New Techniques Could Prevent Use-After-Free Exploits: Black Hat

The single most pervasive zero-day is use-after-free (UAF), but new research from HP detailed at Black Hat could change that and eliminate many UAF bugs.


LAS VEGAS—Use-after-free memory flaws regularly impact Microsoft's Windows operating system and Internet Explorer Web browser, but thanks to new research from Hewlett-Packard, that could soon change.

Brian Gorenc, manager of vulnerability research for HP Security Research, detailed his research at a session at the Black Hat USA conference here Aug. 6 that could curb use-after-free (UAF) attacks. The research was also given to Microsoft earlier this year, as a submission to the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program, which resulted in a $125,000 award for HP's researchers.

UAF is a class of memory flaws that enable an attacker to make use of authorized memory that normally should not be accessible to an unauthorized application. With UAF, attackers have the potential to execute arbitrary code and take over a system.

HP looked at how UAF vulnerabilities work and researched how isolated heap memory protection works on Windows and how objects are located on a system, Gorenc told eWEEK.

"We started looking at Microsoft's memory protection techniques for weakness, and we found several techniques for bypassing the isolated heap," he said.

One of the things that HP discovered was that the isolated heap doesn't properly keep track of different object types, which is one potential path to exploitation using a technique known as type confusion. One mitigation that HP recommends is randomized heap allocations, which diminish the effectiveness of type confusion attacks, Gorenc said.

Going a step further, Gorenc and his team were able to use the isolated heap to actually bypass Microsoft's address space layout randomization (ASLR) feature.

"So we used one memory mitigation against another memory mitigation in order to make exploitation easier," he said.

HP is also suggesting a mitigation to prevent the ASLR bypass technique, with an approach Gorenc calls the entropy dependent loading of software libraries.

"With the entropy dependent approach, we're limiting the available memory region where objects can be loaded," he said. "The result is that there is only one location where a module can be loaded, where it can be checked."

HP provided Microsoft with multiple mitigations to help protect against the issues that Gorenc discussed at Black Hat. Some of the mitigations have been implemented, though not all. The ASLR bypass technique is still possible, he said.

If Microsoft implemented all the mitigations suggested by HP, UAF exploitation on the isolation heap would be a lot more difficult, if not impossible, he said.

Gorenc helps run HP's Zero Day Initiative (ZDI), which purchases vulnerabilities from researchers. With some mitigations already implemented, he said he has already seen a drop in UAF submissions against Microsoft.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.