Nozzle: A Defense Against Heap-spraying Code Injection Attacks. Paruj Ratanaworabhan, Cornell University; Ben Livshits and Ben Zorn, Microsoft Research (Redmond, WA)

Presentation transcript:

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond, WA)

Heap-spraying Attacks

What?
- New method to enable malicious exploit
- Targeted at browsers, document viewers, etc.
- Current attacks include IE, Adobe Reader, and Flash
- Effective in any application that allows JavaScript

How?
1. Attacker must have existing vulnerability (i.e., overwrite a function pointer)
2. Attacker allocates many copies of malicious code as JavaScript strings
3. When attacker subverts control flow, jump is likely to land in malicious code

[Figure: a heap filled with many repeated "sled | shellcode" blocks and a function pointer; the three steps are labelled 1 exploit, 2 spray, 3 jump]
shellcode = malicious code
sled = code that when executed will eventually reach shellcode

Nozzle: Effective Heap Spray Prevention

Approach: runtime monitoring of object content
– Invoked with memory allocator
– Scans objects for "suspicious" nature
– Raises alert on detection

What's suspicious?
– User data that looks like code
– Semantic properties of code are a signature
– Accumulates information across all objects in heap

Effectiveness
– Detects real attacks on IE, Firefox, Adobe Reader
– Very low false positive rate on real content (web, documents)
– Low overhead (<10% with 10% sampling rate)

More information:
– See "Nozzle: A Defense Against Heap-spraying Code Injection Attacks", Ratanaworabhan, Livshits, and Zorn, USENIX Security Symposium, August 2009
– Nozzle web site:
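The slide above describes three ideas: scan each allocated object for content that looks like code, aggregate the verdicts across the whole heap, and sample objects to keep overhead low. The following is an added example written for this page, not Nozzle's code and not the paper's algorithm: Nozzle disassembles every object from every offset and scores it with a "surface area" metric, whereas this toy only measures the longest run of single-byte x86 instructions that execute harmlessly in sequence (the shape a NOP-style sled takes). The byte set, the thresholds (32-byte minimum run, 50% coverage), the `heap_obj` record and the two constructed sample heaps are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added, simplified illustration of "user data that looks like code".
 * NOT Nozzle's code: Nozzle disassembles each object from every offset and
 * computes a surface-area metric; this toy only looks for long runs of
 * single-byte instructions, which is what a NOP-style sled looks like. */

/* Assumption for this demo: bytes treated as sled-like are 0x90 (NOP) and
 * 0x40..0x4F, the single-byte inc/dec register instructions of 32-bit x86.
 * Those same values are the ASCII characters '@' and 'A'..'O', which is
 * exactly why benign data can look like code and why a threshold and a
 * heap-wide view are needed. */
static int is_sled_byte(unsigned char b) {
    return b == 0x90 || (b >= 0x40 && b <= 0x4F);
}

/* Longest run of consecutive sled-like bytes within one heap object. */
size_t longest_sled_run(const unsigned char *obj, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (is_sled_byte(obj[i])) {
            if (++cur > best) best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* Per-object verdict; both thresholds are assumed values for the demo. */
#define MIN_SLED_RUN   32   /* ignore short accidental runs in text */
#define SLED_COVER_PCT 50   /* the run must cover at least half the object */

int object_is_suspicious(const unsigned char *obj, size_t len) {
    if (len == 0) return 0;
    size_t run = longest_sled_run(obj, len);
    return run >= MIN_SLED_RUN && (run * 100) / len >= SLED_COVER_PCT;
}

/* The heap is modelled as an array of (pointer, length) records, the view an
 * allocator hook would have. The heap-level score is the percentage of
 * sampled objects that were flagged; stride = 10 would approximate the
 * 10% sampling rate quoted on the slide. */
struct heap_obj { const unsigned char *data; size_t len; };

int heap_suspicious_pct(const struct heap_obj *objs, size_t n, size_t stride) {
    size_t sampled = 0, flagged = 0;
    if (stride == 0) stride = 1;
    for (size_t i = 0; i < n; i += stride) {
        sampled++;
        if (object_is_suspicious(objs[i].data, objs[i].len)) flagged++;
    }
    return sampled ? (int)((flagged * 100) / sampled) : 0;
}

/* Constructed sample data (not real browser memory). */
static const char *benign_text[] = {
    "<div class=\"menu\">", "hello, world", "lorem ipsum dolor"
};
static unsigned char sled_like[128];   /* filled with 0x90 in demo_spray_heap */

/* Benign heap: ten small text strings. Expected score: 0. */
int demo_benign_heap(void) {
    struct heap_obj heap[10];
    for (size_t i = 0; i < 10; i++) {
        const char *s = benign_text[i % 3];
        heap[i].data = (const unsigned char *)s;
        heap[i].len = strlen(s);
    }
    return heap_suspicious_pct(heap, 10, 1);
}

/* Spray-shaped heap: two text strings and eight 128-byte NOP runs.
 * Expected score: 80. */
int demo_spray_heap(void) {
    struct heap_obj heap[10];
    memset(sled_like, 0x90, sizeof sled_like);
    for (size_t i = 0; i < 10; i++) {
        if (i % 5 == 0) {
            const char *s = benign_text[i % 3];
            heap[i].data = (const unsigned char *)s;
            heap[i].len = strlen(s);
        } else {
            heap[i].data = sled_like;
            heap[i].len = sizeof sled_like;
        }
    }
    return heap_suspicious_pct(heap, 10, 1);
}

int main(void) {
    printf("benign heap: %d%% of objects suspicious\n", demo_benign_heap());
    printf("spray-shaped heap: %d%% of objects suspicious\n", demo_spray_heap());
    return 0;
}
```

The caveat the slide's "very low false positive rate" line hides is visible here: a 40-character string of repeated 'A' trips the per-object check because 0x41 is a valid single-byte instruction, so a per-object verdict alone would raise alerts on ordinary web content. That is why the heap-level percentage, not any single object, is the quantity an alert should be based on, and why a real detector needs a richer notion of "looks like code" than a byte-class run.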