Tuesday, March 17, 2015

Research Spotlight: Exploiting Use-After-Free Vulnerabilities

This blog post was authored by Earl Carter & Yves Younan.

Talos is constantly researching the ways in which threat actors take advantage of security weaknesses to exploit systems. Yves Younan of Talos will be presenting at CanSecWest on Friday March 20th. The topic of his talk will be FreeSentry, a software-based mitigation technique developed by Talos to protect against exploitation of use-after-free vulnerabilities. Use-after-free vulnerabilities have become an important class of security problems due to the existence of mitigations that protect against other types of vulnerabilities, such as buffer overflows.

Just examining the CVE entries for 2015, you can already see over 20 use-after-free vulnerabilities identified so far this year, impacting various common software applications.

Use-after-free vulnerabilities occur when a program marks memory as free, but then subsequently tries to use that memory. The following code snippet shows a sample of how a use-after-free vulnerability may appear in code:

char* transaction_str = (char*)malloc (SIZE);

if (error_condition) {
    transaction_aborted = 1;
    free(transaction_str);   /* memory is released, but transaction_str still holds its address */
}

if (transaction_aborted) {
    /* the dangling pointer is dereferenced here: the use-after-free */
    logErrorMessage("Transaction aborted: ", transaction_str);
}

Such a vulnerability can lead to remote code execution when exploited. These vulnerabilities are difficult to spot during code reviews because of the complexity of dynamic memory operations, where the free can occur thousands of lines from the actual re-use. Many of these vulnerabilities may not cause any runtime errors during regular operation unless specific conditions are met, making them hard to detect through automated testing.

Security mitigations on modern operating systems continue to evolve. Because of the mitigations that have been deployed against other vulnerability classes, use-after-free vulnerabilities are currently the most exploited vulnerabilities on Windows 7 and higher platforms. During his talk, Yves will describe FreeSentry in detail. The mitigation works by dynamically tracking pointers to heap memory. When a memory location is freed, all pointers to that location are invalidated. If a use-after-free occurs within a program, the program will attempt to use one of the invalidated pointers and will crash, thus preventing an attacker from exploiting the vulnerability.

Since any attempted use of the pointer will result in a crash, the technique also makes it easier to detect use-after-free vulnerabilities when fuzzing the software. During the presentation, Yves will demonstrate the effectiveness of the protection by showing that the mitigation protects against a number of real-world vulnerabilities. This technique has also found new vulnerabilities, particularly in a popular performance benchmark, that were missed by similar mitigations. A paper describing the mitigation was published in February at NDSS; this talk will cover the contents of that paper as well as highlighting further improvements we have made since the paper was originally presented.
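The following C program is an added illustration of the two ideas above and is not FreeSentry's code (FreeSentry is compiler-based instrumentation described in the NDSS paper). It implements the blog's transaction snippet twice: once with plain malloc/free, where the error path logs through a stale pointer, and once through an assumed, simplified pointer registry (tracked_malloc, track_pointer, tracked_free, all names invented here) that sets every registered pointer into a freed object to NULL at free time. The registry, the SIZE value and the sample string are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 64          /* buffer size for the blog's snippet (constructed value) */
#define MAX_ENTRIES 32   /* capacity of this toy tracker */

/* Heap objects currently known to the tracker: base address and size. */
struct alloc_entry { char *base; size_t size; };
static struct alloc_entry allocs[MAX_ENTRIES];
/* Addresses of pointer variables that may hold heap addresses. */
static void **slots[MAX_ENTRIES];
static int n_allocs = 0, n_slots = 0;

void tracker_reset(void) { n_allocs = 0; n_slots = 0; }

/* malloc() wrapper that records the new object's bounds. */
void *tracked_malloc(size_t size) {
    char *p = malloc(size);
    if (p && n_allocs < MAX_ENTRIES)
        allocs[n_allocs++] = (struct alloc_entry){ p, size };
    return p;
}

/* Register a pointer variable (by its address) so free can find and clear it. */
void track_pointer(void **slot) {
    if (n_slots < MAX_ENTRIES) slots[n_slots++] = slot;
}

/* free() wrapper: before releasing obj, set every registered pointer whose
 * value lies inside obj to NULL. Returns how many pointers were invalidated. */
int tracked_free(void *obj) {
    int invalidated = 0;
    for (int i = 0; i < n_allocs; i++) {
        if (allocs[i].base != (char *)obj) continue;
        uintptr_t lo = (uintptr_t)allocs[i].base;
        uintptr_t hi = lo + allocs[i].size;
        for (int j = 0; j < n_slots; j++) {
            uintptr_t v = (uintptr_t)*slots[j];
            if (v >= lo && v < hi) { *slots[j] = NULL; invalidated++; }
        }
        allocs[i] = allocs[--n_allocs];   /* forget the object */
        break;
    }
    free(obj);
    return invalidated;
}

/* The blog's transaction pattern, run with or without pointer tracking.
 * Returns 1 if the error-path log call would go through a stale pointer
 * (the use-after-free), 0 if every copy of the pointer was invalidated. */
int run_transaction(int error_condition, int use_tracking) {
    tracker_reset();
    int transaction_aborted = 0;
    char *transaction_str = use_tracking ? tracked_malloc(SIZE) : malloc(SIZE);
    char *saved_copy = transaction_str;   /* a second copy, e.g. kept by a log context */
    if (!transaction_str) return -1;
    if (use_tracking) {
        track_pointer((void **)&transaction_str);
        track_pointer((void **)&saved_copy);
    }
    strcpy(transaction_str, "constructed sample transaction");

    if (error_condition) {
        transaction_aborted = 1;
        if (use_tracking) tracked_free(transaction_str);
        else free(transaction_str);           /* pointer values are left untouched */
    }

    int stale_use = 0;
    if (transaction_aborted) {
        /* Unmitigated: transaction_str still holds the freed address and the
         * log call would read recycled memory. Mitigated: both copies are NULL,
         * and under FreeSentry-style instrumentation the dereference would
         * crash rather than silently succeed; here we only report the state. */
        if (transaction_str != NULL || saved_copy != NULL) stale_use = 1;
        else printf("log: pointer invalidated, freed buffer not read\n");
    } else {
        printf("log: %s\n", transaction_str);
        if (use_tracking) tracked_free(transaction_str);
        else free(transaction_str);
    }
    return stale_use;
}

int main(void) {
    printf("unmitigated error path: stale_use=%d\n", run_transaction(1, 0));
    printf("tracked error path:     stale_use=%d\n", run_transaction(1, 1));
    return 0;
}
```

The point to take from the tracked run is the one the post makes about fuzzing: once every copy of the pointer is cleared at free time, the bug stops being a silent read of recycled memory that depends on heap layout and becomes a deterministic NULL dereference at the first stale use, which a crash harness catches immediately.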

Talos will publish an in-depth blog post outlining FreeSentry and its latest improvements the week of March 30, 2015.
