MarkUs: Drop-in use-after-free prevention for low-level languages

Abstract: Use-after-free vulnerabilities have plagued software written in low-level languages, such as C and C++, becoming one of the most frequent classes of exploited software bugs. Attackers identify code paths where data is manually freed by the programmer, but later incorrectly reused, and take advantage by reallocating the data to themselves. They then alter the data behind the program's back, using the erroneous reuse to gain control of the application and, potentially, the system. While a variety of techniques h… Show more

“…Other static detectors and dynamic detectors are not considered because their prototypes are either unavailable or unable to run. To answer RQ5 and RQ6, we evaluate five publicly-available exploit mitigation tools: MarkUs [1], SlimGuard [41], Guarder [40],…”

“…Worst of all, some dangling pointers may survive for a long time, which further increases the memory overhead of garbage collection. Another key limitation is that they may free objects that are still referenced by hidden pointers [1], thus causing UAFs themselves.…”

“…Delay memory reuse. Many mitigation techniques delay memory reuse until a criterion is met [1], [16], [18], [44], [63], [87], [91], [124], [130]. For example, MemGC [124] delays memory reuse until the total size of unreferenced chunks reaches a dynamically calculated threshold (that is, criterion).…”

“…The design limitation is that its protection is probabilistic. MarkUs [1] differs from other memory reuse-delay approaches in that it delays memory reuse until it cannot find dangling pointers to freed objects.…”

“…U Se-After-Free (UAF), that is, dangling pointer dereferences on the freed memory object, is top security vulnerability [1], [2]. Previous research shows that in the NVD database, 80.14% of UAFs from 2007 to 2016 are rated as critical or high severity [3], with an increasing number of UAFs every year.…”

Automated Use-After-Free Detection and Exploit Mitigation: How Far Have We Gone?

“…Other static detectors and dynamic detectors are not considered because their prototypes are either unavailable or unable to run. To answer RQ5 and RQ6, we evaluate five publicly-available exploit mitigation tools: MarkUs [1], SlimGuard [41], Guarder [40],…”

“…Worst of all, some dangling pointers may survive for a long time, which further increases the memory overhead of garbage collection. Another key limitation is that they may free objects that are still referenced by hidden pointers [1], thus causing UAFs themselves.…”

“…Delay memory reuse. Many mitigation techniques delay memory reuse until a criterion is met [1], [16], [18], [44], [63], [87], [91], [124], [130]. For example, MemGC [124] delays memory reuse until the total size of unreferenced chunks reaches a dynamically calculated threshold (that is, criterion).…”

“…The design limitation is that its protection is probabilistic. MarkUs [1] differs from other memory reuse-delay approaches in that it delays memory reuse until it cannot find dangling pointers to freed objects.…”

“…U Se-After-Free (UAF), that is, dangling pointer dereferences on the freed memory object, is top security vulnerability [1], [2]. Previous research shows that in the NVD database, 80.14% of UAFs from 2007 to 2016 are rated as critical or high severity [3], with an increasing number of UAFs every year.…”

Automated Use-After-Free Detection and Exploit Mitigation: How Far Have We Gone?

SoK: Secure Memory Allocation

MPKAlloc: Efficient Heap Meta-data Integrity Through Hardware Memory Protection Keys