Repository logo
 

MarkUs: Drop-in use-after-free prevention for low-level languages

Accepted version
Peer-reviewed

Type

Conference Object

Change log

Authors

Jones, TM 

Abstract

Use-after-free vulnerabilities have plagued software written in low-level languages, such as C and C++, becoming one of the most frequent classes of exploited software bugs. Attackers identify code paths where data is manually freed by the programmer, but later incorrectly reused, and take advantage by reallocating the data to themselves. They then alter the data behind the program’s back, using the erroneous reuse to gain control of the application and, potentially, the system. While a variety of techniques have been developed to deal with these vulnerabilities, they often have unacceptably high performance or memory overheads, especially in the worst case.

We have designed MarkUs, a memory allocator that prevents this form of attack at low overhead, sufficient for deployment in real software, even under allocation- and memory-intensive scenarios. We prevent use-after-free attacks by quarantining data freed by the programmer and forbidding its reallocation until we are sure that there are no dangling pointers targeting it. To identify these we traverse live-objects accessible from registers and memory, marking those we encounter, to check whether quarantined data is accessible from any currently allocated location. Unlike garbage collection, which is unsafe in C and C++, MarkUs ensures safety by only freeing data that is both quarantined by the programmer and has no identifiable dangling pointers. The information provided by the programmer’s allocations and frees further allows us to optimize the process by freeing physical addresses early for large objects, specializing analysis for small objects, and only performing marking when sufficient data is in quarantine. Using MarkUs, we reduce the overheads of temporal safety in low-level languages to 1.1× on average for SPEC CPU2006, with a maximum slowdown of only 2×, vastly improving upon the state-of-the-art.

Description

Keywords

4606 Distributed Computing and Systems Software, 46 Information and Computing Sciences, 4612 Software Engineering, Prevention

Journal Title

Proceedings - IEEE Symposium on Security and Privacy

Conference Name

2020 IEEE Symposium on Security and Privacy (SP)

Journal ISSN

1081-6011

Volume Title

2020-May

Publisher

IEEE

Rights

All rights reserved
Sponsorship
Engineering and Physical Sciences Research Council (EP/K026399/1)
Engineering and Physical Sciences Research Council (EP/P020011/1)
Arm Limited