
Research On Heap Security

Posted on: 2023-03-01
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Liao
Full Text: PDF
GTID: 2558306905999459
Subject: Cyberspace security
Abstract/Summary:
Memory attack and defense has long been an important topic in security research, especially the security of the stack and the heap. With the introduction of various system-level mitigations, stack vulnerabilities have become increasingly difficult to exploit, and heap exploitation has become one of the main ways for attackers to exploit memory corruption vulnerabilities, because it can bypass most system-level mitigations. Most existing analysis of heap security mechanisms is scattered across personal blogs and similar online platforms, and there is no effective, complete analysis and summary. At the same time, current detection methods for heap vulnerabilities are mainly manual auditing and fuzzing: manual auditing is time-consuming and labor-intensive, while fuzzing lacks targeting and also requires manual intervention, so the degree of automation is low. This thesis therefore presents a heap security analysis system called HSASystem and uses it to conduct a systematic security analysis of the heap; it then presents a heap vulnerability detection method based on program backward slicing and symbolic execution and implements a prototype system, HVDetector. In summary, this thesis makes the following contributions:

(1) To address the lack of an effective and complete analysis and summary of heap security mechanisms, this thesis designs and builds a Docker-based heap security analysis system, HSASystem, and uses it to manually conduct a systematic security analysis of heap vulnerabilities, heap vulnerability exploitation techniques, heap security checks and system-level mitigation mechanisms. By cause, heap vulnerabilities are divided into four categories: heap overflow, fake free, use after free and double free. The thesis analyzes the principles and implementations of 18 heap exploitation techniques and verifies the effect of each technique on 11 versions of GLIBC by experiment, analyzing along the way the attack-and-defense process between each exploit and the corresponding heap security checks. Finally, based on the experimental results, the common points and distinguishing characteristics of the 18 techniques are analyzed in depth along four dimensions: the heap vulnerability type exploited, the bin type exploited, the type of metadata corrupted, and the system-level mitigation mechanisms involved.

(2) To address the lack of targeting in current heap vulnerability detection methods and the low analysis efficiency caused by path explosion during symbolic execution, this thesis proposes a vulnerability detection method based on backward slicing and symbolic execution. Program backward slicing is first used to preprocess the target program and extract the suspicious code fragments that may contain heap vulnerabilities, which makes detection more targeted and reduces the code space to be analyzed. In the detection stage, the heap vulnerability detection algorithm is implemented through hooks: while the symbolic execution engine simulates the execution of the target program, the algorithm decides whether a heap vulnerability exists. At the same time, states are pruned according to the suspicious code fragments during symbolic execution, so that paths irrelevant to the vulnerability are not analyzed and detection efficiency improves.

(3) This thesis presents a heap vulnerability detection prototype system, HVDetector, and sets up two groups of experiments to verify the effectiveness of the system and the efficiency gain from the preprocessing module. The first group tests the system on a simple vulnerable program and 10 CTF challenges, producing only one false negative and one false positive, which demonstrates the effectiveness of the detection method. The second group uses the same samples to compare HVDetector with and without the preprocessing module. The results show that the time spent in preprocessing is within an acceptable range when detecting simple programs, while the preprocessing module significantly improves efficiency when detecting complex programs.
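As an added example, not code from the thesis or from HVDetector, the following Python model shows the kind of hook-based check the detection stage describes: a shadow heap tracks every malloc and free the program performs and classifies each suspicious event into the four categories from contribution (1). The trace it replays is constructed for the example; the LIFO reuse of freed chunks of the same size (a rough stand-in for a tcache bin), the heap base and the chunk spacing are modelling assumptions; the backward-slicing preprocessing and the symbolic execution engine are not modelled. In a real hook-based detector these methods would be invoked from hooks on the program's allocator calls and memory accesses.

```python
"""Shadow-heap model for hook-based heap-vulnerability detection.

Added example, not code from the thesis or HVDetector.  Replays a trace
of allocator and memory events and reports heap overflow, fake free,
use after free and double free.  Chunk reuse is LIFO per size (a rough
tcache-like assumption); heap base and chunk spacing are also assumed.
"""
from collections import defaultdict

HEAP_BASE = 0x10000    # assumed start of the modelled heap
HEADER = 0x10          # assumed per-chunk header/padding


class HeapModel:
    def __init__(self):
        self.top = HEAP_BASE
        self.live = {}                  # addr -> size of chunks in use
        self.freed = {}                 # addr -> size of chunks sitting in a bin
        self.bins = defaultdict(list)   # size -> LIFO list of freed addrs
        self.findings = []              # (kind, addr, detail)

    def _report(self, kind, addr, detail):
        self.findings.append((kind, addr, detail))

    def malloc(self, size):
        """Hook for malloc: reuse the most recently freed chunk of this size."""
        if self.bins[size]:
            addr = self.bins[size].pop()
            del self.freed[addr]
        else:
            addr = self.top
            self.top += size + HEADER
        self.live[addr] = size
        return addr

    def free(self, addr):
        """Hook for free: classify frees of pointers that are not live."""
        if addr in self.live:
            size = self.live.pop(addr)
            self.freed[addr] = size
            self.bins[size].append(addr)
        elif addr in self.freed:
            self._report("double free", addr, "chunk is already in a bin")
        else:
            self._report("fake free", addr, "pointer was never returned by malloc")

    @staticmethod
    def _find(table, addr):
        for base, size in table.items():
            if base <= addr < base + size:
                return base, size
        return None

    def access(self, op, addr, length):
        """Hook for a memory read/write of `length` bytes starting at addr."""
        hit = self._find(self.freed, addr)
        if hit:
            self._report("use after free", addr, f"{op} of freed chunk at {hit[0]:#x}")
            return
        hit = self._find(self.live, addr)
        if hit is None:
            self._report("wild access", addr, f"{op} outside any known chunk")
            return
        base, size = hit
        if addr + length > base + size:
            over = addr + length - (base + size)
            self._report("heap overflow", addr, f"{op} of {length} bytes runs {over} past chunk end")


def run_trace(trace):
    """Replay (op, ...) events; names map to pointers returned by malloc."""
    model = HeapModel()
    ptrs = {}
    for ev in trace:
        op = ev[0]
        if op == "malloc":
            _, name, size = ev
            ptrs[name] = model.malloc(size)
        elif op == "free":
            _, target = ev
            model.free(ptrs.get(target, target))   # raw ints allowed for fake frees
        elif op in ("read", "write"):
            _, target, length = ev
            model.access(op, ptrs[target], length)
        else:
            raise ValueError(f"unknown event {ev!r}")
    return model.findings


# Constructed trace covering the four vulnerability classes.
SAMPLE_TRACE = [
    ("malloc", "a", 0x20),
    ("malloc", "b", 0x20),
    ("write", "a", 0x28),        # 8 bytes past a's end: heap overflow into b
    ("free", "a"),
    ("free", "a"),               # double free
    ("free", "b"),
    ("read", "b", 8),            # use after free
    ("free", 0x41414141),        # attacker-controlled pointer: fake free
]

if __name__ == "__main__":
    for kind, addr, detail in run_trace(SAMPLE_TRACE):
        print(f"{kind:15} @ {addr:#x}: {detail}")
```

Because the model keeps freed chunks in a per-size LIFO bin, it also reproduces the reuse behaviour that makes use-after-free exploitable: a malloc of the same size hands back the chunk that was just freed, so a stale pointer and a fresh allocation alias the same memory. In a symbolic-execution setting the same checks run inside hooks on malloc, free and memory accesses, and a finding terminates the state with a concrete witness path.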
Keywords/Search Tags:Heap vulnerability, Heap exploits, Heap vulnerability detection, Backward slicing, Symbolic execution