Abstract
Heap metadata attacks have become one of the primary ways in which attackers exploit memory corruption vulnerabilities. While heap implementation developers have introduced miti-gations to prevent and detect corruption, it isstill possible for attackers to work around them. In part, this is because these mitigations are created and evaluated without aprincipled foundation, resulting, in many cases, in complex, inefficient, and ineffective attemptsatheap metadata defenses. In this paper, we present HEAPHOPPER, anautomated approach, basedonmodel checking and symbolic execution, to analyze the exploitability of heap implementations in the presence of memory corruption. Using HEAPHOPPER, we were able to performa systematic analysis of different, widely used heap implementations, finding surprising weak-nessesinthem. Our results show, for instance, howa newly introduced caching mechanismin ptmalloc (the heap allocator implementation usedby most of the Linux distributions) significantly weakens its security. Moreover, HEAPHOPPER guidedus inimplementing and evaluating improvements to the security of ptmalloc, replacing an ineffective recent attempt at the mitigation of a specific form of heap metadata corruption withan effective defense.
| Original language | English (US) |
|---|---|
| Title of host publication | Proceedings of the 27th USENIX Security Symposium |
| Publisher | USENIX Association |
| Pages | 99-116 |
| Number of pages | 18 |
| ISBN (Electronic) | 9781939133045 |
| State | Published - Jan 1 2018 |
| Event | 27th USENIX Security Symposium - Baltimore, United States Duration: Aug 15 2018 → Aug 17 2018 |
Publication series
| Name | Proceedings of the 27th USENIX Security Symposium |
|---|
Conference
| Conference | 27th USENIX Security Symposium |
|---|---|
| Country | United States |
| City | Baltimore |
| Period | 8/15/18 → 8/17/18 |
Fingerprint
ASJC Scopus subject areas
- Computer Networks and Communications
- Information Systems
- Safety, Risk, Reliability and Quality
Cite this
HEAPHOPPER : Bringing bounded model CheckingtoHeap implementation security. / Eckert, Moritz; Bianchi, Antonio; Wang, Ruoyu; Shoshitaishvili, Yan; Kruegel, Christopher; Vigna, Giovanni.
Proceedings of the 27th USENIX Security Symposium. USENIX Association, 2018. p. 99-116 (Proceedings of the 27th USENIX Security Symposium).Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
}
TY - GEN
T1 - HEAPHOPPER
T2 - Bringing bounded model CheckingtoHeap implementation security
AU - Eckert, Moritz
AU - Bianchi, Antonio
AU - Wang, Ruoyu
AU - Shoshitaishvili, Yan
AU - Kruegel, Christopher
AU - Vigna, Giovanni
PY - 2018/1/1
Y1 - 2018/1/1
N2 - Heap metadata attacks have become one of the primary ways in which attackers exploit memory corruption vulnerabilities. While heap implementation developers have introduced miti-gations to prevent and detect corruption, it isstill possible for attackers to work around them. In part, this is because these mitigations are created and evaluated without aprincipled foundation, resulting, in many cases, in complex, inefficient, and ineffective attemptsatheap metadata defenses. In this paper, we present HEAPHOPPER, anautomated approach, basedonmodel checking and symbolic execution, to analyze the exploitability of heap implementations in the presence of memory corruption. Using HEAPHOPPER, we were able to performa systematic analysis of different, widely used heap implementations, finding surprising weak-nessesinthem. Our results show, for instance, howa newly introduced caching mechanismin ptmalloc (the heap allocator implementation usedby most of the Linux distributions) significantly weakens its security. Moreover, HEAPHOPPER guidedus inimplementing and evaluating improvements to the security of ptmalloc, replacing an ineffective recent attempt at the mitigation of a specific form of heap metadata corruption withan effective defense.
AB - Heap metadata attacks have become one of the primary ways in which attackers exploit memory corruption vulnerabilities. While heap implementation developers have introduced miti-gations to prevent and detect corruption, it isstill possible for attackers to work around them. In part, this is because these mitigations are created and evaluated without aprincipled foundation, resulting, in many cases, in complex, inefficient, and ineffective attemptsatheap metadata defenses. In this paper, we present HEAPHOPPER, anautomated approach, basedonmodel checking and symbolic execution, to analyze the exploitability of heap implementations in the presence of memory corruption. Using HEAPHOPPER, we were able to performa systematic analysis of different, widely used heap implementations, finding surprising weak-nessesinthem. Our results show, for instance, howa newly introduced caching mechanismin ptmalloc (the heap allocator implementation usedby most of the Linux distributions) significantly weakens its security. Moreover, HEAPHOPPER guidedus inimplementing and evaluating improvements to the security of ptmalloc, replacing an ineffective recent attempt at the mitigation of a specific form of heap metadata corruption withan effective defense.
UR - http://www.scopus.com/inward/record.url?scp=85075955990&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85075955990&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85075955990
T3 - Proceedings of the 27th USENIX Security Symposium
SP - 99
EP - 116
BT - Proceedings of the 27th USENIX Security Symposium
PB - USENIX Association
ER -