logoalt Hacker News

Uptrendalast Monday at 2:42 AM10 repliesview on HN

Has anyone in infosec ever seen the term "use after free" before LLMs? Or is this basically an acronym claude invented? I say this because I see claude use this term all the time like its common knowledge but in 15+ years in tech never seen it myself. I've seen all kinds of terms used to describe memory errors: memory corruption, heap corruption, stack corruption, whatever, just never this acronym.


Replies

mirashiilast Monday at 2:48 AM

This is and has been a common term in any systems programming concept for decades. You can, for example, search CVEs and easily find some from over 15 years ago: https://www.cve.org/CVERecord?id=CVE-2010-1119

It was even enumerated in the first pass of CWE as CWE-416 in 2006.

michaellee8last Monday at 2:45 AM

if you have spend any amount of time in low level c vulnerabilities you will have heard about it, it is a very common time on the low level/cybersec space.

LPisGoodlast Monday at 2:47 AM

Yes, it was a common attack vector in binary exploitation. Heap based attack vector like use after free, double free, heap overflows, and others are pretty neat. They force you to learn a lot about how malloc works.

There is a lot of cool work that went into making memory allocation work well; the different arenas, fast bins, chunk headers, etc. are super cool.

mdkotliklast Monday at 2:45 AM

yes, it’s a very common term in infosec. I haven’t heard the “UAF” acronym before though

show 1 reply
paulvlast Monday at 2:45 AM

It has been a known bug class for quite some time.

hgoelyesterday at 12:26 AM

I'm surprised that UAF as an acronym is apparently unusual even among people familiar with use-after-free as a concept. I thought that was a pretty typical acronym in the context of software.

atoavlast Monday at 3:23 AM

Huh? That is a really common term. There have been even memes about it. I remember roughly 5 years ago I first heard the ironic; "Real men use after free" in a discussion about Rust's benefits as its borrowing checker would have also prevented this one.

"Use after free" is also described in most standard books about C as a thing you should never do, have you read one?

asveikaulast Monday at 2:51 AM

I haven't really seen it as an acronym "UAF", but I can't recall the first time I heard "use after free". It was probably in the previous century.

The idea that Claude came up with it is ridiculous.

abofhlast Monday at 2:45 AM

[flagged]

show 4 replies