| Title | A Robust and Efficient Defense Against Use-after-Free Exploits via Concurrent Pointer Sweeping |
| Publication Type | Conference Paper |
| Year of Publication | 2018 |
| Authors | Liu, Daiping, Zhang, Mingwei, Wang, Haining |
| Conference Name | Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security |
| Publisher | ACM |
| Conference Location | New York, NY, USA |
| ISBN Number | 978-1-4503-5693-0 |
| Keywords | composability, Concurrency, cyber-physical system, Cyber-physical systems, Metrics, Predictive Metrics, pubcrawl, resilience, Resiliency, software security, use-after-free, vulnerability defense |
| Abstract | Applications in C/C++ are notoriously prone to memory corruptions. With significant research efforts devoted to this area of study, the security threats posed by previously popular vulnerabilities, such as stack and heap overflows, are not as serious as before. Instead, we have seen the meteoric rise of attacks exploiting use-after-free (UaF) vulnerabilities in recent years, which root in pointers pointing to freed memory (i.e., dangling pointers). Although various approaches have been proposed to harden software against UaF, none of them can achieve robustness and efficiency at the same time. In this paper, we present a novel defense called pSweeper to robustly protect against UaF exploits with low overhead, and pinpoint the root-causes of UaF vulnerabilities with one safe crash. The success of pSweeper lies in its two unique and innovative design ideas, concurrent pointer sweeping (CPW) and object origin tracking (OOT). CPW exploits the increasingly available multi-cores on modern PCs and outsources the heavyweight security checks and enforcement to dedicated threads that can run on spare cores. Specifically, CPW iteratively sweeps all live pointers in a concurrent thread to find dangling pointers. This design is quite different from previous work that requires to track every pointer propagation to maintain accurate point-to relationship between pointers and objects. OOT can help to pinpoint the root-causes of UaF by informing developers of how a dangling pointer is created, i.e., how the problematic object is allocated and freed. We implement a prototype of pSweeper and validate its efficacy in real scenarios. Our experimental results show that pSweeper is effective in defeating real-world UaF exploits and efficient when deployed in production runs. |
| DOI | 10.1145/3243734.3243826 |
| Citation Key | liu_robust_2018 |
A Robust and Efficient Defense Against Use-after-Free Exploits via Concurrent Pointer Sweeping