{"637853":{"#nid":"637853","#data":{"type":"news","title":"New Tool Brings Fuzzing Approach to Memory System Security","body":[{"value":"\u003Cp\u003EHeap allocators manage one of the most common types of memory, but Georgia Tech researchers have created an automated tool that reveals how exploitable they are.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EUnlike other heap exploitation techniques that require considerable effort from the researcher, ArcHeap can autonomously explore the system.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Many heap exploitation techniques have been discovered by researchers; however, this task always relies on manual efforts,\u0026rdquo; said School of Computer Science (SCS) Ph.D. student \u003Cstrong\u003E\u003Ca href=\u0022https:\/\/jakkdu.github.io\/\u0022\u003EInsu Yun\u003C\/a\u003E\u003C\/strong\u003E. \u0026ldquo;We wanted to automate this process.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EHeap exploitation techniques\u003C\/strong\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003EHeap is dynamically allocated memory, or memory whose size is determined during program execution. Heap allocators manage it efficiently, yet they are also very susceptible to attack.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EExploitation techniques abuse underlying heap allocator mechanisms to exploit vulnerabilities. Popular systems software is plagued by heap-related vulnerabilities. 
Microsoft \u003Ca href=\u0022https:\/\/twitter.com\/epakskape\/status\/984481101937651713\u0022\u003Esaid\u003C\/a\u003E heap vulnerabilities led to more than half of their security problems in 2017. Heap vulnerability attacks have also been seen in popular software such as WhatsApp, VMware, and Eximail in 2019.\u003C\/p\u003E\r\n\r\n\u003Cp\u003ESince each exploit is specific to the allocator, previous research was specialized and manually done. This created a barrier to understanding security issues with various heap allocators and led to even more attacks.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EHow ArcHeap works\u003C\/strong\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003EArcHeap introduces operations and attack capabilities to see if these trigger an exploitation. The approach is comparable to fuzzing, an automatic software testing technique that inputs random data to expose vulnerabilities.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;We found that fuzzing is very useful for finding software vulnerabilities, so we extended this idea into discovering heap exploitation techniques,\u0026rdquo; Yun said. \u0026ldquo;However, classical fuzzing cannot be naively applied to this new problem, so ArcHeap employs several new ideas.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe researchers determined heap allocators share common design components that allowed them to abstract enough so that the tool can be applied to any allocator. ArcHeap also synthesizes its findings as it moves through the allocator to reduce redundancies.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EArcHeap\u0026rsquo;s findings\u003C\/strong\u003E\u003C\/p\u003E\r\n\r\n\u003Cp\u003EResearchers evaluated ArcHeap on 11 allocators and found five new exploitation techniques in Linux\u0026#39;s default allocator, ptmalloc2. 
Despite decades of research in this area, ArcHeap successfully discovered heap exploitation techniques in ptmalloc2.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026ldquo;Our results show that their manual security analysis was insufficient to cover a large space of heap exploitation techniques,\u0026rdquo; Yun said. \u0026ldquo;As a result of\u0026nbsp;this insufficient manual testing, these allocators were actually not secure as their claims.\u0026rdquo;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThey also found vulnerabilities in seven of the 10 other popular allocators.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAlthough right now ArcHeap can determine if a heap allocator is vulnerable or not, the researchers hope to put a quantitative value on that security in the future.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThey presented the research in the paper, \u003Ca href=\u0022https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/yun\u0022\u003E\u003Cem\u003EAutomatic Techniques to Systematically Discover New Heap Exploitation Primitives\u003C\/em\u003E\u003C\/a\u003E, at \u003Ca href=\u0022https:\/\/www.usenix.org\/conference\/usenixsecurity20\u0022\u003EUsenix\u0026rsquo;s 29\u003Csup\u003Eth\u003C\/sup\u003E Security Symposium\u003C\/a\u003E from August 12 to 14. Yun co-wrote the paper with SCS Associate Professor \u003Ca href=\u0022https:\/\/taesoo.kim\/\u0022\u003ETaesoo Kim\u003C\/a\u003E and Facebook\u0026rsquo;s Dhaval Kapil.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u0026nbsp;\u003C\/p\u003E\r\n","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"Unlike other heap exploitation techniques that require considerable effort from the researcher, ArcHeap can autonomously explore the system. 
"}],"uid":"34541","created_gmt":"2020-08-13 17:48:23","changed_gmt":"2020-08-13 18:01:37","author":"Tess Malone","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2020-08-13T00:00:00-04:00","iso_date":"2020-08-13T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"637856":{"id":"637856","type":"image","title":"ArcHeap","body":null,"created":"1597341678","gmt_created":"2020-08-13 18:01:18","changed":"1597341678","gmt_changed":"2020-08-13 18:01:18","alt":"ArcHeap","file":{"fid":"242596","name":"Screen Shot 2020-08-13 at 2.00.20 PM.png","image_path":"\/sites\/default\/files\/images\/Screen%20Shot%202020-08-13%20at%202.00.20%20PM.png","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/images\/Screen%20Shot%202020-08-13%20at%202.00.20%20PM.png","mime":"image\/png","size":93052,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/Screen%20Shot%202020-08-13%20at%202.00.20%20PM.png?itok=JA9q6KQP"}}},"media_ids":["637856"],"groups":[{"id":"47223","name":"College of Computing"},{"id":"50875","name":"School of Computer Science"}],"categories":[],"keywords":[],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003ETess Malone, Communications Officer\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Ca href=\u0022mailto:tess.malone@cc.gatech.edu\u0022\u003Etess.malone@cc.gatech.edu\u003C\/a\u003E\u003C\/p\u003E\r\n","format":"limited_html"}],"email":[],"slides":[],"orientation":[],"userdata":""}}}