Research On Heap Vulnerability Defense Technology In Secure Allocator

Posted on: 2021-04-15
Degree: Master
Type: Thesis
Country: China
Candidate: K M Li
GTID: 2518306500976109
Subject: Computer technology

Abstract/Summary:
In recent years, heap safety has received more and more attention. Not only has the number of heap vulnerabilities increased, but there have also been more and more articles related to heap safety, which shows that heap safety is still a serious and real threat. One of the reasons is that existing secure allocators still have shortcomings, such as failing to provide sufficient safety protection or incurring non-negligible time overhead. This paper summarizes and analyzes the security measures of existing secure allocators and points out three shortcomings in the existing work. First, the defenses against use-after-free (UAF) in existing secure allocators cannot effectively deal with exploitation of UAF combined with heap spraying. Second, the metadata protection schemes in existing secure allocators cannot achieve security and efficiency at the same time. Third, existing secure allocators cannot ensure that the memory layout is sufficiently sparse and unpredictable while remaining highly efficient, which makes it easier to inject shellcode through heap spraying.

To address these three shortcomings, this paper designs and implements a new secure allocator and proposes a variety of new strategies. First, in-block address randomization is proposed to prevent exploitation of UAF combined with heap spraying. Randomizing addresses within the block hides the key information needed during UAF exploitation and so strengthens the UAF defense. When allocating memory to the user program, the allocator hands out a block larger than the requested size and uses the difference between the block size and the requested size to randomize the position of the pointer returned to the program. Even if a malicious attacker uses heap spraying to cause the memory block to be reused, the attacker cannot know the exact location of the original data. Second, MPK, a lightweight isolation solution, is used to isolate metadata, balancing the security of metadata against the execution efficiency of the memory allocator. Third, when the per-thread cache is filled, a dynamic per-thread heap and a strategy of reusing large memory as small memory are used to dynamically adjust the source of the small memory allocated to the requesting program, so that the small memory requested by the program is dispersed to a certain extent across the entire process address space. This avoids a large area of shellcode forming in one part of the address space when heap spraying is used to inject shellcode, and reduces the success rate of jumping to the shellcode.

This paper also refers to the safety evaluation standards for secure allocators in the latest work and implements a variety of existing security strategies, to ensure that the secure allocator implemented here is not weaker than existing secure allocators on other safety indicators. An analysis of the safety measures shows that the safety of this work is better than that of existing work. Multiple existing vulnerabilities and CTF challenges are used to evaluate the secure allocator, which proves that it can effectively defend against existing security vulnerabilities. It is also compared with a number of the latest works to prove that the in-block address randomization proposed in this paper can effectively prevent exploitation of UAF combined with heap spraying. Finally, benchmark tests show that, while enhancing the security of existing secure allocators, it does not bring too much time overhead.
Keywords/Search Tags:Memory security, Heap security, Memory vulnerability
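
The in-block address randomization described in the abstract, sketched as an added example that is not code from the thesis: a wrapper over `malloc` over-allocates each request and returns a randomly chosen aligned position inside the slack, so a reused block does not reveal where the previous object's data sat. The names `rnd_alloc`, `rnd_free` and `rnd_offset`, the 16-slot and 16-byte parameters, the fixed-size side table and the use of Linux `getrandom` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/random.h>              /* getrandom(): Linux, assumed here */

#define ALIGN 16u                    /* assumed pointer alignment */
#define SLOTS 16u                    /* assumed candidate positions per block */
#define SLACK (ALIGN * (SLOTS - 1))  /* extra bytes added to every request */
#define MAX_LIVE 256                 /* assumed size of the toy side table */

/* Side table, kept apart from user data: user pointer -> real block base. */
static struct { unsigned char *user, *base; } live[MAX_LIVE];

static uint32_t rnd32(void) {        /* kernel CSPRNG; abort rather than fall back */
    uint32_t v;
    if (getrandom(&v, sizeof v, 0) != (ssize_t)sizeof v) abort();
    return v;
}
static int find(const void *p) {     /* find(NULL) returns a free table entry */
    for (int i = 0; i < MAX_LIVE; i++) if (live[i].user == p) return i;
    return -1;
}

void *rnd_alloc(size_t size) {
    int i = find(NULL);
    if (i < 0 || size > SIZE_MAX - SLACK) return NULL;  /* table full / overflow */
    if (!(live[i].base = malloc(size + SLACK))) return NULL;
    /* Hand back one of SLOTS aligned positions; size bytes always fit after it. */
    live[i].user = live[i].base + (size_t)(rnd32() % SLOTS) * ALIGN;
    return live[i].user;
}

long rnd_offset(const void *p) {     /* offset inside the block, -1 if not live */
    int i = p ? find(p) : -1;
    return i < 0 ? -1 : (long)(live[i].user - live[i].base);
}
int rnd_free(void *p) {              /* -1 rejects unknown pointers and double frees */
    int i = p ? find(p) : -1;
    if (i < 0) return -1;
    free(live[i].base);              /* free the real base, never the user pointer */
    live[i].user = live[i].base = NULL;
    return 0;
}

int main(void) {                     /* same size, freed and reallocated */
    for (int n = 0; n < 4; n++) {
        void *p = rnd_alloc(64);
        printf("round %d: offset %ld\n", n, rnd_offset(p));
        rnd_free(p);
    }
}
```

The slack is the cost of the scheme: every allocation here carries 240 extra bytes, which is the security and overhead trade-off the abstract refers to.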