Jangseop Shin (Seoul National University and Inter-University Semiconductor Research Center), Donghyun Kwon (Seoul National University and Inter-University Semiconductor Research Center), Jiwon Seo (Seoul National University and Inter-University Semiconductor Research Center), Yeongpil Cho (Soongsil University), Yunheung Paek (Seoul National University and Inter-University Semiconductor Research Center)

Pointer invalidation has been a popular approach adopted in many recent studies to mitigate use-after-free errors. The approach can be divided largely into two different schemes: explicit invalidation and implicit invalidation. The former aims to eradicate the root cause of use-after-free errors by invalidating every dangling pointer one by one explicitly. In contrast, the latter aims to prevent dangling pointers by freeing an object only if there is no pointer referring to it. A downside of the explicit scheme is that it is expensive, as it demands high-cost algorithms or a large amount of space to maintain every up-to-date list of pointer locations linking to each object at all times. Implicit invalidation is more efficient in that even without any explicit effort, it can eliminate dangling pointers by leaving objects undeleted until all the links between the objects and their referring pointers vanish by themselves during program execution. However, such an argument only holds if the scheme knows exactly when each link is created and deleted. Reference counting is a traditional method to determine the existence of reference links between objects and pointers. Unfortunately, impeccable reference counting for legacy C/C++ code is very difficult and expensive to achieve in practice, mainly because of the type unsafe operations in the code. In this paper, we present a solution, called CRCount, to the use-after-free problem in legacy C/C++. For effective and efficient problem solving, CRCount is armed with the pointer footprinting technique that enables us to compute, with high accuracy, the reference count of every object referred to by the pointers in the legacy code. Our experiments demonstrate that CRCount mitigates the use-after-free errors with a lower performance-wise and space-wise overhead than the existing pointer invalidation solutions.

View More Papers

Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session...

Cas Cremers (CISPA Helmholtz Center for Information Security), Martin Dehnel-Wild (University of Oxford)

Read More

Don't Trust The Locals: Investigating the Prevalence of Persistent...

Marius Steffens (CISPA Helmholtz Center for Information Security), Christian Rossow (CISPA Helmholtz Center for Information Security), Martin Johns (TU Braunschweig), Ben Stock (CISPA Helmholtz Center for Information Security)

Read More

Nearby Threats: Reversing, Analyzing, and Attacking Google’s ‘Nearby Connections’...

Daniele Antonioli (Singapore University of Technology and Design (SUTD)), Nils Ole Tippenhauer (CISPA), Kasper Rasmussen (University of Oxford)

Read More

Geo-locating Drivers: A Study of Sensitive Data Leakage in...

Qingchuan Zhao (The Ohio State University), Chaoshun Zuo (The Ohio State University), Giancarlo Pellegrino (CISPA, Saarland University; Stanford University), Zhiqiang Lin (The Ohio State University)

Read More