Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees


Bibliographic Details
Main Authors: Inyoung Bang, Martin Kayondo, Junseung You, Donghyun Kwon, Yeongpil Cho, Yunheung Paek
Format: Article
Language: English
Published: IEEE 2024-01-01
Series: IEEE Access
Subjects: Hardware; memory management; memory safety; security; tagging architecture; temporal safety
Online Access: https://ieeexplore.ieee.org/document/10363125/
_version_ 1797316090227851264
author Inyoung Bang
Martin Kayondo
Junseung You
Donghyun Kwon
Yeongpil Cho
Yunheung Paek
author_facet Inyoung Bang
Martin Kayondo
Junseung You
Donghyun Kwon
Yeongpil Cho
Yunheung Paek
author_sort Inyoung Bang
collection DOAJ
description Preventing Use-After-Free (UAF) bugs is crucial to ensuring temporal memory safety. Against UAF attacks, much research has adopted the well-known lock-and-key approach, in which unique, disposable locks and keys are assigned to objects and pointers respectively, and every memory access is checked for a match between the two. Attention has recently returned to this approach through work that capitalizes on the vast abundance of virtual address (VA) space in lock assignment, which makes it possible to prevent UAFs even in stripped binaries. However, because this VA-based lock-and-key scheme consumes virtual address space rapidly, it is likely to suffer high performance overhead. In this paper, we propose a new scheme, called VA tagging, whose goal is to tackle this performance problem with the support of the memory tagging architecture (MTA) now available in several commodity processors, such as Arm's Memory Tagging Extension (MTE). In our scheme, the original VA-based locks are augmented with MTA tags. Because a VA-based lock can be assigned to multiple objects carrying different tags, the same VA is reused for many objects without compromising temporal safety. In our experiments, this tagging scheme lowers the VA consumption rate by an order of magnitude. We implement a lightweight memory allocator, Vatalloc, by modifying the existing allocators dlmalloc and jemalloc to employ the VA tagging scheme for efficient prevention of UAFs. Our evaluation shows that the allocator modifications alone incur only 1.70% (dlmalloc) and 3.05% (jemalloc) runtime overhead, not counting the cost of the MTE checks themselves. Simulating the tagging architecture under worst-case assumptions, MTE in precise trapping mode incurs a performance overhead of 30.9% on dlmalloc and 25.5% on jemalloc; if imprecise mode is assumed, the slowdown is 16.9% for dlmalloc and 12.0% for jemalloc. Vatalloc incurs only 19.0% and 3.0% memory overhead for dlmalloc and jemalloc respectively.
first_indexed 2024-03-08T03:14:09Z
format Article
id doaj.art-da8da3be40344961baad91a9e86733e0
institution Directory Open Access Journal
issn 2169-3536
language English
last_indexed 2024-03-08T03:14:09Z
publishDate 2024-01-01
publisher IEEE
record_format Article
series IEEE Access
spelling doaj.art-da8da3be40344961baad91a9e86733e0
2024-02-13T00:00:53Z
eng
IEEE
IEEE Access
2169-3536
2024-01-01
volume 12, pages 5462-5476
doi:10.1109/ACCESS.2023.3343777
IEEE Xplore document 10363125
Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees
Inyoung Bang (https://orcid.org/0000-0003-3042-3023), Department of Electrical and Computer Engineering, Inter-University Semiconductor Research Center, Seoul National University, Seoul, South Korea
Martin Kayondo (https://orcid.org/0009-0003-7340-6968), Department of Electrical and Computer Engineering, Inter-University Semiconductor Research Center, Seoul National University, Seoul, South Korea
Junseung You (https://orcid.org/0000-0003-1539-229X), Department of Electrical and Computer Engineering, Inter-University Semiconductor Research Center, Seoul National University, Seoul, South Korea
Donghyun Kwon (https://orcid.org/0000-0002-7507-3111), School of Computer Science and Engineering, Pusan National University, Busan, South Korea
Yeongpil Cho (https://orcid.org/0000-0001-7842-1719), Department of Computer Science, Hanyang University, Seoul, South Korea
Yunheung Paek (https://orcid.org/0000-0001-7842-1719), Department of Electrical and Computer Engineering, Inter-University Semiconductor Research Center, Seoul National University, Seoul, South Korea
https://ieeexplore.ieee.org/document/10363125/
Hardware; memory management; memory safety; security; tagging architecture; temporal safety
spellingShingle Inyoung Bang
Martin Kayondo
Junseung You
Donghyun Kwon
Yeongpil Cho
Yunheung Paek
Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees
IEEE Access
Hardware
memory management
memory safety
security
tagging architecture
temporal safety
title Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees
title_full Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees
title_fullStr Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees
title_full_unstemmed Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees
title_short Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees
title_sort enhancing a lock and key scheme with mte to mitigate use after frees
topic Hardware
memory management
memory safety
security
tagging architecture
temporal safety
url https://ieeexplore.ieee.org/document/10363125/
work_keys_str_mv AT inyoungbang enhancingalockandkeyschemewithmtetomitigateuseafterfrees
AT martinkayondo enhancingalockandkeyschemewithmtetomitigateuseafterfrees
AT junseungyou enhancingalockandkeyschemewithmtetomitigateuseafterfrees
AT donghyunkwon enhancingalockandkeyschemewithmtetomitigateuseafterfrees
AT yeongpilcho enhancingalockandkeyschemewithmtetomitigateuseafterfrees
AT yunheungpaek enhancingalockandkeyschemewithmtetomitigateuseafterfrees
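The description field above explains the VA tagging idea in two sentences: a VA-based lock (a virtual address region that is given up once its object is freed) is augmented with an MTE tag, so one VA can be handed out to several successive objects as long as each carries a different tag. The toy model below, written in C for this record and not taken from the paper or from Vatalloc, makes that concrete. It assumes a simulated heap of 4 KiB slots at an arbitrary base address, a 4-bit tag kept in pointer bits 59..56 as MTE does, and a software tag compare standing in for the hardware check on every load and store; the alloc/free workload is constructed. It compares the pure VA lock-and-key scheme with the tagged one on three points: how many distinct VAs a run of allocations burns, how a stale pointer is caught after its slot has been reallocated, and what happens once a slot's 16 tags are used up.

```c
/*
 * Toy model of VA-based lock-and-key with and without MTE-style tagging.
 * Nothing here touches real memory or MTE instructions: "virtual addresses"
 * are plain integers and the tag check is done in software. Added illustration
 * for this record; not code from the paper or from Vatalloc.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_SHIFT 56                 /* MTE keeps the logical tag in address bits 59..56 */
#define TAG_BITS  4
#define NUM_TAGS  (1u << TAG_BITS)   /* 16 distinct tags */
#define MAX_SLOTS 1024
#define SLOT_BASE 0x100000000ULL     /* assumed base of the simulated heap */
#define SLOT_SIZE 0x1000ULL          /* one slot = one object = one VA "lock" */

typedef uint64_t tptr_t;             /* tagged pointer */
typedef enum { ACCESS_OK = 0, ACCESS_UNMAPPED = 1, ACCESS_TAG_MISMATCH = 2 } access_t;

typedef struct {
    uint8_t tag;      /* tag currently on the memory at this VA (the lock) */
    bool    live;     /* an object is allocated here right now */
    bool    retired;  /* all NUM_TAGS tags consumed: this VA is never reused */
} slot_t;

typedef struct {
    slot_t slots[MAX_SLOTS];
    size_t next_fresh;   /* distinct VA slots handed out so far */
    bool   tagging;      /* false: pure VA lock-and-key; true: VA tagging */
} sim_t;

static uint8_t  ptr_tag(tptr_t p)               { return (uint8_t)((p >> TAG_SHIFT) & (NUM_TAGS - 1)); }
static uint64_t ptr_addr(tptr_t p)              { return p & ((1ULL << TAG_SHIFT) - 1); }
static tptr_t   make_ptr(uint64_t a, uint8_t t) { return a | ((uint64_t)t << TAG_SHIFT); }
static void     sim_init(sim_t *s, bool tagging){ memset(s, 0, sizeof *s); s->tagging = tagging; }

/* Without tagging every allocation burns a fresh VA slot; with tagging a freed,
 * not-yet-retired slot is reused and the new object gets the slot's bumped tag. */
static tptr_t sim_alloc(sim_t *s) {
    size_t i = s->next_fresh;
    if (s->tagging)
        for (i = 0; i < s->next_fresh; i++)
            if (!s->slots[i].live && !s->slots[i].retired) break;
    if (i == s->next_fresh) {
        if (i >= MAX_SLOTS) return 0;            /* simulated VA space exhausted */
        s->next_fresh++;
    }
    s->slots[i].live = true;
    return make_ptr(SLOT_BASE + i * SLOT_SIZE, s->slots[i].tag);
}

/* The per-access check: the VA must be mapped and, with tagging, the pointer tag must match. */
static access_t sim_access(const sim_t *s, tptr_t p) {
    uint64_t a = ptr_addr(p);
    if (a < SLOT_BASE || (a - SLOT_BASE) / SLOT_SIZE >= s->next_fresh) return ACCESS_UNMAPPED;
    const slot_t *sl = &s->slots[(a - SLOT_BASE) / SLOT_SIZE];
    if (!s->tagging) return sl->live ? ACCESS_OK : ACCESS_UNMAPPED;   /* freed VA stays unmapped forever */
    if (sl->retired)  return ACCESS_UNMAPPED;                          /* tags used up: retired like a pure VA lock */
    return ptr_tag(p) == sl->tag ? ACCESS_OK : ACCESS_TAG_MISMATCH;    /* MTE-style tag compare */
}

/* Free is checked like any access (catching double frees), then the VA is unmapped (plain)
 * or its memory retagged so every outstanding pointer to the old object mismatches (tagging). */
static access_t sim_free(sim_t *s, tptr_t p) {
    access_t r = sim_access(s, p);
    if (r != ACCESS_OK) return r;
    slot_t *sl = &s->slots[(ptr_addr(p) - SLOT_BASE) / SLOT_SIZE];
    sl->live = false;
    if (s->tagging) { if (sl->tag == NUM_TAGS - 1) sl->retired = true; else sl->tag++; }
    return ACCESS_OK;
}

/* Distinct VA slots consumed by n sequential alloc/free pairs (constructed workload). */
static size_t va_slots_used(bool tagging, size_t n) {
    sim_t s; sim_init(&s, tagging);
    for (size_t k = 0; k < n; k++) { tptr_t p = sim_alloc(&s); if (!p || sim_free(&s, p) != ACCESS_OK) return (size_t)-1; }
    return s.next_fresh;
}

/* Classic UAF: free p, allocate q, touch p. Returns how the stale access is caught; -1 if q itself is broken. */
static int uaf_outcome(bool tagging) {
    sim_t s; sim_init(&s, tagging);
    tptr_t p = sim_alloc(&s); sim_free(&s, p);
    tptr_t q = sim_alloc(&s);
    if (sim_access(&s, q) != ACCESS_OK) return -1;
    return (int)sim_access(&s, p);
}

static int double_free_outcome(bool tagging) {
    sim_t s; sim_init(&s, tagging);
    tptr_t p = sim_alloc(&s); sim_free(&s, p);
    return (int)sim_free(&s, p);
}

/* After 16 objects a tagged slot is retired: the last stale pointer faults as unmapped
 * and the next allocation moves to a new VA instead of wrapping the tag back to 0. */
static int retire_check(void) {
    sim_t s; sim_init(&s, true);
    tptr_t p = 0;
    for (unsigned k = 0; k < NUM_TAGS; k++) { p = sim_alloc(&s); sim_free(&s, p); }
    tptr_t q = sim_alloc(&s);
    return sim_access(&s, p) == ACCESS_UNMAPPED && ptr_addr(q) != ptr_addr(p);
}

int main(void) {
    printf("VA slots for 160 alloc/free pairs: plain=%zu tagged=%zu\n", va_slots_used(false, 160), va_slots_used(true, 160));
    printf("stale pointer after free+realloc: plain=%d tagged=%d (1=unmapped, 2=tag mismatch)\n", uaf_outcome(false), uaf_outcome(true));
    printf("retired slot handled correctly: %d\n", retire_check());
    return 0;
}
```

The two schemes catch the same bugs but pay for them differently: the plain scheme retires one VA slot per object (160 slots for 160 allocations), while the tagged scheme reuses each slot for all 16 tag values before retiring it (10 slots), the 16x reduction behind the abstract's "one order of magnitude". The retire step is the detail a practitioner should not drop: with only 4 tag bits, letting a slot's tag wrap from 15 back to 0 would eventually hand a stale pointer a matching tag again, which is exactly the temporal-safety violation the scheme exists to rule out. In real MTE the compare happens in hardware on every load and store against 16-byte granules, and the precise versus imprecise reporting modes the abstract measures decide whether that fault is raised synchronously at the offending instruction or only later.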