Abstract
Memory corruption exploits continue to plague high-profile
applications such as web browsers, high-performance servers, and
mobile devices. Modern defenses have rendered the classic attack vector
of executing shellcode directly on the stack impotent and obsolete.
Instead, modern exploits frequently corrupt the data structures of a
program's memory allocator in order to take control of the running
process. These heap attacks are much harder to defend against than
classic stack-based buffer overflows because the attacker rarely
overwrites a control target directly: the allocator itself, acting on
the corrupted metadata, performs the writes that hand over control of
the process.
In this work, we propose a memory allocator that uses the memory
protection keys (MPK) found in recent Intel CPUs to ensure the
integrity and confidentiality of heap metadata. We present a prototype
implementation that hardens the tcmalloc and PartitionAlloc memory
allocators used by the popular Chrome web browser. Our allocator
protects each page containing heap metadata with a key that gives the
allocator exclusive access to that page; any other read or write to
the page is refused by the hardware. Effectively, the allocator thwarts
at the hardware level any attempt to compromise the integrity or
confidentiality of heap metadata. We embed our allocator in the
open-source Chromium web browser, demonstrate its ability to stop
realistic attack vectors that corrupt heap metadata, and evaluate the
performance overhead of Chromium+MPK on the top 50 websites in the
Alexa ranking. Our evaluation shows that the proposed allocator
introduces 3.7% performance overhead when browsing the most popular
websites, in exchange for a significant increase in security against
heap metadata exploitation.
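To make the mechanism described above concrete, here is an added example; it is not code from the paper, from tcmalloc or from PartitionAlloc. A toy allocator keeps its allocation map on a page of its own, tags that page with a protection key obtained through pkey_alloc(2), and opens the key in PKRU (via WRPKRU) only around its own metadata accesses. A simulated attacker store aimed at the metadata page while the key is closed then faults with SIGSEGV, which is the property the abstract claims. The layout (64 chunks of 256 bytes), the function names (mpk_heap_init, mpk_malloc, mpk_free, attacker_overwrite_metadata) and the raw syscall plumbing are assumptions for illustration; on a kernel or CPU without PKU the example reports that and runs with the metadata unprotected, so the attacker write lands.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed toy layout for illustration (not tcmalloc's or PartitionAlloc's): fixed-size
 * chunks on data pages, allocation map on its own page so that page alone can be
 * tagged with a protection key. */
#define NCHUNKS  64
#define CHUNK_SZ 256

static uint32_t *g_used;      /* metadata page: g_used[i] == 1 if chunk i is live */
static unsigned char *g_data; /* NCHUNKS * CHUNK_SZ bytes of chunk storage */
static int g_pkey = -1;       /* -1: PKU unavailable, metadata left unprotected */

/* PKRU is a per-thread register written by the unprivileged WRPKRU instruction; bit 2k
 * is "access disable" for key k. Only executed once pkey_alloc succeeded (PKU present). */
#if defined(__x86_64__)
static uint32_t rdpkru(void) { uint32_t a, d; __asm__ volatile(".byte 0x0f,0x01,0xee" /* rdpkru */ : "=a"(a), "=d"(d) : "c"(0)); (void)d; return a; }
static void wrpkru(uint32_t v) { __asm__ volatile(".byte 0x0f,0x01,0xef" /* wrpkru */ : : "a"(v), "c"(0), "d"(0) : "memory"); }
#else
static uint32_t rdpkru(void) { return 0; }
static void wrpkru(uint32_t v) { (void)v; }
#endif

/* The allocator's window onto its metadata: opened only inside allocator code. */
static void meta_open(void)  { if (g_pkey >= 0) wrpkru(rdpkru() & ~(3u << (2 * g_pkey))); }
static void meta_close(void) { if (g_pkey >= 0) wrpkru(rdpkru() | (1u << (2 * g_pkey))); }

int mpk_protected(void) { return g_pkey >= 0; }

/* 1: metadata page key-protected; 0: no PKU, running unprotected; -1: mmap failed. */
int mpk_heap_init(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    void *d = mmap(NULL, NCHUNKS * CHUNK_SZ, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED || d == MAP_FAILED)
        return -1;
    g_used = memset(m, 0, NCHUNKS * sizeof *g_used);
    g_data = d;
#ifdef SYS_pkey_alloc
    /* Key whose initial rights are PKEY_DISABLE_ACCESS (=1, window starts closed); the call
     * fails with ENOSPC/ENOSYS on a kernel or CPU without PKU and we fall through. */
    g_pkey = (int)syscall(SYS_pkey_alloc, 0UL, 1UL);
    if (g_pkey >= 0 && syscall(SYS_pkey_mprotect, m, pg, PROT_READ | PROT_WRITE, g_pkey) != 0) {
        syscall(SYS_pkey_free, g_pkey);
        g_pkey = -1;
    }
#endif
    return g_pkey >= 0;
}

void *mpk_malloc(size_t n)
{
    void *p = NULL;
    if (!g_used || n == 0 || n > CHUNK_SZ)
        return NULL;
    meta_open();
    for (int i = 0; i < NCHUNKS && !p; i++)
        if (!g_used[i]) { g_used[i] = 1; p = g_data + (size_t)i * CHUNK_SZ; }
    meta_close();
    return p;
}

/* 0 on success, -1 for anything that is not a live chunk (wild pointer, double free). */
int mpk_free(void *p)
{
    int rc = -1;
    ptrdiff_t off = (g_used && p) ? (unsigned char *)p - g_data : -1;
    if (off < 0 || off % CHUNK_SZ != 0 || off / CHUNK_SZ >= NCHUNKS)
        return -1;
    meta_open();
    if (g_used[off / CHUNK_SZ] == 1) { g_used[off / CHUNK_SZ] = 0; rc = 0; }
    meta_close();
    return rc;
}

static sigjmp_buf g_fault;
static void on_segv(int sig) { (void)sig; siglongjmp(g_fault, 1); }

/* The attack from the abstract: a wild write, outside allocator code, aimed at the
 * metadata page while the window is closed. With PKU the store faults (SIGSEGV,
 * si_code SEGV_PKUERR). Returns 1 if blocked, 0 if the corruption landed. */
int attacker_overwrite_metadata(void)
{
    struct sigaction sa = { .sa_handler = on_segv }, old;
    int blocked = 0;
    if (!g_used)
        return -1;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(g_fault, 1) == 0)
        *(volatile uint32_t *)&g_used[0] = 0x41414141u; /* forge chunk 0's state */
    else
        blocked = 1;
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}
```

Two caveats a practitioner should keep in mind when reading the overhead figure against this sketch. PKRU is per thread, so every thread that runs allocator code must toggle the key itself, and the open/close pair sits on the hot path of each allocation; the two WRPKRU instructions are what the 3.7% pays for. And WRPKRU is unprivileged: the protection holds against data-only corruption (the attacker steering a wild write at the metadata page), not against an attacker who already executes code or can reach the metadata page through mprotect(2), pkey_mprotect(2), ptrace or a forged signal frame. Those bypasses are exactly what the "PKU Pitfalls" paper listed under Refs catalogues, and a deployment has to close them separately.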
Refs
- ERIM: Secure, Efficient In-process Isolation with Protection Keys (USENIX Security 2019)
- Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries (USENIX ATC 2019)
- PKU Pitfalls: Attacks on PKU-based Memory Isolation Systems (USENIX Security 2020)