Published by Sawyer Doherty. Modified over 9 years ago.
1
Nozzle: A Defense Against Heap Spraying Attacks
Ben Livshits, Paruj Ratanaworabhan, Ben Zorn
2
A Brief History of Memory Exploits
[Timeline figure, frequency vs. year from 2000 to 2010: stack overflow, StackGuard, heap exploit, Vista heap and layout randomization, heap spraying, Nozzle]
3
Stack Overflow Exploit
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …">
[Stack diagram: step 1 "exploit", step 2 "jump"; labels: nop sled, shellcode, return address, stack]
4
Heap Corruption Exploit
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …">
[Heap diagram: step 1 "exploit", step 2 "jump"; labels: nop sled, shellcode, heap, vtable pointer]
5
Heap Spraying Exploit
    shellcode = unescape("%u4343%u4343%...");
    oneblock = unescape("%u0C0C%u0C0C");
    var fullblock = oneblock;
    while (fullblock.length < 0x40000) { fullblock += fullblock; }
    sprayContainer = new Array();
    for (i = 0; i < 1000; i++) { sprayContainer[i] = fullblock + shellcode; }
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …">
[Heap diagram: the heap is filled with repeated "sled, shellcode" blocks around the vtable pointer; step 1 "exploit", step 2 "spray", step 3 "jump"]
6
Kittens of Doom. Is no data sacred?
Spraying: general attack
– Embed malicious code in images, documents, DLLs, etc.
– Image example: comments, transformed data
– Documented at BH’08
7
Heap Spraying is a Real Problem
Drive-by exploits
– Just visiting a site can compromise your whole machine
8
Nozzle Overview
Heap Spraying
– Relies on pre-existing exploit (in C/C++)
– Spraying in type-safe language: JavaScript, C#, Java
– JIT-ed languages: good targets
– Randomization doesn’t help
– Browsers are popular target
Nozzle
– Detect / mitigate heap spray attack
– Monitors heap for suspicious activity
– Compare to HW “no-execute” page protection: more compatible, doesn’t just crash
– Focus on browser, but applicable to all applications
9
Nozzle Architecture
– Monitor allocations
– Interpret heap objects as code
– Maintain a global heap health metric
10
Nozzle Experimental Summary
11
Local vs. Global Detection
Code or Data?
– Code and data: same on x86
– 000000000000 … decodes as add [eax], al
– 0101010101 … decodes as and ah, [edx]
Local Detection: Is this object dangerous?
– Local detection: 80% FP rate
Global Detection: Is my heap under attack?
– Nozzle: collections of objects
– Sprayed heap: large attack surface
12
Nozzle Global Heap Metric
[Figure: object o is split into basic blocks B_i (build CFG, dataflow); SA(B_i) → SA(o) → SA(H) → NSA(H)]
– SA(B_i): compute threat of single block
– SA(o): compute threat of single object
– SA(H): compute threat of entire heap
– NSA(H): normalize to (approx.) P(jump will cause exploit)
13
Attack Surface Calculation
– Extract control flow graph (CFG) from heap object
– SA(B_i) = likelihood of ending in B_i if we land within object boundaries
– A BB contributes its effective size to another BB’s SA, if there is a path to that other BB
– BB containing prohibitive instructions has zero effective size: int, out, hlt, or ltr
– An example object from visiting google.com [CFG figure with blocks A, B, C, D]
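A toy version of the attack-surface computation from slides 12 and 13, added here as an example and not Nozzle's own code. The effective-size, reachability and prohibitive-instruction rules follow slide 13; combining per-block SA into SA(o) by taking the maximum, summing SA(o) over the heap and dividing by the heap size in bytes to get NSA(H) are assumptions about the paper's definitions, the CFGs and sizes are constructed, and the 20% threshold is the one slide 19 reports.

```python
# Toy reconstruction of Nozzle's attack-surface metric (not the Nozzle code).
# Blocks are hand-built dicts; real Nozzle disassembles heap objects to get them.

PROHIBITIVE = {"int", "out", "hlt", "ltr"}   # slide 13: these give a block zero effective size

def effective_size(block):
    """Bytes a basic block adds to a sled, or 0 if it holds a prohibitive instruction."""
    return 0 if PROHIBITIVE & set(block["insns"]) else block["size"]

def reachable_from(cfg, src):
    """Every block that has a path from src (src included), by depth-first walk."""
    seen, stack = set(), [src]
    while stack:
        b = stack.pop()
        if b not in seen:
            seen.add(b)
            stack.extend(cfg[b]["succ"])      # "succ" = CFG successor edges (assumed key)
    return seen

def block_surface(cfg, target):
    """SA(B_i): effective size of every block that can reach B_i, B_i itself included."""
    return sum(effective_size(cfg[b]) for b in cfg if target in reachable_from(cfg, b))

def object_surface(cfg):
    """SA(o): assumed to be the max over the object's blocks (the landing that hurts most)."""
    return max(block_surface(cfg, b) for b in cfg)

def heap_surface(heap):
    """NSA(H): sum of SA(o) over the heap, normalized by heap size in bytes (assumed)."""
    return sum(object_surface(o["cfg"]) for o in heap) / sum(o["size"] for o in heap)

def under_attack(heap, threshold=0.2):
    """Global decision: flag the heap once NSA(H) passes the threshold (20% on slide 19)."""
    return heap_surface(heap) > threshold

# Constructed objects. BENIGN: a 512-byte object whose bytes decode into four blocks, one
# of them containing `int` (prohibitive). SPRAYED: a 0x0C0C-style sled that decodes to
# `or al, 0x0c` instructions and falls through into a 64-byte shellcode block.
BENIGN = {"size": 512, "cfg": {
    "A": {"size": 32, "insns": ["mov", "add"], "succ": ["B"]},
    "B": {"size": 24, "insns": ["int"],        "succ": ["C"]},
    "C": {"size": 40, "insns": ["cmp", "jne"], "succ": ["C", "D"]},
    "D": {"size": 16, "insns": ["ret"],        "succ": []},
}}
SPRAYED = {"size": 4160, "cfg": {
    "sled":      {"size": 4096, "insns": ["or"],                  "succ": ["shellcode"]},
    "shellcode": {"size": 64,   "insns": ["xor", "push", "call"], "succ": []},
}}
```

`heap_surface([BENIGN] * 3)` stays below the threshold, while a heap holding five sprayed objects next to those three benign ones is flagged, since almost every byte of a sprayed object can reach its shellcode block.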
14
economist.com versus mw-612 (actual attack)
[Plot: normalized surface area vs. logical time (number of allocations/frees)]
15
Nozzle Runtime Overhead
[Bar chart; tick labels 4X, 50%, 20%, 10%]
16
Summary
Heap spraying is a real threat to Windows, Office, …
– Can be launched with JavaScript, C#, Java, images, mp3s, …
– Code/data is difficult to distinguish
– Published approaches fail
Heap spraying affects global heap health
– Detected by Nozzle
– Effectively identifies spraying at low cost
– Product groups have already expressed interest
17
Future Work
Closely integrate Nozzle with
– IE
– .NET/CLR (garbage-collected heap vulnerable too)
Improve filtering, anticipate new attacks
Mitigate after detecting
Address TOCTOU with GC and/or identifying stores to heap
18
Nozzle: A Defense Against Heap Spraying Attacks
Ben Livshits, Paruj Ratanaworabhan, Ben Zorn
19
False positive results
– No more than 12% of max SA reported
– No false positives reported for 20% threshold
– What about SA for rogue sites?
[Plot: maximum normalized SA for Alexa top 150 (top) and 10 selected sites (bottom)]
20
Backup: SA for various benign sites
21
Nozzle versus DEP
DEP prevents code execution in memory
– Can be disabled at runtime
– Has compatibility issue
– Circumvented with Java (Applet)
But, Nozzle is more compatible and more selective
22
False negative results
– 12 published heap spray pages
– 2000 synthetic heap spray pages: use MetaSploit’s advanced NOP engine and shellcode database
[Plot of maximum normalized SA: one set is over 8 times the max of the benign sites, the other over 6 times the max of the benign sites]
23
Effect of sampling on max SA calculation
– Test with the 10 selected sites
– Measure the error with respect to 100%
[Plot: average error rate]