HEAPHOPPER: Bringing bounded model CheckingtoHeap implementation security

Moritz Eckert, Antonio Bianchi, Ruoyu Wang, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceedingConference contribution

4 Scopus citations

Abstract

Heap metadata attacks have become one of the primary ways in which attackers exploit memory corruption vulnerabilities. While heap implementation developers have introduced miti-gations to prevent and detect corruption, it isstill possible for attackers to work around them. In part, this is because these mitigations are created and evaluated without aprincipled foundation, resulting, in many cases, in complex, inefficient, and ineffective attemptsatheap metadata defenses. In this paper, we present HEAPHOPPER, anautomated approach, basedonmodel checking and symbolic execution, to analyze the exploitability of heap implementations in the presence of memory corruption. Using HEAPHOPPER, we were able to performa systematic analysis of different, widely used heap implementations, finding surprising weak-nessesinthem. Our results show, for instance, howa newly introduced caching mechanismin ptmalloc (the heap allocator implementation usedby most of the Linux distributions) significantly weakens its security. Moreover, HEAPHOPPER guidedus inimplementing and evaluating improvements to the security of ptmalloc, replacing an ineffective recent attempt at the mitigation of a specific form of heap metadata corruption withan effective defense.

Original languageEnglish (US)
Title of host publicationProceedings of the 27th USENIX Security Symposium
PublisherUSENIX Association
Pages99-116
Number of pages18
ISBN (Electronic)9781939133045
StatePublished - Jan 1 2018
Event27th USENIX Security Symposium - Baltimore, United States
Duration: Aug 15 2018Aug 17 2018

Publication series

NameProceedings of the 27th USENIX Security Symposium

Conference

Conference27th USENIX Security Symposium
CountryUnited States
CityBaltimore
Period8/15/188/17/18

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'HEAPHOPPER: Bringing bounded model CheckingtoHeap implementation security'. Together they form a unique fingerprint.

  • Cite this

    Eckert, M., Bianchi, A., Wang, R., Shoshitaishvili, Y., Kruegel, C., & Vigna, G. (2018). HEAPHOPPER: Bringing bounded model CheckingtoHeap implementation security. In Proceedings of the 27th USENIX Security Symposium (pp. 99-116). (Proceedings of the 27th USENIX Security Symposium). USENIX Association.