Memory Categorization: Separating Attacker-Controlled Data

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)

Abstract

Memory corruption attacks against software written in C or C++ are still prevalent and remain a significant cause of security breaches. Defenses providing full memory safety remain expensive, and leaner defenses only addressing control-flow data are insufficient.

We introduce memory categorization, an approach to separate data based on attacker control to mitigate the exploitation of memory corruption vulnerabilities such as use-after-free and use-after-return. MemCat implements this approach by: (i) providing separate memory allocators for different data categories, (ii) categorizing the use of memory allocations, (iii) changing allocations to take advantage of the categorization.

We demonstrate the effectiveness of MemCat in a case study on actual vulnerabilities in real-world programs. We further show that, although our prototype implementation causes a high overhead in two edge cases, in most cases the performance hit remains negligible, with a median overhead of less than 3% on the SPEC benchmark suite.
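The mechanism behind point (i) of the abstract, as an added illustration that is not the paper's or MemCat's code: a toy arena allocator with one pool per data category (hypothetical names CAT_TRUSTED and CAT_ATTACKER), and a constructed use-after-free in which a freed program object is followed by an allocation filled with untrusted bytes. The dangling pointer only observes the attacker's bytes when both allocations share a pool; with the categories separated, the freed chunk can never be handed to the untrusted-data category.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Data categories. CAT_TRUSTED holds program-internal objects, CAT_ATTACKER
 * holds buffers filled from untrusted input. Hypothetical names for this
 * illustration, not MemCat's own identifiers. */
enum mem_cat { CAT_TRUSTED = 0, CAT_ATTACKER = 1, CAT_COUNT = 2 };

#define ARENA_SIZE 4096
#define CHUNK_SIZE 64
#define CHUNKS_PER_ARENA (ARENA_SIZE / CHUNK_SIZE)

/* One fixed-size-chunk arena per category. Freed chunks go on a LIFO free
 * stack, so the next allocation from the same arena reuses them first, the
 * allocator behaviour that makes use-after-free bugs exploitable. */
struct arena {
    uint8_t mem[ARENA_SIZE];
    int free_stack[CHUNKS_PER_ARENA];
    int free_top;
    int next_fresh;
};

static struct arena arenas[CAT_COUNT];

static void arena_reset(void) { memset(arenas, 0, sizeof arenas); }

static void *cat_malloc(enum mem_cat cat, size_t n) {
    struct arena *a;
    if ((unsigned)cat >= CAT_COUNT || n > CHUNK_SIZE) return NULL;
    a = &arenas[cat];
    if (a->free_top > 0)
        return a->mem + (size_t)a->free_stack[--a->free_top] * CHUNK_SIZE;
    if (a->next_fresh >= CHUNKS_PER_ARENA) return NULL;
    return a->mem + (size_t)a->next_fresh++ * CHUNK_SIZE;
}

/* Each chunk belongs to exactly one arena, so a pointer's category is
 * recovered from its address; a freed chunk is only ever handed back to
 * allocations of that same category. */
static void cat_free(void *p) {
    uint8_t *q = p;
    for (int c = 0; c < CAT_COUNT; c++) {
        struct arena *a = &arenas[c];
        if (q >= a->mem && q < a->mem + ARENA_SIZE) {
            a->free_stack[a->free_top++] = (int)((q - a->mem) / CHUNK_SIZE);
            return;
        }
    }
}

/* A program-internal object whose integrity matters. */
struct session {
    int privileged;
    char name[32];
};

/* Simulates a use-after-free: a session is freed but its pointer is kept
 * (dangling), then a buffer is allocated and filled with constructed
 * untrusted bytes. Returns the 'privileged' field as seen through the
 * dangling pointer. categorized == 0 draws the buffer from the same pool
 * as the session (one shared allocator); categorized == 1 draws it from
 * the separate CAT_ATTACKER pool. */
static int privileged_seen_via_dangling_ptr(int categorized) {
    const uint8_t attacker_input[16] = "AAAAAAAAAAAAAAA"; /* constructed input */
    struct session *s;
    uint8_t *buf;

    arena_reset();
    s = cat_malloc(CAT_TRUSTED, sizeof *s);
    s->privileged = 0;
    strcpy(s->name, "guest");

    cat_free(s); /* s is now dangling */

    buf = cat_malloc(categorized ? CAT_ATTACKER : CAT_TRUSTED, sizeof attacker_input);
    memcpy(buf, attacker_input, sizeof attacker_input);

    /* Reads the freed chunk; the memory is our own static arena, so the
     * read is well defined here, unlike with a real malloc. */
    return s->privileged;
}

int main(void) {
    printf("shared allocator:      privileged = 0x%08x\n",
           (unsigned)privileged_seen_via_dangling_ptr(0));
    printf("categorized allocator: privileged = 0x%08x\n",
           (unsigned)privileged_seen_via_dangling_ptr(1));
    return 0;
}
```

The toy passes the category explicitly at each call site; that is exactly the part the abstract's points (ii) and (iii) automate, by categorizing the uses of each allocation and then rewriting the allocation to the matching allocator. The separation does not remove the dangling pointer, it only guarantees that whatever the dangling pointer reaches was never written by data of a different category.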


Corresponding author

Correspondence to Alessandro Sorniotti .

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Neugschwandtner, M., Sorniotti, A., Kurmus, A. (2019). Memory Categorization: Separating Attacker-Controlled Data. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science, vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_13

  • DOI: https://doi.org/10.1007/978-3-030-22038-9_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9
