Efficient Use-After-Free Prevention with Pooling, OS-assisted, and Opportunistic Page-Level Sweeping

Abstract

Defeating use-after-free exploits presents a challenging problem, one for which a universal solution remains elusive. Recent efforts towards efficient prevention of use-after-free exploits have found that delaying the reuse of freed memory can both be effective and efficient in many cases. Such efforts are again classified into two categories: one where reuse is postponed until the allocator can confidently ascertain the absence of any dangling pointers to the freed memory, and another that refrains from reusing a freed heap chunk until the program's termination. We make an intriguing observation from our in-depth analysis of these two approaches and their reported performance impacts. When compared to the design that delays the reuse until the program terminates, the other strategy suffers from a significant performance overhead for some workloads. The change in the way each heap chunk is reused affects the distribution of allocated chunks in the heap, and the performance of some benchmarks. This study proposes HUSHVAC+, an allocator that performs delayed reuse in such a way that the distribution of heap chunks becomes more friendly to such workloads. HUSHVAC+ takes care of the locality when reusing previously freed heap chunks, adaptively pools the chunks considering the expected lifespan, and is assisted by a tailored OS service to quickly return physical pages to the system. An evaluation of HUSHVAC+ showed that the average performance overhead of HUSHVAC+ (1.5%) was similar to or lower than that of the state-of-the-art (11.4%, 4.7%, 0.0%, and 2.1%) when running the SPEC CPU 2006 benchmark suite. Specifically, the overhead of HUSHVAC+ on the distribution-sensitive benchmark, xalancbmk, was about 4.8% while the prior work has an overhead of 110%, 35.2%, 34.5%, and 27.1%