CharWars: A New Heap
Supervisor(s): Julian Kirsch
Status: finished
Topic: Others
Author: Clemens Jonischkeit
Submission: 2018-10-15
Type of Thesis: Master's thesis
Description: Despite many improvements and the development of safer programming languages, memory corruption vulnerabilities such as buffer overflows are still prevalent in current software. Attackers abusing memory corruption vulnerabilities most typically target the control structures that govern the path of program execution. To counter this threat, control-flow integrity techniques have been introduced in recent years in an effort to mitigate corruption of these critical data structures. This is achieved by constraining execution to valid paths calculated at compile time. Unfortunately, control-flow integrity techniques do not prevent memory corruption in the first place and thus have no impact on attacks targeting data that is not control-flow relevant.

This thesis evaluates the attack surface offered by dynamic memory allocators and demonstrates, using two popular implementations, ptmalloc and jemalloc, as examples, how the corruption of heap management structures (data that is not control-flow relevant) can still be used to hijack the control flow. To evaluate security, the thesis proposes an approach capable of comparing heap implementations with regard to their resistance against memory corruption attacks. Then, the design of a POSIX-compatible heap that measurably improves security is presented. The security improvements are achieved by separating user-controlled allocated buffers from management data and by severely limiting the type and amount of heap management information that traditional implementations place close to allocated memory under attacker control. Depending on allocation characteristics such as size and order, the performance of our proposed heap implementation is competitive with the standard malloc implementation used by glibc on Linux, achieving 83 percent of its performance on average. Overall, we conclude that dynamic memory allocators can be made more resistant against memory corruption attacks while still maintaining reasonable performance.
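The design principle described above, keeping allocator bookkeeping out of the region that holds attacker-influenced buffers, in a toy C allocator added here as an illustration; it is not code from the thesis, nor from ptmalloc or jemalloc. The slot size, the `oob_*` names and the inline-header layout used in the contrast function are assumptions chosen for the demonstration. An overflow from one user buffer into its neighbour clobbers user data in both layouts, but only the inline-header layout lets the same write reach the allocator's own size field.

```c
/* Added example (not the thesis's code): a toy fixed-slot allocator whose
 * management data lives in a separate array, never next to user buffers.
 * Names (oob_*), slot size and slot count are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SLOT_SIZE 64
#define NSLOTS    8

/* Out-of-band management data: one record per slot, stored apart from the arena. */
struct slot_meta {
    uint32_t in_use;   /* 0 = free, 1 = allocated */
    uint32_t req_size; /* size the caller asked for */
};
static struct slot_meta g_meta[NSLOTS];

/* The arena holds nothing but user data. */
static uint8_t g_arena[NSLOTS * SLOT_SIZE];

/* Allocate: take the first free slot, record its state out of band. */
void *oob_alloc(size_t n)
{
    if (n == 0 || n > SLOT_SIZE) return NULL;
    for (int i = 0; i < NSLOTS; i++) {
        if (!g_meta[i].in_use) {
            g_meta[i].in_use = 1;
            g_meta[i].req_size = (uint32_t)n;
            return &g_arena[i * SLOT_SIZE];
        }
    }
    return NULL;
}

/* Free: every validity check consults only the out-of-band state, so a
 * corrupted user buffer cannot influence the decision. Returns 1 on success. */
int oob_free(void *p)
{
    uint8_t *q = p;
    if (q < g_arena || q >= g_arena + sizeof g_arena) return 0; /* not ours */
    ptrdiff_t off = q - g_arena;
    if (off % SLOT_SIZE != 0) return 0;                         /* not a slot start */
    int i = (int)(off / SLOT_SIZE);
    if (!g_meta[i].in_use) return 0;                            /* double free */
    g_meta[i].in_use = 0;
    g_meta[i].req_size = 0;
    return 1;
}

/* Number of live allocations, derived purely from the metadata array. */
int oob_live_count(void)
{
    int c = 0;
    for (int i = 0; i < NSLOTS; i++) c += g_meta[i].in_use != 0;
    return c;
}

/* Overflow from slot A spills into slot B's user data, but the allocator's
 * bookkeeping is untouched and free/alloc keep working. Returns 1 if so. */
int oob_overflow_demo(void)
{
    memset(g_meta, 0, sizeof g_meta);
    uint8_t *a = oob_alloc(32);
    uint8_t *b = oob_alloc(32);
    if (!a || !b) return 0;
    strcpy((char *)b, "victim");
    memset(a, 'A', 96);                 /* 96 bytes into a 64-byte slot; stays inside g_arena */
    int b_clobbered = (b[0] == 'A');    /* neighbouring user data is overwritten ... */
    int meta_ok = g_meta[0].in_use == 1 && g_meta[0].req_size == 32 &&
                  g_meta[1].in_use == 1 && g_meta[1].req_size == 32; /* ... metadata is not */
    int free_ok = oob_free(a) && oob_free(b) && !oob_free(a) && oob_live_count() == 0;
    return b_clobbered && meta_ok && free_ok;
}

/* Contrast: the classic inline layout, a size field right before each user
 * buffer, modelled in one flat region as [size0][data0 60B][size1][data1 60B].
 * The same kind of overflow rewrites the next chunk's size field. Returns 1 if it did. */
int inline_header_demo(void)
{
    uint8_t region[2 * 64];
    uint32_t sz = 60, sz1;
    memset(region, 0, sizeof region);
    memcpy(region + 0, &sz, sizeof sz);
    memcpy(region + 64, &sz, sizeof sz);
    memset(region + 4, 'A', 64);        /* 60 bytes of data plus 4 too many */
    memcpy(&sz1, region + 64, sizeof sz1);
    return sz1 != 60;
}

int main(void)
{
    printf("out-of-band metadata survived overflow: %d\n", oob_overflow_demo());
    printf("inline header corrupted by overflow:    %d\n", inline_header_demo());
    return 0;
}
```

The point of `oob_free` is that its validity checks (range, alignment, double free) read only `g_meta`, so the allocator's behaviour after a corruption depends on data the overflow could not reach; the `inline_header_demo` function shows why an inline size field is the wrong place to keep that trust.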