DieHarder (CCS 2010, WOOT 2011)

Heap-based attacks depend on a combination of memory management errors and an exploitable memory allocator. Many allocators include ad hoc countermeasures against particular exploits, but their effectiveness against future exploits has been uncertain.

This paper presents the first formal treatment of the impact of allocator design on security. It analyzes a range of widely-deployed memory allocators, including those used by Windows, Linux, FreeBSD, and OpenBSD, and shows that they remain vulnerable to attack. It then presents DieHarder, a new allocator whose design was guided by this analysis. DieHarder provides the highest degree of security from heap-based attacks of any practical allocator of which we are aware, while imposing modest performance overhead. In particular, the Firefox web browser runs as fast with DieHarder as with the Linux allocator.

  1. DIEHARDER: SECURING THE HEAP. Gene Novark & Emery Berger, University of Massachusetts, Amherst [originally presented at CCS 2011]. UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
  2. DieHard: Probabilistic Memory Safety for C/C++ Programs [PLDI 2005]. Direct inspiration for Windows 7’s Fault-Tolerant Heap (2009)
  3. DieHard: Probabilistic Memory Safety for C/C++ Programs [PLDI 2005]. Direct inspiration for Windows 7’s Fault-Tolerant Heap (2009)
  4-17. (no slide text)
  18. sensitive data / metadata
  19. sensitive data / metadata. All data / metadata sensitive
  20. guard / unmapped page
  21. guard / unmapped page
  22-24. (no slide text)
  25. Address-space layout randomization
  26. object | free space | heap metadata
  27. prev. object | object | free space | object size | heap metadata (GNU libc, others)
  28. object | x | free space | heap metadata
  29. object | x | free space | heap metadata
  30-36. (no slide text)
  37. ≈ 4-5 bits of entropy
  38. (no slide text)
  39. Maximal entropy: log N bits (e.g., ≈ 25-30)
  40. (no slide text)
  41. 44.2 sec
  42. 44.2 sec, 41.6 sec
  43. DIEHARDER: SECURING THE HEAP. Gene Novark & Emery Berger, University of Massachusetts, Amherst