U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Guard Pages

Published: September 27, 2005 | Last revised: May 10, 2013

Author(s): Daniel Plakosh Maturity Levels and Audience Indicators: L2  / D/P L  SDLC Life Cycles: Implementation Copyright: Copyright © 2005, 2008 Pearson Education, Inc.

Abstract

Automatic allocation of additional inaccessible memory during memory allocation operations is a technique for mitigating against exploitation of heap buffer overflows. These guard pages are unmapped pages placed between all memory allocations of one page or larger. The guard page causes a segmentation fault upon any access.

Development Context

Dynamic memory management

Technology Context

C++, C, UNIX, Win32

Attacks

Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.

Risk

Standard C dynamic memory management functions such as malloc() , calloc(), realloc(), and free()  [ISO/IEC 99] are prone to programmer mistakes that can lead to vulnerabilities resulting from buffer overflow in the heap, writing to already freed memory, and freeing the same memory multiple times (e.g., double-free vulnerabilities).

Description

Automatic allocation of additional inaccessible memory during memory allocation operations is a technique for mitigating against exploitation of heap buffer overflows. These guard pages are unmapped pages placed between all allocations of memory the size of one page or larger. The guard page causes a segmentation fault upon any access. As a result, any attempt by an attacker to overwrite adjacent memory in the course of exploiting a buffer overflow causes the vulnerable program to terminate rather than continue execution of the attacker-supplied code. Guard pages are implemented by a number of systems and tools, including OpenBSD, Electric Fence, and Application Verifier (each of which is discussed further in this content area).

Guard pages have a high degree of overhead because they fragment the kernel’s memory map and can increase the amount of virtual space considerably. Their effectiveness depends on the size and pattern of allocations; they are often more effective as a debugging facility than an operational security measure.

References

[ISO/IEC 99]

ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01 Programming Languages — C. International Organization for Standardization, 1999.


Back to Top