Title: MIRAGE: Randomizing large chunk allocation via dynamic binary instrumentation
Authors: Zhenghao Hu, Yuanyuan Zhang, Hui Wang, Juanru Li, Wenbo Yang, Dawu Gu
DOI: 10.1109/DESEC.2017.8073800 (https://doi.org/10.1109/DESEC.2017.8073800)
Venue: DASC-PICom-DataCom-CyberSciTech 2017 : 2017 IEEE 15th International Conference on Dependable, Autonomic and Secure Computing ; 2017 IEEE 15th International Conference on Pervasive Intelligence and Computing ; 2017 IEEE 3rd International...
Volume: 29 1, pages 98-106
Published: 2017-08-01
Citations: 1
Abstract
Heap security relies heavily on the randomness of chunk allocation in memory allocators to mitigate heap fengshui and heap spraying, the most widely used techniques in modern exploits. However, randomness in large chunk allocation has been overlooked. Memory allocators call the mmap (sometimes brk) syscall directly to allocate large chunks, while the Linux kernel does not provide fine-grained randomization for mmap/brk: only the base address is randomized, and the offset between any two consecutive syscalls is predictable. Such poorly randomized large chunks are vulnerable to heap fengshui and heap spraying. In this paper, we assess the security of the three most representative general-purpose memory allocators, Glibc ptmalloc, OpenBSD PHK malloc, and DieHarder, against large-chunk-based attacks, and demonstrate successful heap fengshui and heap spraying attacks against Nginx. We then present MIRAGE, a transparent, portable, and allocator-agnostic runtime large chunk randomizer that fortifies existing memory allocators against large-chunk-based attacks. Large chunk fengshui and spraying attacks are mitigated by MIRAGE through fine-grained randomization of the mmap/brk syscall, and MIRAGE imposes an acceptable performance overhead.