HEAPHOPPER: Bringing bounded model CheckingtoHeap implementation security

Moritz Eckert; Antonio Bianchi; Ruoyu Wang; Yan Shoshitaishvili; Christopher Kruegel; Giovanni Vigna

HEAPHOPPER: Bringing bounded model CheckingtoHeap implementation security

Moritz Eckert, Antonio Bianchi, Ruoyu Wang, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna

Engineering, Ira A. Fulton Schools of (IAFSE)

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Scopus citations

Abstract

Heap metadata attacks have become one of the primary ways in which attackers exploit memory corruption vulnerabilities. While heap implementation developers have introduced miti-gations to prevent and detect corruption, it isstill possible for attackers to work around them. In part, this is because these mitigations are created and evaluated without aprincipled foundation, resulting, in many cases, in complex, inefficient, and ineffective attemptsatheap metadata defenses. In this paper, we present HEAPHOPPER, anautomated approach, basedonmodel checking and symbolic execution, to analyze the exploitability of heap implementations in the presence of memory corruption. Using HEAPHOPPER, we were able to performa systematic analysis of different, widely used heap implementations, finding surprising weak-nessesinthem. Our results show, for instance, howa newly introduced caching mechanismin ptmalloc (the heap allocator implementation usedby most of the Linux distributions) significantly weakens its security. Moreover, HEAPHOPPER guidedus inimplementing and evaluating improvements to the security of ptmalloc, replacing an ineffective recent attempt at the mitigation of a specific form of heap metadata corruption withan effective defense.

Original language	English (US)
Title of host publication	Proceedings of the 27th USENIX Security Symposium
Publisher	USENIX Association
Pages	99-116
Number of pages	18
ISBN (Electronic)	9781939133045
State	Published - Jan 1 2018
Event	27th USENIX Security Symposium - Baltimore, United States Duration: Aug 15 2018 → Aug 17 2018

Publication series

Name	Proceedings of the 27th USENIX Security Symposium

Conference

Conference	27th USENIX Security Symposium
Country	United States
City	Baltimore
Period	8/15/18 → 8/17/18

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Access to Document

Fingerprint Dive into the research topics of 'HEAPHOPPER: Bringing bounded model CheckingtoHeap implementation security'. Together they form a unique fingerprint.

Cite this

Eckert, M., Bianchi, A., Wang, R., Shoshitaishvili, Y., Kruegel, C., & Vigna, G. (2018). HEAPHOPPER: Bringing bounded model CheckingtoHeap implementation security. In Proceedings of the 27th USENIX Security Symposium (pp. 99-116). (Proceedings of the 27th USENIX Security Symposium). USENIX Association.

HEAPHOPPER : Bringing bounded model CheckingtoHeap implementation security. / Eckert, Moritz; Bianchi, Antonio; Wang, Ruoyu ; Shoshitaishvili, Yan; Kruegel, Christopher; Vigna, Giovanni.

Proceedings of the 27th USENIX Security Symposium. USENIX Association, 2018. p. 99-116 (Proceedings of the 27th USENIX Security Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

@inproceedings{cb90f0d2a3ca4b4d964fb54d84d73cc2,

title = "HEAPHOPPER: Bringing bounded model CheckingtoHeap implementation security",

abstract = "Heap metadata attacks have become one of the primary ways in which attackers exploit memory corruption vulnerabilities. While heap implementation developers have introduced miti-gations to prevent and detect corruption, it isstill possible for attackers to work around them. In part, this is because these mitigations are created and evaluated without aprincipled foundation, resulting, in many cases, in complex, inefficient, and ineffective attemptsatheap metadata defenses. In this paper, we present HEAPHOPPER, anautomated approach, basedonmodel checking and symbolic execution, to analyze the exploitability of heap implementations in the presence of memory corruption. Using HEAPHOPPER, we were able to performa systematic analysis of different, widely used heap implementations, finding surprising weak-nessesinthem. Our results show, for instance, howa newly introduced caching mechanismin ptmalloc (the heap allocator implementation usedby most of the Linux distributions) significantly weakens its security. Moreover, HEAPHOPPER guidedus inimplementing and evaluating improvements to the security of ptmalloc, replacing an ineffective recent attempt at the mitigation of a specific form of heap metadata corruption withan effective defense.",

author = "Moritz Eckert and Antonio Bianchi and Ruoyu Wang and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna",

year = "2018",

month = jan,

day = "1",

language = "English (US)",

series = "Proceedings of the 27th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "99--116",

booktitle = "Proceedings of the 27th USENIX Security Symposium",

note = "27th USENIX Security Symposium ; Conference date: 15-08-2018 Through 17-08-2018",

}

TY - GEN

T1 - HEAPHOPPER

T2 - 27th USENIX Security Symposium

AU - Eckert, Moritz

AU - Bianchi, Antonio

AU - Wang, Ruoyu

AU - Shoshitaishvili, Yan

AU - Kruegel, Christopher

AU - Vigna, Giovanni

PY - 2018/1/1

Y1 - 2018/1/1

N2 - Heap metadata attacks have become one of the primary ways in which attackers exploit memory corruption vulnerabilities. While heap implementation developers have introduced miti-gations to prevent and detect corruption, it isstill possible for attackers to work around them. In part, this is because these mitigations are created and evaluated without aprincipled foundation, resulting, in many cases, in complex, inefficient, and ineffective attemptsatheap metadata defenses. In this paper, we present HEAPHOPPER, anautomated approach, basedonmodel checking and symbolic execution, to analyze the exploitability of heap implementations in the presence of memory corruption. Using HEAPHOPPER, we were able to performa systematic analysis of different, widely used heap implementations, finding surprising weak-nessesinthem. Our results show, for instance, howa newly introduced caching mechanismin ptmalloc (the heap allocator implementation usedby most of the Linux distributions) significantly weakens its security. Moreover, HEAPHOPPER guidedus inimplementing and evaluating improvements to the security of ptmalloc, replacing an ineffective recent attempt at the mitigation of a specific form of heap metadata corruption withan effective defense.

AB - Heap metadata attacks have become one of the primary ways in which attackers exploit memory corruption vulnerabilities. While heap implementation developers have introduced miti-gations to prevent and detect corruption, it isstill possible for attackers to work around them. In part, this is because these mitigations are created and evaluated without aprincipled foundation, resulting, in many cases, in complex, inefficient, and ineffective attemptsatheap metadata defenses. In this paper, we present HEAPHOPPER, anautomated approach, basedonmodel checking and symbolic execution, to analyze the exploitability of heap implementations in the presence of memory corruption. Using HEAPHOPPER, we were able to performa systematic analysis of different, widely used heap implementations, finding surprising weak-nessesinthem. Our results show, for instance, howa newly introduced caching mechanismin ptmalloc (the heap allocator implementation usedby most of the Linux distributions) significantly weakens its security. Moreover, HEAPHOPPER guidedus inimplementing and evaluating improvements to the security of ptmalloc, replacing an ineffective recent attempt at the mitigation of a specific form of heap metadata corruption withan effective defense.

UR - http://www.scopus.com/inward/record.url?scp=85075955990&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85075955990&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85075955990

T3 - Proceedings of the 27th USENIX Security Symposium

SP - 99

EP - 116

BT - Proceedings of the 27th USENIX Security Symposium

PB - USENIX Association

Y2 - 15 August 2018 through 17 August 2018

ER -