Mitigating Use-After-Free Attacks Using Memory-Reuse-Prohibited Library

Toshihiro YAMAUCHI  Yuta IKEGAMI  Yuya BAN  

IEICE TRANSACTIONS on Information and Systems   Vol.E100-D   No.10   pp.2295-2306
Publication Date: 2017/10/01
Online ISSN: 1745-1361
Type of Manuscript: Special Section PAPER (Special Section on Security, Privacy and Anonymity in Computation, Communication and Storage Systems)
Category: Operating system and network Security
use-after-free (UAF) vulnerabilities,  UAF attack-prevention,  memory-reuse-prohibited library,  system security,  

Full Text: PDF(887.9KB)
>>Buy this Article

Recently, there has been an increase in use-after-free (UAF) vulnerabilities, which are exploited using a dangling pointer that refers to a freed memory. In particular, large-scale programs such as browsers often include many dangling pointers, and UAF vulnerabilities are frequently exploited by drive-by download attacks. Various methods to prevent UAF attacks have been proposed. However, only a few methods can effectively prevent UAF attacks during runtime with low overhead. In this paper, we propose HeapRevolver, which is a novel UAF attack-prevention method that delays and randomizes the timing of release of freed memory area by using a memory-reuse-prohibited library, which prohibits a freed memory area from being reused for a certain period. The first condition for reuse is that the total size of the freed memory area is beyond the designated size. The threshold for the conditions of reuse of the freed memory area can be randomized by HeapRevolver. Furthermore, we add a second condition for reuse in which the freed memory area is merged with an adjacent freed memory area before release. Furthermore, HeapRevolver can be applied without modifying the target programs. In this paper, we describe the design and implementation of HeapRevolver in Linux and Windows, and report its evaluation results. The results show that HeapRevolver can prevent attacks that exploit existing UAF vulnerabilities. In addition, the overhead is small.