ABSTRACT
The goal of this paper is to propose a scheme that provides comprehensive security protection for the heap. Heap vulnerabilities are increasingly being exploited for attacks on computer programs. In most implementations, the heap management library keeps the heap meta-data (heap structure information) and the application's heap data in an interleaved fashion and does not protect them against each other. Such implementations are inherently unsafe: vulnerabilities in the application can cause the heap library to perform unintended actions to achieve control-flow and non-control attacks. Unfortunately, current heap protection techniques are limited in that they make too many assumptions about how the attacks will be performed, require new hardware support, or require too many changes to the software developers' toolchain. We propose Heap Server, a new solution that does not have such drawbacks. Through existing virtual memory and inter-process protection mechanisms, Heap Server prevents the heap meta-data from being illegally overwritten, and heap data from being meaningfully overwritten. We show that through aggressive optimizations and parallelism, Heap Server protects the heap with nearly negligible performance overheads even on heap-intensive applications. We also verify the protection against several real-world exploits and attack kernels.
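The contrast the abstract draws between interleaved and separated heap meta-data can be seen in a toy model. The C sketch below is an added illustration, not code from the paper: the arena size, chunk size, 4-byte size header and all function names are assumptions, and a separate array stands in for the separate address space that Heap Server obtains through inter-process protection.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA 64u   /* toy heap size in bytes (constructed) */
#define CHUNK 16u   /* payload bytes per chunk */
#define HDR   4u    /* inline size header, interleaved layout only */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Simulated application bug: write n filler bytes at mem+off, clamped to the arena. */
static void app_write(uint8_t *mem, size_t off, size_t n) {
    if (n > ARENA - off) n = ARENA - off;
    memset(mem + off, 0x41, n);
}

/* Interleaved layout: [hdr0][payload0][hdr1][payload1]...
   Returns chunk 1's size header after the app writes n bytes into payload 0. */
uint32_t interleaved_size_after_write(size_t n) {
    uint8_t mem[ARENA] = {0};
    wr32(mem, CHUNK);
    wr32(mem + HDR + CHUNK, CHUNK);
    app_write(mem, HDR, n);
    return rd32(mem + HDR + CHUNK);
}

/* Separated layout: the arena holds payloads only; sizes live in a table the
   application's write cannot reach (stand-in for another address space). */
uint32_t separated_size_after_write(size_t n, uint8_t *neighbour_byte) {
    uint8_t mem[ARENA] = {0};
    uint32_t size_table[ARENA / CHUNK] = { CHUNK, CHUNK };
    app_write(mem, 0, n);
    *neighbour_byte = mem[CHUNK];   /* adjacent payload data is still reached */
    return size_table[1];
}

int main(void) {
    uint8_t spill;
    printf("interleaved, in-bounds write: size=%u\n",
           (unsigned)interleaved_size_after_write(CHUNK));
    printf("interleaved, 4-byte overflow: size=0x%x\n",
           (unsigned)interleaved_size_after_write(CHUNK + HDR));
    printf("separated, 4-byte overflow: size=%u",
           (unsigned)separated_size_after_write(CHUNK + HDR, &spill));
    printf(" (neighbour byte=0x%x)\n", (unsigned)spill);
    return 0;
}
```

In the interleaved layout a 4-byte overrun replaces the next chunk's size field, which the heap library would later trust; in the separated layout the size table is unchanged, although the neighbouring payload byte is still overwritten.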