ESHard: Extreme Software Hardening


ESHard aims at protecting software artifacts from popular memory corruption vulnerabilities. Although there are many known protection techniques (i.e., Address Sanitizer or Valgrind), these cannot guarantee the memory safety under adversarial running environments and thus canbe bypassed. Therefore, in order to develop non-bypassable protection techniques, ESHard eliminates the root cause of the vulnerability to avoid any security side effects from the memory corruption. Currently ESHard is comprised of two different components, DangNull and CaVer, each of which is protecting certain type of the vulnerability.

DangNull prevents use-after-free at runtime. It relies on the key observation that the root cause of the use-after-free vulnerability is that pointers are not nullified after the target object is freed. Based on this observation, DangNull automatically traces the object's relationships via pointers and nullifies all pointers when the target object is freed.

CaVer prevents bad-casting at runtime. With the help of the LLVM compiler suite, CaVer first performs program instrumentations at compile time and then validates type casting based on a new runtime type tracing mechanism.

Discovered Vulnerabilities

ESHard projects helped us to discover new security vulnerabilities in popular applications. We accordingly corresponded with vendors to report and fix following vulnerabilities.

  • CVE-2014-1594: Firefox - bad casting from BasicThebesLayer to BasicContainerLayer
  • GCC Bug 63345: Multiple undefined behaviors (static_cast<>) in libstdc++-v3/include/bits


  • Preventing Use-after-free with Dangling Pointers Nullification (NDSS 2015) [paper]
  • Type Casting Verification: Stopping an emerging attack vector (USENIX Security 2015) [paper]


Demo (DangNull)

The following video clips show the demo the Chromium browser hardened using DangNull.

Chromium hardened with DangNull a. We tested using a use-after-free exploit, CVE-2013-2909, and it shows how DangNull stops the exploit --- it stops the exploit attempts by triggering a segmentation fault due to null-dereference (we do a little bit more extra jobs to safely contain this exception, which we call safe-null dereference). When the nullification value is NULL, the Chromium browser can correctly render the exploit page as if the vulnerability is patched.

Demo (CaVer)

Similar to the demo on DangNull, this demo shows the CaVer on the bad-casting exploit, CVE-2013-0912. Once CaVer detects the bad-casting, it reports the detailed casting information along with call stacks.