Rethinking Misalignment to Raise the Bar for Heap Pointer Corruption
Heap layout randomization renders a good portion of heap vulnerabilities unexploitable. However, some remnants of the vulnerabilities are still exploitable even under the randomized layout. According to our analysis, such heap exploits often abuse pointer-width allocation granularity to spray crafted pointers. To address this problem, we explore the efficacy of byte-granularity (the most fine-grained) heap randomization, leveraging the advancement of CPU architectures that handle arbitrary memory access alignment. Heap randomization in general has been a well-trodden area; however, the efficacy of byte-granularity randomization has never been fully explored, as it involves unaligned access, which degrades performance and raises compatibility issues. In this paper, we discuss byte-granularity heap randomization and conduct a comprehensive analysis along three axes: (i) security effectiveness, (ii) performance impact, and (iii) compatibility, to measure deployment cost. Moreover, we design a new heap allocator (RUMA) based on the results of CPU microbenchmark analysis. The security discussion is based on case studies using 20 publicly disclosed heap vulnerabilities. The performance and compatibility analysis are based on cycle-level microbenchmarks, SPEC2006, Coreutils, Nginx, and ChakraCore.
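To make the core idea concrete, the following is an added, self-contained toy allocator (not RUMA's code and not from the paper) that returns each block at a random byte offset inside an over-allocated chunk, so that sprayed pointer-width values no longer line up with pointer slots on a predictable boundary. The names `bg_malloc`, `bg_free`, `bg_count_aligned` and the 16-byte `MAX_SHIFT` are assumptions for illustration; `rand()` stands in for a real entropy source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SHIFT 16  /* user pointer is shifted by 0..15 bytes (hypothetical parameter) */

/* Bookkeeping stored right before the user block so the raw pointer can be recovered on free. */
typedef struct { void *raw; } bg_hdr;

/* Allocate n bytes at a byte-granular random offset inside an over-allocated chunk. */
void *bg_malloc(size_t n) {
    unsigned char *raw = malloc(sizeof(bg_hdr) + MAX_SHIFT + n);
    if (raw == NULL) return NULL;
    size_t shift = (size_t)rand() % MAX_SHIFT;          /* rand() for illustration only */
    unsigned char *user = raw + sizeof(bg_hdr) + shift;
    bg_hdr h = { raw };
    memcpy(user - sizeof(bg_hdr), &h, sizeof h);        /* memcpy: header may be unaligned */
    return user;
}

/* Recover the raw chunk pointer from the header and release it. */
void bg_free(void *p) {
    if (p == NULL) return;
    bg_hdr h;
    memcpy(&h, (unsigned char *)p - sizeof(bg_hdr), sizeof h);
    free(h.raw);
}

/* 1 if p sits on a pointer-width boundary, 0 otherwise. */
int bg_is_pointer_aligned(const void *p) {
    return ((uintptr_t)p % sizeof(void *)) == 0;
}

/* Allocate, fully write, and free `count` blocks of n bytes; return how many were pointer-aligned. */
size_t bg_count_aligned(size_t count, size_t n) {
    size_t aligned = 0;
    for (size_t i = 0; i < count; i++) {
        unsigned char *p = bg_malloc(n);
        if (p == NULL) abort();
        memset(p, 0x41, n);   /* the whole block must be usable regardless of the shift */
        aligned += (size_t)bg_is_pointer_aligned(p);
        bg_free(p);
    }
    return aligned;
}

int main(void) {
    srand(1);
    printf("%zu of 1000 allocations were pointer-aligned\n", bg_count_aligned(1000, 32));
    return 0;
}
```

With a 16-byte shift range only the shifts 0 and 8 yield an 8-byte-aligned pointer, so roughly one allocation in eight lands on a pointer boundary; the unaligned header accesses are the cost the paper's performance analysis measures.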