Detecting and Preventing Dangling Pointers
Authors: Wang Yu, Gao Fengjuan, Ma Kexin, Situ Lingyun, Wang Linzhang, Chen Bihuan, Liu Yang, Zhao Jianhua, Li Xuandong

Fund Project: National Key R&D Program (2017YFA0700604); Program B for Outstanding PhD Candidate of Nanjing University

Abstract:

With rapid technological advances, cyber-physical systems (CPS) play increasingly important roles in society, for example in power and railway systems. If such systems are attacked, the consequences can be serious and may even threaten human lives. Dangling pointers are one such class of software defect: they lead to use-after-free and double-free vulnerabilities that attackers can exploit. So far only a few approaches have been proposed to protect against dangling pointers, and most of them suffer from high overhead. This paper proposes a lightweight approach, named DangDone, to detect dangling pointers dynamically. It builds on the root cause of a dangling pointer: a pointer and its aliases are not nullified when the memory area they point to is deallocated. DangDone first locates candidate dangling pointers by static analysis and fuzzing. Based on that result, it inserts an intermediate pointer between the pointers (i.e., a pointer and its aliases) and the memory area they point to, so that nullifying the intermediate pointer nullifies the pointer and all of its aliases at once; any subsequent use-after-free or double-free then dereferences a null pointer and crashes instead of silently touching freed (and possibly reused) memory. Experimental results show that DangDone introduces negligible runtime overhead (around 1% on average) on the SPEC CPU benchmark and protects against 11 real-world use-after-free or double-free vulnerabilities. The evaluation demonstrates the efficiency and effectiveness of DangDone.
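To make the intermediate-pointer idea concrete, the following is an added illustrative example in C; it is not DangDone's code or the compiler instrumentation the paper describes, and the helper names handle_alloc, handle_free and handle_deref are hypothetical. Where DangDone rewrites the aliases at compile time and lets a stale dereference fault, this example models the intermediate pointer explicitly as a small handle struct and returns a status value so the outcome can be checked without crashing the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Intermediate pointer: every alias of an object holds a pointer to this
 * handle instead of the raw heap address. Nullifying handle->target
 * therefore nullifies every alias at once (hypothetical helper, not DangDone). */
typedef struct { void *target; } handle_t;

/* Allocate the object together with its handle. */
static handle_t *handle_alloc(size_t n) {
    handle_t *h = malloc(sizeof *h);
    if (!h) return NULL;
    h->target = calloc(1, n);
    if (!h->target) { free(h); return NULL; }
    return h;
}

/* Free the object and nullify the intermediate pointer.
 * Returns 1 on a first free and 0 on a detected double free
 * (the handle's target is already NULL). A production build would
 * abort here instead of returning. */
static int handle_free(handle_t *h) {
    if (!h) return 0;
    if (!h->target) return 0;          /* double free: already nullified */
    free(h->target);
    h->target = NULL;
    return 1;
}

/* Resolve a handle to the live object. Once freed this yields NULL, so a
 * dereference through any stale alias faults instead of reading reused memory. */
static void *handle_deref(handle_t *h) {
    return h ? h->target : NULL;
}

/* Classic use-after-free pattern: two aliases p and q of one buffer; free
 * through p, use through q. With raw pointers q would silently read freed
 * memory. Returns 1 if the stale alias resolves to NULL, 0 otherwise. */
int demo_use_after_free_blocked(void) {
    handle_t *p = handle_alloc(16);
    if (!p) return -1;
    handle_t *q = p;                       /* alias shares the handle */
    strcpy(handle_deref(p), "hello");      /* normal use while live */
    handle_free(p);                        /* nullifies the shared handle */
    int blocked = (handle_deref(q) == NULL);
    free(p);                               /* release the handle itself */
    return blocked;
}

/* Double free through two aliases: the second free finds target == NULL.
 * Returns 1 when the first free succeeds and the second is detected. */
int demo_double_free_detected(void) {
    handle_t *p = handle_alloc(16);
    if (!p) return -1;
    handle_t *q = p;
    int first = handle_free(p);
    int second = handle_free(q);
    free(p);
    return first == 1 && second == 0;
}

int main(void) {
    printf("use-after-free blocked: %d\n", demo_use_after_free_blocked());
    printf("double free detected:   %d\n", demo_double_free_detected());
    return 0;
}
```

The cost of the scheme is one extra indirection per access through an instrumented pointer and one extra allocation per protected object, which is why it only pays off when static analysis and fuzzing have narrowed the set of pointers to instrument; the handle also has to outlive every alias, otherwise the handle itself becomes the dangling pointer.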

Citation

Wang Y, Gao FJ, Ma KX, Situ LY, Wang LZ, Chen BH, Liu Y, Zhao JH, Li XD. Detecting and preventing dangling pointers. Journal of Software (软件学报), 2020, 31(6): 1600-1618.
History
  • Received: August 08, 2019
  • Revised: October 23, 2019
  • Online: April 20, 2020
  • Published: June 06, 2020
Copyright: Institute of Software, Chinese Academy of Sciences