New Techniques Could Prevent Use-After-Free Exploits: Black Hat

Use-after-free memory flaws regularly impact Microsoft’s Windows operating system and Internet Explorer Web browser, but thanks to new research from Hewlett-Packard, that could soon change.

Brian Gorenc, manager of vulnerability research for HP Security Research, detailed his research at a session at the Black Hat USA conference here Aug. 6 that could curb use-after-free (UAF) attacks. The research was also given to Microsoft earlier this year, as a submission to the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program, which resulted in a $125,000 award for HP’s researchers.

UAF is a class of memory flaws that enable an attacker to make use of authorized memory that normally should not be accessible to an unauthorized application. With UAF, attackers have the potential to execute arbitrary code and take over a system.

HP looked at how UAF vulnerabilities work and researched how isolated heap memory protection works on Windows and how objects are located on a system, Gorenc told eWEEK.

Isolated heap

“We started looking at Microsoft’s memory protection techniques for weakness, and we found several techniques for bypassing the isolated heap,” he said.

One of the things that HP discovered was that the isolated heap doesn’t properly keep track of different object types, which is one potential path to exploitation using a technique known as type confusion. One mitigation that HP recommends is randomized heap allocations, which diminish the effectiveness of type confusion attacks, Gorenc said.

Going a step further, Gorenc and his team were able to use the isolated heap to actually bypass Microsoft’s address space layout randomization (ASLR) feature.

“So we used one memory mitigation against another memory mitigation in order to make exploitation easier,” he said.

HP is also suggesting a mitigation to prevent the ASLR bypass technique, with an approach Gorenc calls the entropy dependent loading of software libraries

“With the entropy dependent approach, we’re limiting the available memory region where objects can be loaded,” he said. “The result is that there is only one location where a module can be loaded, where it can be checked.”

HP provided Microsoft with multiple mitigations to help protect against the issues that Gorenc discussed at Black Hat. Some of the mitigations have been implemented, though not all. The ASLR bypass technique is still possible, he said.

If Microsoft implemented all the mitigations suggested by HP, UAF exploitation on the isolation heap would be a lot more difficult, if not impossible, he said.

Gorenc helps run HP’s Zero Day Initiative (ZDI), which purchases vulnerabilities from researchers. With some mitigations already implemented, he said he has already seen a drop in UAF submissions against Microsoft.

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

BNP Paribas Joins JP Morgan Blockchain Trading Network

French bank BNP Paribas becomes first European bank to join JP Morgan's blockchain-based Onyx Digital…

14 hours ago

SEC Held Off Elon Musk Enforcement ‘Due To Court Fears’

US securities regulators may have refrained from enforcement actions against Elon Musk due to discouraging…

15 hours ago

Snap Earnings Warning Triggers Tech Sell-Off

Investors spooked after Snap warns of deteriorating economic conditions, says earnings now 'below the low…

16 hours ago

Russian Operator Discounts Smartphones As Sanctions Bite

Biggest Russian mobile operator MTS begins selling discounted and second-hand smartphones as Russians hit by…

17 hours ago

Clearview AI Fined £7.5m Over Facial Recognition Data

UK Information Commissioner's Office orders controversial facial recognition firm Clearview AI to delete data it…

18 hours ago

Airbnb To Pull Out Of China Amidst ‘Pandemic Challenges’

Airbnb to pull out of China as ongoing zero-Covid policy places severe restrictions on domestic…

19 hours ago