat, USA, NB10 Novark, G. and Berger, E. D., Dieharder: securing the heap. ACM Conference on Computer and Communications Security, 2010, pages SPP + 04 Shacham, H., Page, M., Pfa, B., Goh, E.-J., Modadugu, N. and Boneh, D., On the eectiveness of address-space randomization. Proceedings of the 11th ACM conference on Computer and communications security, CCS '04, New York, NY, USA, 2004, ACM, pages , URL http: //doi.acm.org/ /
DieHarder: Securing the Heap
DieHarder: Securing the Heap Gene Novark Emery D. Berger Dept. of Computer Science University of Massachusetts Amherst Amherst, MA 01003 gnovark@cs.umass.edu, emery@cs.umass.edu Abstract Heap-based attacks
More informationDieHarder: Securing the Heap
DieHarder: Securing the Heap Gene Novark Dept. of Computer Science University of Massachusetts Amherst gnovark@cs.umass.edu Abstract Heap-based attacks depend on a combination of memory management errors
More informationDieHard: Probabilistic Memory Safety for Unsafe Programming Languages
DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery Berger University of Massachusetts Amherst Ben Zorn Microsoft Research Problems with Unsafe Languages C, C++: pervasive apps,
More informationVetting Browser Extensions for Security Vulnerabilities
Vetting Browser Extensions for Security Vulnerabilities Risto Sandvik Helsinki 28.3.2011 UNIVERSITY OF HELSINKI Faculty of Science Department of Computer Science HELSINGIN YLIOPISTO HELSINGFORS UNIVERSITET
More informationECE 598 Advanced Operating Systems Lecture 10
ECE 598 Advanced Operating Systems Lecture 10 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 17 February 2015 Announcements Homework #1 and #2 grades, HW#3 Coming soon 1 Various
More informationFault-tolerant and real-time CORBA
Date of acceptance Grade Instructor Fault-tolerant and real-time CORBA Mika Karlstedt Helsinki December 1, 2007 UNIVERSITY OF HELSINKI Department of Computer Science HELSINGIN YLIOPISTO HELSINGFORS UNIVERSITET
More informationExperimental Security Analysis of a Modern Automobile
hyväksymispäivä arvosana arvostelija Experimental Security Analysis of a Modern Automobile Matti Valovirta Helsinki HELSINGIN YLIOPISTO Tietojenkäsittelytieteen laitos HELSINGIN YLIOPISTO HELSINGFORS UNIVERSITET
More informationHeap Management. Heap Allocation
Heap Management Heap Allocation A very flexible storage allocation mechanism is heap allocation. Any number of data objects can be allocated and freed in a memory pool, called a heap. Heap allocation is
More informationVMem. By Stewart Lynch.
VMem By Stewart Lynch. 1 Contents Introduction... 3 Overview... 4 Getting started... 6 Fragmentation... 7 Virtual Regions... 8 The FSA... 9 Biasing... 10 The Coalesce allocator... 11 Skewing indices...
More informationLecture 1: Buffer Overflows
CS5431 Computer Security Practicum Spring 2017 January 27, 2017 1 Conficker Lecture 1: Buffer Overflows Instructor: Eleanor Birrell In November 2008, a new piece of malware was observed in the wild. This
More informationRun-time Environments -Part 3
Run-time Environments -Part 3 Y.N. Srikant Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Compiler Design Outline of the Lecture Part 3 What is run-time support?
More informationSecure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationSecure Coding in C and C++
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Sept 21, 2017 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationDigital Forensics Lecture 02 PDF Structure
Digital Forensics Lecture 02 PDF Structure PDF Files Structure Akbar S. Namin Texas Tech University Spring 2017 PDF Format and Structure Tools used Text editor (e.g., vi) ClamAV antivirus (http://www.clamav.net/lang/en/download/
More informationMemory Allocation. Static Allocation. Dynamic Allocation. Dynamic Storage Allocation. CS 414: Operating Systems Spring 2008
Dynamic Storage Allocation CS 44: Operating Systems Spring 2 Memory Allocation Static Allocation (fixed in size) Sometimes we create data structures that are fixed and don t need to grow or shrink. Dynamic
More informationMemory Allocator Security
Memory Allocator Security Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium Yves.Younan@cs.kuleuven.ac.be
More informationModern Buffer Overflow Prevention Techniques: How they work and why they don t
Modern Buffer Overflow Prevention Techniques: How they work and why they don t Russ Osborn CS182 JT 4/13/2006 1 In the past 10 years, computer viruses have been a growing problem. In 1995, there were approximately
More informationRun-time Environments - 3
Run-time Environments - 3 Y.N. Srikant Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Principles of Compiler Design Outline of the Lecture n What is run-time
More informationImproving memory management security for C and C++
Improving memory management security for C and C++ Yves Younan, Wouter Joosen, Frank Piessens, Hans Van den Eynden DistriNet, Katholieke Universiteit Leuven, Belgium Abstract Memory managers are an important
More informationRun-Time Environments/Garbage Collection
Run-Time Environments/Garbage Collection Department of Computer Science, Faculty of ICT January 5, 2014 Introduction Compilers need to be aware of the run-time environment in which their compiled programs
More informationOn-Demand Proactive Defense against Memory Vulnerabilities
On-Demand Proactive Defense against Memory Vulnerabilities Gang Chen, Hai Jin, Deqing Zou, and Weiqi Dai Services Computing Technology and System Lab Cluster and Grid Computing Lab School of Computer Science
More informationDnmaloc: a more secure memory allocator
Dnmaloc: a more secure memory allocator 28 September 2005 Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
More informationCyber Moving Targets. Yashar Dehkan Asl
Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target techniques, their threat models, and their technical details. Cyber moving target technique: Defend a system
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationUndefined Behaviour in C
Undefined Behaviour in C Report Field of work: Scientific Computing Field: Computer Science Faculty for Mathematics, Computer Science and Natural Sciences University of Hamburg Presented by: Dennis Sobczak
More informationCS61C : Machine Structures
inst.eecs.berkeley.edu/~cs61c/su06 CS61C : Machine Structures Lecture #6: Memory Management CS 61C L06 Memory Management (1) 2006-07-05 Andy Carle Memory Management (1/2) Variable declaration allocates
More informationA Comprehensive Complexity Analysis of User-level Memory Allocator Algorithms
2012 Brazilian Symposium on Computing System Engineering A Comprehensive Complexity Analysis of User-level Memory Allocator Algorithms Taís Borges Ferreira, Márcia Aparecida Fernandes, Rivalino Matias
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationDeallocation Mechanisms. User-controlled Deallocation. Automatic Garbage Collection
Deallocation Mechanisms User-controlled Deallocation Allocating heap space is fairly easy. But how do we deallocate heap memory no longer in use? Sometimes we may never need to deallocate! If heaps objects
More informationBuilding a Reactive Immune System for Software Services
Building a Reactive Immune System for Software Services Tobias Haupt January 24, 2007 Abstract In this article I summarize the ideas and concepts of the paper Building a Reactive Immune System for Software
More informationSegmentation. Multiple Segments. Lecture Notes Week 6
At this point, we have the concept of virtual memory. The CPU emits virtual memory addresses instead of physical memory addresses. The MMU translates between virtual and physical addresses. Don't forget,
More informationAdvanced Programming & C++ Language
Advanced Programming & C++ Language ~6~ Introduction to Memory Management Ariel University 2018 Dr. Miri (Kopel) Ben-Nissan Stack & Heap 2 The memory a program uses is typically divided into four different
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationMemory Management Basics
Memory Management Basics 1 Basic Memory Management Concepts Address spaces! Physical address space The address space supported by the hardware Ø Starting at address 0, going to address MAX sys! MAX sys!!
More informationLimitations of the stack
The heap hic 1 Limitations of the stack int *table_of(int num, int len) { int table[len+1]; for (int i=0; i
More informationAdvanced Memory Allocation
Advanced Memory Allocation Call some useful functions of the GNU C library to save precious memory and to find nasty bugs. by Gianluca Insolvibile Dealing with dynamic memory traditionally has been one
More informationOpera&ng Systems CMPSCI 377 Dynamic Memory Management. Emery Berger and Mark Corner University of Massachuse9s Amherst
Opera&ng Systems CMPSCI 377 Dynamic Memory Management Emery Berger and Mark Corner University of Massachuse9s Amherst Dynamic Memory Management How the heap manager is implemented malloc, free new, delete
More informationDynamic Memory Allocation
Dynamic Memory Allocation CS61, Lecture 10 Prof. Stephen Chong October 4, 2011 Announcements 1/2 Assignment 4: Malloc Will be released today May work in groups of one or two Please go to website and enter
More informationLecture 16. Today: Start looking into memory hierarchy Cache$! Yay!
Lecture 16 Today: Start looking into memory hierarchy Cache$! Yay! Note: There are no slides labeled Lecture 15. Nothing omitted, just that the numbering got out of sequence somewhere along the way. 1
More information2/9/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Agenda. Dynamic Memory Interface. Dynamic Memory Interface
Secure Coding CYSE 411/AIT681 Secure Software Engineering Topic #9. Secure Coding: Dynamic Memory Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security
More informationEnforcement in Abstract Argumentation via Boolean Optimization
Enforcement in Abstract Argumentation via Boolean Optimization Andreas Niskanen MSc thesis University of Helsinki Department of Computer Science Helsinki, November 30, 2016 HELSINGIN YLIOPISTO HELSINGFORS
More informationCS 536 Introduction to Programming Languages and Compilers Charles N. Fischer Lecture 11
CS 536 Introduction to Programming Languages and Compilers Charles N. Fischer Lecture 11 CS 536 Spring 2015 1 Handling Overloaded Declarations Two approaches are popular: 1. Create a single symbol table
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationEngine Support System. asyrani.com
Engine Support System asyrani.com A game engine is a complex piece of software consisting of many interacting subsystems. When the engine first starts up, each subsystem must be configured and initialized
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationMemory by the Slab. The Tale of Jeff Bonwick s Slab Allocator Ryan Zezeski // Sep 2015 // Papers We Love, NYC
Memory by the Slab The Tale of Jeff Bonwick s Slab Allocator Ryan Zezeski // Sep 2015 // Papers We Love, NYC Best Fit Fastest VS General Allocator? malloc(3c) & free(3c) Have no a priori knowledge of
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationLecture Notes on Garbage Collection
Lecture Notes on Garbage Collection 15-411: Compiler Design André Platzer Lecture 20 1 Introduction In the previous lectures we have considered a programming language C0 with pointers and memory and array
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationPerformance Evaluation of Bloom Multifilters
Date of acceptance Grade Instructor Performance Evaluation of Bloom Multifilters Francesco Concas Helsinki December 7, 2017 UNIVERSITY OF HELSINKI Department of Computer Science HELSINGIN YLIOPISTO HELSINGFORS
More informationMemory Allocation. Copyright : University of Illinois CS 241 Staff 1
Memory Allocation Copyright : University of Illinois CS 241 Staff 1 Memory allocation within a process What happens when you declare a variable? Allocating a page for every variable wouldn t be efficient
More informationLast week. Data on the stack is allocated automatically when we do a function call, and removed when we return
Last week Data can be allocated on the stack or on the heap (aka dynamic memory) Data on the stack is allocated automatically when we do a function call, and removed when we return f() {... int table[len];...
More informationDynamic Memory Allocation. Basic Concepts. Computer Organization 4/3/2012. CSC252 - Spring The malloc Package. Kai Shen
Dynamic Memory Allocation: Basic Concepts Kai Shen Dynamic Memory Allocation Programmers use dynamic memory allocators (such as malloc) to acquire memory at run time. For data structures whose size is
More informationPlot SIZE. How will execution time grow with SIZE? Actual Data. int array[size]; int A = 0;
How will execution time grow with SIZE? int array[size]; int A = ; for (int i = ; i < ; i++) { for (int j = ; j < SIZE ; j++) { A += array[j]; } TIME } Plot SIZE Actual Data 45 4 5 5 Series 5 5 4 6 8 Memory
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationIntrusion Detection and Malware Analysis
Intrusion Detection and Malware Analysis Host Based Attacks Pavel Laskov Wilhelm Schickard Institute for Computer Science Software security threats Modification of program code viruses and self-replicating
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationSummary: Issues / Open Questions:
Summary: The paper introduces Transitional Locking II (TL2), a Software Transactional Memory (STM) algorithm, which tries to overcomes most of the safety and performance issues of former STM implementations.
More informationCSCI-UA /2. Computer Systems Organization Lecture 19: Dynamic Memory Allocation: Basics
Slides adapted (and slightly modified) from: Clark Barrett Jinyang Li Randy Bryant Dave O Hallaron CSCI-UA.0201-001/2 Computer Systems Organization Lecture 19: Dynamic Memory Allocation: Basics Mohamed
More informationThe implementation and performance of Chord
The implementation and performance of Chord Kasperi Kaija Master s Thesis UNIVERSITY OF HELSINKI Department of Computer Science Helsinki, October 1, 2017 HELSINGIN YLIOPISTO HELSINGFORS UNIVERSITET UNIVERSITY
More informationGarbage Collection (1)
Garbage Collection (1) Advanced Operating Systems Lecture 7 This work is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/4.0/
More informationExploiting a Coalmine Abusing Complex Bugs in Webkit's RenderArena
Exploiting a Coalmine Abusing Complex Bugs in Webkit's RenderArena Georg Wicherski Senior Security Researcher Wednesday, April 11, 2012 WebKit Based on KHTML (KDE) Apple forked in 2001 Chrome, (Mobile)
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationCode with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function
1 Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function IsPasswordOK(), and compares it with the correct password.
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationECE 598 Advanced Operating Systems Lecture 12
ECE 598 Advanced Operating Systems Lecture 12 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 1 March 2018 Announcements Next homework will be due after break. Midterm next Thursday
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationPointers II. Class 31
Pointers II Class 31 Compile Time all of the variables we have seen so far have been declared at compile time they are written into the program code you can see by looking at the program how many variables
More informationDynamic Memory Allocation
Dynamic Memory Allocation CS61, Lecture 11 Prof. Stephen Chong October 6, 2011 Announcements 1/2 Reminder: No section on Monday Monday sections have been rescheduled See website for details Please attend
More informationMemory Management: The process by which memory is shared, allocated, and released. Not applicable to cache memory.
Memory Management Page 1 Memory Management Wednesday, October 27, 2004 4:54 AM Memory Management: The process by which memory is shared, allocated, and released. Not applicable to cache memory. Two kinds
More informationLab 1: Dynamic Memory: Heap Manager
Lab 1: Dynamic Memory: Heap Manager Introduction to Systems, Duke University 1 Introduction For this lab you implement a basic heap manager. The standard C runtime library provides a standard heap manager
More informationMy malloc: mylloc and mhysa. Johan Montelius HT2016
1 Introduction My malloc: mylloc and mhysa Johan Montelius HT2016 So this is an experiment where we will implement our own malloc. We will not implement the world s fastest allocator, but it will work
More informationLANGUAGE RUNTIME NON-VOLATILE RAM AWARE SWAPPING
Technical Disclosure Commons Defensive Publications Series July 03, 2017 LANGUAGE RUNTIME NON-VOLATILE AWARE SWAPPING Follow this and additional works at: http://www.tdcommons.org/dpubs_series Recommended
More informationData Structure Series
Data Structure Series This series is actually something I started back when I was part of the Sweet.Oblivion staff, but then some things happened and I was no longer able to complete it. So now, after
More informationLecture 3 Notes Arrays
Lecture 3 Notes Arrays 15-122: Principles of Imperative Computation (Summer 1 2015) Frank Pfenning, André Platzer 1 Introduction So far we have seen how to process primitive data like integers in imperative
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationJonathan Afek, 1/8/07, BlackHat USA
Dangling Pointer Jonathan Afek, 1/8/07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 2 What is a Dangling Pointer?
More informationHeap Off by 1 Overflow Illustrated. Eric Conrad October 2007
Heap Off by 1 Overflow Illustrated Eric Conrad October 2007 1 The Attack Older CVS versions are vulnerable to an Off by 1 attack, where an attacker may insert one additional character into the heap CVS
More informationChapter 3 - Memory Management
Chapter 3 - Memory Management Luis Tarrataca luis.tarrataca@gmail.com CEFET-RJ L. Tarrataca Chapter 3 - Memory Management 1 / 222 1 A Memory Abstraction: Address Spaces The Notion of an Address Space Swapping
More informationGuarder: A Tunable Secure Allocator
Guarder: A Tunable Secure Allocator Sam Silvestro, Hongyu Liu, and Tianyi Liu, University of Texas at San Antonio; Zhiqiang Lin, Ohio State University; Tongping Liu, University of Texas at San Antonio
More informationCNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated
CNIT 127: Exploit Development Ch 18: Source Code Auditing Updated 4-10-17 Why Audit Source Code? Best way to discover vulnerabilities Can be done with just source code and grep Specialized tools make it
More informationTesting is a very big and important topic when it comes to software development. Testing has a number of aspects that need to be considered.
Testing Testing is a very big and important topic when it comes to software development. Testing has a number of aspects that need to be considered. System stability is the system going to crash or not?
More informationLecture Notes on Arrays
Lecture Notes on Arrays 15-122: Principles of Imperative Computation July 2, 2013 1 Introduction So far we have seen how to process primitive data like integers in imperative programs. That is useful,
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationCS-527 Software Security
CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-softsec/ Spring 2017 Eternal
More informationDynamic Memory Allocation
1 Dynamic Memory Allocation Anne Bracy CS 3410 Computer Science Cornell University Note: these slides derive from those by Markus Püschel at CMU 2 Recommended Approach while (TRUE) { code a little; test
More informationMemory management. Johan Montelius KTH
Memory management Johan Montelius KTH 2017 1 / 22 C program # include int global = 42; int main ( int argc, char * argv []) { if( argc < 2) return -1; int n = atoi ( argv [1]); int on_stack
More informationDynamic Memory Allocation: Basic Concepts
Dynamic Memory Allocation: Basic Concepts CSE 238/2038/2138: Systems Programming Instructor: Fatma CORUT ERGİN Slides adapted from Bryant & O Hallaron s slides 1 Today Basic concepts Implicit free lists
More informationDynamic Memory Management
Dynamic Memory Management Professor Jennifer Rexford http://www.cs.princeton.edu/~jrex 1 Goals of Today s Lecture Dynamic memory management o Garbage collection by the run-time system (Java) o Manual deallocation
More informationOracle Developer Studio Code Analyzer
Oracle Developer Studio Code Analyzer The Oracle Developer Studio Code Analyzer ensures application reliability and security by detecting application vulnerabilities, including memory leaks and memory
More informationCS61C : Machine Structures
inst.eecs.berkeley.edu/~cs61c CS61C : Machine Structures Lecture 5 C Memory Management 2010-06-28!!! Instructor Paul Pearce! Symmetric multiprocessor! MIPS support for Android MIPS Technologies (founded
More informationLearning to Provide Modern Solutions
1 Learning to Provide Modern Solutions Over the course of this book, you will learn to enhance your existing applications to modernize the output of the system. To do this, we ll take advantage of the
More informationCache introduction. April 16, Howard Huang 1
Cache introduction We ve already seen how to make a fast processor. How can we supply the CPU with enough data to keep it busy? The rest of CS232 focuses on memory and input/output issues, which are frequently
More information