中文 |

Newsroom

Researchers Propose an Effective Method for Detecting Concurrency Memory Corruption Vulnerabilities

Dec 05, 2019

Memory corruption vulnerabilities, known as concurrency vulnerabilities, can occur in multithreaded executions. They are harmful and can be exploited to launch severe attacks. Unfortunately, it’s difficult to detect them due to non-determination multithreaded executions. 

One straightforward detection approach is to explore all possible thread interleaving (e.g., model checking approaches); however, the executions of multithreaded programs suffer from interleaving space explosion problem. Other approaches including data race detectors and techniques based on constraints soling have been proved to be ineffective. 

Recently, a research team led by Prof. CAI Yan from the State Key Laboratory of Computer Science, Institute of Software of the Chinese Academy of Sciences (ISCAS), presented a novel detection method. This method focused on three kinds of concurrency vulnerabilities involving memory corruptions (i.e., UAF: Use-After-Free, NPD: Null-Pointer-Dereference and DF: Double Free), which are mostly considered to be caused by orders. 

Two threads are shown in Fig. 1: a thread t1 dereferences a pointer via p->test(), and a second thread t2 frees the same pointer free(p). A concurrency UAF can occur if thread t2 executes free(p) before thread t1. 

"The key to detect concurrency vulnerabilities is to determine whether two or more out of a set of memory operation events in a given execution are exchangeable. Based on this, we propose a new concept of 'Exchangeable Events' to determine whether the orders of two events can be probably reversed," said Prof. CAI. 

If there exists a third event (eany in Fig. 2) that satisfies a set of relationship with the given two events (e1 and e2), there will be a high probability for the two events to be exchangeable events, and smaller the distance between the two given events, the higher probability to reverse the execution order of the two events. 

The researchers thus proposed an evaluation on the distance based on a third event (Fig. 2). Exchangeable events were defined across synchronizations; hence, they had larger coverage. They further designed three algorithms to detect these three kinds of concurrency vulnerabilities from correct executions based on exchangeable events. 

"This method has been evaluated to be effective on detecting concurrency vulnerabilities even in large-scale programs," said Prof. CAI. 

The study entitled "Detecting Concurrency Memory Corruption Vulnerabilities" was published in the 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE2019). 

  

Fig. 1. A concurrency vulnerability caused by orders. (Image by ISCAS) 
 

 

Fig. 2. Illustration on exchangeable events. (Image by ISCAS)
Contact

GAO Ziyue

Institute of Software

E-mail:

Detecting concurrency memory corruption vulnerabilities

Related Articles
Contact Us
  • 86-10-68597521 (day)

    86-10-68597289 (night)

  • 86-10-68511095 (day)

    86-10-68512458 (night)

  • cas_en@cas.cn

  • 52 Sanlihe Rd., Xicheng District,

    Beijing, China (100864)

Copyright © 2002 - Chinese Academy of Sciences