Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits, Paruj Ratanaworabhan, and Ben Zorn Microsoft Research Redmond, WA

Post on 19-Jan-2016


Page 1: Ben Livshits, Paruj Ratanaworabhan, and Ben Zorn Microsoft Research Redmond, WA

Nozzle: A Defense Against Heap Spraying Attacks

Ben Livshits, Paruj Ratanaworabhan, and Ben Zorn

Microsoft Research, Redmond, WA

Page 2

Motivation

A Brief History of Memory Exploits

[Figure: timeline of memory exploit frequency by year, 2000 to 2010. Stack overflow exploits are answered by StackGuard; heap exploits are answered by the Vista heap and layout randomization; heap spraying is answered by Nozzle.]

Page 3

Motivation

Stack Overflow Exploit

<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …&#3341;&#3341;"></IFRAME>

[Figure: stack overflow exploit. Step 1, exploit: the overlong strings overwrite the return address on the stack. Step 2, jump: the corrupted return address lands in a NOP sled that leads into the shellcode.]

Page 4

Motivation

Heap Corruption Exploit

<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …&#3341;&#3341;"></IFRAME>

[Figure: heap corruption exploit. Step 1, exploit: the overflow overwrites a vtable pointer in a heap object. Step 2, jump: the corrupted vtable pointer lands in a NOP sled that leads into the shellcode on the heap.]

Page 5

Motivation

Heap Spraying Exploit in a Browser

[Figure: heap spraying exploit in a browser. Step 1, spray: the script below fills the heap with many copies of a sled followed by shellcode. Step 2, exploit: the IFRAME below corrupts a vtable pointer. Step 3, jump: the corrupted pointer lands in one of the many sled/shellcode copies on the heap.]

<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
oneblock = unescape("%u0C0C%u0C0C");
var fullblock = oneblock;
while (fullblock.length<0x40000) { fullblock += fullblock; }
sprayContainer = new Array();
for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; }
</SCRIPT>

<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …&#3341;&#3341;"></IFRAME>

Page 6

Motivation

Kittens of Doom. Is no Data Sacred?

Spraying: general attack

Embed malicious code in images, documents, DLLs…

Image example: comments, transformed data

Documented at BlackHat’08

Page 7

Visiting a Site Can Compromise Your Whole Machine


Page 8

Techniques

Nozzle Overview

Heap Spraying

Relies on pre-existing exploit (in C/C++)

Spraying in type-safe language: JavaScript, C#, Java

JIT-ed languages: good targets

Randomization doesn’t help

Browsers are popular target

Nozzle

Detect / mitigate heap spray attack

Monitors heap for suspicious activity

Compare to HW “no-execute” page protection: more compatible, doesn’t just crash

Focus on browser, but applicable to all applications

Page 9

Motivation

Nozzle Architecture

[Figure: Nozzle architecture. Inside the browser process, browser threads allocate from the browser heap; the Nozzle detector runs on separate NOZZLE threads and reads the allocation history.]

Monitor allocations

Interpret heap objects as code

Maintain a global heap health metric: normalized surface area

Page 10

Local vs. Global Detection

Code or Data?

Local Detection: Is this object dangerous?

Code and data: same on x86

Local detection: 80% FP rate

[Figure: two byte patterns shown as the slide disassembles them. A run of 00 bytes decodes as add [eax], al repeated; a run of 0101 bytes decodes as and ah, [edx] repeated.]

Global Detection: Is my heap under attack?

Nozzle: collections of objects

Sprayed heap: large attack surface

Page 11

Motivation

Nozzle Global Heap Metric

[Figure: how the global heap metric is built up. Each heap object obj is split into basic blocks Bi; SA(Bi) is computed per block, SA(o) per object, SA(H) for the entire heap, and NSA(H) is the normalized result. The example object is first disassembled to build a CFG, then analysed by dataflow; each instruction is classified as arithmetic, memory, I/O or syscall, or control flow, and control-flow edges point to their target block.]

Example object as disassembled on the slide:

in eax, 0x11
sub [eax], eax
adc dh, bh
jecxz 021c7fd8
test cl, ah
add al, 30h
add al, 80h
or eax, 0d172004h
outs dx, [esi]
jecxz 021c7fde
add [ecx], 0
add [eax], al
xor [eax], eax
add al, 38h
imul eax, [eax], 6ch
or eax, 0d179004h

Legend:

Compute threat of single block

Compute threat of single object

Compute threat of entire heap

Normalize to (approx): P(jump will cause exploit)

Page 12

Surface Area Calculation: Dataflow

Extract control flow graph (CFG) from heap object

SA(Bi) = likelihood of ending in Bi if we land within object boundaries

A BB contributes its effective size to another BB’s SA if there is a path to that other BB

A BB containing prohibitive instructions (int, out, hlt, or ltr) has zero effective size

[Figure: an example object from visiting google.com, with its basic blocks labelled starting at A]
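The surface-area rules on this slide and the block/object/heap hierarchy on the previous one, worked through in Python as an added example (not the Nozzle authors' code). Assumptions not stated on the slides: SA(o) is taken as the largest SA(Bi) in the object, NSA(H) as the sum of SA(o) over total object bytes, the 20% threshold and the sample objects are constructed for illustration.

```python
from dataclasses import dataclass, field

PROHIBITIVE = {"int", "out", "hlt", "ltr"}  # prohibitive instructions named on the slide

@dataclass
class BasicBlock:
    size: int                                 # instruction bytes in the block
    mnemonics: list                           # mnemonics found in the block
    succ: list = field(default_factory=list)  # indices of successor blocks

def effective_size(b):
    """Slide rule: a block holding a prohibitive instruction has effective size 0."""
    return 0 if any(m in PROHIBITIVE for m in b.mnemonics) else b.size

def reaches(cfg, src, dst):
    """True if a CFG path leads from src to dst (every block reaches itself)."""
    seen, stack = set(), [src]
    while stack:
        cur = stack.pop()
        if cur == dst:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(cfg[cur].succ)
    return False

def sa_block(cfg, i):
    """SA(Bi): every block with a path to Bi contributes its effective size."""
    return sum(effective_size(b) for j, b in enumerate(cfg) if reaches(cfg, j, i))

def sa_object(cfg):
    """SA(o): assumed here to be the largest SA(Bi) among the object's blocks."""
    return max(sa_block(cfg, i) for i in range(len(cfg))) if cfg else 0

def nsa_heap(heap):
    """NSA(H): assumed here to be the sum of SA(o) divided by total object bytes."""
    total = sum(b.size for cfg in heap for b in cfg)
    return sum(sa_object(cfg) for cfg in heap) / total if total else 0.0

def heap_flagged(heap, threshold=0.2):
    """Illustrative alarm: NSA(H) above a threshold (20% is a stand-in value)."""
    return nsa_heap(heap) > threshold

# Constructed sample heap (not real allocations). SLED models a sprayed object:
# four straight-line blocks of 0x0C0C bytes, each flowing into the next.
SLED = [BasicBlock(64, ["or"], [k + 1]) for k in range(3)] + [BasicBlock(64, ["or"])]
# BENIGN models ordinary data: short blocks cut by hlt/int/out and dead ends.
BENIGN = [BasicBlock(12, ["mov", "add"], [1]), BasicBlock(8, ["hlt"]), BasicBlock(24, ["int"], [3]),
          BasicBlock(12, ["xor"]), BasicBlock(20, ["out"])]
HEAP = [SLED, BENIGN]
```

Every sled block reaches the final one, so SA(o) for SLED equals its whole size, while the prohibitive instructions and dead ends keep the benign object's surface area small.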

Page 13

Experiments

Nozzle Experimental Summary

0 False Positives

• 10 popular AJAX-heavy sites

• 150 top Web sites

0 False Negatives

• 12 published heap spraying exploits and

• 2,000 synthetic rogue pages generated using Metasploit

Runtime Overhead

• As high as 2x without sampling

• 5-10% with sampling

Page 14

economist.com versus mw-612 (actual attack)

[Figure: normalized surface area plotted against logical time (number of allocations/frees) for economist.com and for the mw-612 attack]

Page 15

False Positive Results

No more than 12% of max SA reported

No false positives reported for 20% threshold

What about SA for rogue sites?


Page 16

False Negative Evaluation

12 published heap spray pages

2,000 synthetic heap spray pages using MetaSploit

• advanced NOP engine

• Shellcode database

Page 17

Normalized Surface Area Locally


Page 18

Nozzle Runtime Overhead


Page 19

Demo


Page 20

Conclusion

Nozzle: effective heap spraying prevention

No false positives, no false negatives

Can be used for online or offline scanning


Page 21

Contact us

Ben Livshits ([email protected])
