An Efficient Use-after-Free Mitigation Approach via Static Dangling Pointer Nullification

Cited by: 0
Authors
Yu, Yue [1, 2]
Jia, Xiaoqi [1, 2]
An, Xun [1, 2]
Zhang, Shengzhi [3]
Affiliations
[1] Chinese Acad Sci, Inst Informat Engn, BKLONSPT Beijing Key Lab Network Secur & Protect, CAS KLONAT Key Lab Network Assessment Technol, Beijing, Peoples R China
[2] Univ Chinese Acad Sci, Sch Cyber Secur, Beijing, Peoples R China
[3] Boston Univ, Metropolitan Coll, Boston, MA 02215 USA
Keywords
Use-after-free vulnerability; Vulnerability mitigation; Alias analysis; Dangling pointer; SAFETY;
DOI
10.1007/978-3-031-06975-8_29
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
UAF (use-after-free) is one of the most severe program vulnerabilities, caused by dangling pointers. Existing vulnerability mitigation approaches either attempt to block possible exploitation without fixing the root cause problem, or identify and remove dangling pointers with huge runtime overhead. In this paper, we present SDPN (Static Dangling Pointer Nullification) to defeat use-after-free vulnerability by eliminating dangling pointers filtered in multiple stages during compilation time. We implement a prototype of SDPN and evaluate it using real-world CVE vulnerabilities, and the results show that SDPN can effectively protect programs from use-after-free vulnerability. We also test SDPN using SPEC 2006 and the experimental results demonstrate that the time overhead introduced by SDPN is almost negligible, i.e., <1%.
Pages: 507 - 523
Number of pages: 17
Related papers
50 in total
  • [1] Preventing Use-after-free with Dangling Pointers Nullification
    Lee, Byoungyoung
    Song, Chengyu
    Jang, Yeongjin
    Wang, Tielei
    Kim, Taesoo
    Lu, Long
    Lee, Wenke
    [J]. 22ND ANNUAL NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM (NDSS 2015), 2015,
  • [2] A Robust and Efficient Defense against Use-after-Free Exploits via Concurrent Pointer Sweeping
    Liu, Daiping
    Zhang, Mingwei
    Wang, Haining
    [J]. PROCEEDINGS OF THE 2018 ACM SIGSAC CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY (CCS'18), 2018, : 1635 - 1648
  • [3] An Efficient Metric-Based Approach for Static Use-After-Free Detection
    Wei, Haolai
    Chen, Liwei
    Nie, Xiaofan
    Zhang, Zhijie
    Zhang, Yuantong
    Shi, Gang
    [J]. 2022 IEEE INTL CONF ON PARALLEL & DISTRIBUTED PROCESSING WITH APPLICATIONS, BIG DATA & CLOUD COMPUTING, SUSTAINABLE COMPUTING & COMMUNICATIONS, SOCIAL COMPUTING & NETWORKING, ISPA/BDCLOUD/SOCIALCOM/SUSTAINCOM, 2022, : 58 - 65
  • [4] Use-After-Free Mitigation via Protected Heap Allocation
    Zhang, Mingbo
    Zonouz, Saman
    [J]. 2018 IEEE CONFERENCE ON DEPENDABLE AND SECURE COMPUTING (DSC), 2018, : 131 - 138
  • [5] Spatio-Temporal Context Reduction: A Pointer-Analysis-Based Static Approach for Detecting Use-After-Free Vulnerabilities
    Yan, Hua
    Sui, Yulei
    Chen, Shiping
    Xue, Jingling
    [J]. PROCEEDINGS 2018 IEEE/ACM 40TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING (ICSE), 2018, : 327 - 337
  • [6] Refining Use-after-free Defense: Eliminating Dangling Pointers in Registers and Memory
    An, Xun
    Zhou, Qihang
    Du, HaiChao
    Song, ZhenYu
    Jia, Xiaoqi
    [J]. PROCEEDINGS OF THE 2023 30TH ASIA-PACIFIC SOFTWARE ENGINEERING CONFERENCE, APSEC 2023, 2023, : 493 - 502
  • [7] FreeSentry: Protecting Against Use-After-Free Vulnerabilities Due to Dangling Pointers
    Younan, Yves
    [J]. 22ND ANNUAL NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM (NDSS 2015), 2015,
  • [8] Scalable Static Detection of Use-After-Free Vulnerabilities in Binary Code
    Zhu, Kailong
    Lu, Yuliang
    Huang, Hui
    [J]. IEEE ACCESS, 2020, 8 : 78713 - 78725
  • [9] POSTER: UAFChecker: Scalable Static Detection of Use-After-Free Vulnerabilities
    Ye, Jiayi
    Zhang, Chao
    Han, Xinhui
    [J]. CCS'14: PROCEEDINGS OF THE 21ST ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, 2014, : 1529 - 1531
  • [10] xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64
    Bernhard, Lukas
    Rodler, Michael
    Holz, Thorsten
    Davit, Lucas
    [J]. 2022 IEEE 7TH EUROPEAN SYMPOSIUM ON SECURITY AND PRIVACY (EUROS&P 2022), 2022, : 502 - 519