Ben Livshits, Paruj Ratanaworabhan, and Ben Zorn
Microsoft Research
Redmond, WA
Motivation

(Figure: frequency of attack classes over time, 2000-2010. Each attack technique is paired with the defense that answered it: stack overflow with StackGuard, heap exploits with the Vista heap and layout randomization, heap spraying with Nozzle.)
Motivation

(Figure: classic stack-based exploit. Step 1, the exploit overwrites the return address on the stack; step 2, the corrupted return address jumps into a NOP sled that slides into the shellcode.)

The triggering page is a single IFRAME with oversized attributes:

<IFRAME
SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB …
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …
഍഍"></IFRAME>
Motivation

(Figure: the same exploit against the heap. Step 1, the exploit overwrites a vtable pointer in a heap object instead of a return address; step 2, the next virtual call jumps through the corrupted pointer into a NOP sled and on into the shellcode. The IFRAME used to trigger it is the same as on the previous slide.)
Motivation

Heap spraying adds a preparation step. Step 1, spray: JavaScript fills the heap with many copies of a sled followed by shellcode; step 2, exploit: the same IFRAME as above corrupts a vtable pointer; step 3, jump: almost any heap address the corrupted pointer lands on is now inside a sled, so the jump reaches the shellcode without knowing an exact address.

<SCRIPT language="text/javascript">
// shellcode payload (elided on the slide)
shellcode = unescape("%u4343%u4343%...");
// 0x0C0C0C0C doubles as a sled: harmless when executed, and also a
// plausible heap address for the corrupted pointer to land on
oneblock = unescape("%u0C0C%u0C0C");
var fullblock = oneblock;
// grow the sled to 0x40000 characters by repeated doubling
while (fullblock.length<0x40000) {
  fullblock += fullblock;
}
// allocate 1000 sled+shellcode blocks so they cover most of the heap
sprayContainer = new Array();
for (i=0; i<1000; i++) {
  sprayContainer[i] = fullblock + shellcode;
}
</SCRIPT>

(Figure: heap after spraying, filled with repeated sled and shellcode regions; the overwritten vtable pointer lands in one of the sleds.)
Motivation

Spraying: general attack
• Embed malicious code in images, documents, DLLs…
• Image example: comments, transformed data
• Documented at BlackHat’08
Techniques

Heap Spraying
• Relies on a pre-existing exploit (in C/C++)
• Spraying is done in a type-safe language: JavaScript, C#, Java
• JIT-ed languages: good targets
• Randomization doesn’t help
• Browsers are a popular target
• More compatible across versions than a fixed-address exploit
• Doesn’t just crash when the guess is off

Nozzle
• Detect / mitigate heap spray attacks
• Monitors the heap for suspicious activity
• Compare to HW “no-execute” page protection
• Focus on the browser, but applicable to all applications
Motivation

(Figure: Nozzle architecture. Inside the browser process, browser threads allocate into the browser heap; the Nozzle detector runs on its own NOZZLE threads and keeps an allocation history.)

• Monitor allocations
• Interpret heap objects as code
• Maintain a global heap health metric: normalized surface area
Code or Data?

(Figure: any byte sequence disassembles on x86. A run of zero bytes decodes as repeated `add [eax], al`; the alternating pattern shown decodes as repeated `and ah, [edx]`.)

Local Detection: is this object dangerous?
• Code and data look the same on x86
• Local detection alone: 80% false positive rate

Global Detection: is my heap under attack?
• Nozzle looks at collections of objects
• A sprayed heap presents a large attack surface
Motivation

(Figure: computing the threat of the whole heap. For each heap object, build the CFG, compute SA(Bi) for each basic block Bi and SA(o) for the object; SA(H) sums the objects, and NSA(H) normalizes SA(H) so that it approximates P(a random jump into the heap causes an exploit).)

Legend: arithmetic, memory, I/O or syscall, control flow, dataflow.

Example heap object as disassembled; the edges lead to the target block:

sub [eax], eax
adc dh, bh
or eax, 0d172004h
in eax, 0x11
test cl, ah
jecxz 021c7fd8
add [eax], al
add [ecx], 0
outs dx, [esi]
add al, 30h
add al, 80h
add al, 38h
jecxz 021c7fde
or eax, 0d179004h
xor [eax], eax
imul eax, [eax], 6ch
Surface area

• Extract a control flow graph (CFG) from the heap object
• SA(Bi) = likelihood of ending in Bi if we land within the object boundaries
• A BB contributes its effective size to another BB’s SA if there is a path to that other BB
• A BB containing prohibitive instructions has zero effective size: int, out, hlt, or ltr
• The object on the previous slide was taken from a visit to google.com
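The recurrence above, worked through in code. This is an added example, not the Nozzle implementation or the slides' own code: it assumes disassembly into basic blocks has already happened (blocks, sizes and successor edges are given directly), treats the "prohibitive instruction" rule exactly as the slide states it (zero effective size, edges kept), and reads "normalize" as dividing the summed surface area by the total bytes allocated, which is one way to obtain the approximate jump-to-exploit probability the slide mentions. The two sample objects, a sled-plus-shellcode spray block and a small object whose largest block contains a `hlt`, are constructed for the example.

```c
/* Added example: surface-area calculation over pre-disassembled heap
 * objects. Not the Nozzle code; block sizes and edges are constructed. */
#include <stdio.h>
#include <stdbool.h>

#define MAX_BLOCKS 8

/* One basic block of a heap object viewed as code. */
typedef struct {
    int  size;          /* bytes the block occupies inside the object */
    bool prohibitive;   /* true if it contains int, out, hlt or ltr */
    int  nsucc;         /* number of successor blocks (0, 1 or 2) */
    int  succ[2];       /* indices of the successor blocks */
} Block;

typedef struct {
    int   nblocks;
    Block blocks[MAX_BLOCKS];
    int   total_bytes;  /* allocation size of the object */
} HeapObject;

/* Effective size: a block with a prohibitive instruction contributes nothing. */
static int effective_size(const Block *b) {
    return b->prohibitive ? 0 : b->size;
}

/* reach[i][j] is true iff execution entering block i can reach block j.
 * A block reaches itself. Edges out of prohibitive blocks are kept, since the
 * slide only zeroes their size (assumption; it does not say to cut edges). */
static void reachability(const HeapObject *o, bool reach[MAX_BLOCKS][MAX_BLOCKS]) {
    int n = o->nblocks;
    for (int i = 0; i < MAX_BLOCKS; i++)
        for (int j = 0; j < MAX_BLOCKS; j++)
            reach[i][j] = false;
    for (int i = 0; i < n; i++) {
        reach[i][i] = true;
        for (int k = 0; k < o->blocks[i].nsucc; k++)
            reach[i][o->blocks[i].succ[k]] = true;
    }
    for (int k = 0; k < n; k++)             /* transitive closure */
        for (int i = 0; i < n; i++)
            for (int j = 0; j < n; j++)
                if (reach[i][k] && reach[k][j])
                    reach[i][j] = true;
}

/* SA(Bi): bytes of every block from which a landing can flow into block i. */
int block_surface_area(const HeapObject *o, int target) {
    bool reach[MAX_BLOCKS][MAX_BLOCKS];
    reachability(o, reach);
    int sa = 0;
    for (int j = 0; j < o->nblocks; j++)
        if (reach[j][target])
            sa += effective_size(&o->blocks[j]);
    return sa;
}

/* SA(o): the most reachable block decides the object's threat. */
int object_surface_area(const HeapObject *o) {
    int best = 0;
    for (int i = 0; i < o->nblocks; i++) {
        int sa = block_surface_area(o, i);
        if (sa > best) best = sa;
    }
    return best;
}

/* NSA(H): summed SA(o) divided by bytes allocated (assumed normalization). */
double normalized_surface_area(const HeapObject *heap, int count) {
    long sa = 0, bytes = 0;
    for (int i = 0; i < count; i++) {
        sa += object_surface_area(&heap[i]);
        bytes += heap[i].total_bytes;
    }
    return bytes ? (double)sa / (double)bytes : 0.0;
}

/* Constructed sample: three sled blocks falling through into 50 bytes of shellcode. */
static const HeapObject SPRAYED = {
    .nblocks = 4,
    .blocks = {
        { .size = 100, .prohibitive = false, .nsucc = 1, .succ = {1} },
        { .size = 100, .prohibitive = false, .nsucc = 1, .succ = {2} },
        { .size = 100, .prohibitive = false, .nsucc = 1, .succ = {3} },
        { .size = 50,  .prohibitive = false, .nsucc = 0 },
    },
    .total_bytes = 350,
};

/* Constructed sample: ordinary data whose largest "block" decodes to a hlt. */
static const HeapObject BENIGN = {
    .nblocks = 3,
    .blocks = {
        { .size = 16, .prohibitive = false, .nsucc = 0 },
        { .size = 64, .prohibitive = true,  .nsucc = 0 },
        { .size = 20, .prohibitive = false, .nsucc = 0 },
    },
    .total_bytes = 100,
};

/* Heap holding one of each: 370 surface bytes out of 450 allocated. */
double example_heap_nsa(void) {
    HeapObject heap[2];
    heap[0] = SPRAYED;
    heap[1] = BENIGN;
    return normalized_surface_area(heap, 2);
}

int main(void) {
    printf("SA(sprayed) = %d of %d bytes\n", object_surface_area(&SPRAYED), SPRAYED.total_bytes);
    printf("SA(benign)  = %d of %d bytes\n", object_surface_area(&BENIGN), BENIGN.total_bytes);
    printf("NSA(heap)   = %.3f\n", example_heap_nsa());
    return 0;
}
```

Every sled block reaches the shellcode block, so the whole 350-byte sprayed object counts toward SA(B3): landing anywhere in it ends in the shellcode. The benign object's 64-byte block is zeroed by the prohibitive rule and nothing flows between its blocks, so its surface area is only the 20-byte block. This is the asymmetry the global metric relies on: one such object is not alarming, but a heap full of them drives NSA(H) toward 1.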
Experiments

0 False Positives
• 10 popular AJAX-heavy sites
• 150 top Web sites

0 False Negatives
• 12 published heap spraying exploits
• 2,000 synthetic rogue pages generated using Metasploit

Runtime Overhead
• As high as 2x without sampling
• 5-10% with sampling
(Figure: normalized surface area over logical time, measured in number of allocations/frees, for benign sites.)

• No more than 12% of the maximum SA reported on benign sites
• No false positives reported for a 20% threshold
• What about SA for rogue sites?
Rogue pages tested
• 12 published heap spray pages
• 2,000 synthetic heap spray pages built with the MetaSploit advanced NOP engine and shellcode database
Nozzle: effective heap spraying prevention
• No false positives, no false negatives
• Can be used for online or offline scanning
Ben Livshits ([email protected])