TY - GEN
T1 - HeapExpo
T2 - 36th Annual Computer Security Applications Conference, ACSAC 2020
AU - Shen, Zekun
AU - Dolan-Gavitt, Brendan
N1 - Funding Information:
This research was supported in part by National Science Foundation (NSF) Award 1657199. Any opinions, findings, conclusions, or recommendations expressed are those of the authors and not necessarily of the NSF.
Publisher Copyright:
© 2020 ACM.
PY - 2020/12/7
Y1 - 2020/12/7
N2 - Use-after-free (UAF) vulnerabilities, in which dangling pointers are left behind after memory is released, remain a persistent problem for applications written in C and C++. In order to protect legacy code, prior work has attempted to track pointer propagation and invalidate dangling pointers at deallocation time, but this work has gaps in coverage, as it lacks support for tracking program variables promoted to CPU registers. Moreover, we find that these gaps can significantly hamper detection of UAF bugs: in a preliminary study with OSS-Fuzz, we found that more than half of the UAFs in real-world programs we examined (10/19) could not be detected by prior systems due to register promotion. In this paper, we introduce HeapExpo, a new system that fills this gap in coverage by parsimoniously identifying potential dangling pointer variables that may be lifted into registers by the compiler and marking them as volatile. In our experiments, we find that HeapExpo effectively detects UAFs missed by other systems with an overhead of 35% on the majority of SPEC CPU2006 and 66% when including two benchmarks that have high amounts of pointer propagation.
KW - Dangling pointers
KW - memory errors
KW - use-after-free
UR - http://www.scopus.com/inward/record.url?scp=85098054108&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85098054108&partnerID=8YFLogxK
U2 - 10.1145/3427228.3427645
DO - 10.1145/3427228.3427645
M3 - Conference contribution
AN - SCOPUS:85098054108
T3 - ACM International Conference Proceeding Series
SP - 454
EP - 465
BT - Proceedings - 36th Annual Computer Security Applications Conference, ACSAC 2020
PB - Association for Computing Machinery
Y2 - 7 December 2020 through 11 December 2020
ER -
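The abstract's central point, that a deallocation-time pointer-invalidation scheme can only nullify pointer copies it saw being stored to memory, and that a copy the compiler promotes to a register is therefore missed until the variable is made volatile, is easiest to see with a small model. The following is an added example written for this record; it is not HeapExpo's code, nor that of any of the prior systems the abstract refers to. The tracker (`track_store`, `tracked_free`, `g_slots`) is a deliberately simplified stand-in for an instrumentation pass: register promotion is modelled by a plain local assigned without an instrumented store, and the volatile remedy by a `volatile` local written through the instrumented store. All names, the `struct node` type and the 16-byte allocation are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of deallocation-time dangling-pointer invalidation, written for
 * this example (not HeapExpo's implementation nor any prior system's).
 * Every *instrumented* pointer store registers the memory slot that now holds
 * a heap pointer; tracked_free() then nulls every registered slot that still
 * points into the object being freed.
 */

#define MAX_SLOTS 64

static void *volatile *g_slots[MAX_SLOTS]; /* addresses of slots holding heap pointers */
static size_t g_nslots;

static void tracker_reset(void) { g_nslots = 0; }
static size_t tracker_slot_count(void) { return g_nslots; }

/* Instrumented store: what a pointer-tracking pass emits for a store to memory. */
static void track_store(void *volatile *slot, void *value)
{
    *slot = value;
    for (size_t i = 0; i < g_nslots; i++)
        if (g_slots[i] == slot)
            return;                     /* slot already registered */
    if (g_nslots < MAX_SLOTS)
        g_slots[g_nslots++] = slot;
}

/* Free plus invalidation: every registered slot still pointing into [obj, obj+size) is nulled. */
static void tracked_free(void *obj, size_t size)
{
    uintptr_t lo = (uintptr_t)obj, hi = lo + size;
    for (size_t i = 0; i < g_nslots; i++) {
        uintptr_t v = (uintptr_t)*g_slots[i];
        if (v >= lo && v < hi)
            *g_slots[i] = NULL;
    }
    free(obj);
}

struct node { void *buf; };   /* assumed heap-owning structure for the demo */

/*
 * The coverage gap: after the compiler promotes the second copy of the pointer
 * to a register there is no memory store for the pass to instrument. Modelled
 * here by a plain local assigned without track_store(). Returns 1 when a
 * dangling copy survives the free, -1 if the allocation failed.
 */
static int dangling_copy_survives_when_promoted(void)
{
    tracker_reset();
    struct node n;
    track_store(&n.buf, malloc(16));   /* instrumented: &n.buf is registered */
    if (n.buf == NULL)
        return -1;
    void *tmp = n.buf;                 /* register-resident copy: nothing to instrument */
    tracked_free(n.buf, 16);           /* n.buf -> NULL; tmp is invisible to the tracker */
    return n.buf == NULL && tmp != NULL;
}

/*
 * The remedy the abstract describes: mark the variable volatile so the compiler
 * must keep it in memory, which turns the copy into an instrumented store the
 * tracker can see. Returns 1 when no dangling copy remains, -1 on allocation failure.
 */
static int dangling_copy_invalidated_when_volatile(void)
{
    tracker_reset();
    struct node n;
    track_store(&n.buf, malloc(16));
    if (n.buf == NULL)
        return -1;
    void *volatile tmp = NULL;         /* volatile: forced into a memory slot */
    track_store(&tmp, n.buf);          /* now an instrumented store: &tmp is registered */
    tracked_free(n.buf, 16);           /* both n.buf and tmp -> NULL */
    return n.buf == NULL && tmp == NULL;
}

int main(void)
{
    printf("promoted copy still dangling after free: %s\n",
           dangling_copy_survives_when_promoted() == 1 ? "yes (UAF undetected)" : "no");
    printf("volatile copy invalidated at free:       %s\n",
           dangling_copy_invalidated_when_volatile() == 1 ? "yes" : "no");
    return 0;
}
```

In the first scenario the tracker registers one slot and nulls it, but the untracked copy keeps the freed address, so a later dereference through it would be a UAF the scheme never flagged. In the second scenario the volatile copy costs one extra registered slot and one extra memory store per assignment, which is the source of the runtime overhead the abstract reports; the paper's contribution is choosing parsimoniously which variables need that treatment rather than marking every pointer volatile.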