TRANSCRIPT
Nozzle: A Defense Against Heap Spraying Attacks
Ben Livshits, Paruj Ratanaworabhan, and Ben Zorn
Microsoft Research, Redmond, WA
Motivation
A Brief History of Memory Exploits
[Figure: frequency of memory exploits by year, 2000 to 2010. Timeline labels: stack overflow, StackGuard, heap exploit, Vista heap layout randomization, heap spraying, Nozzle.]
Motivation
Stack Overflow Exploit
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …഍഍"></IFRAME>
[Figure: stack layout. (1) The exploit overwrites the return address on the stack; (2) the jump lands in a NOP sled that leads into the shellcode.]
Motivation
Heap Corruption Exploit
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …഍഍"></IFRAME>
[Figure: heap layout. (1) The exploit overwrites a vtable pointer in the heap; (2) the jump lands in a NOP sled that leads into the shellcode.]
Motivation
Heap Spraying Exploit in a Browser
<SCRIPT language="text/javascript">
  shellcode = unescape("%u4343%u4343%...");
  oneblock = unescape("%u0C0C%u0C0C");
  var fullblock = oneblock;
  while (fullblock.length < 0x40000) { fullblock += fullblock; }
  sprayContainer = new Array();
  for (i = 0; i < 1000; i++) { sprayContainer[i] = fullblock + shellcode; }
</SCRIPT>
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …഍഍"></IFRAME>
[Figure: heap layout. (1) The script sprays the heap with many sled + shellcode copies; (2) the IFRAME exploit corrupts a vtable pointer; (3) the resulting jump lands in one of the sleds and runs the shellcode.]
Motivation
Kittens of Doom. Is no Data Sacred?
Spraying is a general attack: embed malicious code in images, documents, DLLs, …
Image example: comments, transformed data
Documented at BlackHat '08
Visiting a Site Can Compromise Your Whole Machine
Techniques
Nozzle Overview
Heap Spraying:
Relies on a pre-existing exploit (in C/C++)
Spraying happens in a type-safe language: JavaScript, C#, Java; JIT-ed languages are good targets
Randomization doesn't help
Browsers are a popular target
Nozzle:
Detects / mitigates heap spray attacks
Monitors the heap for suspicious activity
Compare to hardware "no-execute" page protection: more compatible, doesn't just crash
Focus on the browser, but applicable to all applications
Motivation
Nozzle Architecture
[Figure: the browser process contains the browser heap; browser threads allocate into it, and the Nozzle detector keeps an allocation history that the Nozzle threads scan.]
Nozzle threads:
Monitor allocations
Interpret heap objects as code
Maintain a global heap health metric: normalized surface area
Local vs. Global Detection
Code or Data? Local detection: is this object dangerous?
Code and data look the same on x86; local detection has an 80% false positive rate.
Bytes: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Disassemble as: add [eax], al add [eax], al add [eax], al add [eax], al add [eax], al add [eax], al add [eax], al
Bytes: 0101010101010101010101010101010101010101010101010101010101010101010101
Disassemble as: and ah, [edx] and ah, [edx] and ah, [edx] and ah, [edx] and ah, [edx] and ah, [edx] and ah, [edx]
Global detection: is my heap under attack? Nozzle looks at collections of objects.
A sprayed heap has a large attack surface.
Motivation
Nozzle Global Heap Metric
[Figure: an object obj is split into basic blocks Bi; each block gets a surface area SA(Bi), the object gets SA(o), the heap gets SA(H), and the normalized value is NSA(H).]
Steps: build the CFG, then run dataflow.
Example disassembly of a heap object, with instructions classed as arithmetic, memory, I/O or syscall, or control flow (edges point to the target block):
in eax, 0x11
sub [eax], eax
adc dh, bh
jecxz 021c7fd8
test cl, ah
add al, 30h
add al, 80h
or eax, 0d172004h
outs dx, [esi]
jecxz 021c7fde
add [ecx], 0
add [eax], al
xor [eax], eax
add al, 38h
imul eax, [eax], 6ch
or eax, 0d179004h
Legend:
Compute the threat of a single block
Compute the threat of a single object
Compute the threat of the entire heap
Normalize to (approximately) P(jump will cause exploit)
Surface Area Calculation: Dataflow
Extract a control flow graph (CFG) from the heap object.
SA(Bi) = likelihood of ending in Bi if we land within the object boundaries.
A basic block contributes its effective size to another basic block's SA if there is a path to that other block.
A basic block containing prohibitive instructions has zero effective size: int, out, hlt, or ltr.
An example object from visiting google.com
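As an added illustration of the surface-area rules on this slide (example code, not Nozzle's own implementation), the Python below computes SA(Bi) over a small constructed CFG and compares a benign-looking object with a sled-shaped one; taking the object's SA as the maximum block SA and dividing by total heap bytes for NSA(H) are assumptions, since the slides only name SA(o) and NSA(H).

```python
from collections import deque

# Prohibitive instructions named on the slide: a block containing one has
# effective size zero, since execution through it would fault or trap.
PROHIBITIVE = {"int", "out", "hlt", "ltr"}

def effective_size(size, mnemonics):
    return 0 if PROHIBITIVE.intersection(mnemonics) else size

def surface_area(blocks):
    """SA(Bi) for each block of one object.

    blocks: list of (byte size, mnemonics, successor block indices).
    SA(Bi) sums the effective sizes of every block with a path to Bi,
    Bi itself included, so a long sled flowing into one block makes
    that block's SA approach the whole object size."""
    n = len(blocks)
    eff = [effective_size(size, mn) for size, mn, _ in blocks]
    preds = [[] for _ in range(n)]
    for j, (_, _, succs) in enumerate(blocks):
        for k in succs:
            preds[k].append(j)
    result = []
    for i in range(n):  # walk predecessors backwards from Bi
        seen, work = {i}, deque([i])
        while work:
            for p in preds[work.popleft()]:
                if p not in seen:
                    seen.add(p)
                    work.append(p)
        result.append(sum(eff[b] for b in seen))
    return result

def object_sa(blocks):
    # Assumption: SA(o) is the largest block SA, the likeliest landing spot.
    return max(surface_area(blocks))

def normalized_sa(heap):
    """NSA(H) = SA(H) / |H|: summed object SA over total heap bytes
    (this normalization is assumed; the slide only names the metric)."""
    total = sum(size for obj in heap for size, _, _ in obj)
    return sum(object_sa(obj) for obj in heap) / total

# Constructed sample objects (not real heap contents). benign: four
# unconnected blocks, two of them containing prohibitive instructions.
# sled: five NOP blocks chained into one 64-byte "shellcode" block.
benign = [(16, ["add"], []), (8, ["hlt"], []), (24, ["or"], []), (12, ["int"], [])]
sled = [(32, ["nop"], [i + 1]) for i in range(5)] + [(64, ["mov", "call"], [])]

if __name__ == "__main__":
    print("sled SA per block:", surface_area(sled))                 # [32, ..., 224]
    print("NSA benign only: %.2f" % normalized_sa([benign]))         # 0.40
    print("NSA with spray: %.2f" % normalized_sa([benign, sled]))    # 0.87
```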
Experiments
Nozzle Experimental Summary
0 false positives: 10 popular AJAX-heavy sites; 150 top Web sites
0 false negatives: 12 published heap spraying exploits and 2,000 synthetic rogue pages generated using Metasploit
Runtime overhead: as high as 2x without sampling; 5-10% with sampling
[Figure: normalized surface area over logical time (number of allocations/frees) for economist.com versus mw-612 (an actual attack).]
False Positive Results
No more than 12% of max SA reported
No false positives reported for a 20% threshold
What about SA for rogue sites?
False Negative Evaluation
12 published heap spray pages
2,000 synthetic heap spray pages generated using Metasploit: advanced NOP engine, shellcode database
Normalized Surface Area Locally
Nozzle Runtime Overhead
Demo
Conclusion
Nozzle: effective heap spraying prevention
No false positives, no false negatives
Can be used for online or offline scanning