Abstract
Memory corruption exploits continue to plague high-profile applications such as web browsers, high-performance servers, and mobile devices. Modern defenses for these targets have rendered the classic attack vector of executing shellcode directly on the stack impotent and obsolete. Instead, modern exploits frequently corrupt the data structures found in a program’s memory allocator in order to take control of running processes. These attacks against the heap are much harder to defend against than classic stack-based buffer overflows because they often rely on the allocator itself acting on corrupted data in order to take control of a process. In this work, we introduce MPKAlloc, a memory allocator that utilizes memory protection keys (MPKs) found in recent Intel CPUs to effectively isolate heap meta-data from adversaries. We present our prototype implementation of MPKAlloc, which hardens the tcmalloc and PartitionAlloc memory allocators used by the popular Chrome web browser. MPKAlloc protects each page containing heap meta-data with a key that grants the allocator exclusive access to the page. Effectively, MPKAlloc thwarts an adversary’s ability to access or corrupt heap meta-data at the hardware level. We embed the MPKAlloc defense in the open-source Chromium web browser and demonstrate MPKAlloc stopping realistic attack vectors. Furthermore, we evaluate the performance overhead of Chromium configured with MPKAlloc on the top 50 web sites in the Alexa site ranking. Our evaluation shows that MPKAlloc introduces a geometric mean of 1.71% performance overhead (2.44% on average) when browsing the most popular web sites, in exchange for a significant increase in security against heap meta-data exploitation.
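The mechanism the abstract describes, an allocator holding hardware-enforced exclusive access to the pages that carry its own meta-data, can be sketched with the Linux MPK API. The program below is an added example written for this page, not MPKAlloc's code or Chromium's allocators: it maps one hypothetical meta-data page, places it under a freshly allocated protection key, keeps that key access-disabled except inside the allocator's own read and update paths, and then shows that a store reaching the page from outside those paths faults instead of corrupting the free-list heads. When the CPU or kernel offers no protection keys (pkey_alloc fails), it falls back to toggling mprotect, which yields the same isolation property at the cost of a system call per operation. The meta_t layout, the function names, the bin index and the chunk address are all constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical allocator meta-data: free-list heads for eight size bins.
 * Real allocators keep far more here; this is enough to show the isolation. */
typedef struct { uintptr_t free_head[8]; } meta_t;

static meta_t *g_meta;               /* the page holding heap meta-data */
static long    g_pagesz;
static int     g_pkey = -1;          /* MPK key guarding the page; -1 = mprotect fallback */
static sigjmp_buf g_jmp;
static volatile sig_atomic_t g_faulted;

/* Only the allocator's own paths call these: they open and close the window
 * in which the meta-data page may be touched. With MPK this is a cheap PKRU
 * register update; the fallback pays a system call each time. */
static void meta_unlock(void) {
    if (g_pkey >= 0) pkey_set(g_pkey, 0);                   /* allow read and write */
    else mprotect(g_meta, (size_t)g_pagesz, PROT_READ | PROT_WRITE);
}
static void meta_lock(void) {
    if (g_pkey >= 0) pkey_set(g_pkey, PKEY_DISABLE_ACCESS); /* deny all access */
    else mprotect(g_meta, (size_t)g_pagesz, PROT_NONE);
}

/* Map the meta-data page and put it under a fresh key. Returns 1 when hardware
 * keys are in use, 0 when falling back to mprotect, -1 on error. */
int meta_init(void) {
    g_pagesz = sysconf(_SC_PAGESIZE);
    g_meta = mmap(NULL, (size_t)g_pagesz, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_meta == MAP_FAILED) return -1;
    g_pkey = pkey_alloc(0, 0);                 /* fails (ENOSPC/EINVAL) without MPK */
    if (g_pkey >= 0 &&
        pkey_mprotect(g_meta, (size_t)g_pagesz, PROT_READ | PROT_WRITE, g_pkey) != 0) {
        pkey_free(g_pkey);
        g_pkey = -1;
    }
    meta_lock();                               /* locked by default from here on */
    return g_pkey >= 0 ? 1 : 0;
}

/* Allocator operations: the only code that opens the page. */
void meta_update(int bin, uintptr_t chunk) {
    meta_unlock();
    g_meta->free_head[bin] = chunk;
    meta_lock();
}
uintptr_t meta_read(int bin) {
    meta_unlock();
    uintptr_t v = g_meta->free_head[bin];
    meta_lock();
    return v;
}

static void on_segv(int sig) {
    (void)sig;
    g_faulted = 1;
    siglongjmp(g_jmp, 1);
}

/* Models a write that reaches the meta-data page from outside the allocator
 * (the effect of a heap overflow or arbitrary-write bug). Returns 1 if the
 * hardware refused the store, 0 if the meta-data was silently overwritten. */
int probe_blocked(void) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    g_faulted = 0;
    if (sigsetjmp(g_jmp, 1) == 0) {
        volatile uintptr_t *p = &g_meta->free_head[0];
        *p = 0x41414141u;                      /* faults while the page is locked */
    }
    sigaction(SIGSEGV, &old, NULL);
    meta_lock();   /* signal entry may reset PKRU; make the locked state explicit again */
    return g_faulted;
}

int main(void) {
    int mode = meta_init();
    if (mode < 0) { perror("meta_init"); return 1; }
    meta_update(3, (uintptr_t)0x7f0000001000u);     /* constructed chunk address */
    printf("protection: %s\n", mode ? "MPK key" : "mprotect fallback");
    printf("outside write blocked: %s\n", probe_blocked() ? "yes" : "no");
    printf("allocator still reads bin 3: 0x%lx\n", (unsigned long)meta_read(3));
    return 0;
}
```

The design point worth noticing is that the unlock/lock pair lives only inside the allocator's entry points, so an attacker's write primitive, which runs outside them, always hits a page whose key is disabled; the paper's contribution is doing this per meta-data page inside tcmalloc and PartitionAlloc at the overheads quoted in the abstract, and the same pattern is what PKU-based isolation papers in the literature warn must also be protected against stray WRPKRU instructions and signal-frame tricks.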
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Blair, W., Robertson, W., Egele, M. (2022). MPKAlloc: Efficient Heap Meta-data Integrity Through Hardware Memory Protection Keys. In: Cavallaro, L., Gruss, D., Pellegrino, G., Giacinto, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2022. Lecture Notes in Computer Science, vol 13358. Springer, Cham. https://doi.org/10.1007/978-3-031-09484-2_8
DOI: https://doi.org/10.1007/978-3-031-09484-2_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-09483-5
Online ISBN: 978-3-031-09484-2
eBook Packages: Computer Science, Computer Science (R0)