The defense of Use-After-Free (UAF) exploits generally could be guaranteed via static or dynamic analysis, however, both of which are restricted to intrinsic deficiency. The static analysis has limitations in loop handling, optimization of memory representation and constructing a satisfactory test input to cover all execution paths. While the lack of maintenance of pointer information in dynamic analysis may lead to defects that cannot accurately identify the relationship between pointers and memory. In order to successfully exploit a UAF vulnerability, attackers need to reference freed memory. However, main existing schemes barely defend all types of UAF exploits because of the incomplete check of pointers. To solve this problem, we propose UAF-GUARD to defend against the UAF exploits via fine-grained memory permission management. Specially, we design two key data structures to enable the fine-grained memory permission management to support efficient relationship search for pointers and memory, which is the key design of our defending scheme against UAF exploits. In addition, UAF-GUARD can precisely locate the position of UAF vulnerabilities, so that malicious programs can be terminated in the place where the abnormality is discovered. We implement UAF-GUARD on a 64-bit Linux system, and further use UAF-GUARD to transform a program into a suitable version that can defend against UAF vulnerabilities exploits. Compared with main existing schemes UAF-GUARD is able to effectively and efficiently defend against all the three types of UAF exploits with acceptable space overhead (26.4% for small programs and 0.3% for large programs) and time complexity (21.9%).
Read full abstract