Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.

Presentation transcript:

Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Paruj Ratanaworabhan, Cornell University
Benjamin Livshits, Microsoft Research
Benjamin Zorn, Microsoft Research
USENIX Security Symposium 2009
A Presentation at Advanced Defense Lab

Outline
Introduction to Heap Spray
Nozzle Architecture
Design
Implementation
Evaluation
Limitations

Heap Memory Corruption
Memory corruption bugs: stack overflow, heap overflow, double free, dangling pointer, ...
The injected payload is a NOP sled followed by shellcode.
Many mechanisms now exist to protect the stack.

Heap Spray
The heap is less predictable than the stack, and some mechanisms randomize the heap layout.
A heap spray fills the heap with many copies of the same NOP sled + shellcode block.
Example (JavaScript, as shown on the slide):

    shellcode = unescape("%u4343%u4343%...");   // shellcode bytes, encoded as UTF-16 code units
    oneblock = unescape("%u0C0C%u0C0C");        // NOP-sled filler (0x0C0C0C0C)
    var fullblock = oneblock;
    while (fullblock.length < 0x40000) {        // double the sled until it is 0x40000 characters long
        fullblock += fullblock;
    }
    sprayContainer = new Array();
    for (i = 0; i < 1000; i++) {                // allocate 1000 copies of sled + shellcode
        sprayContainer[i] = fullblock + shellcode;
    }

Heap Spray Requires…
The attacker must be able to control the contents of the heap, either by providing data (images, documents, ...) or through a scripting language that allocates objects directly.
Browsers are a popular target.

Nozzle Architecture
Monitor allocations
Interpret heap objects as code
Maintain a global heap health metric: normalized surface area

Local vs. Global Detection
Local detection: code and data look the same on x86, so 80% of Firefox's objects would become false positives.
Global detection: a sprayed heap has a large attack surface.
Code or data? Example: add [eax], al ; and ah, [edx]

Design
Definition: A sequence of bytes is legitimate if it can be decoded as a sequence of valid x86 instructions.
(Figure: the bytes of a heap object, e.g. 0c 0a bc 6f d3 ..., decoded as x86 instructions and labelled "legitimate".)

Design (cont.)
Definition: A valid instruction sequence is a legitimate instruction sequence that does not include instructions in the following categories:
I/O or system calls (in, outs, etc.)
interrupts (int)
privileged instructions (hlt, ltr)
jumps outside of the current object address range

Design (cont.)
NOZZLE attempts to discover objects in which control flow through the object (the NOP sled) frequently reaches the same basic block(s) (the shellcode).
(Figure: object -> disassemble -> control flow graph.)

An Example
Notation:
B_i: the i-th basic block
SA(B_i): attack surface area of B_i
V: valid instruction block
MASK_i: mask for block B_i itself

Design (cont.)
Compute the attack surface area of object o as:
The attack surface area of a heap containing n objects is defined as follows:
The normalized attack surface area of the heap:

Detection Threshold
th_abs = 5 MB
5 MB is the size of the Firefox heap when opening a blank page. A real attack would need to fill the heap with at least as many malicious objects.

Implementation
Uses a binary rewriting infrastructure called Detours to intercept the function calls that allocate and free memory. Within Mozilla Firefox these routines are malloc, calloc, realloc, and free, defined in MOZCRT19.dll.
Only objects larger than 32 bytes are considered.

Implementation (cont.)
The main function is rewritten to allocate a pool of N scanning threads used by NOZZLE.
The previously allocated object is scanned when the next object is allocated.
This leaves a time-of-check to time-of-use (TOCTTOU) window: an object can be modified after it has been scanned.

Evaluation

Evaluation (cont.)
10 heavily-used benign web sites
150 most visited sites as ranked by Alexa

False Positive Results
th_norm set at 15%
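To make the global metric concrete, here is an added example (not the authors' code, not part of the slides) that scores constructed heap objects and applies both thresholds from the slides, th_abs = 5 MB and th_norm = 15%. Because the slide formulas were not captured in the transcript, the per-block definition used here, the number of bytes in valid blocks whose control flow reaches the block, is an assumption of this example.

```python
from collections import deque

# Thresholds quoted on the slides: absolute heap attack surface and normalized fraction.
TH_ABS = 5 * 1024 * 1024   # th_abs = 5 MB
TH_NORM = 0.15             # th_norm = 15%

def block_surface_area(blocks, edges):
    """blocks: {name: (size_bytes, is_valid)}; edges: (src, dst) control-flow edges.
    SA(B_i) is taken here (an assumption of this example) as the number of bytes in
    valid blocks from which B_i is reachable, B_i itself included."""
    preds = {b: [] for b in blocks}
    for src, dst in edges:
        preds[dst].append(src)
    sa = {}
    for target in blocks:
        seen, queue = {target}, deque([target])
        while queue:                       # walk the CFG backwards from the target block
            for p in preds[queue.popleft()]:
                if p not in seen:
                    seen.add(p)
                    queue.append(p)
        sa[target] = sum(blocks[b][0] for b in seen if blocks[b][1])
    return sa

def object_surface_area(blocks, edges):
    # SA(o): the block that the most sled bytes flow into dominates the object's score.
    return max(block_surface_area(blocks, edges).values())

def nozzle_verdict(objects):
    """objects: list of (blocks, edges). Returns (SA(H), NSA(H), flagged)."""
    sa_h = sum(object_surface_area(b, e) for b, e in objects)
    heap_bytes = sum(size for b, _ in objects for size, _ in b.values())
    nsa = sa_h / heap_bytes
    return sa_h, nsa, sa_h > TH_ABS and nsa > TH_NORM

def sprayed_object(sled_bytes=0x40000, sled_blocks=4, shellcode_bytes=64):
    # Constructed: a NOP sled split into blocks that all fall through to one shellcode block.
    blocks = {f"sled{i}": (sled_bytes // sled_blocks, True) for i in range(sled_blocks)}
    blocks["shellcode"] = (shellcode_bytes, True)
    names = list(blocks)
    return blocks, [(names[i], names[i + 1]) for i in range(len(names) - 1)]

def benign_object(size=4096):
    # Constructed: ordinary data decodes into isolated blocks, half invalid, with no flow between them.
    quarter = size // 4
    return {"b0": (quarter, True), "b1": (quarter, False),
            "b2": (quarter, True), "b3": (quarter, False)}, []

if __name__ == "__main__":
    print(nozzle_verdict([sprayed_object() for _ in range(1000)]))   # sprayed heap: flagged
    print(nozzle_verdict([benign_object() for _ in range(100)]))     # small benign heap: not flagged
```

The benign heap exceeds th_norm but not th_abs, which is why the absolute threshold is needed to keep small heaps from triggering.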

False Negative Evaluation
12 published heap spray pages
2,000 synthetic heap spray pages generated with the Metasploit advanced NOP engine and shellcode database



Performance
Firefox
Intel Core 2 E6600 CPU
Windows XP SP3
2 GB memory

Single Core (results chart)

2 Cores (results chart)

Error Rate with Sampling (results chart)

Porting to Adobe
In February 2009, a remote code execution vulnerability was discovered in Adobe Acrobat and Adobe Reader. NOZZLE correctly detected this heap spraying attack, determining that the attack surface of the heap was greater than 94%.

Limitations
TOCTTOU vulnerability: rescans could be triggered when NOZZLE observes a significant number of heap stores.
Starting with an uninterpretable opcode: NOZZLE skips it.
Attacks with fewer malicious objects: the attacker will have a high failure probability.

Limitations (cont.)
Jump into page: the attacker allocates page-size chunks of memory, each holding shellcode at the same page-aligned offset.
(Figure: page-size chunks, each with shellcode at a fixed offset from the page boundary: "Fixed offset!!")

Thank You