DieHarder (CCS 2010, WOOT 2011)

Heap-based attacks depend on a combination of memory management errors and an exploitable memory allocator. Many allocators include ad hoc countermeasures against particular exploits, but their effectiveness against future exploits has been uncertain.

This paper presents the first formal treatment of the impact of allocator design on security. It analyzes a range of widely-deployed memory allocators, including those used by Windows, Linux, FreeBSD, and OpenBSD, and shows that they remain vulnerable to attack. It then presents DieHarder, a new allocator whose design was guided by this analysis. DieHarder provides the highest degree of security from heap-based attacks of any practical allocator of which we are aware, while imposing modest performance overhead. In particular, the Firefox web browser runs as fast with DieHarder as with the Linux allocator.

Published in: Education, Technology

  1. DIEHARDER: SECURING THE HEAP. Gene Novark & Emery Berger, Department of Computer Science, University of Massachusetts, Amherst [originally presented at CCS 2011]
  2. DieHard: Probabilistic Memory Safety for C/C++ Programs [PLDI 2005]. Direct inspiration for Windows 7's Fault-Tolerant Heap (2009)
  18. sensitive data / metadata
  19. sensitive data / metadata. All data / metadata sensitive
  20. guard / unmapped page
  25. Address-space layout randomization
  26. object, free space, heap metadata
  27. prev. object, object, free space, object size, heap metadata (GNU libc, others)
  28. object x, free space, heap metadata
  37. ≈ 4-5 bits of entropy
  39. Maximal entropy: log N bits (e.g., ≈ 25-30)
  41. 44.2 sec
  42. 44.2 sec, 41.6 sec