Use-after-FreeMail: Generalizing the use-after-free problem and applying it to email services

Daniel Gruss, Michael Schwarz, Matthias Wübbeling, Simon Guggi, Timo Malderle, Stefan More, Moritz Lipp

Publication: Contribution to book/report/conference proceedings › Conference paper › Peer-reviewed

Abstract

Use-after-free is a type of vulnerability commonly present in software written in memory-unsafe languages like C or C++, where a program frees a memory buffer while references to it are still in use. By placing counterfeit structures at the freed memory location, an attacker can leak information or gain execution control upon a subsequent access through such a stale reference. In this paper, we show that the concept of use-after-free can be generalized to any environment and situation where resources can be silently exchanged. As an instance of our generalization we demonstrate Use-After-FreeMail attacks. Use-After-FreeMail attacks gather email addresses from publicly available database leaks. Our fully automated quantitative analysis brought to light that 33.5% of all free-mail addresses we tested are not valid anymore. In two user studies with 100 and 31 participants we found that 11-19% of users are affected by our attack. In qualitative case studies we investigated what information can be gained in Use-After-FreeMail attacks, e.g., payment information, and how far currently used accounts can be compromised (identity theft). Finally, drawing the connection between mitigations against traditional use-after-free scenarios and the Use-After-FreeMail scenario, we provide a concise list of recommendations to free-mail providers and users as a protection against use-after-free attacks.
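The generalization in the abstract can be made concrete with a small model. The following is an added illustration, not code from the paper or its authors: a free-mail provider that releases addresses and lets anyone re-register them (the "free"), a web service that stores only the address as its reference to the user (the "dangling pointer"), and a password-reset flow that delivers to whoever currently owns the address (the "use"). The second service variant adds a mitigation analogous to a generation-tagged pointer: it remembers the registration epoch of the address and refuses to act once the address has been re-registered. The provider's reuse policy, the epoch counter, the class and function names and the addresses are all assumptions made for this example, not something the paper specifies.

```python
"""Toy model of use-after-free on a namespace of reusable identifiers.

Added example, not code from the paper. Everything here (provider reuse
policy, epoch tagging, names, addresses) is an assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Mailbox:
    owner: str
    epoch: int                  # how many times this address has been registered
    inbox: List[str] = field(default_factory=list)


class Provider:
    """Free-mail provider: releases addresses and lets others re-register them."""

    def __init__(self) -> None:
        self._boxes: Dict[str, Mailbox] = {}
        self._epochs: Dict[str, int] = {}   # per-address registration counter

    def register(self, address: str, owner: str) -> int:
        if address in self._boxes:
            raise ValueError(f"{address} is taken")
        epoch = self._epochs.get(address, 0) + 1
        self._epochs[address] = epoch
        self._boxes[address] = Mailbox(owner, epoch)
        return epoch

    def release(self, address: str) -> None:
        """The 'free': the mailbox disappears and the name becomes available again."""
        del self._boxes[address]

    def deliver(self, address: str, message: str) -> Optional[str]:
        """Deliver to the current owner; returns who received it, or None if it bounced."""
        box = self._boxes.get(address)
        if box is None:
            return None
        box.inbox.append(message)
        return box.owner

    def current_epoch(self, address: str) -> Optional[int]:
        box = self._boxes.get(address)
        return None if box is None else box.epoch


class Service:
    """Web service that stores only the address: the dangling reference."""

    def __init__(self, provider: Provider) -> None:
        self.provider = provider
        self.accounts: Dict[str, str] = {}   # username -> address

    def signup(self, user: str, address: str) -> None:
        self.accounts[user] = address

    def reset_password(self, user: str) -> Optional[str]:
        """The 'use': returns who actually received the reset token."""
        token = f"reset-token-for-{user}"
        return self.provider.deliver(self.accounts[user], token)


class TaggedService(Service):
    """Mitigation analogous to a generation-tagged pointer (assumed, not the
    paper's recommendation): remember the address's epoch at signup and refuse
    to use the address once it has been freed and re-registered."""

    def __init__(self, provider: Provider) -> None:
        super().__init__(provider)
        self.epochs: Dict[str, Optional[int]] = {}

    def signup(self, user: str, address: str) -> None:
        super().signup(user, address)
        self.epochs[user] = self.provider.current_epoch(address)

    def reset_password(self, user: str) -> Optional[str]:
        address = self.accounts[user]
        if self.provider.current_epoch(address) != self.epochs[user]:
            return None   # stale reference: the address was freed and reused
        return super().reset_password(user)


def demo(tagged: bool) -> Optional[str]:
    """Run the full sequence: register, sign up, free, counterfeit, use."""
    provider = Provider()
    provider.register("alice@example.invalid", "alice")
    svc = (TaggedService if tagged else Service)(provider)
    svc.signup("alice", "alice@example.invalid")
    provider.release("alice@example.invalid")               # free
    provider.register("alice@example.invalid", "mallory")   # counterfeit at the same "location"
    return svc.reset_password("alice")                      # use


if __name__ == "__main__":
    print("plain service delivers reset token to:", demo(tagged=False))
    print("epoch-tagged service delivers to:", demo(tagged=True))
```

Without the tag the reset token reaches "mallory", the second registrant of the freed address; with the tag the service notices the epoch mismatch and delivers nothing, which is the same effect a generation check has on a stale heap pointer.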

Original language: English
Title: ASIACCS 2018 - Proceedings of the 2018 ACM Asia Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 297-311
Number of pages: 15
ISBN (electronic): 9781450355766
DOIs
Publication status: Published - 29 May 2018
Event: 13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018 - Incheon, South Korea
Duration: 4 June 2018 to 8 June 2018

Conference

Conference: 13th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2018
Country/Territory: South Korea
City: Incheon
Period: 4/06/18 to 8/06/18

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Information Systems
  • Computer Networks and Communications
