Dynamic detection of Use After Free bugs

The article describes new method of use after free bug detection using program dynamic analysis. In memory-unsafe programming languages such as C/C++ this class of bugs mainly accurse when program tries to access specific area of dynamically allocated memory that has been already freed. This method is based on combination of two basic components. The first component tracks all memory operations through dynamic binary instrumentation and searches for inappropriate memory access. It preserves two sets of memory address for all allocation and free instructions. Using both sets this component checks whether current memory is accessible through its address or it has been already freed. It is based on dynamic symbolic execution and code coverage algorithm. It is used to maximize the number of execution paths of the program. Using initial input, it starts symbolic execution of the target program and gathers input constraints from conditional statements. The new inputs are generated by systematically solving saved constraints using constraint solver and then sorted by number of basic blocks they cover. Proposed method detects use after free bugs by applying first component each time when second one was able to open new path of the program. It was tested on our synthetic tests that were created based on well-known use after free bug patterns. The method was also tested on couple of real projects by injecting bugs on different levels of execution.

program dynamic analysis, use after free bug, dynamic symbolic execution, code coverage, instrumentation

1. D. Dewey, B. Reaves, P. Trainor. Uncovering Use-After-Free Conditions in Compiled Code. In Proc of the 10th International Conference on Availability, Reliability and Security (ARES), 2015, pp. 90-99

2. J. Feist, L. Mounier, ML. Potet. Statically detecting use after free on binary code. Journal of Computer Virology and Hacking Techniques, vol. 10, issue 3, 2014, pp 211-217

3. Ildar Isaev, Denis Sidorov, Alexander Gerasimov, Mikhail Ermakov. Avalanche: Using dynamic analysis for automatic defect detection in programs based on network sockets. Trudy ISP RAN/Proc. ISP RAS, vol. 21, 2011, pp. 55-70 (in Russian).

4. B. Lee, Ch. Song, Y. Jang, T. Wang. Preventing Use-after-free with Dangling Pointers Nullification. In Proc of the Network and Distributed System Security Symposium, 2015, https://www.ndss-symposium.org/ndss2015/ndss-2015-programme/preventing-use-after-free-dangling-pointers-nullification/, accessed at 05.05.2018

5. Yves Younan. FreeSentry: Protecting Against Use-After-Free Vulnerabilities Due to Dangling Pointers. In Proc of the Network and Distributed System Security Symposium, 2015, https://www.ndss-symposium.org/ndss2015/ndss-2015-programme/freesentry-protecting-against-use-after-free-vulnerabilities-due-dangling-pointers/, accessed at 05.05.2018

6. J. Caballero, G. Grieco, M. Marron, A. Nappa. Undangle: Early Detection of Dangling Pointers in Use-After-Free and Double-Free Vulnerabilities. In Proceedings of the 2012 International Symposium on Software Testing and Analysis, 2012, pp. 133-143

7. Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert and David Brumley. Unleashing MAYHEM on Binary Code. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012, pp. 380-394

8. Pin – A Dynamic Binary Instrumentation Tool, https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool, accessed at 05.05.2018

9. Triton – Dynamic Binary Analysis Framework, https://triton.quarkslab.com/, accessed at 05.05.2018

10. P. Godefroid, M. Y. Levin, D. Molnar. Automated Whitebox Fuzz Testing. In Proceedings of NDSS'2008 (Network and Distributed Systems Security), 2008, pp. 151-166.

11. A. Aho, J. Ullman, R. Sethi, M. S. Lam. Compilers: Principles, Techniques, and Tools. Addison Wesley; 2nd edition, September 10, 2006, 1000 p.

12. Leonardo de Moura, Nikolaj Bjørner. Z3: an efficient SMT solver. In Proceedings of the 14th international conference on Tools and algorithms for the construction and analysis of systems, 2008, pp. 337-340