Address Sanitize Intro

Created in December 31, 2021

2021   ·   Fuzz

Address Sanitize

Prologue

The document of Address Sanitizer is amazzzzzing, this passage is personal note about the doc.

AddressSanitizer · google/sanitizers Wiki

Intro

It’s project from google, named AddressSanitizer ASan.

  • Use after free / dangling pointer dereference
  • Heap / Stack / Global buffer overflow

Algorithm

Hook malloc and free in run-time. Poising the address around malloc-ed chunk and quarantine the free -ed chunks. When accessing the memory, it would check if the address is poisoned.(This should be very fast because ASan calls the IsPoisoned function millions of times)

Implementation

  • Divide the memory into two parts: Mem and Shadow, the shadow documents the poisoned bytes. MemToShadow transforms the address to corresponding shadow memory and ShadowIsPoisoned would check if the red zone is modified.
  • ASan maps 8 bytes in Mem into 1 byte in Shadow, Shadow = (Mem >> 3) + 0x7fff8000 we have three party (HighMem, Shadow, LowMem)(informal)
  • Report the errors by function ReportError : copy failure address to rax and get access type + size from encoded byte (instruction).

Stack (Official Example)

void foo() {
  char a[8];
  ...
  return;
}
//----------------------------------
void foo() {
  char redzone1[32];  // 32-byte aligned
  char a[8];          // 32-byte aligned
  char redzone2[24];
  char redzone3[32];  // 32-byte aligned
  int  *shadow_base = MemToShadow(redzone1);
  shadow_base[0] = 0xffffffff;  // poison redzone1
  shadow_base[1] = 0xffffff00;  // poison redzone2, unpoison 'a'
  shadow_base[2] = 0xffffffff;  // poison redzone3
  ...
  shadow_base[0] = shadow_base[1] = shadow_base[2] = 0; // unpoison all
  return;
}

Basically, ASan uses 32bytes aligned and adds red-zone before & after the stack variables.

(I think the reason of “32” is the alignment: 32/8=4byte in shadow.)

As we mentioned above, SAn would perform the check while accessing the data.

 # long load8(long *a) { return *a; }
0000000000000030 <load8>:
  30:	48 89 f8             	mov    %rdi,%rax
  33:	48 c1 e8 03          	shr    $0x3,%rax
  37:	80 b8 00 80 ff 7f 00 	cmpb   $0x0,0x7fff8000(%rax)
  3e:	75 04                	jne    44 <load8+0x14>
  40:	48 8b 07             	mov    (%rdi),%rax   <<<<<< original load
  43:	c3                   	retq   
  44:	52                   	push   %rdx
  45:	e8 00 00 00 00       	callq  __asan_report_load8
//--------------------
# int  load4(int *a)  { return *a; }
0000000000000000 <load4>:
   0:	48 89 f8             	mov    %rdi,%rax
   3:	48 89 fa             	mov    %rdi,%rdx
   6:	48 c1 e8 03          	shr    $0x3,%rax
   a:	83 e2 07             	and    $0x7,%edx
   d:	0f b6 80 00 80 ff 7f 	movzbl 0x7fff8000(%rax),%eax
  14:	83 c2 03             	add    $0x3,%edx
  17:	38 c2                	cmp    %al,%dl
  19:	7d 03                	jge    1e <load4+0x1e>
  1b:	8b 07                	mov    (%rdi),%eax    <<<<<< original load
  1d:	c3                   	retq   
  1e:	84 c0                	test   %al,%al
  20:	74 f9                	je     1b <load4+0x1b>
  22:	50                   	push   %rax
  23:	e8 00 00 00 00       	callq  __asan_report_load4

SAn would convert Mem address to Shadow address and check the value of Shadow memory: 0x00 means the memory is regular memory so that the program could use it.

Heap

malloc and free is replaced and _asan_report_load8 is used to report the errors.

malloc would get a chunk with red-zones around it. free would quarantine the free-ed chunk so that the uaf could be detected.