先通過翻譯過一遍文章,然后再對每個章節進行總結
摘要
Use-after-free vulnerabilities remain difficult to detect and mitigate, making them a popular source of exploitation. Existing solutions in- cur impractical performance/memory overhead, require specialized hardware, and/or guarantee only protection, but not detection
釋放后使用漏洞仍然難以檢測和緩解,使其成為流行的利用來源(exploitation 含義)。現有解決方案帶來不切實際的性能/內存開銷,需要專門的硬件,和/或只保證保護,而不保證檢測
In this paper, we propose DangZero, a new solution to detect use-after-free vulnerabilities as they occur. DangZero builds on a traditional page protection and aliasing scheme, where objects are made inaccessible after a free, and subsequent accesses are imme- diately detected. In contrast to prior solutions using alias-based detection, DangZero relies on direct page table access in ring 0 to provide a much more efficient implementation
在本文中,我們提出了DangZero,這是一種檢測釋放后使用漏洞的新解決方案。DangZero建立在傳統的頁面保護和別名方案之上,在該方案中,對象在釋放后無法訪問,隨后的訪問被立即檢測到。與使用基于別名的檢測的先前解決方案相比,DangZero依賴于環0中的直接頁表訪問來提供更有效的實現
The key idea is that, by giving the program’s allocator direct access to the page tables, we can efficiently manage and invalidate vulnerable objects. To safely implement this, we build upon a unikernel-like design, where virtualization provides ring-0 (guest-mode) access, isolation, as well as compatibility with existing Linux programs. Moreover, we show direct page table access serves as an efficient building block for garbage collection-style alias reclaiming. Doing so provides the ability to safely reuse freed areas and address the scalability issues plaguing state-of-the-art alias-based solutions.
關鍵思想是,通過讓程序的分配器直接訪問頁表,我們可以有效地管理易受攻擊的對象并使其無效。為了安全地實現這一點,我們構建了一個類似單內核的設計,其中虛擬化提供了環0(訪客模式)訪問、隔離以及與現有Linux程序的兼容性。此外,我們展示了直接頁表訪問是垃圾回收機制式別名回收的有效構建塊。這樣做提供了安全重用空閑區域的能力,并解決了困擾最先進的基于別名的解決方案的可擴展性問題。
Our experi- mental results confirm that DangZero provides accurate detection guarantees with significantly lower overhead than competing state- of-the-art solutions (e.g., 18% saturated throughput degradation on long-running programs such as the Nginx web server).
我們的經驗結果證實,DangZero提供了準確的檢測保證,與競爭的最先進的解決方案相比,開銷顯著降低(例如,在Nginx Web服務器等長時間運行的程序上,吞吐量下降了18%)。
總結
- DangZero的程序分配器可直接訪問頁表,以此令釋放后的對象無效,且可檢測到對其訪問
- 直接訪問頁表有助于提高垃圾回收機制的效率
介紹
Temporal memory errors remain an important concern in the pro- tection of computer systems against bugs and exploits. Use-after- free (UAF) bugs were ranked #7 in the CWE top 25 of the most common and impactful issues in software [40]. Additionally, Mi- crosoft reports that UAF bugs are the second most common root cause of vulnerabilities and continue to be a preferred target for exploitation [ 39]. Approaches to defend against such threats can be classified as offering immediate detection or (merely) protection against exploitation. Providing detection of bugs is important in both offline (e.g., testing) and online (e.g., sampling [ 51]) deploy- ment scenarios, as well as for bug triaging. Unfortunately, existing solutions in either category are problematic
時序內存錯誤仍然是保護計算機系統免受錯誤和攻擊的一個重要問題。在CWE軟件中最常見和最有影響力的問題前25名中,UAF錯誤排名第7[40]。此外,Mi-crosoft報告說,UAF錯誤是漏洞的第二個最常見的根本原因,并且仍然是利用的首選目標[39]。防御此類威脅的方法可以分為提供即時檢測或(僅)防止利用。 在離線(例如測試)和在線(例如采樣[51])部署場景以及bug分類中,提供錯誤檢測都很重要。不幸的是,這兩個類別中的現有解決方案都有問題
Guaranteeing UAF protection is typically more efficient than im- mediate detection and existing protection systems attempt to mini- mize their performance impact by means of a variety of techniques: type-safe memory reuse [ 5 , 52] (which, however, can only preserve type safety), reference counting [ 50 ] (which, however, is not applica- ble to arbitrary C/C++ programs), one-time allocation [54 ] (which, however, cannot bound memory usage), and garbage collection- style (GC) solutions [ 4 , 19 , 23, 34 ]. While GC-style solutions have been gaining momentum for their reported efficiency, recent studies evidence nontrivial, fundamental costs with GC-style techniques— often hiding behind concurrency and generous provisioning of memory/computational power [ 14 ]. Further drawbacks are that many solutions cannot protect against exploits that do not rely on memory reuse [ 5], while most of the compiler-based solutions (with exceptions [4, 5 , 19 , 54 ]) cannot handle unmodified binaries. Most importantly, none of the solutions in this category can provide strong UAF detection guarantees.
保證UAF保護通常比即時檢測更有效,現有的保護系統試圖通過各種技術來最小化它們對性能的影響:類型安全的內存重用[5,52](然而,它只能保持類型安全)、引用計數[50](然而,它不適用于任意的C/C++程序)、一次性分配[54](然而,它不能限制內存使用)和垃圾回收機制-風格(GC)解決方案[4,19,23,34]。雖然GC風格的解決方案因其報告的效率而獲得動力,但最近的研究證明,GC風格技術的成本是非同尋常的,基本的——通常隱藏在并發和內存/計算能力的慷慨配置背后[14]。進一步的缺點是,許多解決方案無法防止不依賴內存重用的攻擊[5],而大多數基于編譯器的解決方案(除了例外[4,5,19,54])無法處理未經修改的二進制文件。最重要的是,此類解決方案中沒有一個可以提供強大的UAF檢測保證。
Most UAF detection-focused systems rely on compiler instrumen- tation to track and invalidate pointers to freed objects [ 30, 49 , 53 , 55]. Despite dedicated optimizations [53], such solutions still incur non- trivial performance overhead. Less costly solutions rely on special hardware support [22, 57 ] (limiting deployability) or on object IDs [ 9, 13 , 15 , 22 , 25 , 41 ] (or poison values [47 ]) to detect UAFs (only) until a predetermined number of memory reuse events oc- curs (limiting security guarantees). Here also, most compiler-based solutions cannot handle unmodified binaries
大多數以UAF檢測為中心的系統依靠編譯器工具來跟蹤和無效指向已釋放對象的指針[30,49,53,55]。盡管進行了專門的優化[53],但這種解決方案仍然會產生不小的性能開銷。成本較低的解決方案依賴于特殊的硬件支持[22,57](限制可部署性)或對象ID[9,13,15,22,25,41](或毒值[47])來檢測UAF(僅),直到預定數量的內存重用事件發生(限制安全保證)。這里,大多數基于編譯器的解決方案也不能處理未經修改的二進制文件。
Nonetheless, binary-compatible UAF detection systems are de- scribed in literature [17 , 18 ]. Such solutions create a new virtual page (alias) for each memory allocation and map it to the same physical page as the original object. As a result, every object re- ceives a unique (unused) pointer, and the object (and its pointers) can easily be invalidated upon free by revoking the page mapping. Unfortunately, such alias-based solutions rely on the kernel for page protection and aliasing, and incur high overhead due to the extra syscalls and kernel administration costs. Moreover, state-of-the-art solutions [17 ] still suffer from impractical scalability issues due to virtual memory address space exhaustion—as we will show, this occurs in a matter of days on a heavily loaded web server.
盡管如此,文獻[17,18]中描述了二進制兼容的UAF檢測系統。這種解決方案為每個內存分配創建一個新的虛擬頁面(別名),并將其映射到與原始對象相同的物理頁面。因此,每個對象都重新獲得一個唯一的(未使用的)指針,并且該對象(及其指針)可以很容易地通過撤銷頁面映射在空閑時失效。不幸的是,這種基于別名的解決方案依賴內核進行頁面保護和別名,并且由于額外的系統調用和內核管理成本而產生高開銷。此外,由于虛擬內存地址空間耗盡,最先進的解決方案[17]仍然存在不切實際的可擴展性問題——正如我們將展示的,這發生在負載沉重的Web服務器上的幾天內。
In this paper, we introduce DangZero, an efficient, scalable, and binary-compatible UAF detection system. The key idea is to rely on direct page table access in ring 0 (i.e., the highest privilege level normally only running OS kernels) to implement a traditional alias- based scheme in a much more efficient way. Drawing inspiration from modern unikernel-like designs [29 ], DangZero relies on virtu- alization extensions and a privilege backend such as Kernel Mode Linux (KML) [36 ] to provide direct access to the page tables. This strategy allows us to transparently run (and isolate) arbitrary user- space programs in ring 0 guest mode, while safely providing them with direct access to their own (guest) page tables
在本文中,我們介紹了DangZero,這是一種高效、可擴展且二進制兼容的UAF檢測系統。關鍵思想是依靠環0中的直接頁表訪問(即最高權限級別通常只運行操作系統內核),以更有效的方式實現傳統的基于別名的方案。從現代單內核設計[29]中汲取靈感,DangZero依靠虛擬化擴展和權限后端,如內核模式Linux(KML)[36]來提供對頁表的直接訪問。這種策略允許我們在環0訪客模式下透明地運行(和隔離)任意用戶空間程序,同時安全地為它們提供對自己(訪客)頁表的直接訪問
We show that directly accessing page tables can crucially make alias-based UAF detection systems practical in two ways. First, by granting the program’s memory allocator page table access, it can efficiently manage aliases by directly updating page table mappings. Doing so eliminates the need for operating system involvement and the corresponding (syscall and kernel administration) overheads.
我們表明,直接訪問頁表可以通過兩種方式使基于別名的UAF檢測系統變得實用。首先,通過授予程序的內存分配器頁表訪問權限,它可以通過直接更新頁表映射來有效地管理別名。這樣做消除了操作系統參與的需要和相應的(系統調用和內核管理)開銷。
Second, page tables already track important metadata about the virtual memory address space of the program and can also accom- modate extra application-specific metadata. We use this observation to design an efficient alias reclaiming system and address the vir- tual memory address space exhaustion issues of prior alias-based solutions [17 ]. The goal is to allow safe reuse of virtual addresses, once we confirm that dangling pointers to the object (alias) no longer exist. Our design is similar, in spirit, to that of prior GC-style solutions [ 4, 19], but with two crucial differences. First, DangZero’s metadata management is uniquely efficient, since it can piggyback and expand on the metadata already present in the page tables (e.g., the present bit pinpointing the resident pages to scan for dangling pointers). Moreover, since DangZero reclaims virtual aliases rather than objects in physical memory, our reclaiming strategy is not prone to the typical performance/memory tradeoff of GC-style tech- niques [ 14 ]. Indeed, as we shall see, our alias reclaiming strategy is very efficient, allowing DangZero (a detection system) to out- perform even state-of-the-art GC-style protection systems [ 4 , 19 ] on long-running benchmarks (which commonly feature frequent, short-lived allocations), without having to resort to memory over- provisioning or concurrent reclaiming on spare CPU cores.
其次,頁表已經跟蹤了關于程序虛擬內存地址空間的重要元數據,也可以容納額外的application-specific元數據。我們利用這一觀察結果設計了一個高效的別名回收系統,并解決了先前基于別名的解決方案的虛擬內存地址空間耗盡問題[17]。目標是允許虛擬地址的安全重用,一旦我們確認指向對象(別名)的懸空指針不再存在。我們的設計在精神上與先前的GC風格解決方案[4,19]相似,但有兩個關鍵區別。首先,DangZero的元數據管理非常高效,因為它可以搭載和擴展頁表中已經存在的元數據(例如,當前位精確定位駐留頁面以掃描懸空指針)。此外,由于DangZero回收虛擬別名而不是物理內存中的對象,我們的回收策略不容易出現GC風格技術[14]的典型性能/內存權衡。事實上,正如我們將看到的,我們的別名回收策略非常有效,允許DangZero(一種檢測系統)在長時間運行的基準測試(通常具有頻繁、短暫的分配)上優于最先進的GC風格保護系統[4、19],而不必求助于內存過度配置或備用CPU內核上的并發回收。
We have evaluated DangZero on standard benchmarks (SPEC CPU 2006 and 2017) and long-running application benchmarks (the Nginx web server in particular). On SPEC CPU 2006, DangZero reported a geomean performance overhead of only 16% (and 22% on SPEC CPU 2017) compared to 40% for the state-the-art alias-based UAF detection system [17 ]. On Nginx, DangZero reported saturated overheads as low as 11-18%, significantly lower than state-of-the- art UAF protection/detection systems, with consistently modest (and bounded) memory overhead
我們在標準基準測試(SPEC CPU 2006和2017)和長期運行的應用程序基準測試(特別是Nginx Web服務器)上評估了DangZero。在SPEC CPU 2006上,DangZero報告的geomean性能開銷僅為16%(在SPEC CPU 2017上為22%),而最先進的基于別名的UAF檢測系統為40%[17]。在Nginx上,DangZero報告的飽和開銷低至11-18%,明顯低于最先進的UAF保護/檢測系統,內存開銷始終適中(且有限)
To summarize, we make the following contributions:
? A new approach to detect use-after-free bugs based on alias allocation with virtualization-based direct page table access.
? A novel solution for alias reclaiming.
? A prototype of DangZero using KML as a privilege backend
?An evaluation to show that DangZero significantly outper- forms prior detection systems and even state-of-the-art GC- style protection systems on long-running benchmarks.
總而言之,我們做出了以下貢獻:
? 一種基于別名分配的新方法,通過virtualization-based直接頁表訪問來檢測釋放后使用的錯誤。
? 別名回收的新解決方案。
? 使用KML作為特權后端的DangZero原型
? 評估表明,DangZero在長期運行的基準測試中明顯優于先前的檢測系統,甚至是最先進的GC式保護系統。
總結
- 分類為即時檢測和進行UAF保護以防止利用
- 已經有頁面保護和別名的機制(Oscar),但其系統調用開銷高,且虛擬內存地址空間容易耗盡,回收機制不好,DangZero基于此進行改進
- 用戶空間程序能直接訪問所在進程的頁表
- 別名回收系統可在對象的懸空指針不存在時,允許虛擬地址安全重用
背景
Use-after-free
Use-after-free (UAF) bugs are temporal memory errors present in unsafe languages such as C and C++, which arise due to heap allocated objects being dereferenced after already being freed. These bugs are possible since (so-called dangling) pointers to freed objects remain intact even if the pointed memory location is no longer valid. Attackers typically exploit UAF bugs and the corresponding dangling pointers by forcing memory reuse after the free, but before the use. However, depending on the allocator design, exploitation without memory reuse (with allocator metadata playing the role of the target object) is possible [ 5]. Listing 1 shows a trivial example of a UAF bug. The temporal nature of these bugs makes them hard to detect, both visually in the code as well as through program analysis, and many mitigation designs aimed to neutralize UAF bugs suffer from significant (runtime/memory) overhead. In this paper, we show such cost is not fundamental and direct page table access can unlock an efficient and scalable alias-based solution
釋放后使用(UAF)錯誤是不安全語言(如C和C++)中存在的時序內存錯誤,它是由于堆分配的對象在已經被釋放后被解引用而產生的。這些錯誤是可能的,因為即使指向的內存位置不再有效,指向釋放對象的(所謂的懸空)指針也會保持不變。攻擊者通常通過在釋放之后但在使用之前強制內存重用來利用UAF錯誤和相應的懸空指針。然而,根據分配器設計,沒有內存重用的利用(分配器元數據扮演目標對象的角色)是可能的[5]。清單1顯示了一個UAFbug的簡單示例。這些錯誤的時序特性使得它們很難在代碼中直觀地檢測到,也很難通過程序分析檢測到,許多旨在中和UAF錯誤的緩解設計都面臨著巨大的(運行時/內存)開銷。在本文中,我們展示了這種開銷不能從根本解決問題,直接頁表訪問可以解鎖一種高效且可擴展的基于別名的解決方案
Page tables
Page tables are a software-maintained data structure that is used by the memory management unit (MMU) of the CPU to describe how to map virtual to physical memory. On most common architectures, page tables are stored as a hierarchical tree, where certain bits of the virtual address are used to select the entry in the respective level of the page table. A page table entry (PTE) stores the address to the next level of the tree, or (for the last level) the result of the address translation. Additionally, PTEs store a limited number of metadata bits, such as permissions of that mapping and whether the entry is valid (“present”). Finally, each PTE contains a number of bits that are ignored by hardware, and thus can be used by the operating system for additional information. Most 64-bit architectures use 4-level page tables, each table consisting of 512 entries, yielding a 48-bit (256 TB) virtual address space. Some modern CPUs also feature 5-level page tables, but for the remainder of this paper we assume a 4-level page table structure for simplicity. Many different names exist for referring to the different levels of these structures; for this paper we simply refer to them as L4 through L1 (with L4 the root/first table, and L1 the leaves/last level).
頁表是一種軟件維護的數據結構,由CPU的內存管理單元(MMU)用來描述如何將虛擬內存映射到物理內存。在最常見的架構中,頁表存儲為分層樹,其中虛擬地址的某些位用于選擇頁表相應級別的條目。頁表條目(PTE)將地址存儲到樹的下一級,或(對于最后一級)地址轉換的結果。此外,PTE存儲有限數量的元數據位,例如該映射的權限以及條目是否有效(“存在”)。 最后,每個PTE包含一些被硬件忽略的位,因此操作系統可以使用這些位來獲取更多信息。大多數64位架構使用4級頁表,每個表由512個條目組成,產生48位(256 TB)的虛擬地址空間。一些現代CPU也具有5級頁表,但為了簡單起見,我們在本文的其余部分假設為4級頁表結構。存在許多不同的名稱來指代這些結構的不同級別;在本文中,我們簡單地將它們稱為L4到L1(L4是根/第一個表,L1是葉/最后一個級別)。
Typically, each process has its own set of page tables, describing the address space of that process. Linux splits the available address space in half, giving the bottom half to user space and keeping the top half for its own data. This means each user process has 128 TB of virtual addresses available. To request new mappings, or change existing mappings, the process (and its memory allocator) issues system calls such as brk, mmap, and mremap. On top of the page tables, Linux also maintains its own data structures, containing information for each consecutive virtual memory area (VMA)
通常,每個進程都有自己的一組頁表,描述該進程的地址空間。Linux將可用地址空間分成兩半,將下半部分留給用戶空間,并保留上半部分用于自己的數據。這意味著每個用戶進程都有128 TB的可用虛擬地址。為了請求新的映射,或更改現有的映射,進程(及其內存分配器)發出系統調用,例如brk、mmap和mremap。在頁表的頂部,Linux還維護自己的數據結構,包含每個連續虛擬內存區域(VMA)的信息
When running a virtual machine (VM) using hardware virtual- ization extensions, there are two levels of page tables: the guest page tables, and the extended page tables (EPT) on the host. The former behave exactly as described above, and give the guest the illusion of running directly on the hardware. The EPT is managed by the hypervisor and is similar to normal page tables, except it translates every guest-physical address to a host-physical address
當使用硬件虛擬化擴展運行虛擬機(VM)時,有兩個級別的頁表:客戶頁表和主機上的擴展頁表(EPT)。前者的行為與上述完全一樣,給客戶一種直接在硬件上運行的錯覺。EPT由管理程序管理,類似于普通頁表,只是它將每個客戶物理地址轉換為主機物理地址
Access to privileged CPU features
To achieve direct page table access, DangZero requires access to privileged features normally reserved for ring 0. The Dune [6] project presented a practical implementation through the use of a lightweight virtual environment. In particular, the application runs in ring 0 (guest mode) of a specialized “virtual process” environment. This provides the application access to all privileged features (e.g., guest page tables), while still being isolated from the rest of the (host) system by the hypervisor.
為了實現直接頁表訪問,DangZero需要訪問通常為環0保留的特權功能。Dune[6]項目通過使用輕量級虛擬環境提供了一個實用的實現。特別是,應用程序在專門的“虛擬進程”環境的環0(訪客模式)中運行。這為應用程序提供了對所有特權功能(例如訪客頁表)的訪問,同時仍然被管理程序與(主機)系統的其余部分隔離開來。
Dune used a small library operating system (libOS) running in the guest alongside the application, to manage basic kernel tasks so that unmodified Linux binaries could run. Additionally, a specialized (KVM-based) hypervisor mapped system calls issued by the guest via VM exits to Linux syscalls on the host.
Dune使用在應用程序旁邊的訪客中運行的小型庫操作系統(libOS)來管理基本的內核任務,以便未經修改的Linux二進制文件可以運行。 此外,專門的(基于KVM的)管理程序將訪客通過VM出口發出的系統調用映射到主機上的Linux系統調用。
注:實現上libOS應該就是trusted目錄,可以將主機其他未經修改的二進制文件放到此目錄中運行
Of similar spirit is the Kernel Mode Linux (KML) [ 36 ] project, which allows programs to run in ring 0 alongside the Linux kernel. KML has the advantage of not requiring expensive VM exits for every system call a la Dune. Similar to Dune, KML still requires a virtual environment for isolation, that is to protect the rest of the system. The resulting design effectively transforms Linux into a libOS and the process into a unikernel—and recent application opti- mization work has shown KML can be efficiently used as such [29 ]
類似的精神是內核模式Linux(KML)[36]項目,它允許程序與Linux內核一起在環0中運行。KML的優點是不需要為每個系統調用la Dune都需要昂貴的VM退出。與Dune類似,KML仍然需要一個虛擬環境來隔離,即保護系統的其余部分。由此產生的設計有效地將Linux轉換為libOS,并將進程轉換為單內核——最近的應用程序優化工作表明KML可以有效地用作此類[29]
總結
- 頁表項中有一些標志位來表示條目信息,如條目是否存在
- libOS使用KML作為單內核
威脅模型假定
We assume a standard threat model, with an attacker seeking to exploit arbitrary use-after-free vulnerabilities in a victim binary program (written in an unsafe language), for the purpose of in- formation disclosure, privilege escalation, etc. We consider arbi- trary use-after-free exploits regardless of whether memory reuse and other exploitation techniques (e.g., memory massaging) are involved. We assume the program is free from other vulnerabilities (e.g., buffer overflows) or otherwise hardened against them with orthogonal mitigations
我們假設一個標準的威脅模型,攻擊者試圖利用受害者二進制程序(用不安全的語言編寫)中的任意釋放后使用漏洞,以達到信息泄露、權限提升等目的。我們考慮任意釋放后使用漏洞,無論是否涉及內存重用和其他利用技術(例如內存篡改)。我們假設該程序沒有其他漏洞(例如緩沖區溢出),或者通過正交緩解措施對它們進行了強化
學習內容
“二進制兼容的UAF(Use-After-Free)檢測” :能夠檢測未經修改的二進制可執行文件中的UAF漏洞的能力。這意味著檢測工具或方法不需要訪問程序的源代碼或特定的編譯版本,而是可以直接應用于已編譯的二進制文件。這對于分析和保護現有應用程序以識別和修復UAF漏洞非常有用,因為它不依賴于源代碼的可用性或可訪問性。這種方法通常需要使用反匯編和靜態分析技術來分析二進制文件的執行路徑和內存訪問,以檢測UAF漏洞。
單內核是什么
-OpenGL)
)
)
 (A~B))