RUMA: On the Analysis of Defenses based on Misaligned Accesses

07/03/2018
by Daehee Jang, et al.

The adoption of randomness in heap layout has rendered a good portion of heap vulnerabilities unexploitable. However, some remaining vulnerabilities are still exploitable even under a randomized heap layout. According to our analysis, such heap exploits often require pointer-width allocation granularity in order to inject fake pointers. To address this problem, we explore the efficacy of adopting byte-level (unaligned or misaligned) allocation granularity as part of the heap exploit defenses, since pointer-spraying attack techniques are on the rise. Heap randomization in general is a well-trodden area. However, the efficacy of byte-granularity randomization has never been fully explored, as it involves unaligned heap memory accesses, which degrade performance and raise compatibility issues. In this paper, we discuss byte-granularity heap randomization and conduct a comprehensive analysis along three dimensions: (i) security mitigation effectiveness, (ii) performance impact, and (iii) compatibility with existing applications. Moreover, we designed a new heap allocator (RUMA) based on the results of this analysis. The security discussion is based on case studies of 20 publicly disclosed heap vulnerabilities. The performance and compatibility analysis is based on a cycle-level microbenchmark, SPEC2006, Coreutils, Nginx, and ChakraCore.
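To make the byte-granularity idea concrete, here is an added illustration (not RUMA's own allocator, and not code from the paper) of a malloc() wrapper that shifts every returned chunk by a random number of bytes below the pointer width, records the shift in a header byte so free() can recover the real base, and shows the compatibility cost the abstract mentions: pointer-sized fields inside such chunks may be unaligned and must be read with memcpy. The names (misaligned_malloc, misaligned_shift, misaligned_free, read_ptr_field, distinct_shifts, demo_seed), the one-byte header layout, the xorshift32 generator and the assumption of an 8-byte pointer width on a malloc() that returns 8-aligned bases are all this example's own choices.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define GRANULARITY 8  /* pointer width on 64-bit targets; shifts are drawn from [0, 8) */

/* Deterministic xorshift32 for reproducibility; a real allocator would use a CSPRNG. */
static uint32_t rng_state = 0x9E3779B9u;
void demo_seed(uint32_t s) { rng_state = s ? s : 1u; }
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Chunk layout: [base][pad][shift byte][user data]. user = base + GRANULARITY + shift,
 * so on an 8-aligned malloc() base, (user % 8) == shift. The byte just below the user
 * pointer records the shift so misaligned_free() can recover the real base. */
void *misaligned_malloc(size_t size) {
    unsigned char *base = malloc(size + 2 * GRANULARITY);
    if (!base) return NULL;
    unsigned char shift = (unsigned char)(rng_next() % GRANULARITY);
    unsigned char *user = base + GRANULARITY + shift;
    user[-1] = shift;
    return user;
}

unsigned misaligned_shift(const void *p) { return ((const unsigned char *)p)[-1]; }
void misaligned_free(void *p) {
    if (p) free((unsigned char *)p - GRANULARITY - ((unsigned char *)p)[-1]);
}

/* Compatibility cost: a pointer field inside such a chunk may itself be unaligned, so read
 * it with memcpy; a direct *(uintptr_t *) dereference is UB and faults on strict-alignment CPUs. */
uintptr_t read_ptr_field(const void *field) {
    uintptr_t v;
    memcpy(&v, field, sizeof v);
    return v;
}

/* Count the distinct shifts seen over n allocations (all GRANULARITY residues expected). */
int distinct_shifts(int n) {
    int seen[GRANULARITY] = {0}, count = 0;
    for (int i = 0; i < n; i++) {
        void *p = misaligned_malloc(32);
        if (!p) break;
        unsigned s = misaligned_shift(p);
        if (!seen[s]) { seen[s] = 1; count++; }
        misaligned_free(p);
    }
    return count;
}
```

Because the shift varies per chunk, the address of any pointer-sized field inside a chunk is no longer a multiple of the pointer width, which is the property the paper argues breaks exploits that rely on pointer-width allocation granularity; the price is that every such field must be accessed with alignment-safe code.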
