SECURE PROGRAMMING - PowerPoint PPT Presentation

About This Presentation
Title:

SECURE PROGRAMMING

Description:

SECURE PROGRAMMING Chapter 4 Dynamic Memory Management – PowerPoint PPT presentation

Number of Views:78
Avg rating:3.0/5.0
Slides: 51
Provided by: kent144
Learn more at: https://www.cs.kent.edu
Category:

less

Transcript and Presenter's Notes

Title: SECURE PROGRAMMING


1
SECURE PROGRAMMING Chapter 4 Dynamic Memory
Management
2
Overview
  • Introduction
  • C Memory Management
  • Common C Memory Management errors
  • C Dynamic Memory Management
  • Common C Dynamic Memory Management Errors
  • Memory Managers
  • Doug Lea's Memory Allocator
  • RtlHeap
  • Heap management vulnerabilities
  • Buffer overflows
  • Double-Free Vulnerabilities
  • Writing to freed memory
  • Another Windows vulnerability Look-Aside Table
  • Mitigation Strategies
  • Vulnerability Hall of Shame
  • Summary

3
Introduction
  • Memory management is a source of
  • programming defects
  • security flaws
  • vulnerabilities
  • Main causes
  • Double freeing
  • Buffer overflows
  • use of freed pointers
  • .

4
C Memory Management
  • Functions defined
  • malloc(size_t size)
  • aligned_alloc(size_t alignment,size_t size)
  • realloc(void p, size_t size) (Do not use size0)
  • calloc(size_nmemb, size_t size) (initializes to
    0)
  • free(void p)

5
C Memory Management
  • The importance of alignment
  • subobjects
  • complete objects
  • alignment hierarchy (weaker to stronger/stricter)
  • max_align_t
  • alignas(size_t size) (support for SIMD)
  • extended alignment gt max_align_t
  • overaligned type
  • Note that realloc() does not preserve alignment!

6
C Memory Management
  • alloca(size_t size)
  • Allocates on stack area
  • Usually inlined
  • Non-standard
  • Dangerous
  • Variable length arrays similar. Lots of caveats

7
Common C Memory Management Errors
  • Initialization errors
  • Random behavior
  • Security leaks
  • Use memset(void s, int c, size_t n) or
    memset_s()
  • Can use calloc, provided the product of the
    arguments doesn't overflow.

8
Common C Memory Management Errors
  • Failing to check return values
  • AIX and Linux may allow allocation requests to
    succeed even if there is no space, and then kill
    the process when it tries to access too much
    memory.
  • Causes for Heap exhaustion
  • memory leaks
  • Data structures incorrectly implemented
  • Overall system memory exhausted
  • Other transient conditions
  • An example indirecting through an offset of the
    returned pointer (p 154)

9
Common C Memory Management Errors
  • Dereferencing Null or Invalid Pointers (or their
    offsets)
  • Referencing Freed Memory
  • Freeing Memory Multiple times (example, page 157)
  • Memory Leaks (can facilitate DOS attacks)
  • Zero-Length Allocations (pp 159-160)

10
C Dynamic Memory Management
  • Only dynamic functions are
  • new type (initialization list)
  • delete item (or x)
  • (Constructors cannot be called explicitly)
  • new return a pointer to the object requested
    initialized if given initializer data
  • new delete, plain for scalar data, for
    arrays
  • Also
  • new (place) type (initialization list)

11
C Dynamic Memory Management Allocation Functions
  • Class member or global function
  • May not
  • Use namespace other than global
  • Declare as static in global scope
  • Returns a void
  • First parameter stdsize_t size
  • Idea is that new is implemented through
    malloc/calloc
  • Failure throws an exception of type
    stdbad_alloc unless called with argument
    stdnothrow in that case, it returns null
    pointer
  • T p1 new T // can throw bad_alloc
  • T p2 new(stdnothrow) T // returns null
    pointer on failure

12
C Dynamic Memory Management More on allocation
failures
  • Standard idiom for allocation and allocation
    failure Resource Acquisition Is Initialization
    (RAII)
  • Attach lifetime of a resource to lifetime of
    object it refers to
  • Examples, pages 166, 167, 168 (gets handler
    address)

13
C Dynamic Memory Management Deallocation
Functions
  • Same restrictions as on allocate functions.
  • Returns void, first parameter is void , may have
    second parameter either
  • a) delete() one parameter
  • b) delete() two parameters, second type
    stdsize_t
  • Both scalar and versions.
  • If first parameter is void, is a no-op.
  • If first argument is none-of-the-above, we have
    problems.

14
C Dynamic Memory Management Garbage Collection
  • Optional in C
  • Boehm-Demers-Weiser conservative GC does not
    require use of free/delete.
  • Can also be used to detect memory leaks.
  • Weakness
  • Disguised pointers.
  • Modified pointers
  • Non referenced pointers (examples, pp 169-170)

15
C Dynamic Memory Management Garbage Collection
  • Remedy?
  • Inquire rules for pointer safety
  • relaxed Normal rules
  • preferred (similar to relaxed, but a gc may
    run to detect leaks or bad pointers
  • strict (gc may be running)
  • namespace std
  • enum class pointer_safety relaxed,
    preferred, strict
  • pointer_safety get_pointer_safety()

16
C Dynamic Memory Allocation Garbage Collection
  • In C11
  • declare_reachable/undeclare_reachable page 171

17
Common C Dynamic Memory Management ErrorsBad
Allocation Failure check
  • C allows either NULL return or exception
    throwing do not mix! (stdnothrow)

18
Common C Dynamic Memory Management Errors
  • Improperly pairing C and C memory management
    functions.
  • C is a superset of C, so malloc friends/free
    are OK to use, However, they may use different
    memory areas and the do use different algorithms.
    Do not mix!

19
Common C Dynamic Memory Management Errors
  • Use scalar new with scalar delete
  • use array new with array delete.
  • There are new, member new, operator new and
  • delete, member delete, operator delete.
  • Operator new may allocate raw memory, without
    calling a constructor don't call a destructor.
    Call operator delete instead.

20
Common C Dynamic Memory Management Errors
21
Common C Dynamic Memory Management Errors
  • Double freeing memory

22
Common C Dynamic Memory Management Errors
  • Standard C containers with pointers do not
    delete their objects, means programmer has to do
    it (p 177) but
  • (p 178 double-free vulnerability)
  • Also, not exception-safe.
  • Solutions
  • 1) Garbage collecting memory management.
  • 2) Smart pointers overload -gt and to act like
    pointers (add check for Null, GC, reference
    counts, etc.)
  • Most common smart pointer
  • stdshared_ptr from standard library (pp 178/179)

23
Common C Dynamic Memory Management Errors
  • Deallocation Function throws an exception NONO
  • (p 180)

24
Memory Managers
  • Manage both allocated and free memory.
  • Runs as part of the user process
  • Three types
  • OS supplied
  • Compiler supplied
  • User supplied
  • Algorithm due to D. E Knuth, The Art of Computer
    Programming (several editions)
  • First fit vs best fit.
  • In band linked lists may be a bad idea, but there
    are none better.

25
Doug Lea's Memory Allocator
  • dlmalloc

26
Doug Lea's Memory Allocator
27
Doug Lea's Memory allocator
  • Free chunks arranged in circular double-linked
    headed lists called bins
  • Small sizes have dedicated bins, larger sizes
    have bins dedicated to a range of sizes, arranged
    in descending size order.
  • Special bin for recently freed chunks, acts like
    cache one chance and they are ent to regular
    bin.
  • Unlink macro takes a chunk from the bin (code
    page 184, picture, page 185)

28
RtlHeap by Microsoft
29
RtlHeap by Microsoft Virtual Memory API
  • Page base
  • 32 bit linear addressing
  • 4096 byte pages
  • Each region either reserved, committed or
    free.Must have common protection, type, base
    allocationPages also protection and pagelock
    flag status bits

30
RtlHeap by MicrosoftHeap Memory API
  • HeapCreate(maxsize...) ? unique handle
  • Default heap, handle obtainable with
    GetProcessHeap()

31
RtlHeap by MicrosoftLocal, Glabal Memory API
  • Provided local and global memory management for
    backward compatibility with Windows 3.1

32
RtlHeap by MicrosoftCRT Memory Functions
  • Before Win32, much FUD, with Win32 uses
    local/global memory management and is safe and
    portable.

33
RtlHeap by MicrosoftMemory-Mapped File API
  • Virtual address space mapped directly onto a
    file ? file access becomes dereferencing a
    pointer.

34
RtlHeap by MicrosoftData Structures
  • Uses virtual memory API,
  • Implements all the others
  • Constantly evolving
  • Programmers need to assume least secure version.
  • Internal data structures
  • Process environment block
  • free lists
  • look aside lists
  • memory chunk structures

35
RtlHeap by MicrosoftData Structures Process Env
Block
  • Maintains global variables for each process.

36
RtlHeap by MicrosoftData Structures FreeList
  • Array of 128 LIST_ENTRY structs head of
    double-linked lists..
  • Located at 0x178 from address returned by
    HeapCreate()
  • Keep track of free chunks of a particular size
    index8, except FreeList0, keeps buffers gt
    1024, lt virtual allocation threshold, sorted from
    smallest to largest.

37
RtlHeap by MicrosoftData Structures FreeList
38
RtlHeap by MicrosoftData Structures Look-aside
Lists
  • Requires HEAP_NO_SERIALIZE not set and
    HEAP_GROWABLE set (defaults)
  • Creates 128 singly linked look-aside lists
  • speed up allocation of small ( lt 1016 bytes)
    blocks
  • Start out empty, grow as memory is freed.

39
RtlHeap by MicrosoftData Structures Memory
Chunks
  • This structure precedes address returned by
    HeapAlloc by 8 bytes. Chunk size field are given
    in quad words (i.e./8)

40
RtlHeap by MicrosoftData Structures Memory
Chunks
  • Free chunk picture

41
RtlHeap by Microsoft
42
RtlHeap by Microsoft
43
RtlHeap by Microsoft
44
RtlHeap by Microsoft
45
RtlHeap by Microsoft
46
Doug Lea's Memory allocator
47
Double-Free Vulnerabilities
48
Mitigation Strategies
49
Vulnerability Hall of Shame
50
Summary
  • C Memory Management
  • Common C Memory Management errors
  • C Dynamic Memory Management
  • Common C Dynamic Memory Management Errors
  • Memory Managers
  • Doug Lea's Memory Allocator
  • Double-Free Vulnerabilities
  • Mitigation Strategies
  • Vulnerability Hall of Shame
  • Summary
Write a Comment
User Comments (0)
About PowerShow.com