[Master 2R 2013-2014] Dynamic detections of Use after free and exploitability characterization

Advisors: Laurent Mounier, Marie-Laure Potet

Laurent.Mounier@imag.fr, Marie-Laure.Potet@imag.fr

Key words: security, binary code, code analysis, vulnerability exploitation


Vulnerability detection for buffer overflows has by now been studied in depth (both manually and with tools), and applications can now be mitigated against them. The vulnerabilities that are currently most sensitive are use-after-free (UaF) and double-free, both based on dangling pointers (their number has doubled every year since 2008). UaF detection is complex for several reasons: these bugs are introduced by sophisticated programming features (object-oriented features) and they involve two separate program events (the creation of a dangling pointer and its later use).


Several techniques can be used to track this type of memory error, either statically (by code analysis) or dynamically (by instrumentation). Static analysis can ensure completeness but suffers from false positives. Dynamic tools, such as AddressSanitizer [Asan], are efficient but not complete (some UaFs are not detected). Furthermore, these tools generally rely on tuned allocators whose behaviour does not correspond to that of a real allocator such as those provided by the libc. The aim of this work is to survey and compare the main UaF detection techniques and to propose an extension of the AddressSanitizer approach that ensures detection completeness. AddressSanitizer is an open source tool (http://code.google.com/p/address-sa...) that detects memory corruption bugs. It is based on compiler instrumentation and is currently implemented in the Clang compiler suite, built on the LLVM platform [llvm].
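To make the two-event structure and the allocator dependence concrete, here is an added toy example (not AddressSanitizer's code, nor part of this proposal): a hypothetical four-slot allocator with one shadow byte per slot. With a quarantine the stale access is flagged; with an allocator that reuses the block at once, as a libc allocator may, the same use-after-free is invisible to a state-based check because the dangling pointer now aliases live data.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical toy allocator: four fixed-size slots and one shadow byte per
 * slot (a deliberately simplified stand-in for real shadow memory). */
enum { SLOT_FREE = 0, SLOT_LIVE = 1, SLOT_QUARANTINED = 2 };
#define SLOTS 4
#define SLOT_SIZE 32
static unsigned char arena[SLOTS * SLOT_SIZE];
static unsigned char shadow[SLOTS];
static int quarantine_on = 1;   /* 1: freed slots are parked, not reused */

static int slot_of(const void *p) {
    const unsigned char *q = (const unsigned char *)p;
    if (q < arena || q >= arena + sizeof arena) return -1;
    return (int)((q - arena) / SLOT_SIZE);
}

void *toy_malloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (shadow[i] == SLOT_FREE) { shadow[i] = SLOT_LIVE; return arena + i * SLOT_SIZE; }
    return NULL;
}

/* Event 1: the caller's copy of p becomes dangling. With a quarantine the
 * slot stays unavailable; a reuse-at-once allocator hands it out again. */
void toy_free(void *p) {
    int s = slot_of(p);
    if (s >= 0) shadow[s] = quarantine_on ? SLOT_QUARANTINED : SLOT_FREE;
}

/* Instrumented access check: 1 = use of freed memory flagged, 0 = allowed. */
int toy_check(const void *p) {
    int s = slot_of(p);
    return s >= 0 && shadow[s] != SLOT_LIVE;
}

/* Scenario: free a, allocate b, then touch a through the stale pointer
 * (event 2). Returns a bit mask: bit 0 = the check flagged the access,
 * bit 1 = b was handed out at a's address, so the UaF now aliases live data. */
int uaf_scenario(int use_quarantine) {
    memset(shadow, 0, sizeof shadow);
    quarantine_on = use_quarantine;
    void *a = toy_malloc();
    toy_free(a);
    void *b = toy_malloc();
    return toy_check(a) | ((b == a) << 1);
}
```

uaf_scenario(1) yields 1 (flagged, no aliasing) while uaf_scenario(0) yields 2 (missed, and the stale pointer now points into b), which is the incompleteness the proposal targets.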

Working plan:

  • An understanding of UaF exploits through some CVEs [Blog Vupen] [Blog IBM] [Aurora] [CVE-2011-1260] [CVE-2012-4792]
  • A fine understanding of mitigations against use-after-free and of the solution proposed by AddressSanitizer
  • A proposed extension of AddressSanitizer and its prototyping on the LLVM platform
  • A validation of the proposed approach with the help of KLEE, a dynamic symbolic test generator for LLVM code, to build vulnerable paths.

The subject is part of a larger project led at Vérimag, where basic analyses (value, dependency, taint) have been developed for binary code. Vérimag also participates in an ANR project dedicated to the binary analysis of code with memory allocation (BinSec, 2013-2017), involving academic and industrial partners.

This subject is well suited to students interested in security and binary code analysis. It will also give the opportunity to interact with our academic and industrial partners on this topic. This work could be followed by a PhD proposal.

[Asan] AddressSanitizer: A Fast Address Sanity Checker (Konstantin Serebryany, Derek Bruening, Alexander Potapenko and Dmitry Vyukov), 2012
[llvm] The LLVM Compiler Infrastructure Project, llvm.org
[Blog Vupen] http://www.vupen.com/blog/20120110.... ; http://www.vupen.com/blog/20120625....
[Aurora] http://www.thegreycorner.com/2010/0...
[CVE-2011-1260] http://d0cs4vage.blogspot.fr/2011/0... ; http://www.exploit-monday.com/2011/...
[CVE-2012-4792] http://blog.exodusintel.com/2013/01...
[CVE-2012-2553] http://j00ru.vexillium.org/?p=1479