Use-after-free vulnerabilities (UaF vulnerabilities for short) are currently the most prevalent class of high-severity memory corruption vulnerability. Existing work on detecting UaF vulnerabilities is still incomplete, because the signature of a UaF vulnerability is that memory is allocated, the memory is freed, and the freed memory is then used, in that order, and these three events can appear anywhere in the program; detecting the vulnerability therefore requires tracking a long execution sequence and searching it for potentially dangerous event sequences, which greatly raises the difficulty of detection. Focusing on UaF vulnerabilities, this paper analyzes their root causes, how they are exploited, the security threats they pose and the challenges faced by vulnerability detection techniques, and then designs and implements a UaF vulnerability detection system for binary files based on static analysis and dynamic symbolic execution. Testing shows that the system can detect publicly disclosed UaF vulnerabilities. Using this system to find UaF vulnerabilities in software, and promptly patching or protecting the software, can effectively improve software robustness and reduce the security risks that UaF vulnerabilities bring.
Use-after-free (UaF) vulnerabilities are among the most common and most dangerous memory corruption vulnerabilities. However, UaF vulnerabilities are difficult to detect. A UaF vulnerability is triggered if and only if three operations occur on the same memory region, in the order of allocating the memory, freeing it, and using the freed memory. These three operations may be scattered anywhere in the program, so the analysis must track a long execution sequence and search it for potentially vulnerable event sequences in order to detect UaF vulnerabilities. This study analyzes the root causes of UaF vulnerabilities, the ways they are exploited, the severity of the threat and the challenges in detecting them. A solution based on static analysis and dynamic symbolic execution is then presented for detecting UaF vulnerabilities in binaries. Tests show that this solution can detect known vulnerabilities in a benchmark. The detection system can therefore be used to identify and fix such bugs and improve application security.
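The abstract's core observation is that a UaF is an ordered triple of events (allocate, free, use) on the same region, which a detector must recover from a long execution trace. The following C program is an added illustration, not code from the paper's system: it replays a constructed event trace against a shadow table of heap regions and flags any use or free that hits an already-freed region, while treating re-allocation of the same address as re-arming the region (the case that makes naive pointer-value checks miss or misreport dangling pointers). All event and region types here are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Event kinds in a constructed execution trace: allocate, free, use. */
typedef enum { EV_ALLOC, EV_FREE, EV_USE } EvKind;
typedef struct { EvKind kind; uintptr_t addr; size_t size; } Event;

/* Shadow record of one heap region, as a tracer would maintain it. */
typedef struct { uintptr_t base; size_t size; bool freed; } Region;
#define MAX_REGIONS 64

/* Index of the region whose [base, base+size) contains addr, or -1. */
static int find_region(const Region *r, int n, uintptr_t addr) {
    for (int i = 0; i < n; i++)
        if (addr >= r[i].base && addr < r[i].base + r[i].size) return i;
    return -1;
}

/* Replays the trace in order; returns the number of events that touch a
 * region already freed (use-after-free, plus double free). */
int count_uaf(const Event *ev, int n_ev) {
    Region regions[MAX_REGIONS];
    int n_reg = 0, hits = 0;
    for (int i = 0; i < n_ev; i++) {
        int idx = find_region(regions, n_reg, ev[i].addr);
        switch (ev[i].kind) {
        case EV_ALLOC: /* allocator reuse re-arms the region: later uses are valid */
            if (idx >= 0) { regions[idx].size = ev[i].size; regions[idx].freed = false; }
            else if (n_reg < MAX_REGIONS)
                regions[n_reg++] = (Region){ ev[i].addr, ev[i].size, false };
            break;
        case EV_FREE:
            if (idx >= 0 && regions[idx].freed) { hits++; printf("double free at event %d\n", i); }
            else if (idx >= 0) regions[idx].freed = true;
            break;
        case EV_USE:
            if (idx >= 0 && regions[idx].freed) { hits++; printf("use-after-free at event %d\n", i); }
            break;
        }
    }
    return hits;
}

/* Constructed trace: region 0x1000 is allocated, freed and then used (UaF),
 * region 0x2000 is freed and re-allocated before use (benign reuse),
 * and finally 0x1000 is freed a second time (double free). */
static const Event sample_trace[] = {
    { EV_ALLOC, 0x1000, 32 }, { EV_USE, 0x1008, 0 }, { EV_FREE, 0x1000, 0 },
    { EV_USE, 0x1010, 0 },                                 /* flagged */
    { EV_ALLOC, 0x2000, 16 }, { EV_FREE, 0x2000, 0 },
    { EV_ALLOC, 0x2000, 16 }, { EV_USE, 0x2004, 0 },       /* not flagged */
    { EV_FREE, 0x1000, 0 },                                /* flagged */
};

int run_sample(void) {
    return count_uaf(sample_trace, (int)(sizeof sample_trace / sizeof *sample_trace));
}
```

The same replay logic applies to a trace recorded by a real instrumentation or symbolic-execution engine, provided every allocation and free is logged with its address and size.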