Pitt IS 2620 - Dynamic Memory Management


Secure Coding in C and C++
Dynamic Memory Management
Lecture 6
Acknowledgement: These slides are based on author Seacord's original presentation.

Contents
  Issues
  Dynamic Memory Management
  Memory Management Functions - 1
  Methods to do Dynamic Storage Allocation - 1
  Methods to do Dynamic Storage Allocation - 2
  Dynamic Memory Management Errors
  Initialization
  Failing to Check Return Values
  Checking Return Codes from malloc()
  Incorrect use of Standard new Operator
  Referencing Freed Memory - 1
  Referencing Freed Memory - 2
  Referencing Freed Memory - 4
  Freeing Memory Multiple Times
  Dueling Data Structures - 1
  Dueling Data Structures
  Improperly Paired Memory Management Functions
  Improperly Paired Memory Management Functions - Example Program
  Failure to Distinguish Scalars and Arrays
  Improper Use of Allocation Functions - 1
  Doug Lea's Memory Allocator
  dlmalloc Memory Management - 1
  dlmalloc Memory Management - 2
  dlmalloc Memory Management - 3
  dlmalloc Memory Management - 4
  Free List Double-linked Structure
  dlmalloc - 1
  dlmalloc - 2
  The unlink Macro
  Four-step unlink Example
  Buffer Overflows
  Unlink Technique
  Code Vulnerable to an Exploit Using the unlink Technique - 1
  Using the Size Field to Find the Start of the Next Chunk
  Malicious Argument used in unlink Technique
  Memory in Second Chunk - 1
  Memory in Second Chunk - 2
  The unlink() Macro - 1
  The unlink() Macro - 2
  Frontlink Technique - 1
  Frontlink Technique - 2
  The frontlink Code Segment
  Sample Code Vulnerable to an Exploit using the frontlink Technique - 1
  Frontlink Technique - 3
  The frontlink Code Segment - 1
  Double-Free Vulnerabilities
  Empty bin and Allocated Chunk
  Bin with Single Free Chunk
  Corrupted Data Structures After Second call of free()
  Double-free Exploit Code - 1
  Writing to Freed Memory - Example Program
  Writing to Freed Memory

Issues
  Dynamic Memory Management
  Common Dynamic Memory Management Errors
  Doug Lea's Memory Allocator
  Buffer Overflows (Redux)
  Writing to Freed Memory
  Double-Free
  Mitigation Strategies
  Notable Vulnerabilities

Dynamic Memory Management
Memory allocation in C: calloc(), malloc(), realloc(). Memory is deallocated using the free() function.
Memory allocation in C++ uses the new operator. Memory is deallocated using the delete operator.

Memory Management Functions - 1
malloc(size_t size); Allocates size bytes and returns a pointer to the allocated memory. The memory is not cleared.
free(void *p); Frees the memory space pointed to by p, which must have been returned by a previous call to malloc(), calloc(), or realloc(). If free(p) has already been called before, undefined behavior occurs. If p is NULL, no operation is performed.

Methods to do Dynamic Storage Allocation - 1
Best-fit method: an area with m bytes is selected, where m is the smallest available chunk of contiguous memory equal to or larger than n.
First-fit method: returns the first chunk encountered containing n or more bytes.
To prevent fragmentation, a memory manager may allocate chunks that are larger than the requested size if the space that would remain is too small to be useful.

Methods to do Dynamic Storage Allocation - 2
Memory managers return chunks to the available space list as soon as they become free and consolidate adjacent areas.
Boundary tags help consolidate adjoining chunks of free memory so that fragmentation is avoided. The size field simplifies navigation between chunks.

Dynamic Memory Management Errors
  Initialization errors
  Failing to check return values
  Writing to already freed memory
  Freeing the same memory multiple times
  Improperly paired memory management functions
  Failure to distinguish scalars and arrays
  Improper use of allocation functions

Initialization
Most C programs use malloc() to allocate blocks of memory. A common error is assuming that malloc() zeros memory. Initializing large blocks of memory can impact performance and is not always necessary. Programmers have to initialize memory explicitly, using memset() or by calling calloc(), which zeros the memory.

Failing to Check Return Values
Memory is a limited resource and can be exhausted. Memory allocation functions report status back to the caller: VirtualAlloc() returns NULL; the Microsoft Foundation Class Library (MFC) operator new throws CMemoryException *; HeapAlloc() may return NULL or raise a structured exception. The application programmer should determine when an error has occurred and handle the error in an appropriate manner.

Checking Return Codes from malloc()
  int *i_ptr;
  i_ptr = (int *)malloc(sizeof(int) * nelements_wanted);
  if (i_ptr != NULL) {
      i_ptr[i] = i;
  }
  else { /* Couldn't get the memory - recover */
  }

Incorrect use of Standard new Operator
  int *ip = new int;
  if (ip) { // condition always true ...
  }
  else { // will never execute
  }
The check is useless because standard new reports failure by throwing std::bad_alloc rather than by returning a null pointer.

Referencing Freed Memory - 1
Once memory has been freed, it is still possible to read or write from its location if the memory pointer has not been set to null. An example of this programming error:
  for (p = head; p != NULL; p = p->next) free(p);
Problem? Solution?

Referencing Freed Memory - 2
Reading from already freed memory almost always succeeds without a memory fault, because freed memory is recycled by the memory manager. There is no guarantee that the contents of the memory have not been altered. While the memory is usually not erased by a call to free(), memory managers may use some of the space to manage free or unallocated memory. Writing to a freed memory location is also unlikely to result in a memory fault.

Referencing Freed Memory - 4
If the memory has not been reallocated, writing to a free chunk may overwrite and corrupt the data structures used by the memory manager. This can be used as the basis for an exploit when the data being written is controlled by an attacker.

Freeing Memory Multiple Times
Freeing the same memory chunk more than once is dangerous because it can corrupt the data structures.
  x = malloc(n * sizeof(int));
  /* manipulate x */
  free(x);
  y = malloc(n *
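The best-fit and first-fit selection policies from the "Methods to do Dynamic Storage Allocation" slides, as an added example that is not part of the lecture: a toy free list (the chunk sizes are constructed for the demonstration), a first-fit and a best-fit chooser, and a carve-out step that applies the slide's anti-fragmentation rule of handing out the whole chunk when the remainder would be too small to be useful. The MIN_USEFUL threshold and the chunk struct are assumptions of this example, not values from dlmalloc or the slides.

```c
/* Added example, not from the lecture slides: simulate first-fit vs best-fit
 * selection over a free list and the "don't leave a useless remainder" rule. */
#include <stddef.h>
#include <stdio.h>

#define MIN_USEFUL 16   /* assumed smallest remainder worth keeping as a free chunk */

struct chunk {
    size_t size;   /* bytes available in this chunk */
    int    free;   /* 1 if the chunk is on the free list */
};

/* First-fit: index of the first free chunk holding at least n bytes, or -1. */
int first_fit(const struct chunk *chunks, size_t count, size_t n)
{
    for (size_t i = 0; i < count; i++)
        if (chunks[i].free && chunks[i].size >= n)
            return (int)i;
    return -1;
}

/* Best-fit: index of the smallest free chunk holding at least n bytes, or -1. */
int best_fit(const struct chunk *chunks, size_t count, size_t n)
{
    int best = -1;
    for (size_t i = 0; i < count; i++) {
        if (!chunks[i].free || chunks[i].size < n)
            continue;
        if (best < 0 || chunks[i].size < chunks[(size_t)best].size)
            best = (int)i;
    }
    return best;
}

/* Carve n bytes out of chunk idx and return how many bytes were handed out:
 * n if the chunk is split (the leftover stays on the free list as a smaller
 * chunk), or the whole chunk if the leftover would be below MIN_USEFUL. */
size_t take(struct chunk *chunks, int idx, size_t n)
{
    struct chunk *c = &chunks[idx];
    size_t remainder = c->size - n;
    if (remainder < MIN_USEFUL) {
        c->free = 0;              /* allocate the entire chunk, avoiding a useless sliver */
        return c->size;
    }
    c->size = remainder;          /* this entry now describes the leftover free chunk */
    return n;
}

int main(void)
{
    /* Constructed free list: four free chunks of differing sizes. */
    struct chunk a[] = { {64, 1}, {24, 1}, {40, 1}, {128, 1} };
    struct chunk b[] = { {64, 1}, {24, 1}, {40, 1}, {128, 1} };
    size_t n = 20;

    int f = first_fit(a, 4, n);
    int bst = best_fit(b, 4, n);
    printf("request %zu: first-fit picks chunk %d (%zu bytes), best-fit picks chunk %d (%zu bytes)\n",
           n, f, a[f].size, bst, b[bst].size);
    printf("first-fit hands out %zu bytes, leaving %zu free\n", take(a, f, n), a[f].size);
    printf("best-fit hands out %zu bytes (whole chunk, remainder too small)\n", take(b, bst, n));
    return 0;
}
```

First-fit stops at the 64-byte chunk and splits it, leaving a 44-byte free chunk; best-fit picks the 24-byte chunk and, because only 4 bytes would be left, hands out all 24, which is the over-allocation the slide describes.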
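The errors on the slides above (unchecked allocations, assuming malloc() zeros memory, reading p->next from a node that has just been freed, and freeing the same chunk twice) and their fixes, shown together in one added example that is not part of the lecture. The list type and the build_list/free_list/sum_list functions are this example's own; free_list takes the head by address so it can null it, which is what makes a second call harmless.

```c
/* Added example, not from the lecture slides: a linked list that checks every
 * allocation, zeros nodes with calloc(), never reads freed memory, and nulls
 * the head pointer so a repeated free_list() call frees nothing. */
#include <stdio.h>
#include <stdlib.h>

struct node {
    int value;
    struct node *next;
};

/* Free every node and set *head to NULL. Returns the number of nodes freed.
 * The slide's loop  for (p = head; p != NULL; p = p->next) free(p);
 * reads p->next after free(p); saving next before the free avoids that. */
int free_list(struct node **head)
{
    int freed = 0;
    struct node *p = *head;
    while (p != NULL) {
        struct node *next = p->next;   /* read the link before the node is freed */
        free(p);
        p = next;
        freed++;
    }
    *head = NULL;                      /* a second free_list(head) now frees nothing */
    return freed;
}

/* Build the list 0..n-1. On allocation failure, release the partial list and
 * return NULL with *out_len = 0, so the caller has one status to check. */
struct node *build_list(int n, int *out_len)
{
    struct node *head = NULL, *tail = NULL;
    int len = 0;
    for (int i = 0; i < n; i++) {
        /* calloc() zeros the node, so next starts as NULL; malloc() would not. */
        struct node *nd = calloc(1, sizeof *nd);
        if (nd == NULL) {              /* allocation can fail: check the result */
            free_list(&head);
            *out_len = 0;
            return NULL;
        }
        nd->value = i;
        if (tail == NULL)
            head = nd;
        else
            tail->next = nd;
        tail = nd;
        len++;
    }
    *out_len = len;
    return head;
}

/* Sum the values; only ever walks live nodes. */
int sum_list(const struct node *head)
{
    int total = 0;
    for (const struct node *p = head; p != NULL; p = p->next)
        total += p->value;
    return total;
}

int main(void)
{
    int len = 0;
    struct node *head = build_list(5, &len);
    if (head == NULL) {
        fprintf(stderr, "allocation failed\n");
        return 1;
    }
    printf("built %d nodes, sum = %d\n", len, sum_list(head));
    printf("freed %d nodes\n", free_list(&head));
    printf("second free_list() freed %d nodes\n", free_list(&head));  /* 0: head is NULL */
    return 0;
}
```

Because free_list() nulls the caller's pointer, the double-free pattern on the "Freeing Memory Multiple Times" slide cannot occur through it: free() on a NULL pointer is defined to do nothing, so the second call is a no-op rather than a corruption of the allocator's free-list structures.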