Use-after-free 2016-12-08
Papers
• Younan, Yves. "FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers." NDSS 2015.
• Lee, B., Song, C., Jang, Y., Wang, T., Kim, T., Lu, L., & Lee, W. "Preventing Use-after-free with Dangling Pointers Nullification." NDSS 2015.
Use-after-free vulnerabilities
• A dangling pointer: a pointer that still points to a memory region that has already been freed
• Using a dangling pointer leads to undefined program states
• It is easy to turn this into arbitrary code execution, which is why the bug class is called use-after-free
Use-after-free vulnerabilities (slides 7 to 12, one animated example)

    p = (struct A *) malloc(16);
    free(p);
    q = (struct B *) malloc(16);
    p->integer1 = value;
    q->function_ptr1();

Object layouts in the figure:
• struct A (16 bytes): integer1, integer2, integer3, integer4
• struct B (16 bytes): function_ptr1, function_ptr2, char_array
• P: pointer to A; Q: pointer to B; IP: the instruction pointer

[Figure: the animation walks through the snippet step by step]
• After free(p), P still holds the address of the freed 16-byte chunk: it is now a dangling pointer.
• malloc(16) for the struct B is satisfied from the same freed chunk, so Q aliases the memory P still points to, but with a different type (function pointers where A had integers).
• p->integer1 = value writes attacker-controlled data at offset 0 of the chunk, which is exactly where B's function_ptr1 lives.
• q->function_ptr1() then loads IP from the overwritten slot and control transfers to the attacker's code.
Use-after-free vulnerabilities (slide 13, a browser-style example)

    class Doc : public Element {
        Element *child;
    };

    class Body : public Element {
        Element *child;
    };

    Doc *doc = new Doc();
    Body *body = new Body();
    doc->child = body;
    delete body;
    if (doc->child)
        doc->child->getAlign();

After delete body, doc->child still holds the old address, so the NULL check passes and getAlign() is called through a dangling pointer (a virtual call through a freed object, with the same consequences as the function-pointer example above).
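The following is an added example, not code from the lecture slides and not from either of the FreeSentry or DangNull papers. It reproduces the struct A / struct B sequence from the slides and then shows, in miniature, the dangling-pointer nullification idea that both papers are built on. To make chunk reuse deterministic it uses a hypothetical fixed-chunk allocator (chunk_alloc/chunk_free) in place of malloc/free, and a hypothetical registry (track_pointer/nullifying_free) in place of the papers' compiler-inserted instrumentation; it also assumes the usual all-zero representation of NULL.

```c
#include <stddef.h>
#include <string.h>

/* The two objects from the slides: an A full of integers and a B holding
 * function pointers. Both fit in one 16-byte chunk (B is 16 bytes on LP64, 8 on ILP32). */
struct A { int integer1, integer2, integer3, integer4; };
struct B { void (*function_ptr1)(void); void (*function_ptr2)(void); };

static void benign(void) { }

/* Hypothetical fixed-chunk allocator standing in for malloc(16)/free. It always
 * hands the lowest free chunk out again, so a freed chunk is guaranteed to be
 * reused by the very next allocation (a real heap usually does this too, but
 * not deterministically enough to assert on). */
#define CHUNK_SIZE 16
#define NCHUNKS 4
static union { unsigned char bytes[CHUNK_SIZE]; void *align; } arena[NCHUNKS];
static int chunk_in_use[NCHUNKS];

static void *chunk_alloc(void) {
    for (int i = 0; i < NCHUNKS; i++)
        if (!chunk_in_use[i]) {
            chunk_in_use[i] = 1;
            memset(arena[i].bytes, 0, CHUNK_SIZE);
            return arena[i].bytes;
        }
    return NULL;
}

static void chunk_free(void *obj) {
    for (int i = 0; i < NCHUNKS; i++)
        if (arena[i].bytes == obj) chunk_in_use[i] = 0;
}

/* The slide sequence: p dangles after free, q gets the same chunk as a struct B,
 * and the integer write through p lands on q->function_ptr1. Returns 1 if the
 * function pointer q is about to call was changed by the write through p. */
int uaf_corrupts_function_pointer(void) {
    struct A *p = chunk_alloc();
    p->integer1 = 1;
    chunk_free(p);                      /* p is now a dangling pointer */
    struct B *q = chunk_alloc();        /* reuses p's chunk for an object of another type */
    q->function_ptr1 = benign;
    q->function_ptr2 = benign;
    p->integer1 = 0x41414141;           /* "p->integer1 = value" from the slides */
    /* q->function_ptr1() would now jump to an attacker-chosen address; we only inspect it. */
    int hijacked = ((void *)p == (void *)q) && (q->function_ptr1 != benign);
    chunk_free(q);
    return hijacked;
}

/* Dangling-pointer nullification in miniature (our own toy registry, not the
 * papers' runtime): every pointer variable that may hold a heap pointer is
 * registered by its address, and on free every registered slot that still
 * holds the freed address is overwritten with NULL. */
#define MAX_SLOTS 8
static void *slots[MAX_SLOTS];          /* addresses of tracked pointer variables */
static int nslots;

static void track_pointer(void *slot) { if (nslots < MAX_SLOTS) slots[nslots++] = slot; }

static void nullifying_free(void *obj) {
    for (int i = 0; i < nslots; i++)
        if (memcmp(slots[i], &obj, sizeof obj) == 0)   /* slot still points at obj ... */
            memset(slots[i], 0, sizeof obj);            /* ... so nullify it (all-zero NULL assumed) */
    chunk_free(obj);
}

/* Same sequence, but freed through nullifying_free: p is NULL by the time the
 * stale write would happen, so it becomes a detectable NULL dereference instead
 * of a silent overwrite of q's function pointer. Returns 1 if p was nullified
 * and q's pointer is intact. */
int nullification_stops_uaf(void) {
    struct A *p = chunk_alloc();
    track_pointer(&p);
    p->integer1 = 1;
    nullifying_free(p);                 /* p == NULL from here on */
    struct B *q = chunk_alloc();
    q->function_ptr1 = benign;
    q->function_ptr2 = benign;
    if (p != NULL)                      /* the unsafe write would go through here */
        p->integer1 = 0x41414141;
    int intact = (p == NULL) && (q->function_ptr1 == benign);
    chunk_free(q);
    nslots = 0;                         /* p goes out of scope: drop its registration */
    return intact;
}
```

The first function is the slides' attack with the final call left out; the second shows why nullification works: the exploit needs the stale value of p, and removing that value at free time removes the aliasing between P and Q before any use. The toy registry tracks only the one local we registered by hand; the real systems have to find every copy of the pointer (heap, stack, registers spilled to memory) and that bookkeeping is where their overhead comes from.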