http://dx.doi.org/10.3745/KTCCS.2017.6.1.43

A Study on the Remove Use-After-Free Security Weakness  

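Park, Yong Koo (Department of Information Security, Graduate School of Information Security, Korea University)
Choi, Jin Young (Department of Information Security, Graduate School of Information Security, Korea University)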
Publication Information
KIPS Transactions on Computer and Communication Systems / v.6, no.1, 2017, pp. 43-50
Abstract
The Use-After-Free security problem is rapidly growing in popularity, especially for attacking web browsers, operating system kernels, and local software. This security weakness is difficult to detect by conventional methods, and if a local system or software has this security weakness, it causes internal security problems. In this paper, we study ways to remove this security weakness in software development by summarizing the causes of the Use-After-Free security weakness and suggesting ways to remove them.
Keywords
Use-After-Free; Security Weakness; Vulnerability; Dangling Pointer; Nullification