
Efficient protection against heap-based buffer overflows without resorting to magic

Authors: Yves Younan, Wouter Joosen, and Frank Piessens
Published in: Lecture Notes in Computer Science Volume 4307/2006: Proceedings of the Eighth International Conference on Information and Communication Security (ICICS 2006), Raleigh, North Carolina, U.S.A., Springer-Verlag.
Date: December 2006

Abstract:
Bugs in dynamic memory management, including for instance heap-based buffer overflows and dangling pointers, are an important source of vulnerabilities in C and C++. Overwriting the management information of the memory allocation library is often a source of attack on these vulnerabilities. All existing countermeasures with low performance overhead rely on magic values or canaries. A secret value is placed before a crucial memory location and by monitoring whether the value has changed, overruns can be detected. Hence, if attackers are able to read arbitrary memory locations, they can bypass the countermeasure. In this paper we present an approach that, when applied to a memory allocator, will protect against this attack vector without resorting to magic. We implemented our approach by modifying an existing widely-used memory allocator. Benchmarks show that this implementation has a negligible, sometimes even beneficial, impact on performance.

Attachment: younan_malloc.pdf (293.21 KB)