SECURE PROGRAMMING
Chapter 4
Dynamic Memory Management
Overview
Introduction
C Memory Management
Common C Memory Management errors
C++ Dynamic Memory Management
Common C++ Dynamic Memory Management Errors
Memory Managers
Doug Lea's Memory Allocator
RtlHeap
Heap management vulnerabilities
Buffer overflows
Double-Free Vulnerabilities
Writing to freed memory
Another Windows vulnerability: Look-Aside Table
Mitigation Strategies
Vulnerability Hall of Shame
Summary
Introduction
Memory management is a source of:
programming defects
security flaws
vulnerabilities
Main causes:
Double freeing
Buffer overflows
use of freed pointers
and so on
C Memory Management
Functions defined:
malloc(size_t size)
aligned_alloc(size_t alignment, size_t size)
realloc(void *p, size_t size) (Do not use size=0)
calloc(size_t nmemb, size_t size) (initializes to 0)
free(void *p)
C Memory Management
The importance of alignment
subobjects
complete objects
alignment hierarchy (weaker to stronger/stricter)
max_align_t
alignas(size_t size) (support for SIMD)
extended alignment > max_align_t
overaligned type
Note that realloc() does not preserve alignment!
C Memory Management
alloca(size_t size)
Allocates on stack area
Usually inlined
Non-standard
Dangerous
Variable length arrays: similar. Lots of caveats
Common C Memory Management Errors
Initialization errors
Random behavior
Security leaks
Use memset(void *s, int c, size_t n) or memset_s()
Can use calloc, provided the product of the arguments doesn't overflow.
Common C Memory Management Errors
Failing to check return values
AIX and Linux may allow allocation requests to succeed even if there is no space, and then kill the process when it tries to access too much memory.
Causes for Heap exhaustion:
memory leaks
Data structures incorrectly implemented
Overall system memory exhausted
Other transient conditions
An example: indirecting through an offset of the returned pointer (p 154)
Common C Memory Management Errors
Dereferencing Null or Invalid Pointers (or their offsets)
Referencing Freed Memory
Freeing Memory Multiple times (example, page 157)
Memory Leaks (can facilitate DoS attacks)
Zero-Length Allocations (pp 159-160)
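As an added example (not from the slides or the book), a C-style allocation helper, compiled as C++ here, that applies the checks from the last two slides: the product-overflow test that calloc performs internally, a check of the returned pointer before it is used, and rejection of zero-length requests. checked_array_alloc and checked_calloc_ok are names chosen for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Constructed helper (not from the slides): allocate and zero an array of
// nmemb elements of `size` bytes each, guarding against the errors listed
// above: product overflow, an unchecked NULL return and zero-length requests.
// Returns nullptr on any failure; *out_bytes receives the allocated size.
void* checked_array_alloc(std::size_t nmemb, std::size_t size, std::size_t* out_bytes) {
    // Zero-length allocation: malloc(0) may return NULL or a unique pointer
    // that must not be dereferenced (implementation-defined), so reject it.
    if (nmemb == 0 || size == 0) return nullptr;
    // Product overflow: a wrapped-around byte count allocates far less than
    // the nmemb elements the caller will later index.
    if (nmemb > SIZE_MAX / size) return nullptr;
    std::size_t bytes = nmemb * size;
    void* p = std::malloc(bytes);
    if (p == nullptr) return nullptr;   // never indirect through an unchecked pointer
    std::memset(p, 0, bytes);           // no uninitialised (possibly secret) bytes
    if (out_bytes != nullptr) *out_bytes = bytes;
    return p;
}

// calloc() performs the overflow check internally and zeroes the block;
// this wrapper only adds the zero-length and NULL handling. Returns true
// when an allocation of nmemb * size bytes could be made (and freed again).
bool checked_calloc_ok(std::size_t nmemb, std::size_t size) {
    if (nmemb == 0 || size == 0) return false;
    void* p = std::calloc(nmemb, size);
    if (p == nullptr) return false;
    std::free(p);
    return true;
}
```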
C++ Dynamic Memory Management
The only dynamic memory operations are:
new type [(initialization list)]
delete item (or ~x)
(Constructors cannot be called explicitly)
new returns a pointer to the object requested; the object is initialized if initializer data is given
new/delete: plain form for “scalar” data, [ ] form for arrays
Also:
new (place) type [(initialization list)]
C++ Dynamic Memory Management Allocation Functions
Class member or global function
May not:
Use namespace other than global
Declare as static in global scope
Returns a void *
First parameter: std::size_t size
The idea is that new is implemented on top of malloc/calloc
Failure throws an exception of type std::bad_alloc unless called with the argument std::nothrow; in that case, it returns a null pointer:
T * p1 = new T; // can throw bad_alloc
T * p2 = new(std::nothrow) T; // returns null pointer on failure
C++ Dynamic Memory Management More on allocation failures
Standard idiom for allocation and allocation failure: Resource Acquisition Is Initialization (RAII):
Attach lifetime of a resource to lifetime of object it refers to
Examples, pages 166, 167, 168 (gets handler address)
C++ Dynamic Memory Management Deallocation Functions
Same restrictions as on allocation functions.
Returns void; first parameter is void *; may have a second parameter. Either:
a) delete() with one parameter
b) delete() with two parameters, the second of type std::size_t
Both scalar and [ ] versions.
If the first argument is a null pointer, the call is a no-op.
If the first argument is anything other than a pointer obtained from the matching allocation function, we have problems.
C++ Dynamic Memory Management Garbage Collection
Optional in C++
Boehm-Demers-Weiser conservative GC does not require use of free/delete.
Can also be used to detect memory leaks.
Weaknesses:
Disguised pointers
Modified pointers
Unreferenced pointers (examples, pp 169-170)
C++ Dynamic Memory Management Garbage Collection
Remedy?
Query the pointer-safety rules in force:
relaxed: normal rules
preferred (similar to relaxed, but a GC may run to detect leaks or “bad pointers”)
strict (a GC may be running)
namespace std {
enum class pointer_safety {relaxed, preferred, strict};
pointer_safety get_pointer_safety();
}
C++ Dynamic Memory Management Garbage Collection
In C++11:
declare_reachable/undeclare_reachable (page 171)
Common C++ Dynamic Memory Management Errors: Bad Allocation
Failure check: C++ allows either a NULL return or exception throwing. Do not mix! (std::nothrow)
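An added example (not from the slides) that ties together the allocation-function rules, the RAII idiom and the "do not mix" rule above: a class named Widget with member operator new in both the throwing and the std::nothrow form, a wrong check that mixes the two conventions, and the two correct patterns. Widget and g_simulate_oom are constructed names; the flag stands in for real heap exhaustion so the failure path runs deterministically.

```cpp
#include <cstddef>
#include <cstdlib>
#include <memory>
#include <new>

// Constructed class with class-member allocation functions (assumption: not
// from the slides). The flag provokes allocation failure without exhausting the heap.
static bool g_simulate_oom = false;

struct Widget {
    int value = 42;
    // Throwing form: returns void*, first parameter std::size_t, throws bad_alloc.
    static void* operator new(std::size_t size) {
        void* p = g_simulate_oom ? nullptr : std::malloc(size);
        if (p == nullptr) throw std::bad_alloc();
        return p;
    }
    // Non-throwing form, selected by `new (std::nothrow) Widget`: returns nullptr.
    static void* operator new(std::size_t size, const std::nothrow_t&) noexcept {
        return g_simulate_oom ? nullptr : std::malloc(size);
    }
    static void operator delete(void* p) noexcept { std::free(p); }
};
// Wrong: mixing the two conventions. The throwing new never returns nullptr,
// so the check is dead code and the exception escapes to the caller.
bool alloc_with_wrong_check(bool oom) {
    g_simulate_oom = oom;
    Widget* w = new Widget;          // throws std::bad_alloc when oom is true
    if (w == nullptr) return false;  // never taken
    delete w;
    return true;
}

// Right, style 1: expect the exception; the RAII owner frees w on every path.
bool alloc_throwing(bool oom) {
    g_simulate_oom = oom;
    try {
        std::unique_ptr<Widget> w(new Widget);
        return w->value == 42;
    } catch (const std::bad_alloc&) { return false; }   // failure handled here only
}

// Right, style 2: ask for the nothrow form and test the pointer.
bool alloc_nothrow(bool oom) {
    g_simulate_oom = oom;
    std::unique_ptr<Widget> w(new (std::nothrow) Widget);
    return w != nullptr;
}

// Shows what the wrong version does under failure: the exception propagates.
bool wrong_check_lets_exception_escape() {
    try { alloc_with_wrong_check(true); return false; }
    catch (const std::bad_alloc&) { return true; }
}
```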
Common C++ Dynamic Memory Management Errors
Improperly pairing C and C++ memory management functions.
C++ is a superset of C, so malloc & friends/free are OK to use. However, they may use different memory areas and they do use different algorithms. Do not mix!
Common C++ Dynamic Memory Management Errors
Use scalar new with scalar delete;
use array new with array delete.
There are new, member new, operator new and
delete, member delete, operator delete.
Operator new may allocate raw memory without calling a constructor; in that case don't call a destructor. Call operator delete instead.
Common C++ Dynamic Memory Management Errors
Double freeing memory:
Common C++ Dynamic Memory Management Errors
Standard C++ containers holding raw pointers do not delete the pointed-to objects, so the programmer has to do it (p 177), but doing it by hand invites a double-free vulnerability (p 178).
Also, not exception-safe.
Solutions:
1) Garbage collecting memory management.
2) Smart pointers: overload -> and * to act like pointers, plus extras (null checks, GC, reference counts, etc.)
Most common smart pointer:
std::shared_ptr from standard library (pp 178/179)
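An added example (not the book's code) of the container problem above: a vector of raw pointers depends on a hand-written delete loop and leaks when an exception skips it, while a vector of std::shared_ptr releases every object exactly once on all paths, copies of the vector included. Tracked is a constructed type used only to count live objects.

```cpp
#include <memory>
#include <stdexcept>
#include <vector>

// Constructed type (not from the slides) that counts live instances so the
// two functions below can report how many objects each one leaks.
struct Tracked {
    static int live;
    Tracked() { ++live; }
    ~Tracked() { --live; }
};
int Tracked::live = 0;

// Raw-pointer container: the vector destroys only the pointers, not the
// objects, so the programmer must delete them by hand. That loop is
// skipped when the fill loop throws, and every object created so far leaks.
// Returns the number of leaked objects.
int raw_pointer_container(bool throw_midway) {
    int before = Tracked::live;
    std::vector<Tracked*> items;
    try {
        for (int i = 0; i < 3; ++i) {
            items.push_back(new Tracked);
            if (throw_midway && i == 1) throw std::runtime_error("midway");
        }
        for (Tracked* t : items) delete t;   // not reached on the throw path
        items.clear();                        // dangling pointers must not survive
    } catch (const std::runtime_error&) {
        // items goes out of scope here: pointers destroyed, objects not
    }
    return Tracked::live - before;
}

// Smart-pointer container: ownership lives in the element type, so the
// vector's own destructor releases every object on every path, including
// unwinding, and copying the vector shares ownership instead of duplicating
// it, so no object can be freed twice. Returns the number of leaked objects.
int smart_pointer_container(bool throw_midway) {
    int before = Tracked::live;
    try {
        std::vector<std::shared_ptr<Tracked>> items;
        for (int i = 0; i < 3; ++i) {
            items.push_back(std::make_shared<Tracked>());
            if (throw_midway && i == 1) throw std::runtime_error("midway");
        }
        std::vector<std::shared_ptr<Tracked>> copy = items;  // shared, not double-owned
        // both vectors are destroyed here; each Tracked is freed exactly once
    } catch (const std::runtime_error&) {
    }
    return Tracked::live - before;
}
```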
Common C++ Dynamic Memory Management Errors
A deallocation function that throws an exception: NO-NO (p 180)
Memory Managers
Manage both allocated and free memory.
Runs as part of the user process
Three types:
OS supplied
Compiler supplied
User supplied
Algorithm due to D. E. Knuth, The Art of Computer Programming (several editions)
First fit vs best fit.
In-band linked lists may be a bad idea, but there is none better.
Doug Lea's Memory Allocator
dlmalloc
Doug Lea's Memory allocator
Free chunks are arranged in circular, doubly-linked, headed lists called bins.
Small sizes have dedicated bins; larger sizes have bins each dedicated to a range of sizes, arranged in descending size order.
A special bin for recently freed chunks acts like a cache: one chance, and then they are sent to a regular bin.
The unlink macro takes a chunk out of its bin (code page 184, picture page 185)
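An added model (not the real dlmalloc source) of one bin and its unlink step: a sentinel-headed circular doubly-linked list, an unlink that first checks that both neighbours still point back at the chunk, and a constructed scenario in which a chunk whose forward link was overwritten is refused. That check is the safe-unlinking mitigation modern allocators place in front of the two pointer writes of the classic macro; Chunk, Bin and the function names are assumptions.

```cpp
#include <cstddef>

// Constructed model (not the real dlmalloc code) of one bin: a circular,
// doubly-linked list with a sentinel head, plus the "safe unlinking"
// consistency check that current allocators add to the classic unlink.
struct Chunk {
    std::size_t size;
    Chunk* fd;   // forward link
    Chunk* bk;   // backward link
};

struct Bin {
    Chunk head;  // sentinel: fd and bk point at itself while the bin is empty
    Bin() : head{0, &head, &head} {}
};

// Insert a freed chunk at the front of the bin, right after the sentinel.
void bin_insert(Bin& bin, Chunk* c) {
    c->fd = bin.head.fd;
    c->bk = &bin.head;
    bin.head.fd->bk = c;
    bin.head.fd = c;
}

// Checked unlink. The classic macro performs the two pointer writes below
// trusting fd and bk blindly, so overwritten links make the writes land
// wherever the corrupted header says. A chunk whose neighbours do not point
// back at it has a corrupted header: refuse instead of writing.
bool bin_unlink_checked(Chunk* p) {
    if (p->fd->bk != p || p->bk->fd != p) return false;
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    p->fd = p->bk = nullptr;
    return true;
}

// Number of chunks in the bin, sentinel excluded.
int bin_count(const Bin& bin) {
    int n = 0;
    for (const Chunk* c = bin.head.fd; c != &bin.head; c = c->fd) ++n;
    return n;
}

// Scenario: three free chunks, one regular unlink, then chunk b's forward
// link is overwritten (constructed value) the way an overflow from the
// neighbouring chunk would. Returns true if the intact chunk unlinks and
// the corrupted one is refused.
bool demo_safe_unlink() {
    Bin bin;
    Chunk a{32, nullptr, nullptr}, b{32, nullptr, nullptr}, c{32, nullptr, nullptr};
    bin_insert(bin, &a); bin_insert(bin, &b); bin_insert(bin, &c);
    bool intact_ok = bin_unlink_checked(&c) && bin_count(bin) == 2;
    Chunk bogus{0, nullptr, nullptr};
    b.fd = &bogus;                         // bogus.bk != &b, so the check fires
    return intact_ok && !bin_unlink_checked(&b);
}
```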
RtlHeap by Microsoft
RtlHeap by Microsoft: Virtual Memory API
Page based:
32-bit linear addressing
4096-byte pages
Each region is either reserved, committed or free. A region must have common protection, type and base allocation. Pages also carry protection and page-lock flag status bits.
RtlHeap by Microsoft: Heap Memory API
HeapCreate(maxsize...) → unique handle
Default heap, handle obtainable with GetProcessHeap()
RtlHeap by Microsoft: Local, Global Memory API
Provides local and global memory management for backward compatibility with Windows 3.1
RtlHeap by Microsoft: CRT Memory Functions
Before Win32, much FUD; with Win32, the CRT uses local/global memory management and is safe and portable.
RtlHeap by Microsoft: Memory-Mapped File API
Virtual address space mapped directly onto a file: → file access becomes dereferencing a pointer.
RtlHeap by Microsoft: Data Structures
Uses virtual memory API,
Implements all the others
Constantly evolving
Programmers need to assume the least secure version.
Internal data structures:
Process environment block
free lists
look aside lists
memory chunk structures
RtlHeap by Microsoft: Data Structures: Process Environment Block
Maintains global variables for each process.
RtlHeap by Microsoft: Data Structures: FreeList[]
Array of 128 LIST_ENTRY structs = heads of doubly-linked lists.
Located at offset 0x178 from the address returned by HeapCreate().
Keeps track of free chunks of a particular size: index*8, except FreeList[0], which keeps buffers > 1024 bytes and < the virtual allocation threshold, sorted from smallest to largest.
RtlHeap by Microsoft: Data Structures: Look-aside Lists
Requires HEAP_NO_SERIALIZE not set and HEAP_GROWABLE set (the defaults)
Creates 128 singly-linked look-aside lists
Speed up allocation of small (< 1016 bytes) blocks
Start out empty, grow as memory is freed.
RtlHeap by Microsoft: Data Structures: Memory Chunks
This structure precedes the address returned by HeapAlloc by 8 bytes. Chunk size fields are given in quadwords (i.e. bytes/8).
RtlHeap by Microsoft: Data Structures: Memory Chunks
Free chunk picture:
(RtlHeap by Microsoft, figure slides; images not reproduced)
(Doug Lea's Memory allocator, figure slide; image not reproduced)
Double-Free Vulnerabilities
Mitigation Strategies
Vulnerability Hall of Shame
Summary
C Memory Management
Common C Memory Management errors
C++ Dynamic Memory Management
Common C++ Dynamic Memory Management Errors
Memory Managers
Doug Lea's Memory Allocator
Double-Free Vulnerabilities
Mitigation Strategies
Vulnerability Hall of Shame
Summary