Dailydave mailing list archives

Automated vulnerability analysis of zero-sized heap allocations


From: Julien Vanegue <jvanegue () microsoft com>
Date: Tue, 20 Apr 2010 12:37:48 +0000

I am pleased to announce the publication of some of the security research I have performed as a member of the Microsoft 
Security Engineering Center (MSEC) penetration testing team over the last year.

The following presentation was given at the Hackito Ergo Sum (HES'10) conference on April 10th 2010 in Paris, France.

Slides are now available at the following location: 
http://hackitoergosum.org/wp-content/uploads/2010/04/HES10-jvanegue_zero-allocations.pdf

Title: Automated vulnerability analysis of zero-sized heap allocations

Abstract:

The dynamic memory allocator is a fundamental component of modern operating systems, and one of the most important
sources of security vulnerabilities. In this presentation, we emphasize a particular weakness of the heap management
that has proven to be the root cause of many escalation of privilege bugs in the Windows kernel and other critical
remote vulnerabilities in user-land applications. The problem is not specific to any operating system and is present in
both user-land and kernel-land allocators. The presentation is divided into three parts. First, we will reveal the
exact nature of the weakness and provide a taxonomy of all tested operating systems (both in the Windows and UNIX
world, most of them are exposed). We then present a custom static analyzer for this class of defects based on the HAVOC
framework, a heap-aware verifier for C programs, developed in the RISE team at Microsoft Research. We have deployed the
analyzer on multiple kernel components, some of them reaching one million lines of C code. The analyzer produces a
reasonable amount of warnings without any complex configuration. Finally, we generalize our analysis technique by
characterizing what happens when the size of heap chunks is in the neighbourhood of zero (e.g. near-zero allocations)
and give another example of a fixed remote bug. We emphasize that this weakness should not be considered as a new class
of vulnerabilities (such as buffer overflow), but rather a new type of code defect in the same style as integer
overflows, as many occurrences are legit and do not lead to a bug.

Enjoy.

Julien

---
Julien Vanegue  - Security engineer
Microsoft Security Engineering Center / Penetration testing team.
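An added illustration of the defect class the abstract describes, written for this archive page; it is not code from the talk, from HAVOC, or from Microsoft. The wire format (a one-byte record count followed by 4-byte records), the function names, and the sample bytes are all constructed for the example. It shows the unchecked size computation in which a count of zero turns into a zero-byte allocation request, and next to it an allocation helper that refuses zero-sized requests outright, counts them as a runtime signal, and guards the multiplication against wrap-around.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format used only for this example: one byte holding a
 * record count, followed by `count` 4-byte records. */
#define RECORD_SIZE 4

/* Unchecked size computation in the style of the defect: the count comes
 * straight from the input and is multiplied, so count == 0 yields a request
 * for zero bytes. Many allocators hand back a valid, non-NULL pointer for such
 * a request, so a NULL check alone does not catch it, and any later "at least
 * one record" assumption touches memory the chunk does not own. This function
 * only computes the size; it is kept to show the shape an analyzer would flag. */
size_t record_bytes_unchecked(uint8_t count) {
    return (size_t)count * RECORD_SIZE;
}

/* Counter for zero-sized requests seen by the instrumented allocator below:
 * a cheap runtime signal of the same condition a static analyzer looks for. */
static unsigned long zero_alloc_requests = 0;

unsigned long zero_alloc_requests_seen(void) { return zero_alloc_requests; }

/* Hardened allocation: refuses zero-sized requests, records them, and guards
 * the multiplication against overflow before calling into the allocator. */
void *alloc_records(size_t count, size_t elem_size) {
    if (count == 0 || elem_size == 0) {
        zero_alloc_requests++;
        return NULL;
    }
    if (count > SIZE_MAX / elem_size) {   /* count * elem_size would wrap */
        return NULL;
    }
    return calloc(count, elem_size);
}

/* Parses one message and returns the first record's value, or -1 on any
 * error (truncated input, zero records, allocation failure). */
long long parse_first_record(const uint8_t *msg, size_t len) {
    if (len < 1) return -1;
    uint8_t count = msg[0];
    size_t need = (size_t)count * RECORD_SIZE;
    if (len - 1 < need) return -1;                 /* truncated body */

    uint32_t *records = alloc_records(count, sizeof(uint32_t));
    if (records == NULL) return -1;                /* also rejects count == 0 */

    memcpy(records, msg + 1, need);
    uint32_t first = records[0];                   /* safe: count >= 1 here */
    free(records);
    return (long long)first;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_TWO_RECORDS[] = {
    0x02, 0x41, 0x41, 0x41, 0x41, 0x42, 0x42, 0x42, 0x42
};
static const size_t SAMPLE_TWO_RECORDS_LEN = sizeof(SAMPLE_TWO_RECORDS);
static const uint8_t SAMPLE_ZERO_COUNT[] = { 0x00 };
static const size_t SAMPLE_ZERO_COUNT_LEN = sizeof(SAMPLE_ZERO_COUNT);

int main(void) {
    printf("unchecked size for count 0: %zu bytes\n", record_bytes_unchecked(0));
    printf("two records -> first = %lld\n",
           parse_first_record(SAMPLE_TWO_RECORDS, SAMPLE_TWO_RECORDS_LEN));
    printf("zero count -> %lld (rejected)\n",
           parse_first_record(SAMPLE_ZERO_COUNT, SAMPLE_ZERO_COUNT_LEN));
    printf("zero-sized requests seen: %lu\n", zero_alloc_requests_seen());
    return 0;
}
```

The point of the wrapper is that a zero-sized request is treated as a defect in the caller rather than as something the allocator quietly satisfies; the counter makes such requests visible in testing, which is the runtime counterpart of the static check the abstract describes.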

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
