New Techniques Could Prevent Use-After-Free Exploits: Black Hat

Use-after-free memory flaws regularly impact Microsoft’s Windows operating system and Internet Explorer Web browser, but thanks to new research from Hewlett-Packard, that could soon change.

Brian Gorenc, manager of vulnerability research for HP Security Research, detailed his research at a session at the Black Hat USA conference here Aug. 6 that could curb use-after-free (UAF) attacks. The research was also given to Microsoft earlier this year, as a submission to the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program, which resulted in a $125,000 award for HP’s researchers.

UAF is a class of memory flaws that enable an attacker to make use of authorized memory that normally should not be accessible to an unauthorized application. With UAF, attackers have the potential to execute arbitrary code and take over a system.

HP looked at how UAF vulnerabilities work and researched how isolated heap memory protection works on Windows and how objects are located on a system, Gorenc told eWEEK.

Isolated heap

“We started looking at Microsoft’s memory protection techniques for weakness, and we found several techniques for bypassing the isolated heap,” he said.

One of the things that HP discovered was that the isolated heap doesn’t properly keep track of different object types, which is one potential path to exploitation using a technique known as type confusion. One mitigation that HP recommends is randomized heap allocations, which diminish the effectiveness of type confusion attacks, Gorenc said.
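To make the two points in that paragraph concrete, here is an added illustration (not HP's or Microsoft's code): a toy slot allocator in which a freed slot is reused for an object of another type, a per-slot type tag that would catch the stale use, and a randomized slot policy that makes such reuse unpredictable. The allocator, the tags and the policy are assumptions for the illustration, not Windows internals.

```c
/* Toy fixed-size-slot allocator standing in for one isolated-heap bucket (added
 * illustration, not HP's or Microsoft's code). Per-slot type tags and randomized
 * slot choice are assumed mitigations here, not Windows internals. */
#include <stddef.h>
enum { SLOTS = 8, SLOT_SIZE = 32 };                /* one size class, eight slots */
enum { T_FREE = 0, T_BUTTON = 1, T_IMAGE = 2 };    /* constructed object types */

typedef struct {
    char mem[SLOTS][SLOT_SIZE]; int tag[SLOTS];   /* slot storage, per-slot type tag */
    int randomize; unsigned rng;                  /* policy flag, LCG state for reproducibility */
} heap_t;
/* Deterministic policy reuses the first free slot (the one just freed); the randomized
 * policy picks any free slot, so whether a freed slot is reused is not predictable. */
static void *heap_alloc(heap_t *h, int type) {
    int free_idx[SLOTS], n = 0;
    for (int i = 0; i < SLOTS; i++) if (h->tag[i] == T_FREE) free_idx[n++] = i;
    if (n == 0) return NULL;
    h->rng = h->rng * 1103515245u + 12345u;
    int i = h->randomize ? free_idx[(h->rng >> 16) % n] : free_idx[0];
    h->tag[i] = type;
    return h->mem[i];
}
static int slot_of(const heap_t *h, const void *p) { return (int)(((const char *)p - h->mem[0]) / SLOT_SIZE); }
static void heap_free(heap_t *h, void *p) { h->tag[slot_of(h, p)] = T_FREE; }

/* What a type-tracking heap can verify on every use: does the slot still hold the expected type? */
static int heap_check_type(const heap_t *h, const void *p, int expected) {
    return h->tag[slot_of(h, p)] == expected;
}

/* Free a button, keep the stale pointer (the UAF bug), allocate a same-size image.
 * Returns 1 if the stale pointer aliases the image; *caught is 1 if the type check flagged it. */
static int stale_alias(int randomize, unsigned seed, int *caught) {
    heap_t h = {0}; h.randomize = randomize; h.rng = seed;
    void *btn = heap_alloc(&h, T_BUTTON);
    heap_free(&h, btn);
    void *img = heap_alloc(&h, T_IMAGE);
    *caught = !heap_check_type(&h, btn, T_BUTTON);   /* tag is now T_FREE or T_IMAGE, never T_BUTTON */
    return img == btn;
}

/* Aliasing trials out of n, or -1 if the type check ever missed a stale use. */
static int count_aliases(int randomize, int n) {
    int hits = 0, caught;
    for (int s = 1; s <= n; s++) {
        hits += stale_alias(randomize, (unsigned)s, &caught);
        if (!caught) return -1;
    }
    return hits;
}
```

With the deterministic policy every trial hands the stale pointer an object of the other type; with the randomized policy only a fraction do, and in both cases the type tag flags the stale use.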

Going a step further, Gorenc and his team were able to use the isolated heap to actually bypass Microsoft’s address space layout randomization (ASLR) feature.

“So we used one memory mitigation against another memory mitigation in order to make exploitation easier,” he said.

HP is also suggesting a mitigation to prevent the ASLR bypass technique, with an approach Gorenc calls the entropy-dependent loading of software libraries.

“With the entropy dependent approach, we’re limiting the available memory region where objects can be loaded,” he said. “The result is that there is only one location where a module can be loaded, where it can be checked.”

HP provided Microsoft with multiple mitigations to help protect against the issues that Gorenc discussed at Black Hat. Some of the mitigations have been implemented, though not all. The ASLR bypass technique is still possible, he said.

If Microsoft implemented all the mitigations suggested by HP, UAF exploitation on the isolated heap would be a lot more difficult, if not impossible, he said.

Gorenc helps run HP’s Zero Day Initiative (ZDI), which purchases vulnerabilities from researchers. With some mitigations already implemented, he said he has already seen a drop in UAF submissions against Microsoft.

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and a contributor to TechWeek.
