TY - GEN
T1 - Use-After-Free Mitigation via Protected Heap Allocation
AU - Zhang, Mingbo
AU - Zonouz, Saman
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2019/1/23
Y1 - 2019/1/23
N2 - Use after free (UAF) exploits have contributed to many software memory corruption attacks in recent practice. They are especially popular in the world of web browsers. Despite many successful UAF exploits against widely-used applications, state-of-the-art defense mechanisms have proved to still leave the systems vulnerable. In this paper, we argue that a successful UAF exploit is feasible because of the fine-grained determinism provided by existing heap memory allocators. We introduce a new defense strategy, Zeus, that leverages additional memory buffers to make allocation outcomes locally unpredictable to adversaries. This fine-grained non-determinism prevents exact alignment of subsequent allocations and in-object member fields. It significantly lowers the success rate of a UAF exploit even in the presence of heap sprays. We validated our defense using real recent UAF exploits against several CVE vulnerabilities in large and popular software packages (Firefox and Tor browsers). Zeus was able to terminate all the exploits in early stages and prevented successful location of the gadget addresses for the follow-up return-oriented programming steps of the intrusion. Zeus's runtime performance overhead was negligible (1.2% on average).
AB - Use after free (UAF) exploits have contributed to many software memory corruption attacks in recent practice. They are especially popular in the world of web browsers. Despite many successful UAF exploits against widely-used applications, state-of-the-art defense mechanisms have proved to still leave the systems vulnerable. In this paper, we argue that a successful UAF exploit is feasible because of the fine-grained determinism provided by existing heap memory allocators. We introduce a new defense strategy, Zeus, that leverages additional memory buffers to make allocation outcomes locally unpredictable to adversaries. This fine-grained non-determinism prevents exact alignment of subsequent allocations and in-object member fields. It significantly lowers the success rate of a UAF exploit even in the presence of heap sprays. We validated our defense using real recent UAF exploits against several CVE vulnerabilities in large and popular software packages (Firefox and Tor browsers). Zeus was able to terminate all the exploits in early stages and prevented successful location of the gadget addresses for the follow-up return-oriented programming steps of the intrusion. Zeus's runtime performance overhead was negligible (1.2% on average).
UR - http://www.scopus.com/inward/record.url?scp=85062555367&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85062555367&partnerID=8YFLogxK
U2 - 10.1109/DESEC.2018.8625135
DO - 10.1109/DESEC.2018.8625135
M3 - Conference contribution
AN - SCOPUS:85062555367
T3 - DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing
BT - DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2018 IEEE Conference on Dependable and Secure Computing, DSC 2018
Y2 - 10 December 2018 through 13 December 2018
ER -
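Added illustration (editor's example, not code from the paper or from Zeus): the abstract's central claim is that a UAF exploit works because a freed chunk is deterministically handed back to the next same-size allocation, so an attacker-controlled buffer lines up field-for-field with the dangling object. The toy size-class allocator below is a constructed stand-in for a real heap (it is not glibc and not the paper's design). Its deterministic mode recycles the most recently freed chunk at offset 0, and the attacker's replacement pointer lands exactly on the freed object's function pointer. Its hardened mode, a deliberately simplified version of the "locally unpredictable allocation" idea, starts each (re)allocation at a random 8-byte-aligned offset within a slightly larger chunk that is guaranteed to differ from the offset the chunk had last time, so the overwrite misses the field. The struct layout, the xorshift seed and the `last_off` rule are assumptions of this example.

```c
/* Why allocator determinism makes use-after-free exploitable, and how
 * per-allocation placement jitter breaks the exact overlap an exploit needs.
 * Toy allocator for illustration only: not glibc, not the paper's Zeus. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE   64                 /* one size class: 64 usable bytes */
#define SLACK        32                 /* extra bytes per chunk: room for the start offset */
#define STRIDE       (CHUNK_SIZE + SLACK)
#define ARENA_CHUNKS 32
#define OFFSETS      (SLACK / 8 + 1)    /* start offsets 0, 8, ..., 32 keep pointer fields aligned */

static _Alignas(16) unsigned char arena[ARENA_CHUNKS * STRIDE];
static size_t        next_chunk;              /* bump index for never-used chunks */
static size_t        freelist[ARENA_CHUNKS];  /* LIFO stack of freed chunk indices */
static size_t        nfree;
static unsigned char last_off[ARENA_CHUNKS];  /* hardened mode: previous start offset per chunk */
static int           hardened;                /* 0 = deterministic, 1 = jittered placement */
static uint32_t      rng_state = 0x9E3779B9u; /* fixed demo seed; a real defense needs a CSPRNG */

static uint32_t rng(void) {                   /* xorshift32, adequate for the demo */
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static void toy_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(last_off, 0, sizeof last_off);
    next_chunk = nfree = 0;
}

static void *toy_alloc(size_t n) {
    if (n > CHUNK_SIZE) return NULL;
    size_t idx;
    if (nfree)                          idx = freelist[--nfree];  /* most recently freed chunk first */
    else if (next_chunk < ARENA_CHUNKS) idx = next_chunk++;
    else                                return NULL;
    unsigned off = 0;
    if (hardened) {
        /* Choose a start offset that differs from the one this chunk had last time, so a
         * reallocation never lines up field-for-field with the object that was freed. */
        off = (last_off[idx] + 8 * (1 + rng() % (OFFSETS - 1))) % (8 * OFFSETS);
        last_off[idx] = (unsigned char)off;
    }
    return arena + idx * STRIDE + off;
}

static void toy_free(void *p) {
    size_t idx = (size_t)((unsigned char *)p - arena) / STRIDE;  /* map back to chunk index */
    freelist[nfree++] = idx;
}

struct session {                              /* assumed victim layout, 56 bytes */
    char   name[48];
    void (*on_close)(struct session *);       /* the field an exploit wants to overwrite */
};

static void benign_close(struct session *s)    { (void)s; }
static void attacker_gadget(struct session *s) { (void)s; }  /* stands in for a ROP pivot address */

/* 1 if the attacker's pointer landed exactly on the dangling object's on_close field. */
int controlled_hijack(int harden) {
    toy_reset();
    hardened = harden;
    struct session *victim = toy_alloc(sizeof *victim);
    memset(victim->name, 0, sizeof victim->name);
    victim->on_close = benign_close;
    toy_free(victim);                         /* bug: victim is still referenced afterwards */

    /* Attacker allocates in the same size class and writes a pointer where on_close
     * used to be; a heap spray just repeats this step many times. */
    unsigned char *spray = toy_alloc(sizeof *victim);
    memset(spray, 'A', offsetof(struct session, on_close));
    void (*fake)(struct session *) = attacker_gadget;
    memcpy(spray + offsetof(struct session, on_close), &fake, sizeof fake);

    return victim->on_close == attacker_gadget;  /* read through the dangling pointer */
}

/* Byte distance between the freed object and the reallocation that reuses its chunk. */
long placement_delta(int harden) {
    toy_reset();
    hardened = harden;
    unsigned char *first = toy_alloc(sizeof(struct session));
    toy_free(first);
    unsigned char *second = toy_alloc(sizeof(struct session));
    return (long)(second - first);
}

int main(void) {
    printf("deterministic: hijack=%d delta=%ld\n", controlled_hijack(0), placement_delta(0));
    printf("jittered:      hijack=%d delta=%ld\n", controlled_hijack(1), placement_delta(1));
    return 0;
}
```

In the deterministic mode the reallocation sits at byte offset 0 from the dangling pointer and the hijack succeeds; in the jittered mode the new allocation starts a non-zero multiple of 8 bytes away, so the attacker's chosen value either misses the field or is replaced by filler bytes, which is the "no exact alignment of in-object member fields" effect the abstract describes. The memory is still corrupted, so jitter lowers the exploit's success rate rather than removing the bug; the paper's evaluation against browser exploits and its 1.2% overhead figure belong to Zeus itself, not to this toy.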