A PRACTICAL ROBUST MITIGATION AND TESTING TOOL FOR USE-AFTER-FREE VULNERABILITIES presented at Ruxcon 2015

by Yves Younan

Summary: Use-after-free vulnerabilities occur when a program marks memory as free but subsequently tries to use that memory.
Such a vulnerability can lead to remote code execution when exploited. These vulnerabilities are difficult to spot during code reviews because of the complexity of dynamic memory operations, where the free can occur thousands of lines away from the actual re-use. Many of these vulnerabilities also cause no runtime errors during regular operation, making them hard to detect through automated testing. Due to the various mitigations deployed on modern operating systems, these are currently the most exploited vulnerabilities on Windows 7 and higher platforms. The mitigation presented here, FreeSentry, provides protection against these types of vulnerabilities. It does so by dynamically tracking memory: when a memory location is freed, all pointers to that location are invalidated. If a use-after-free occurs within a program, the program will attempt to use one of the invalidated pointers and will crash, preventing an attacker from exploiting the vulnerability.
A major advantage of our approach is that it is fully compatible with unprotected code, allowing non-protected libraries to work in conjunction with protected programs or modules. This also allows programmers to decide, coarsely or granularly, which parts of the application they want to protect. Since any attempted misuse of the protected memory results in a crash, it can also be used as a testing tool to detect the existence of such bugs more easily when fuzzing applications.
The presentation will demonstrate the effectiveness of the protection by showing that the mitigation protects against a number of real-world vulnerabilities. It has also found new ones, notably in a popular performance benchmark, that were missed by similar mitigations. This means that it is effective to use as a tool when fuzzing.
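The pointer-invalidation idea described above, as an added illustration that is not FreeSentry's own code: a toy allocator records which locations hold pointers, and on free it sets every tracked pointer into the freed object to NULL, so a later use-after-free dereferences NULL (a crash a fuzzer sees) instead of silently touching reused memory. All function and type names here are hypothetical, and the registration that a compiler pass would emit is done by hand.

```c
/* Added example (not FreeSentry's code): minimal pointer-tracking free.
 * Tracked pointer slots that point into a freed object are set to NULL,
 * turning a silent use-after-free into a deterministic NULL dereference. */
#include <stdlib.h>
#include <stdint.h>

#define MAX_TRACKED 64

struct tracked { void **slot; };             /* a location holding a pointer */
struct alloc   { void *base; size_t size; }; /* a live heap object           */

static struct tracked slots[MAX_TRACKED];
static struct alloc   allocs[MAX_TRACKED];
static int nslots, nallocs;

/* Allocate and record the object so fs_free can find pointers into it. */
void *fs_malloc(size_t size) {
    void *p = malloc(size);
    if (p && nallocs < MAX_TRACKED) {
        allocs[nallocs].base = p;
        allocs[nallocs].size = size;
        nallocs++;
    }
    return p;
}

/* Register a pointer-holding location (FreeSentry does this at compile time). */
void fs_track(void **slot) {
    if (nslots < MAX_TRACKED) slots[nslots++].slot = slot;
}

/* Free the object and NULL every tracked pointer into it; returns how many
 * pointers were invalidated, or -1 if p was not obtained from fs_malloc. */
int fs_free(void *p) {
    for (int i = 0; i < nallocs; i++) {
        if (allocs[i].base != p) continue;
        uintptr_t lo = (uintptr_t)p, hi = lo + allocs[i].size;
        int invalidated = 0;
        for (int j = 0; j < nslots; j++) {
            uintptr_t v = (uintptr_t)*slots[j].slot;
            if (v >= lo && v < hi) { *slots[j].slot = NULL; invalidated++; }
        }
        allocs[i] = allocs[--nallocs];
        free(p);
        return invalidated;
    }
    return -1;
}

/* Both the base pointer and an interior alias become NULL after the free. */
int demo_uaf_is_neutralised(void) {
    char *buf = fs_malloc(16), *alias;
    fs_track((void **)&buf);
    fs_track((void **)&alias);
    alias = buf + 4;                 /* interior pointer into the same object */
    int n = fs_free(buf);
    return n == 2 && buf == NULL && alias == NULL;
}
```

A real deployment must also handle pointers copied after registration and pointers stored in heap objects, which is why FreeSentry tracks pointer stores rather than relying on manual registration.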