SafeInit: Comprehensive and Practical Mitigation of Uninitialized Read Vulnerabilities

Milburn, Alyssa; Bos, Herbert; Giuffrida, Cristiano

doi:10.14722/ndss.2017.23183

Cited by 22 publications

(21 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Section: Introductionmentioning

confidence: 99%

“…However, in kernel exploitation, a local (unprivileged) adversary, armed with an arbitrary (kernel-level) memory disclosure vulnerability [84,99] has increased flexibility in mounting a JIT-ROP attack on a diversified kernel [64], as any user program may attack the OS. Therefore, kernel JIT-ROP attacks are not only easier to mount but are also facilitated by the abundance of memory disclosure vulnerabilities in kernel code [88,100,102,108].As a response to JIT-ROP attacks in user applications, execute-only memory prevents the (onthe-fly) discovery of gadgets by blocking read access to executable pages [27]. Nevertheless, given that widely used CPU architectures such as the x86 do not provide native support for enforcing execute-only permissions, such memory protection(s) can be achieved by relying on page table manipulation [9], TLB desynchronization [63], hardware virtualization [40,62], or techniques inspired by software-fault isolation (SFI) [86].…”

mentioning

confidence: 99%

See 1 more Smart Citation

Untitled

2019

TOPS

View full text Add to dashboard Cite

The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As stricter memory isolation mechanisms between the kernel and user space become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, as in web browsers, in kernel exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of code snippets in order to construct code-reuse payloads. Recent studies have shown that the coupling of code diversification with the enforcement of a "read XOR execute" (R ∧ X) memory safety policy is an effective defense against the exploitation of userland software, but so far this approach has not been applied for the protection of the kernel itself.In this article, we fill this gap by presenting kR ∧ X: a kernel-hardening scheme based on execute-only memory and code diversification. We study a previously unexplored point in the design space, where a hypervisor or a super-privileged component is not required. Implemented mostly as a set of GCC plugins, kR ∧ X is readily applicable to x86 Linux kernels (both 32b and 64b) and can benefit from hardware support (segmentation on x86, MPX on x86-64) to optimize performance. In full protection mode, kR ∧ X incurs a low runtime overhead of 4.04%, which drops to 2.32% when MPX is available, and 1.32% when memory segmentation is in use. 5:2M. Pomonis et al. INTRODUCTIONThe deployment of standard kernel-hardening schemes, such as address space layout randomization (KASLR) [50] and non-executable memory [91], has prompted a shift from legacy code injection (in kernel space) to return-to-user (ret2usr) attacks [80]. Due to the weak separation between kernel and user space-as a result of the kernel being mapped inside the (upper part of the) address space of every user process for performance reasons-in ret2usr attacks, the kernel control/dataflow is hijacked and redirected to code/data residing in user space, effectively bypassing KASLR and (kernel-space) W ∧ X. Fortunately, however, recent software [38,69,80,116] and hardware [35,77] kernel protection mechanisms mitigate ret2usr threats by enforcing a more stringent address space separation. Alas, mirroring the co-evolution of attacks and defenses in user space, kernel exploits have started to rely on code-reuse techniques, such as return-oriented programming (ROP) [134,144]; old ret2usr exploits [14] are converted to use ROP payloads instead of shellcode [18], while modern jailbreak and privilege escalation exploits rely solely on code reuse [2,129,152].At the same time, the security community started developing protections against code-reuse attacks: control-flow integrity (CFI) [7] and code-diversification [44,72,87,112,149] schemes have been applied both in the user and kernel settings [42,58,64,94]. Unfortunately, the...

show abstract

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

Untitled

2019

TOPS

View full text Add to dashboard Cite

show abstract

“…If the program erroneously references the original object, it executes a method controlled by the attacker. Likewise, common uninitialized read attacks exploit memory reuse to leak sensitive information, such as return addresses stored on the stack [27]. Temporal type safety prevents such attacks by preventing reuse of memory for different types.…”

Section: Introductionmentioning

confidence: 99%

“…More importantly, they protect only the heap, leaving the stack vulnerable. The reason is that the stack is notoriously performance-sensitive and extremely challenging to protect without incurring high overhead [27]. Unfortunately, stack-based temporal attacks are popular and, for instance, Microsoft reports that, over the last ten years, 52% of the uninitialized read vulnerabilities on its platform concerned the stack [28].…”

Section: Introductionmentioning

confidence: 99%

“…In contrast, Type-After-Type does not rely on complete call graph or points-to analysis, allowing support for complex, real-world applications. Finally, existing efficient stack protections provide comparable performance to Type-After-Type's on both stack and heap, but even on the stack alone they cannot address all the temporal vulnerabilities [22,25,27].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Type-After-Type

Kouwe

Kroes

Ouwehand

et al. 2018

Proceedings of the 34th Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

Temporal memory errors, such as use-after-free bugs, are increasingly popular among attackers and their exploitation is hard to stop efficiently using current techniques. We present a new design, called Type-After-Type, which builds on abstractions in production allocators to provide complete temporal type safety for C/C++ programs-ensuring that memory reuse is always type safe-and efficiently hinder temporal memory attacks. Type-After-Type uses static analysis to determine the types of all heap and stack allocations, and replaces regular allocations with typed allocations that never reuse memory previously used by other types. On the heap, Type-After-Type splits available memory into separate pools for each type. For the stack, Type-After-Type efficiently implements type-safe memory reuse for the first time, pushing variables on separate stacks according to their types, unless they are provably safe (e.g., their address is not taken), in which case they are zeroinitialized and kept on a special stack. In our evaluation, we show that Type-After-Type stops a variety of real-world temporal memory attacks and on SPEC CPU2006 incurs a performance overhead of 4.3% and a memory overhead of 17.4% (geomean).

show abstract

Static Detection of Uninitialized Stack Variables in Binary Code

Garmany

Stoffel

Gawlik

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

More than two decades after the first stack smashing attacks, memory corruption vulnerabilities utilizing stack anomalies are still prevalent and play an important role in practice. Among such vulnerabilities, uninitialized variables play an exceptional role due to their unpleasant property of unpredictability: as compilers are tailored to operate fast, costly interprocedural analysis procedures are not used in practice to detect such vulnerabilities. As a result, complex relationships that expose uninitialized memory reads remain undiscovered in binary code. Recent vulnerability reports show the versatility on how uninitialized memory reads are utilized in practice, especially for memory disclosure and code execution. Research in recent years proposed detection and prevention techniques tailored to source code. To date, however, there has not been much attention for these types of software bugs within binary executables. In this paper, we present a static analysis framework to find uninitialized variables in binary executables. We developed methods to lift the binaries into a knowledge representation which builds the base for specifically crafted algorithms to detect uninitialized reads. Our prototype implementation is capable of detecting uninitialized memory errors in complex binaries such as web browsers and OS kernels, and we detected 7 novel bugs.

show abstract

SafeInit: Comprehensive and Practical Mitigation of Uninitialized Read Vulnerabilities

Cited by 22 publications

References 44 publications

Untitled

Untitled

Type-After-Type

Static Detection of Uninitialized Stack Variables in Binary Code

Contact Info

Product

Resources

About