
Use-after-free vulnerabilities are classic vulnerabilities that exploit memory locations that have been deallocated. A lot of sources state that this is a vulnerability of very high severity. They're generally induced in two ways: confusion regarding which segment of code handles freeing memory, and error issues that free memory but do not dereference the pointer to that memory. Why are they important? Use-after-free vulnerabilities have nearly the same impact as buffer overflows: the ability to compromise data stored in memory in the pool, the capacity to crash the program that's running, and the possibility to execute arbitrary code. If a programmer learns about any vulnerabilities, generally they're only going to learn about buffer overflows until they become a much more experienced programmer.
It is a current attack vector: we have s 1263, which was a use-after-free vulnerability in Microsoft Internet Explorer. Metasploit has a great summary of the details, as well as a really great write-up that gets very technical.
So I'm setting everything up.
You visit the page, you don't see anything except to rewrite
attention, crashes,
but this is serious; it gave a career privileges.
Great, they help people, I don't, a lot of.
It's going to create some buffers that are public, that they should be able to see, and it's going to create some others that are private, that they shouldn't be able to see. It's going to display that before it frees memory. Then it's going to free the memory of one of the buffers, send it out, and allocate two private buffers; those private buffers are not supposed to be seen either. Then it's going to display the pointers and execute a simple use-after-free vulnerability so that we can see the concepts. It shows why a use-after-free vulnerability works. In the end it will print all the public and private buffers and we can see the consequences.
Yes, what is the difference between a public and a private buffer? The public buffer is simply one that we give a user access to with the command line arguments, and the private buffer is one that they should not have access to. Can everyone read this?
the teacher of a star's life he'll be up and inside there some of them drag that window
Okay, so this is taking the arguments: users can write, users can read. Now we're going to see the public buffers with our arguments, which we can read and write to. Then we're creating our private buffers after we free public buffer two. Because we did not null the pointer for public buffer two, we can see that public buffer two is pointing to the same memory location here as private buffer one. They were allocated the same space because we freed it, and because we did not null that pointer we still have access to what is now supposed to be private. So we displayed public buffer two again and
we can see this private data that was not supposed to be displayed. We write to that buffer, and we can now write over this data that was supposed to be private. I run it again, this time using a larger buffer for my third argument, and I actually switch which private buffer I'm writing over.
So, going to dissect a bit what's happening. malloc is the system call used to ask the operating system for memory for your program and your variables. So here we can see that
we can see that it's calling the system call malloc, and that we are getting the result, the memory location, in eax, and we are moving that into these local variables, local one and local two. These are public buffer one and two. The line above that is just one example, and the second line is public buffer two. The next thing that code used was string copy; that's going to take one of our arguments from the command line and put it into our buffer, with a third argument of the size of that buffer, so we're not going
So then we're going to get to some parts that are a bit more interesting to this vulnerability: we have a free followed by a memory allocation. Take a closer look at this. When we call the memory allocation, we can see that it returns c1148, a memory location, and the next one a different value. But when we go to access local three, local three is still storing c..., which, local three is public buffer two; c1148 is now
So again, this is a simple example just to introduce people to the concepts behind a use-after-free vulnerability, so that people can start diving into it more. This was just the case of who's supposed to be dereferencing memory and who's supposed to be taking care of that. Another example is your error handling: you create a buffer, you error out, and you didn't clear, you didn't dereference the pointer when you did deallocate. So in case you were doing static code analysis, you could look for some of these; it's a little bit harder with some of the error handling, but if
you create robust methods where, whenever you are deallocating memory, you make sure that you're handling and nulling the pointer to that memory as well, you can avoid a lot of the simple cases.
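The public/private buffer demo the talk walks through, and the "null the pointer when you free" mitigation it ends on, as an added example that is not the speaker's demo program. To make the chunk reuse deterministic regardless of which libc allocator is in use, it hands out fixed-size slots from a small simulated heap with a LIFO free list (an assumption standing in for malloc/free, which behave the same way for a just-freed chunk on common allocators); the buffer contents stand in for the command-line arguments and are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Toy simulated heap (assumption, not libc): 8 slots of 64 bytes.
 * A freed slot goes on a LIFO free list and is handed straight back
 * to the next request, which is what makes the stale pointer alias
 * the new allocation. */
#define SLOT_SIZE  64
#define SLOT_COUNT 8

static char heap[SLOT_COUNT * SLOT_SIZE];
static int  free_stack[SLOT_COUNT];   /* indices of freed slots, LIFO */
static int  free_top   = 0;
static int  next_fresh = 0;           /* slots never handed out yet */

static void heap_reset(void)
{
    free_top = 0;
    next_fresh = 0;
    memset(heap, 0, sizeof heap);
}

/* Like malloc(SLOT_SIZE): prefer the most recently freed slot. */
static char *heap_alloc(void)
{
    if (free_top > 0)
        return heap + free_stack[--free_top] * SLOT_SIZE;
    if (next_fresh < SLOT_COUNT)
        return heap + (next_fresh++) * SLOT_SIZE;
    return NULL;
}

/* Like free(): returns the slot to the free list. It does not touch
 * the caller's pointer, which is exactly what leaves it dangling. */
static void heap_free(char *p)
{
    free_stack[free_top++] = (int)((p - heap) / SLOT_SIZE);
}

/* Bounded copy, like the string copy with a size argument in the demo. */
static void copy_arg(char *dst, const char *src)
{
    strncpy(dst, src, SLOT_SIZE - 1);
    dst[SLOT_SIZE - 1] = '\0';
}

/* The talk's flow: two public buffers, free the second, allocate two
 * private buffers, then keep using the stale public pointer.
 * Returns 1 if public2 ends up reading and writing private1's memory. */
int run_vulnerable(void)
{
    heap_reset();
    char *public1 = heap_alloc();
    char *public2 = heap_alloc();
    copy_arg(public1, "user data 1");           /* constructed argv[1] */
    copy_arg(public2, "user data 2");           /* constructed argv[2] */

    heap_free(public2);                         /* BUG: pointer not nulled */

    char *private1 = heap_alloc();              /* gets public2's old slot */
    char *private2 = heap_alloc();
    copy_arg(private1, "SECRET private 1");
    copy_arg(private2, "SECRET private 2");

    int aliased = (public2 == private1);        /* the dangling pointer */
    copy_arg(public2, "overwritten by user");   /* constructed argv[3] */
    return aliased && strcmp(private1, "overwritten by user") == 0;
}

/* Same flow with the mitigation: null the pointer when you free it and
 * check for NULL before any later use. Returns 1 if private1 stayed intact. */
int run_fixed(void)
{
    heap_reset();
    char *public1 = heap_alloc();
    char *public2 = heap_alloc();
    copy_arg(public1, "user data 1");
    copy_arg(public2, "user data 2");

    heap_free(public2);
    public2 = NULL;                             /* FIX: no dangling pointer */

    char *private1 = heap_alloc();
    char *private2 = heap_alloc();
    copy_arg(private1, "SECRET private 1");
    copy_arg(private2, "SECRET private 2");

    if (public2 == NULL)                        /* later use is refused */
        return strcmp(private1, "SECRET private 1") == 0;
    copy_arg(public2, "overwritten by user");   /* never reached */
    return 0;
}

int main(void)
{
    printf("vulnerable: private1 clobbered via stale pointer? %d\n", run_vulnerable());
    printf("fixed:      private1 intact? %d\n", run_fixed());
    return 0;
}
```

The same nulling discipline is what a static analysis rule would look for: every free of a heap pointer followed by an assignment of NULL to that pointer, on every path, including the error-handling paths the talk mentions.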
Yes, are there debuggers or programmer tools that would help you spot this? None that I could find that I could afford. There may be some, but they're not something the student can play with.
This was supposed to be a fireside, so I tried to keep the first part of this presentation short to facilitate the discussion. Yes, that's one clarification: my understanding is this is classic, really, to C, C++ and assembly, but a lot of things are written in this. So anything that has pointers and allocates memory and deallocates memory, if it's not handling the deallocation correctly, you can end up in a situation where you can still access memory without it being allocated; you can access memory out of context.
We've got another 15 minutes of this; it's supposed to be a discussion. Does anyone have any suggestions as to how we can better encourage programming students to learn about different vulnerabilities, and explore for themselves how to create vulnerabilities and learn how to avoid them when writing? I know OWASP has a lot of, like WebGoat, secure code, but for web apps. I don't know. I remember seeing something on Twitter in the past day about there being something that's the same thing but it creates something in the next week, looks like George Lucas, whatever that sounds like, but there may be something like that available; either is great.
Developers drew where you and have it be so, please. Yes, I mean I've seen academic programs just getting students to deal with memory leaks, you know. I think this is one of these vulnerabilities where it's generally the developer, because the program is still a pumpkin, these kind, you know; it's probably a string format vulnerability. Most of the time spotting the vulnerability in the current context is going to be hard, I think, without giving libraries to other developers that will handle this kind of stuff. I mean honestly this is sort of the reason, my impression is, that Java showed up, so that you didn't have to handle this kind of allocation and deallocation.
I think it's going to I
Yes, a little louder. The point being, after you call free, if you null the pointer after you call free, then that pointer can no longer access that location that you've now assigned to something else, so that will go away. But about this problem, whether it's the problem in the first case, there's still difficulties with error handling, which is how, along with another vulnerability, the Internet Explorer vulnerability came about.
There is a great summary about how a complex issue can arise from smaller issues, and it's actually a very good job. Yes, I pretty much understand what's going on here, but maybe you could explain in terms of the stack exactly how we call this, with one private buffer; what happens when you call free? OK, so there's two components. We are asking the operating system to allocate us memory and it returns us a memory address, which we then store in a pointer. Now we can tell the operating system that it can free that, that we don't need that memory. However, if we don't tell the pointer not to point there anymore, that's when this vulnerability is going to
happen, because you can access that, even in a different scope, and now you're accessing memory that's out of reach at that time. Does that help? Yes.
field at any time in 30
Knowledge is just: always look for any time you free. Now that, I know you actually do that; does it solve all cases? There are cases where what you're doing is you're going to point that pointer at a different piece of memory instead of just nulling it out, but you change where it's going to somewhere that you're expecting it.
All the slides and source are under Creative Commons on my website. So absolutely, so you