CSC 2045 Week 11 Dynamic Memory Heap PDF

CSC 2045 SECURE MEMORY HANDLING: DYNAMIC MEMORY HEAP OBJECTIVES AGENDA: WEEK 11 Explain the relationship between 1. Heap Memory applications, CPU, and main memory 2. OOP and Heap Memory Describe and implement dynamic 3. Heap Buffer Overflow memory management. Understand the various parts of a 4. Use-After-Free process space 5. Consequences & Mitigations Understand how activation records of Use-After-Free relate to program variables 6. Double Free Understand where various kinds of program variables are stored in 7. Heap Guidelines memory process space HEAP MEMORY Heap memory is managed by the developer at runtime using a pointer to the heap It is the responsibility of the kernel to fulfill these memory allocation and deallocation requests as the come in. The individual pieces of the heap that are in use, versus those that are free, must be carefully tracked. The heap is managed in units of chunk’s. The size of a chunk is not fixed, and often varies depending on what memory allocations are requested. When a chunk is requested, the first-fit algorithm will try to find the first chunk that is both free and large enough HEAP ALLOCATION & DEALLOCATION From the pool of Heap memory, allocate memory as a chunk malloc() or new Give it back, deallocate memory (freed chucks can be reused now) free() or delete C char* str = (char*)malloc(80); // 80 bytes allocated free(str); C++ char* str = new char; // 80 bytes allocated delete [] str; OOP AND HEAP MEMORY Classes that use dynamic memory must complete the rule of 3 1. Copy Constructor Allocates new heap memory for any data member stored on the heap, then assigns/copies the values of the data members of one object to the new object's data members 2. Assignment Operator Allocates new heap memory for any data member stored on the heap, then assigns/copies the values of the data members of one object to the data members of another object 3. Destructor Destroys all allocated heap memory when the object goes out of scope. INVALID FREE | UNINITIALIZED EXPLOITS Invalid free, when a program deletes a chunk it never allocated. Uninitialized reads, when a program blindly reads from a newly allocated heap. HEAP OVERFLOW OR UNDERFLOW Attack buffer is located on the heap and the heap chunk is too small to hold the data memory is requested by programs to use in dynamic data structures (such as linked lists of records) typically located above program code no return address is specified, and thus no easy transfer of control manipulate management data structures may have function pointers to exploit Defenses include making the heap non-executable randomizing the allocation of memory on the heap DANGLING POINTERS Dangling pointers (aka use after free), is when a program frees a heap chunk, but later makes use of it. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. USE-AFTER-FREE VULNERABILITY Use-After Free is a vulnerability related to the incorrect use of dynamic memory during program operation. o If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program. USE AFTER FREE VULNERABILITY 1. Allocate a 2. Free the 3. Reallocate 4. Access freed chunk of chunk of Heap the freed memory by dangling Heap memory chunk with pointer memory crafted data USE-AFTER-FREE VULNERABILITY (CWE) Referencing memory after it has been freed can cause a program to crash, use unexpected values, corruption of valid data, or execute code. The simplest way data corruption may occur involves the system's reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes: Error conditions and other exceptional circumstances. Confusion over which part of the program is responsible for freeing the memory. CONSEQUENCES OF USE-AFTER-FREE Integrity: The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere. Availability: If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information. Access Control (instruction processing): If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code. MITIGATE USE-AFTER-FREE Smart Pointers (Modern C++) https://msdn.microsoft.com/en-us/library/hh279674.aspx #include unique_ptr (pointer ownership) When the object is pointed to by only one pointer shared_ptr (pointer with reference counter) When the object is pointed by more than one pointers To avoid circular reference, weak_ptr is used together DOUBLE FREE If the same chunk of memory is double freed, it could be possible reallocation of the same chunk to different allocation requests. The chunk 0x9214008, after being freed twice, was subsequently re- allocated twice. 1st malloc(8): 0x9214008 2nd malloc(8): 0x9214018 3rd malloc(8): 0x9214028 Freeing the first one... So, instead, we'll free 0x9214018. Now, we can free 0x9214008 again, now it's head of free list. Now the free list has [ 0x9214008, 0x9214018, 0x9214008 ] If we malloc 3 times, we'll get 0x9214008 twice! 1st malloc(8): 0x9214008 2nd malloc(8): 0x9214018 3rd malloc(8): 0x9214008 HEAP VULNERABILITY MITIGATIONS Many strategies typically incur a large performance overhead, and focus on tackling specific types of heap vulnerabilities. MemorySanitizer a dynamic analysis tool that detects uninitialized reads, at the cost of a 2.5x slowdown and 2x memory overhead AddressSanitizer targets detecting overflows and use after frees, incurs a 73% slowdown and 3.4x memory increase. HeapTherapy propose efficient heap overflow detection, however provide no protections against uninitialized reads or use after free vulnerabilities (@zeng2018codeless). MEMORY MANAGEMENT ERRORS Initialization errors Failing to check return values Writing to already freed memory Freeing the same memory more than once Improperly paired memory management functions (example: malloc / delete) Failure to distinguish scalars and arrays Improper use of allocation functions HEAP GUIDELINES Only ever use the amount of memory requested by malloc, and no more. Only ever free memory that was allocated by you, once. Never access freed memory. Always check the return value of malloc for NULL. Never assume the state memory is when returned by malloc. After free, NULL all pointers to it. Zero sensitive memory before freeing. Don't use dynamic memory allocation after initialization for critical systems

CSC 2045 Week 11 Dynamic Memory Heap PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue