Ben Livshits, Paruj Ratanaworabhan, and Ben Zorn
Microsoft Research
Redmond, WA
Motivation
Figure: frequency of attack and defense techniques by year, 2000 to 2010. Attacks: stack overflow, heap exploit, heap spraying. Defenses: StackGuard; Vista heap with layout randomization; Nozzle.
2
Motivation
Figure: stack-based exploit. (1) The exploit page overwrites the return address on the stack; (2) control jumps into a NOP sled that leads to the shellcode.
<IFRAME
SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB …
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …
&#3341;&#3341;"></IFRAME>
3
Motivation
Figure: heap-based exploit. (1) The exploit page overwrites a vtable pointer in a heap object; (2) the corrupted virtual call jumps into a NOP sled that leads to the shellcode.
<IFRAME
SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB …
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …
&#3341;&#3341;"></IFRAME>
4
Motivation
Figure: heap spraying. (1) spray: the script fills the heap with many objects, each a sled followed by shellcode; (2) exploit: the IFRAME exploit corrupts a vtable pointer; (3) jump: the corrupted pointer lands somewhere inside one of the sprayed sleds and slides into the shellcode.
<IFRAME
SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB …
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …
&#3341;&#3341;"></IFRAME>
<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
oneblock = unescape("%u0C0C%u0C0C");
var fullblock = oneblock;
while (fullblock.length<0x40000) {
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<1000; i++) {
    sprayContainer[i] = fullblock + shellcode;
}
</SCRIPT>
5
Motivation

Spraying: general attack
 Embed malicious code in images, documents, DLLs…
 Image example: Comments, transformed data

Documented at BlackHat’08
6
7
Techniques
Heap Spraying
• Relies on pre-existing exploit (in C/C++)
• Spraying in type-safe language
 JavaScript, C#, Java
 JIT-ed languages: good targets
• Randomization doesn’t help
• Browsers are popular target
• More compatible
 Doesn’t just crash
Nozzle
• Detect / mitigate heap spray attack
• Monitors heap for suspicious activity
• Compare to HW “no-execute” page protection
• Focus on browser, but applicable to all applications
8
Motivation
Figure: Nozzle architecture. Inside the browser process, the browser threads allocate on the browser heap; the Nozzle detector runs on its own NOZZLE threads and keeps an allocation history.
• Monitor allocations
• Interpret heap objects as code
• Maintain a global heap health metric: normalized surface area
9
Code or Data?
Figure: the same bytes read as data (rows of 000000000000 and 0101010101) and as x86 instructions (add [eax], al and and ah, [edx]), repeated across the object.
Local Detection: Is this object dangerous?
 Code and data: same on x86
 Local detection: 80% FP rate
Global Detection: Is my heap under attack?
• Nozzle: collections of objects
• Sprayed heap: large attack surface
10
Motivation
Figure: computing the threat of the heap, bottom up. Build the CFG of a heap object; compute the threat of a single block, SA(Bi); compute the threat of a single object, SA(o); compute the threat of the entire heap, SA(H); normalize to NSA(H), which approximates P(jump will cause exploit). Legend: arithmetic, memory, I/O or syscall, control flow, dataflow (to target block).
Disassembly of the example object:
sub [eax], eax
adc dh, bh
or eax, 0d172004h
in eax, 0x11
test cl, ah
jecxz 021c7fd8
add [eax], al
add [ecx], 0
outs dx, [esi]
add al, 30h
add al, 80h
add al, 38h
jecxz 021c7fde
or eax, 0d179004h
xor [eax], eax
imul eax, [eax], 6ch
11
• Extract control flow graph (CFG) from heap object
• SA(Bi) = likelihood of ending in Bi if we land within object boundaries
• A BB contributes its effective size to another BB’s SA, if there is a path to that other BB
• BB containing prohibitive instructions has zero effective size
 int, out, hlt, or ltr
An example object from visiting google.com
12
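The surface-area computation from the two slides above, as an added example that is not part of the talk or of Nozzle's own code: SA(Bi) sums the effective sizes of every block with a path to Bi, and a block holding int, out, hlt or ltr contributes zero. The aggregation above the block level (SA(o) as the largest block SA in the object, SA(H) as the sum over objects, NSA(H) as SA(H) divided by total object bytes) and the two sample objects are my assumptions, not values from the talk.

```python
from collections import deque

# Prohibitive instructions named on the slide: a block containing one has
# zero effective size, since a sled running into it traps or faults.
PROHIBITIVE = {"int", "out", "hlt", "ltr"}


def effective_size(block):
    """Bytes a block contributes, zero if it holds a prohibitive instruction."""
    if any(mn in PROHIBITIVE for mn in block["insns"]):
        return 0
    return block["size"]


def reaching_blocks(cfg, target):
    """Ids of every block with a path to target, target included (reverse BFS)."""
    preds = {b: set() for b in cfg["blocks"]}
    for src, dst in cfg["edges"]:
        preds[dst].add(src)
    seen, queue = {target}, deque([target])
    while queue:
        for p in preds[queue.popleft()]:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def surface_area_block(cfg, target):
    """SA(Bi): effective bytes of all blocks that can flow into Bi."""
    return sum(effective_size(cfg["blocks"][b]) for b in reaching_blocks(cfg, target))


def surface_area_object(cfg):
    """SA(o): assumed here to be the SA of the object's most reachable block."""
    return max(surface_area_block(cfg, b) for b in cfg["blocks"])


def normalized_surface_area(heap):
    """NSA(H): assumed to be the sum of SA(o) over objects divided by total bytes."""
    total_bytes = sum(b["size"] for o in heap for b in o["blocks"].values())
    return sum(surface_area_object(o) for o in heap) / total_bytes


# Constructed sample objects (not from the talk). A sled-like object: four
# straight-line blocks of harmless arithmetic, each falling through to the next.
SLED = {"blocks": {i: {"size": 16, "insns": ["add", "and"]} for i in range(4)},
        "edges": [(0, 1), (1, 2), (2, 3)]}
# A data-like object: decoding its bytes soon reaches hlt, so most of it is dead.
DATA = {"blocks": {0: {"size": 8, "insns": ["sub", "adc"]},
                   1: {"size": 56, "insns": ["hlt"]}},
        "edges": [(0, 1)]}
```

A heap dominated by sled-like objects drives NSA(H) toward 1, which is what the 20% threshold on the later slides catches.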
Experiments
0 False Positives
• 10 popular AJAX-heavy sites
• 150 top Web sites
0 False Negatives
• 12 published heap spraying exploits and
• 2,000 synthetic rogue pages generated using Metasploit
Runtime Overhead
• As high as 2x without sampling
• 5-10% with sampling
13
Figure: normalized surface area plotted against logical time (number of allocations/frees).
14
• No more than 12% of max SA reported
• No false positives reported for 20% threshold
• What about SA for rogue sites?
15
• 12 published heap spray pages
• 2,000 synthetic heap spray pages using MetaSploit
 advanced NOP engine
 Shellcode database
16
• Nozzle: effective heap spraying prevention
• No false positives, no false negatives
• Can be used for online or offline scanning
22
Ben Livshits ([email protected])
Nozzle MSR _
23