Please note: This master’s thesis presentation will take place online.
Ruizhe Wang, Master’s candidate
David R. Cheriton School of Computer Science
Supervisors: Professors N. Asokan, Meng Xu
Attacks on heap memory, encompassing memory overflow, double and invalid free, use-after-free (UAF), and various heap-spraying techniques are ever-increasing. Existing secure memory allocators can be generally classified as complete UAF-mitigating allocators that focus on detecting and stopping UAF attacks, type-based allocators that limit type confusion, and entropy-based allocators that provide statistical defenses against virtually all of these attack vectors. In this thesis, I introduce two novel approaches, SEMalloc and S2Malloc, of type- and entropy-based allocator, respectively. Both allocators are designed to restrict the attacker’s ability, that can significantly increase the security level without introducing excessive overheads.
SEMalloc proposes a new notion of thread-, context-, and flow-sensitive ‘type’, textttSemaType, to capture the semantics and prototype a textttSemaType-based allocator that aims for the best trade-off amongst the impossible trinity. In SEMalloc, only heap objects allocated from the same call site and via the same function call stack can possibly share a virtual memory address, which effectively stops type-confusion attacks and make UAF vulnerabilities harder to exploit.
S2Malloc aims to enhance UAF-attempt detection without compromising other security guarantees or introducing significant overhead. We use three innovative constructs in secure allocator design: textbffree block canaries (FBC) to detect UAF attempts, textbfrandom in-block offset (RIO) to stop the attacker from accurately overwriting the victim object, and textbfrandom bag layout (RBL) to impede attackers from estimating the block size based on its address.
This thesis demonstrates the importance of memory security and highlights the potential of more secure and efficient memory allocation by constraining attacker actions.