Nozzle: A Defense Against Heap-spraying Code Injection Attacks

Slides:



Advertisements
Similar presentations
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Advertisements

Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.
Finding Malware on a Web Scale Ben Livshits Microsoft Research Redmond, WA.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Gatekeeper : Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code Ben Livshits Salvatore Guarnieri.
Working with JavaScript. 2 Objectives Introducing JavaScript Inserting JavaScript into a Web Page File Writing Output to the Web Page Working with Variables.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Browser Exploitation Framework (BeEF) Lab
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger.
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
 What I hate about you things people often do that hurt their Web site’s chances with search engines.
Norman SecureSurf Protect your users when surfing the Internet.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Chapter 9 Interactive Multimedia Authoring with Flash - Introduction to Programming “Computers and Creativity” Richard D. Webster, COSC 109 Instructor.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
Charles Curtsinger UMass at Amherst Benjamin Livshits and Benjamin Zorm Microsoft Research Christian Seifert Microsoft 20 th USENIX Security Symposium.
Gulfstream Salvatore Guarnieri University of Washington Ben Livshits Microsoft Research Staged Static Analysis for Streaming JavaScript Applications.
SANS Technology Institute - Candidate for Master of Science Degree
VEX: VETTING BROWSER EXTENSIONS FOR SECURITY VULNERABILITIES XIANG PAN.
Performance is Dead, Long Live Performance
1. 2 ● In 2006 the patches for client-side vulnerabilities overcame other categories in Microsoft software. ● In 2010, Symantec’s Global Internet Security.
Finding Malware on a Web Scale
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.
Chapter 1 What is Programming? Lecture Slides to Accompany An Introduction to Computer Science Using Java (2nd Edition) by S.N. Kamin, D. Mickunas, E.
1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.
Long Lu, Wenke Lee College of Computing, Georgia Institute of Technology Vinod Yegneswaran, Phillip Porras SRI International ACM CCS (Oct,2010) Long Lu,
Yet Another Heapspray Detector Danny Kovach Raytheon SI.
Finding Malware on a Web Scale
XP Tutorial 10New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Working with JavaScript Creating a Programmable Web Page for North Pole.
Mitigation of Buffer Overflow Attacks
Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,
Detecting Targeted Attacks Using Shadow Honeypots Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis Published:
Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis Carsten Willems 1, Thorsten Holz 1, Felix Freiling 2 1 Ruhr-University.
MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.
Yu Ding, Tao Wei, TieLei Wang Peking University Zhenkai Liang National University of Singapore Wei Zou Peking University 26 th ACSAC (December, 2010)
XP Tutorial 10New Perspectives on HTML and XHTML, Comprehensive 1 Working with JavaScript Creating a Programmable Web Page for North Pole Novelties Tutorial.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
nd Joint Workshop between Security Research Labs in JAPAN and KOREA Polymorphic Worm Detection by Instruction Distribution Kihun Lee HPC Lab., Postech.
 In computer programming, a loop is a sequence of instruction s that is continually repeated until a certain condition is reached.  PHP Loops :  In.
Nozzle: A Defense Against Heap Spraying Attacks
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Zozzle: Low-overhead Mostly Static JavaScript Malware Detection.
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure Paper By : V.T.Lam, S.Antonatos, P.Akritidis, K.G.Anagnostakis Conference : ACM.
SpyProxy SpyProxy Execution-based Detection of MaliciousWeb Content Execution-based Detection of MaliciousWeb Content Hongjin, Lee.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
XP Tutorial 10New Perspectives on HTML, XHTML, and DHTML, Comprehensive 1 Working with JavaScript Creating a Programmable Web Page for North Pole Novelties.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
PDF Security Issues Doing your bit to help Betsy Kent May 2010.
DOWeR Detecting Outliers in Web Service Requests Master’s Presentation of Christian Blass.
Secure Programming Dr. X
Mitigation against Buffer Overflow Attacks
Chapter 10 Programming Fundamentals with JavaScript
Secure Programming Dr. X
Chapter 10 Programming Fundamentals with JavaScript
Detecting Targeted Attacks Using Shadow Honeypots
Week 2: Buffer Overflow Part 2.
Exploring DOM-Based Cross Site Attacks
Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago
Presentation transcript:

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond, WA)

Heap Spraying is a Problem Firefox 3.5 July 14, 2009 http://www.web2secure.com/2009/07/mozilla-firefox-35-heap-spray.html Adobe Acrobat / Reader February 19, 2009 Flash July 23, 2009 http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html Common Element: All vulnerable applications support embedded scripting languages (JavaScript, ActionScript, etc.) Adobe Acrobat/Reader July 23, 2009

Drive-By Heap Spraying Owned!

Drive-By Heap Spraying (2) ASLR prevents the attack Program Heap ok bad PC Creates the malicious object ok <HTML> <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … ഍഍"> </IFRAME> </HTML> Triggers the jump

Drive-By Heap Spraying (3) Program Heap bad ok bad bad bad bad ok bad <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); oneblock = unescape("%u0C0C%u0C0C"); var fullblock = oneblock; while (fullblock.length<0x40000) { fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; </SCRIPT> Allocate 1000s of malicious objects

Kittens of Doom What data can you trust? Heap spraying is quite general, easy to implement Many applications allow scripts in type safe languages JavaScript, ActionScript Java, C# Many applications accept data from untrusted sources Embed malicious code in images, documents, DLLs, etc. [Sotirov & Dowd BH’08] cmd.exe opened

Nozzle – Runtime Heap Spraying Detection Application: Web Browser Malicious Site Normalized Surface Area Nozzle answers: How much of my heap is suspicious? Normal Site Logical time (number of allocations/frees)

Outline Nozzle design & implementation Evaluation Summary False positives False negatives New threats (Adobe Reader) Summary

Nozzle Design Advantages Application Threads Nozzle Threads Advantages Just need to hook standard APIs – malloc, free, HeapAlloc, HeapFree, etc. - Monitor new applications using Detours Can be applied to existing binaries scan object and classify Repeat Initialize Object Create Object Application Heap benign object suspect object new object init object Runtime monitor Assumes objects are code and classifies - Tracks current state of heap suspect object suspect object benign object benign object benign object

Local Malicious Object Detection Is this object dangerous? Code or Data? NOP sled shellcode Is this object code? Code and data look the same on x86 Focus on sled detection Majority of object is sled Spraying scripts build simple sleds Is this code a NOP sled? Previous techniques do not look at heap Many heap objects look like NOP sleds 80% false positive rates using previous techniques Need stronger local techniques 000000000000000000000000000000000000000000000000000000000000000000000000 000000000000 add [eax], al 0101010101 and ah, [edx] 10

Object Surface Area Calculation (1) Assume: attacker wants to reach shell code from jump to any point in object Goal: find blocks that are likely to be reached via control flow Strategy: use dataflow analysis to compute “surface area” of each block An example object from visiting google.com 11

Object Surface Area Calculation (2) 4 2 3 10 14 4 12 6 9 12 14 15 Each block starts with its own size as weight Weights are propagated forward with flow Invalid blocks don’t propagate Iterate until a fixpoint is reached Compute block with highest weight An example object from visiting google.com 12

Nozzle Global Heap Metric Normalize to (approx): P(jump will cause exploit) obj Bi SA(Bi) SA(o) SA(H) NSA(H) build CFG Compute threat of entire heap dataflow Compute threat of single block Compute threat of single object

Nozzle Experimental Summary 0 False Positives 10 popular AJAX-heavy sites 150 top Web sites 0 False Negatives 12 published heap spraying exploits and 2,000 synthetic rogue pages generated using Metasploit Runtime Overhead As high as 2x without sampling 5-10% with sampling

Nozzle on Benign Sites Benign sites have low Nozzle NSA Max NSA always less than 12% Thresholds can be set much higher for detection (50% or more) 15

Nozzle with Known Heap Sprays 12 published heap spray pages in multiple browsers 2,000 synthetic heap spray pages using MetaSploit advanced NOP engine shellcode database Result: max NSA between 76% and 96% Nozzle detects real spraying attacks

Nozzle Runtime Overhead 17

Using Nozzle in Adobe Reader Demo det-AcroRd32.exe AcroRd32.exe Detours nozzlert.dll Adobe Reader heap spray exploit published in February 2009 We detoured shipping version of Adobe Reader 9.1.0 with Nozzle Results Detected a published heap spray attack (NSA = 98%) Runtime overhead was 8% on average NSA of normal document < 10% Results - Detected a published heap spray attack (NSA > 75%) - Runtime overhead was 8% on average - NSA of normal document < 10%

Summary Heap spraying attacks are Easy to implement, easy to retarget In widespread use Existing detection methods fail to classify malicious objects on x86 architecture Nozzle Effectively detects published attacks (known and new) Has acceptable runtime overhead Can be used both online and offline

Questions? Nozzle heap spraying Paruj Ratanaworabhan (paruj.r@gmail.com) Ben Livshits (livshits@microsoft.com) Ben Zorn (zorn@microsoft.com) Nozzle heap spraying See us on Channel 9: http://channel9.msdn.com/posts/Peli/ Heap-Spraying-Attack-Detection-with-Nozzle/

Backup

Attacks on Nozzle Injecting junk into start of object Where does the exploit code begin? TOCTTOU – When do you scan the object? Attacks on surface area calculation Jumps outside of objects Multiple instances of shellcode inside an object Hiding the code itself Code that rewrites heap at last minute

What about Data Execution Prevention? DEP / NX bit = hardware to prevent code execution on the heap DEP is great , but isn’t used everywhere Issues with app compatibility DEP can be circumvented JIT compilers complicate the story Nozzle augments DEP for defense in depth

Global Detection is Necessary P. Akritidis, E. P. Markatos, M. Polychronakis, and K. G. Anagnostakis, STRIDE:Polymorphic sled detection through instruction sequence analysis

Normalized Surface Area Locally

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.