COMSM0049

Week 2 Homework

Reading

(Key bits marked with a *, rest optional)

• • Vudu malloc tricks (Michel “MaXX” Kaempf)
• • Once upon a free (anonymous)
• The Malloc Maleficarum (Phantasmal Phantasmagoria)

• The Malloc Des-Maleficarum (blackngel) :: A practical guide to the Malloc Maleficarum…

• • Glibc Malloc Internals :: a really good guide to how malloc works

Alternative explanations and videos

• Live Overflow 0x14: The Heap: what does malloc() do?
• Live Overflow 0x15: The Heap: How to exploit a Heap Overflow
• Live Overflow 0x16: How do use-after-free exploits work?
• Live Overflow 0x17: The Heap: Once upon a free()
• Live Overflow 0x18: The Heap: dlmalloc unlink() exploit

Exercises

1. Explain what is meant by an arena, a heap, and a chunk and how they relate? (5 marks)

2. To defend against use after free attacks, Alice has the following macro defined:

#define FREE(x) { free(x); x = NULL; }

Is that going to be sufficient to stop the vulnerability and why? What tradeoffs are being made? What about compiler optimizations? (5 marks)

1. The CHERI architecture is a (really cool) new instruction set architecture that makes it impossible to exploit buffer overflows by replacing pointers with capabilities; that is bounded data structures that provide hardware protection against buffer overflows by ensuring that all pointers are bounds checked (they’re not just an address but instead a base address and an offset that defines the permissible range, that can’t be fiddled with via register arithmetic). Speculate on whether these new capabilities would also protect against heap overflow attacks in particular use after free.

…okay maybe that last one would be rather mean for an exam; speculate away and we can discuss in the next lab if anyone is keen!

(also… Microsoft have recently anounced that they’ll including support for CHERI primitives in the latest version of Windows; sometimes research really does become real world technology!)

Answers (do not check this before you try to answer the exercices alone)

1. The arena is a block of memory shared between threads of a process which the alloca]tor can allocate from (1). A heap is an area of memory within an arena that will be divided up by an allocator (1) Chunks are sections of a heap that are either allocated or free for allocation (1)

An arena will contain at least one heap (1) A heap will be divided up into chunks as memory is allocated and freed (1)

1. No. (1)

Whilst that will stop (or at least force writes to null) if x is reused in the same function call (1) as soon as x is aliased (ie. passed in a function call or copied) it wont with the aliased call. (1)

Checking that you’re not reusing a pointer after you free it is useful in a function and will likely cause an explicit crash now, but this shouldn’t give you false confidence that the bug isnt actually present. In the best case if x really isnt ever used again in that function call the compiler will remove the write to x anyway as a dead write making the whole exercise redundant (1).

1. https://ctsrd-cheri.github.io/cheri-exercises/exercises/buffer-overflow-heap/index.html

This definitely falls into only if youre interested territory, but CHERI is really interesting.