Nozzle: A Defense Against Heap Spraying Attacks

Presentation transcript:

Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits, Paruj Ratanaworabhan, and Ben Zorn Microsoft Research Redmond, WA

A Brief History of Memory Exploits
(Timeline figure, frequency by year 2000-2010: attacks progress from stack overflow to heap exploit to heap spraying; defenses shown are StackGuard, the Vista heap with layout randomization, and Nozzle)

Stack Overflow Exploit
(Diagram: (1) the exploit overwrites the return address, (2) execution jumps into a NOP sled that leads to the shellcode)
    <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … ഍഍"></IFRAME>

Heap Corruption Exploit
(Diagram: (1) the exploit overwrites a vtable pointer, (2) the next virtual call jumps into a NOP sled that leads to the shellcode)
    <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … ഍഍"></IFRAME>

Heap Spraying Exploit in a Browser
(Diagram: the heap is filled with many sled+shellcode copies; (1) spray, (2) the exploit overwrites a vtable pointer, (3) the corrupted jump lands in one of the sleds)
    <SCRIPT language="text/javascript">
    shellcode = unescape("%u4343%u4343%...");
    oneblock = unescape("%u0C0C%u0C0C");
    var fullblock = oneblock;
    while (fullblock.length < 0x40000) {
        fullblock += fullblock;
    }
    sprayContainer = new Array();
    for (i = 0; i < 1000; i++) {
        sprayContainer[i] = fullblock + shellcode;
    }
    </SCRIPT>
    <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … ഍഍"></IFRAME>

Kittens of Doom: Is No Data Sacred?
Spraying is a general attack: malicious code can be embedded in images, documents, DLLs, ...
Image example: payload carried in comments or transformed data; documented at BlackHat'08 (demo: cmd.exe opened)

Visiting a Site Can Compromise Your Whole Machine

Nozzle Overview
Heap spraying:
- Relies on a pre-existing exploit (in C/C++)
- Spraying is done in a type-safe language: JavaScript, C#, Java
- JIT-ed languages are good targets
- Randomization doesn't help
- Browsers are a popular target
Nozzle:
- Detects / mitigates heap spray attacks
- Monitors the heap for suspicious activity
- Compared to hardware "no-execute" page protection: more compatible, and doesn't just crash
- Focus on the browser, but applicable to all applications

Nozzle Architecture
- Monitor allocations
- Interpret heap objects as code
- Maintain a global heap health metric: normalized surface area

Local vs. Global Detection: Code or Data?
Local detection asks: is this object dangerous? On x86, code and data look the same (arbitrary byte sequences decode to valid instructions, e.g. a run of zero bytes disassembles as add [eax], al, other data as and ah, [edx]), so local detection has an 80% false positive rate.
Global detection asks: is my heap under attack? Nozzle looks at collections of objects: a sprayed heap presents a large attack surface.

Nozzle Global Heap Metric
Pipeline: for each heap object obj, build its CFG and run dataflow over it; compute the threat of a single block SA(Bi), then of a single object SA(o), then of the entire heap SA(H); normalize to NSA(H), which approximates P(a jump into the heap will cause the exploit to succeed).

Surface Area Calculation: Dataflow
- Extract the control flow graph (CFG) from the heap object
- SA(Bi) = likelihood of ending in Bi if we land within the object's boundaries
- A basic block contributes its effective size to another basic block's SA if there is a path to that other block
- A basic block containing a prohibitive instruction (int, out, hlt, or ltr) has zero effective size
(Figure: an example object from visiting google.com)
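A toy implementation of the surface-area pipeline from the two slides above (block SA via reachability, object SA, heap NSA), as an added example that is not Nozzle's code: the CFGs are constructed by hand rather than disassembled from real bytes, and taking the maximum block SA per object and the byte-normalized sum per heap are assumptions about how the aggregation is done.

```python
# Toy model of Nozzle's surface-area metric (added example, not Nozzle's own code).
# A heap object is modelled as a CFG already extracted from its bytes:
#   block -> {"insns": [(mnemonic, size_in_bytes), ...], "succ": [successor_blocks]}
PROHIBITIVE = {"int", "out", "hlt", "ltr"}  # the instructions named on the slides

def effective_size(block):
    """A block holding a prohibitive instruction contributes nothing to any SA."""
    if any(m in PROHIBITIVE for m, _ in block["insns"]):
        return 0
    return sum(size for _, size in block["insns"])

def block_surface_areas(cfg):
    """SA(Bi): every block with a path to Bi (Bi itself included) adds its effective size."""
    sa = {b: 0 for b in cfg}
    for src, block in cfg.items():
        contrib, seen, work = effective_size(block), {src}, [src]
        while work:                      # forward reachability from src
            cur = work.pop()
            sa[cur] += contrib
            for nxt in cfg[cur]["succ"]:
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
    return sa

def object_surface_area(cfg):
    """SA(o): assumed here to be the largest block SA, i.e. the best landing spot."""
    return max(block_surface_areas(cfg).values())

def object_size(cfg):
    return sum(size for blk in cfg.values() for _, size in blk["insns"])

def normalized_surface_area(heap):
    """NSA(H): assumed here as total SA over total bytes; 1.0 means every byte lands in a sled."""
    return sum(object_surface_area(o) for o in heap) / sum(object_size(o) for o in heap)

# Constructed sample objects (hand-written CFGs, not real disassembly).
SLED = {  # NOP blocks falling through into shellcode: every byte leads to the payload
    "B0": {"insns": [("nop", 1)] * 4, "succ": ["B1"]},
    "B1": {"insns": [("nop", 1)] * 4, "succ": ["B2"]},
    "B2": {"insns": [("mov", 5), ("call", 5)], "succ": []},
}
BENIGN = {  # ordinary data whose decoding keeps hitting prohibitive instructions
    "B0": {"insns": [("add", 2), ("int", 2)], "succ": ["B1"]},
    "B1": {"insns": [("out", 2), ("add", 2)], "succ": ["B2"]},
    "B2": {"insns": [("xor", 2), ("jmp", 2)], "succ": []},
}
# normalized_surface_area([BENIGN] * 10) stays low; mixing in SLED objects raises it.
```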

Nozzle Experimental Summary
- 0 false positives: 10 popular AJAX-heavy sites, 150 top Web sites
- 0 false negatives: 12 published heap spraying exploits and 2,000 synthetic rogue pages generated using Metasploit
- Runtime overhead: as high as 2x without sampling, 5-10% with sampling

(Figure: normalized surface area over logical time, i.e. number of allocations/frees, for economist.com versus mw-612, an actual attack)

False Positive Results
- No more than 12% of max SA reported
- No false positives reported for a 20% threshold
- What about SA for rogue sites?

False Negative Evaluation
- 12 published heap spray pages
- 2,000 synthetic heap spray pages using the Metasploit advanced NOP engine and shellcode database

Normalized Surface Area Locally

Global Detection is Necessary
(Reference: P. Akritidis, E. P. Markatos, M. Polychronakis, and K. G. Anagnostakis, STRIDE: Polymorphic sled detection through instruction sequence

Nozzle Runtime Overhead

Nozzle vs. DEP
- DEP prevents code execution in memory, but: it can be disabled at runtime, it has compatibility issues, and it is circumvented with Java (Applet)
- Nozzle is more compatible and more selective

Demo

Conclusion
- Nozzle: effective heap spraying prevention
- No false positives, no false negatives
- Can be used for online or offline scanning

Contact us: Ben Livshits (livshits@microsoft.com)