Improving Memory Management Security for C and C++

Yves Younan (Katholieke Universiteit Leuven, Belgium), Wouter Joosen (Katholieke Universiteit Leuven, Belgium), Frank Piessens (Katholieke Universiteit Leuven, Belgium) and Hans Van den Eynden (Katholieke Universiteit Leuven, Belgium)
DOI: 10.4018/978-1-4666-1580-9.ch011


Memory managers are an important part of modern languages and are used to dynamically allocate memory. Many managers exist; however, two major types can be identified: manual memory allocators and garbage collectors. In the case of manual memory allocators, the programmer must manually release memory back to the system when it is no longer needed. Problems can occur when a programmer forgets to release it, releases it twice, or uses freed memory. These problems are solved in garbage collectors. However, both manual memory allocators and garbage collectors store management information. This paper describes several vulnerabilities for C and C++ and how these could be remedied by modifying the management information of a representative manual memory allocator and garbage collector. Additionally, the authors present an approach that, when applied to memory managers, will protect against these attack vectors.
Chapter Preview

Heap-Based Vulnerabilities For Code Injection Attacks

There are a number of vulnerabilities that occur frequently and as such have become a favorite for attackers to use to perform code injection. We will examine how different memory allocators might be misused by using one of three common vulnerabilities: “heap-based buffer overflows”, “off by one errors” and “dangling pointer references”. In this section we will describe what these vulnerabilities are and how they could lead to a code injection attack.

Heap-Based Buffer Overflow

Heap memory is dynamically allocated at run-time by the application. Buffer overflows, which are usually exploited on the stack, are also possible in this kind of memory. Exploitation of such heap-based buffer overflows usually relies either on finding function pointers or on performing an indirect pointer attack (Bulba & Kil3r, 2000) on data pointers in this memory area. However, these pointers are not always present in the data stored by the program in this memory. As such, most attackers overwrite the memory management information that the memory allocator stores in or around memory chunks it manages. By modifying this information, attackers can perform an indirect pointer overwrite. This allows attackers to overwrite arbitrary memory locations, which could lead to a code injection attack (anonymous, 2001; Younan, 2003). In the following sections we will describe how an attacker could use specific memory managers to perform this kind of attack.
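To make the risk described above concrete, the following added example (not code from the chapter or from any real allocator) models a toy allocator that, like many manual memory managers, keeps its management information in a header placed directly in front of each chunk. The header carries a hypothetical integrity tag computed over the size and in-use fields; `toy_check` recomputes it before the metadata is trusted, and `toy_free` refuses to act on a chunk whose header no longer validates. The demonstration function fills chunk A with a caller-chosen number of bytes: a bounded fill leaves chunk B's header intact, while an overlong fill (a constructed missing-length-check bug) tramples it, which the check reports. The arena, the header layout, and the mixing function are assumptions made for the example; a hardened allocator would additionally key the tag with a secret or keep the metadata out of band, as the chapter's approach proposes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical in-band chunk header (assumption for this example). */
typedef struct chunk_hdr {
    uint32_t size;      /* usable bytes that follow the header */
    uint32_t in_use;    /* 1 while allocated, 0 after free */
    uint32_t checksum;  /* integrity tag over size and in_use */
} chunk_hdr;

#define ARENA_SIZE 256
/* A small static arena; the union keeps it 4-byte aligned for the headers. */
static union { uint32_t align; unsigned char bytes[ARENA_SIZE]; } arena_u;
#define arena (arena_u.bytes)
static size_t arena_top = 0;

/* Constructed mixing function over the header fields. Multiplication by an
   odd constant and the xor-shift are both bijections, so two headers with
   different size/in_use values never share a tag. */
static uint32_t hdr_checksum(const chunk_hdr *h) {
    uint32_t x = (h->size * 0x9E3779B1u) ^ (h->in_use + 0x7F4A7C15u);
    x ^= x >> 16;
    return x;
}

/* Bump-pointer allocation: header immediately precedes the user data, so an
   overflow out of one chunk lands in the next chunk's management information. */
void *toy_alloc(uint32_t size) {
    size_t need = sizeof(chunk_hdr) + size;
    if (arena_top + need > ARENA_SIZE) return NULL;
    chunk_hdr *h = (chunk_hdr *)(arena + arena_top);
    h->size = size;
    h->in_use = 1;
    h->checksum = hdr_checksum(h);
    arena_top += need;
    return (void *)(h + 1);
}

/* Returns 1 if the chunk's management information is intact, 0 if corrupted. */
int toy_check(const void *p) {
    const chunk_hdr *h = (const chunk_hdr *)p - 1;
    return h->checksum == hdr_checksum(h);
}

/* free() that validates the header before using it; returns 1 on success,
   0 when the metadata fails validation and must not be trusted. */
int toy_free(void *p) {
    if (!toy_check(p)) return 0;
    chunk_hdr *h = (chunk_hdr *)p - 1;
    h->in_use = 0;
    h->checksum = hdr_checksum(h);
    return 1;
}

void toy_reset(void) {
    arena_top = 0;
    memset(arena, 0, ARENA_SIZE);
}

/* Fill chunk A with copy_len bytes (constructed bug: no bound against A's
   16-byte size). Returns 0 if B's header is still valid, 1 if the check
   detected corruption, -1 on allocation failure. */
int demo_overflow_detected(size_t copy_len) {
    toy_reset();
    char *a = toy_alloc(16);
    char *b = toy_alloc(16);
    if (!a || !b) return -1;
    memset(a, 'A', copy_len);        /* copy_len > 16 runs into b's header */
    return toy_check(b) ? 0 : 1;
}

/* Whether toy_free accepts chunk B after the same fill: 1 accepted, 0 refused. */
int demo_free_after_fill(size_t copy_len) {
    toy_reset();
    char *a = toy_alloc(16);
    char *b = toy_alloc(16);
    if (!a || !b) return -1;
    memset(a, 'A', copy_len);
    return toy_free(b);
}

int main(void) {
    printf("bounded fill  -> corruption detected: %d\n", demo_overflow_detected(16));
    printf("overlong fill -> corruption detected: %d\n", demo_overflow_detected(20));
    printf("free after overlong fill accepted: %d\n", demo_free_after_fill(20));
    return 0;
}
```

The point of the check is where it runs: the tag is verified at the moment the allocator is about to act on the header (here, in `toy_free`), which is exactly when a corrupted size or link field would otherwise be turned into a write to an attacker-chosen address. In a real allocator the same validation would cover every field the free path dereferences, not just the two shown.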
