Title: SECURE PROGRAMMING
1SECURE PROGRAMMING Chapter 4 Dynamic Memory
Management
2Overview
- Introduction
- C Memory Management
- Common C Memory Management errors
- C Dynamic Memory Management
- Common C Dynamic Memory Management Errors
- Memory Managers
- Doug Lea's Memory Allocator
- RtlHeap
- Heap management vulnerabilities
- Buffer overflows
- Double-Free Vulnerabilities
- Writing to freed memory
- Another Windows vulnerability Look-Aside Table
- Mitigation Strategies
- Vulnerability Hall of Shame
- Summary
3Introduction
- Memory management is a source of
- programming defects
- security flaws
- vulnerabilities
- Main causes
- Double freeing
- Buffer overflows
- use of freed pointers
- .
4C Memory Management
- Functions defined
- malloc(size_t size)
- aligned_alloc(size_t alignment,size_t size)
- realloc(void p, size_t size) (Do not use size0)
- calloc(size_nmemb, size_t size) (initializes to
0) - free(void p)
5C Memory Management
- The importance of alignment
- subobjects
- complete objects
- alignment hierarchy (weaker to stronger/stricter)
- max_align_t
- alignas(size_t size) (support for SIMD)
- extended alignment gt max_align_t
- overaligned type
- Note that realloc() does not preserve alignment!
6C Memory Management
- alloca(size_t size)
- Allocates on stack area
- Usually inlined
- Non-standard
- Dangerous
- Variable length arrays similar. Lots of caveats
7Common C Memory Management Errors
- Initialization errors
- Random behavior
- Security leaks
- Use memset(void s, int c, size_t n) or
memset_s() - Can use calloc, provided the product of the
arguments doesn't overflow.
8Common C Memory Management Errors
- Failing to check return values
- AIX and Linux may allow allocation requests to
succeed even if there is no space, and then kill
the process when it tries to access too much
memory. - Causes for Heap exhaustion
- memory leaks
- Data structures incorrectly implemented
- Overall system memory exhausted
- Other transient conditions
- An example indirecting through an offset of the
returned pointer (p 154)
9Common C Memory Management Errors
- Dereferencing Null or Invalid Pointers (or their
offsets) - Referencing Freed Memory
- Freeing Memory Multiple times (example, page 157)
- Memory Leaks (can facilitate DOS attacks)
- Zero-Length Allocations (pp 159-160)
10C Dynamic Memory Management
- Only dynamic functions are
- new type (initialization list)
- delete item (or x)
- (Constructors cannot be called explicitly)
- new return a pointer to the object requested
initialized if given initializer data - new delete, plain for scalar data, for
arrays - Also
- new (place) type (initialization list)
11C Dynamic Memory Management Allocation Functions
- Class member or global function
- May not
- Use namespace other than global
- Declare as static in global scope
- Returns a void
- First parameter stdsize_t size
- Idea is that new is implemented through
malloc/calloc - Failure throws an exception of type
stdbad_alloc unless called with argument
stdnothrow in that case, it returns null
pointer - T p1 new T // can throw bad_alloc
- T p2 new(stdnothrow) T // returns null
pointer on failure
12C Dynamic Memory Management More on allocation
failures
- Standard idiom for allocation and allocation
failure Resource Acquisition Is Initialization
(RAII) - Attach lifetime of a resource to lifetime of
object it refers to - Examples, pages 166, 167, 168 (gets handler
address)
13C Dynamic Memory Management Deallocation
Functions
- Same restrictions as on allocate functions.
- Returns void, first parameter is void , may have
second parameter either - a) delete() one parameter
- b) delete() two parameters, second type
stdsize_t - Both scalar and versions.
- If first parameter is void, is a no-op.
- If first argument is none-of-the-above, we have
problems.
14C Dynamic Memory Management Garbage Collection
- Optional in C
- Boehm-Demers-Weiser conservative GC does not
require use of free/delete. - Can also be used to detect memory leaks.
- Weakness
- Disguised pointers.
- Modified pointers
- Non referenced pointers (examples, pp 169-170)
15C Dynamic Memory Management Garbage Collection
- Remedy?
- Inquire rules for pointer safety
- relaxed Normal rules
- preferred (similar to relaxed, but a gc may
run to detect leaks or bad pointers - strict (gc may be running)
- namespace std
- enum class pointer_safety relaxed,
preferred, strict - pointer_safety get_pointer_safety()
-
-
16C Dynamic Memory Allocation Garbage Collection
- In C11
- declare_reachable/undeclare_reachable page 171
17Common C Dynamic Memory Management ErrorsBad
Allocation Failure check
- C allows either NULL return or exception
throwing do not mix! (stdnothrow)
18Common C Dynamic Memory Management Errors
- Improperly pairing C and C memory management
functions. - C is a superset of C, so malloc friends/free
are OK to use, However, they may use different
memory areas and the do use different algorithms.
Do not mix!
19Common C Dynamic Memory Management Errors
- Use scalar new with scalar delete
- use array new with array delete.
- There are new, member new, operator new and
- delete, member delete, operator delete.
- Operator new may allocate raw memory, without
calling a constructor don't call a destructor.
Call operator delete instead.
20Common C Dynamic Memory Management Errors
21Common C Dynamic Memory Management Errors
22Common C Dynamic Memory Management Errors
- Standard C containers with pointers do not
delete their objects, means programmer has to do
it (p 177) but - (p 178 double-free vulnerability)
- Also, not exception-safe.
- Solutions
- 1) Garbage collecting memory management.
- 2) Smart pointers overload -gt and to act like
pointers (add check for Null, GC, reference
counts, etc.) - Most common smart pointer
- stdshared_ptr from standard library (pp 178/179)
23Common C Dynamic Memory Management Errors
- Deallocation Function throws an exception NONO
- (p 180)
24Memory Managers
- Manage both allocated and free memory.
- Runs as part of the user process
- Three types
- OS supplied
- Compiler supplied
- User supplied
- Algorithm due to D. E Knuth, The Art of Computer
Programming (several editions) - First fit vs best fit.
- In band linked lists may be a bad idea, but there
are none better.
25Doug Lea's Memory Allocator
26Doug Lea's Memory Allocator
27Doug Lea's Memory allocator
- Free chunks arranged in circular double-linked
headed lists called bins - Small sizes have dedicated bins, larger sizes
have bins dedicated to a range of sizes, arranged
in descending size order. - Special bin for recently freed chunks, acts like
cache one chance and they are ent to regular
bin. - Unlink macro takes a chunk from the bin (code
page 184, picture, page 185)
28RtlHeap by Microsoft
29RtlHeap by Microsoft Virtual Memory API
- Page base
- 32 bit linear addressing
- 4096 byte pages
- Each region either reserved, committed or
free.Must have common protection, type, base
allocationPages also protection and pagelock
flag status bits
30RtlHeap by MicrosoftHeap Memory API
- HeapCreate(maxsize...) ? unique handle
- Default heap, handle obtainable with
GetProcessHeap()
31RtlHeap by MicrosoftLocal, Glabal Memory API
- Provided local and global memory management for
backward compatibility with Windows 3.1
32RtlHeap by MicrosoftCRT Memory Functions
- Before Win32, much FUD, with Win32 uses
local/global memory management and is safe and
portable.
33RtlHeap by MicrosoftMemory-Mapped File API
- Virtual address space mapped directly onto a
file ? file access becomes dereferencing a
pointer.
34RtlHeap by MicrosoftData Structures
- Uses virtual memory API,
- Implements all the others
- Constantly evolving
- Programmers need to assume least secure version.
- Internal data structures
- Process environment block
- free lists
- look aside lists
- memory chunk structures
35RtlHeap by MicrosoftData Structures Process Env
Block
- Maintains global variables for each process.
36RtlHeap by MicrosoftData Structures FreeList
- Array of 128 LIST_ENTRY structs head of
double-linked lists.. - Located at 0x178 from address returned by
HeapCreate() - Keep track of free chunks of a particular size
index8, except FreeList0, keeps buffers gt
1024, lt virtual allocation threshold, sorted from
smallest to largest.
37RtlHeap by MicrosoftData Structures FreeList
38RtlHeap by MicrosoftData Structures Look-aside
Lists
- Requires HEAP_NO_SERIALIZE not set and
HEAP_GROWABLE set (defaults) - Creates 128 singly linked look-aside lists
- speed up allocation of small ( lt 1016 bytes)
blocks - Start out empty, grow as memory is freed.
39RtlHeap by MicrosoftData Structures Memory
Chunks
- This structure precedes address returned by
HeapAlloc by 8 bytes. Chunk size field are given
in quad words (i.e./8)
40RtlHeap by MicrosoftData Structures Memory
Chunks
41RtlHeap by Microsoft
42RtlHeap by Microsoft
43RtlHeap by Microsoft
44RtlHeap by Microsoft
45RtlHeap by Microsoft
46Doug Lea's Memory allocator
47Double-Free Vulnerabilities
48Mitigation Strategies
49Vulnerability Hall of Shame
50Summary
- C Memory Management
- Common C Memory Management errors
- C Dynamic Memory Management
- Common C Dynamic Memory Management Errors
- Memory Managers
- Doug Lea's Memory Allocator
- Double-Free Vulnerabilities
- Mitigation Strategies
- Vulnerability Hall of Shame
- Summary