Published by Aubrey Seavey. Modified over 9 years ago.
Slide 1 (title)
Paruj Ratanaworabhan, Cornell University
Benjamin Livshits, Microsoft Research
Benjamin Zorn, Microsoft Research
USENIX Security Symposium 2009
A Presentation at Advanced Defense Lab
Slide 2: Outline
- Introduction to heap spraying
- Nozzle architecture
- Design
- Implementation
- Evaluation
- Limitations
Slide 3: Memory Corruption
- Stack overflow, heap overflow, double free, dangling pointer, ...
- Many mechanisms now exist for stack protection.
(Diagram: Memory Corruption -> NOP Sled -> Shellcode)
Slide 4: Heap Spray
- The heap is less predictable than the stack, and some mechanisms randomize the heap layout.
- Heap spraying: the attacker fills the heap with many copies of the same NOP sled followed by shellcode.
(Diagram: Memory Corruption -> many copies of [NOP Sled | Shellcode])

    shellcode = unescape("%u4343%u4343%...");   // shellcode (elided on the slide)
    oneblock = unescape("%u0C0C%u0C0C");        // NOP-sled filler
    var fullblock = oneblock;
    while (fullblock.length < 0x40000) {        // grow the sled to 0x40000 characters
        fullblock += fullblock;
    }
    var sprayContainer = new Array();
    for (var i = 0; i < 1000; i++) {            // allocate 1000 copies: the spray
        sprayContainer[i] = fullblock + shellcode;
    }
Slide 5: Heap Spray Requires...
- The attacker must be able to control the contents of the heap:
  - by providing data, e.g. images, documents, ...
  - via a scripting language that allocates objects directly.
- Browsers are a popular target.
Slide 6: Nozzle Architecture
- Monitor allocations
- Interpret heap objects as code
- Maintain a global heap health metric: normalized surface area
Slide 7: Local vs. Global Detection
- Local detection
  - Code and data look the same on x86.
  - About 80% of Firefox's objects would become false positives.
- Global detection
  - A sprayed heap presents a large attack surface.
(Diagram, "Code or Data?": a run of zero bits shown both as raw data and disassembled as add [eax], al / and ah, [edx])
Slide 8: Design
Definition: A sequence of bytes is legitimate if it can be decoded as a sequence of valid x86 instructions.
(Diagram: the bytes of a heap object, e.g. 00 00 0c 0a bc 6f d3 0c 0a bc 6f d3 ..., decoded as x86 instructions and classified as legitimate)
Slide 9: Design (cont.)
Definition: A valid instruction sequence is a legitimate instruction sequence that does not include instructions in the following categories:
- I/O or system calls (in, outs, etc.)
- interrupts (int)
- privileged instructions (hlt, ltr)
- jumps outside of the current object's address range
Slide 10: Design (cont.)
NOZZLE attempts to discover objects in which control flow through the object (the NOP sled) frequently reaches the same basic block(s) (the shellcode).
(Diagram: object -> disassemble -> Control Flow Graph)
Slide 11: An Example
Notation:
- B_i: the i-th basic block
- SA(B_i): attack surface area of B_i
- V: valid instruction block
- MASK_i: mask for block i itself
Slide 12: Design (cont.)
- Compute the attack surface area of object o as:
- The attack surface area of a heap containing n objects is defined as follows:
- The normalized attack surface area of the heap:
Slide 13: Detection Threshold
- th_abs = 5 MB
- 5 MB is the size of the Firefox heap when a blank page is opened.
- A real attack would need to fill the heap with at least as many malicious objects.
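The metric described on slides 10 to 13 can be put together into a small model: basic blocks with successor edges, a reachability mask per block, SA(B_i), SA(o), SA(H) and NSA(H), checked against both thresholds. This is an added example, not code from the slides or from the NOZZLE authors; the per-block formula (sum the sizes of the valid blocks that reach B_i, take the maximum over the object) is an assumption based on the slide text, the heap layout is constructed sample data, and th_norm = 15% is taken from the false-positive slide later in the deck.

```python
from dataclasses import dataclass, field

TH_ABS = 5 * 1024 * 1024  # th_abs = 5 MB (slide 13)
TH_NORM = 0.15            # th_norm = 15% (slide 18)
@dataclass
class Block:                                   # one basic block of a disassembled heap object
    size: int                                  # bytes the block covers
    valid: bool                                # V: no int/hlt/I/O/out-of-range jump
    succ: list = field(default_factory=list)   # indices of successor blocks

def reach_masks(blocks):
    """MASK_i for every block: bitmask of the blocks whose control flow
    reaches B_i (B_i itself included), found by fixed-point propagation."""
    masks = [1 << i for i in range(len(blocks))]
    changed = True
    while changed:
        changed = False
        for i, b in enumerate(blocks):
            for j in b.succ:
                if masks[j] | masks[i] != masks[j]:
                    masks[j] |= masks[i]
                    changed = True
    return masks

def surface_area(blocks):
    """SA(o). Assumption: SA(B_i) = total size of the valid blocks that can
    reach B_i (a sled funnelling into shellcode scores its whole length); SA(o) = max SA(B_i)."""
    masks = reach_masks(blocks)
    return max((sum(blocks[j].size for j in range(len(blocks))
                    if blocks[j].valid and masks[i] >> j & 1)
                for i, b in enumerate(blocks) if b.valid), default=0)

def heap_metrics(objects):
    """SA(H) = sum of SA(o) over the n objects; NSA(H) = SA(H) / heap bytes."""
    sa_heap = sum(surface_area(o) for o in objects)
    heap_bytes = sum(b.size for o in objects for b in o)
    return sa_heap, sa_heap / heap_bytes

def is_spray(objects):
    """Raise an alarm only when both thresholds are exceeded."""
    sa_heap, nsa = heap_metrics(objects)
    return sa_heap > TH_ABS and nsa > TH_NORM

# Constructed sample data (not from the paper): a sprayed object chains eight 8 KiB sled
# blocks into one 1 KiB block; a benign object has small, mostly disconnected blocks, two invalid.
SPRAY_OBJECT = [Block(8192, True, [i + 1]) for i in range(8)] + [Block(1024, True)]
BENIGN_OBJECT = [Block(512, True, [1]), Block(2048, False), Block(512, True), Block(1024, False)]
BENIGN_HEAP = [BENIGN_OBJECT] * 200            # SA(H) = 100 KiB, NSA = 12.5%: no alarm
SPRAYED_HEAP = [SPRAY_OBJECT] * 100 + BENIGN_HEAP  # SA(H) about 6.4 MiB, NSA about 90%: alarm
```

The benign heap shows why the absolute threshold matters: its normalized value (12.5%) is not far below th_norm, but with only 100 KiB of surface area it is nowhere near th_abs.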
Slide 14: Implementation
- Uses a binary rewriting infrastructure called Detours to intercept the function calls that allocate and free memory.
- Within Mozilla Firefox these routines are malloc, calloc, realloc, and free, defined in MOZCRT19.dll.
- Only objects larger than 32 bytes are considered.
Slide 15: Implementation (cont.)
- The main function is rewritten to allocate a pool of N scanning threads used by NOZZLE.
- The previously allocated object is scanned when the next object is allocated.
- This introduces a time-of-check to time-of-use (TOCTTOU) vulnerability.
Slide 16: Evaluation
Slide 17: Evaluation (cont.)
- 10 heavily used benign web sites
- The 150 most visited sites as ranked by Alexa
Slide 18: False Positive Results
- th_norm set at 15%
Slide 19: False Negative Evaluation
- 12 published heap spray pages
- 2,000 synthetic heap spray pages generated with the Metasploit advanced NOP engine and shellcode database
Slide 22: Performance
- Firefox version 2.0.0.16
- 2.4 GHz Intel Core 2 E6600 CPU
- Windows XP SP3
- 2 GB memory
Slide 23: Single Core
Slide 24: 2 Cores
Slide 25: Error Rate with Sampling
Slide 26: Porting to Adobe
- In February 2009, a remote code execution vulnerability was discovered in Adobe Acrobat and Adobe Reader.
- NOZZLE correctly detected this heap spraying attack, determining that the attack surface of the heap was greater than 94%.
Slide 27: Limitations
- TOCTTOU vulnerability: rescans could be triggered when NOZZLE observes a significant number of heap stores.
- Objects that start with an uninterpretable opcode: NOZZLE skips it.
- Attacks with fewer malicious objects: the attacker will have a high failure probability.
Slide 28: Limitations (cont.)
- Jump into page: the attacker allocates page-size chunks of memory, so that page alignment places the shellcode at a fixed offset within every chunk.
(Diagram: repeated page-size chunks, each with shellcode at the same page-aligned offset; "Fixed offset!")
Slide 29: Thank You