Preventing Use-After-Free Attacks with Fast Forward Allocation

Authors: 

Brian Wickman, GTRI; Hong Hu, PennState; Insu Yun, Daehee Jang, and JungWon Lim, GeorgiaTech; Sanidhya Kashyap, EPFL; Taesoo Kim, GeorgiaTech

Abstract: 

Memory-unsafe languages are widely used to implement critical systems like kernels and browsers, leading to thousands of memory safety issues every year. A use-after-free bug is a temporal memory error where the program accidentally visits a freed memory location. Recent studies show that use-after-free is one of the most exploited memory vulnerabilities. Unfortunately, previous efforts to mitigate use-after-free bugs are not widely deployed in real-world programs due to either inadequate accuracy or high performance overhead.

In this paper, we propose to resurrect the idea of one-time allocation (OTA) and provide a practical implementation with efficient execution and moderate memory overhead. With one-time allocation, the memory manager always returns a distinct memory address for each request. Since memory locations are not reused, attackers cannot reclaim freed objects, and thus cannot exploit use-after-free bugs. We utilize two techniques to render OTA practical: batch page management and the fusion of bump-pointer and fixed-size bins memory allocation styles. Batch page management helps reduce the number of system calls which negatively impact performance, while blending the two allocation methods mitigates the memory overhead and fragmentation issues. We implemented a prototype, called FFmalloc, to demonstrate our techniques. We evaluated FFmalloc on widely used benchmarks and real-world large programs. FFmalloc successfully blocked all tested use-after-free attacks while introducing moderate overhead. The results show that OTA can be a strong and practical solution to thwart use-after-free threats.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {263880,
author = {Brian Wickman and Hong Hu and Insu Yun and DaeHee Jang and JungWon Lim and Sanidhya Kashyap and Taesoo Kim},
title = {Preventing {Use-After-Free} Attacks with Fast Forward Allocation},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {2453--2470},
url = {https://www.usenix.org/conference/usenixsecurity21/presentation/wickman},
publisher = {USENIX Association},
month = aug
}

Presentation Video