Nozzle: A Defense Against Heap Spraying Attacks
Ben Livshits, Paruj Ratanaworabhan, Ben Zorn

A Brief History of Memory Exploits
[Timeline figure: frequency of memory exploits by year, 2000 to 2010. Events marked: stack overflow, StackGuard, heap exploit, heap spraying, Vista heap and layout randomization, Nozzle.]
Stack Overflow Exploit
[Figure: the stack with its return address. Step 1, the exploit (the IFRAME below) overflows a buffer and overwrites the return address; step 2, the jump lands in a nop sled that slides into the shellcode.]
<IFRAME
SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB …
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …
&#3341;&#3341;"></IFRAME>
Heap Corruption Exploit
[Figure: a heap object's vtable pointer. Step 1, the exploit (the IFRAME below) corrupts the vtable pointer; step 2, the indirect call jumps through it into a nop sled that slides into the shellcode.]
<IFRAME
SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB …
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …
&#3341;&#3341;"></IFRAME>
Heap Spraying Exploit
[Figure: the heap filled with many copies of sled followed by shellcode. Step 1, the exploit (the IFRAME below) corrupts a vtable pointer; step 2, the script sprays the heap; step 3, the jump through the corrupted pointer lands in one of the sleds and reaches the shellcode.]
<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
oneblock = unescape("%u0C0C%u0C0C");
var fullblock = oneblock;
while (fullblock.length<0x40000) {
  fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<1000; i++) {
  sprayContainer[i] = fullblock + shellcode;
}
</SCRIPT>
<IFRAME
SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB …
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …
&#3341;&#3341;"></IFRAME>
Kittens of Doom. Is no data sacred?
• Spraying: general attack
– Embed malicious code in images, documents, DLLs, etc.
– Image example:
• Comments
• Transformed data
• Documented at BH’08
Heap Spraying is a Real Problem
• Drive-by exploits
– Just visiting a site can compromise your whole machine
Nozzle Overview
Heap Spraying
• Relies on pre-existing exploit (in C/C++)
• Spraying in type-safe language
– JavaScript, C#, Java
– JIT-ed languages: good targets
• Randomization doesn’t help
• Browsers are popular target
Nozzle
• Detect / mitigate heap spray attack
• Monitors heap for suspicious activity
• Compare to HW “no-execute” page protection
– More compatible
– Doesn’t just crash
• Focus on browser, but applicable to all applications
Nozzle Architecture
[Figure: inside the browser process, the browser threads allocate from the browser heap; the Nozzle detector runs on its own NOZZLE threads and keeps an allocation history.]
• Monitor allocations
• Interpret heap objects as code
• Maintain a global heap health metric
Nozzle Experimental Summary
0 False Positives
• 150 top Web sites
• 10 popular AJAX sites
0 False Negatives
• 12 published heap spraying exploits and
• 2000 synthetic rogue pages generated using Metasploit
Runtime Overhead
• As high as 2x without sampling
• 5-10% with sampling
Local vs. Global Detection
[Figure, “Code or Data?”: the same object bytes shown as data (rows of 000000… and 010101…) and as their x86 disassembly (add [eax], al and and ah, [edx], repeated).]
Local Detection: Is this object dangerous?
• Code and data: same on x86
• Local detection: 80% FP rate
Global Detection: Is my heap under attack?
• Nozzle: collections of objects
• Sprayed heap: large attack surface
Nozzle Global Heap Metric
[Figure: a heap object o is disassembled and a CFG is built from it; the threat is then computed bottom-up:
SA(Bi): compute threat of a single block
SA(o): compute threat of a single object
SA(H): compute threat of the entire heap
NSA(H): normalize to (approximately) P(jump will cause exploit)
Legend for the CFG: arithmetic, memory, I/O or syscall, control flow, dataflow (edge to target block). Instructions shown in the disassembled object: sub [eax], eax; adc dh, bh; or eax, 0d172004h; in eax, 0x11; test cl, ah; jecxz 021c7fd8; add [eax], al; add al, 30h; add [ecx], 0; add al, 80h; add al, 38h; outs dx, [esi]; jecxz 021c7fde; or eax, 0d179004h; xor [eax], eax; imul eax, [eax], 6ch.]
Attack Surface Calculation
•
Extract control flow graph (CFG) from
heap object
A
sub [eax], eax
Legend:
adc dh, bh
arithmetic
or eax, 0d172004h
memory
•
SA(Bi) = likelihood of ending in Bi if
we land within object boundaries
I/O or syscall
in eax, 0x11
control flow
test cl, ah
jecxz 021c7fd8
B
•
A BB contributes its effective size to
another BB’s SA, if there is a path to
that other BB
C
add [eax], al
add al, 30h
add [ecx], 0
add al, 80h
outs dx, [esi]
add al, 38h
jecxz 021c7fde
D
BB containing prohibitive instructions
has zero effective size
imul eax, [eax], 6ch
or eax, 0d179004h
– int, out, hlt, or ltr
To target block
•
xor [eax], eax
An example object from
visiting google.com
13
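The attack surface calculation described on this slide, as an added example that is not the Nozzle project's code: it applies the slide's rules (a block's effective size flows to every block it has a path to; a block with a prohibitive instruction counts zero) to a constructed CFG. Taking SA(o) as the largest block SA and normalizing SA(H) by total heap bytes are assumptions not stated on the slide.

```python
# Added example, not the Nozzle authors' code: the slide's attack-surface (SA)
# calculation run over a constructed control flow graph. Assumed, not on the
# slides: SA(o) is the largest block SA, and NSA(H) divides by total heap bytes.
from collections import deque

# Prohibitive instructions per the slide: a block containing one has effective size 0.
PROHIBITIVE = {"int", "out", "hlt", "ltr"}

def effective_size(block):
    """Byte length of the block, or 0 if it contains a prohibitive instruction."""
    if any(insn.split()[0] in PROHIBITIVE for insn in block["insns"]):
        return 0
    return block["size"]

def block_surface_areas(cfg):
    """SA(Bi): summed effective sizes of every block with a path to Bi, Bi included."""
    preds = {name: set() for name in cfg}
    for name, block in cfg.items():
        for succ in block["succ"]:
            preds[succ].add(name)
    sa = {}
    for target in cfg:
        reach, work = {target}, deque([target])
        while work:  # walk predecessor edges backwards from the target block
            for pred in preds[work.popleft()]:
                if pred not in reach:
                    reach.add(pred)
                    work.append(pred)
        sa[target] = sum(effective_size(cfg[b]) for b in reach)
    return sa

def object_surface_area(cfg):
    """SA(o): the most reachable block dominates the object (assumption)."""
    return max(block_surface_areas(cfg).values())

def normalized_heap_sa(objects):
    """NSA(H): sum of SA(o) over heap bytes, approx. P(a wild jump runs attacker code)."""
    heap_bytes = sum(b["size"] for o in objects for b in o.values())
    return sum(object_surface_area(o) for o in objects) / heap_bytes

# Constructed objects: BENIGN soon decodes into a faulting instruction; SPRAYED is a
# 0x0C0C sled (each pair decodes as `or al, 0Ch`) flowing into a payload block.
BENIGN = {
    "A": {"size": 16, "insns": ["sub [eax], eax", "adc dh, bh", "jecxz B"], "succ": ["B"]},
    "B": {"size": 8, "insns": ["int 3"], "succ": []},
}
SPRAYED = {
    "S1": {"size": 64, "insns": ["or al, 0Ch"] * 32, "succ": ["S2"]},
    "S2": {"size": 64, "insns": ["or al, 0Ch"] * 32, "succ": ["P"]},
    "P": {"size": 32, "insns": ["xor eax, eax", "push eax"], "succ": []},
}
```

With these inputs the sprayed object scores 160 of its 160 bytes while the benign one scores 16 of 24, and a heap holding both normalizes to about 0.96.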
Normalize Surface Area
[Figure: normalized surface area over logical time (number of allocations/frees) for economist.com versus mw-612 (actual attack).]
Nozzle Runtime Overhead
[Figure: per-site runtime overhead bars at 50%, 20% and 10% sampling rates.]
Summary
• Heap spraying is a real threat to Windows, Office, …
– Can be launched with JavaScript, C#, Java, Images, mp3s, …
– Code/data is difficult to distinguish
– Published approaches fail
• Heap spraying affects global heap health
– Detected by Nozzle
– Effectively identifies spraying at low cost
– Product groups have already expressed interest
Future Work
• Closely integrate Nozzle with
– IE
– .NET/CLR (garbage-collected heap vulnerable too)
• Improve filtering, anticipate new attacks
• Mitigate after detecting
• Address TOCTOU with GC and/or identifying stores to heap
Nozzle: A Defense Against Heap Spraying Attacks
Ben Livshits, Paruj Ratanaworabhan, Ben Zorn
False positive results
• No more than 12% of max SA reported
• No false positives reported for 20% threshold
• What about SA for rogue sites?
[Figure: Maximum normalized SA for Alexa top 150 (top) and 10 selected sites (bottom); y-axis 0 to 0.12.]
Backup: SA for various benign sites
Nozzle versus DEP
• DEP prevents code execution in memory
But,
• Can be disabled at runtime
• Has compatibility issue
• Circumvented with Java (Applet)
Nozzle is more compatible and more selective
False negative results
• 12 published heap spray pages
• 2000 synthetic heap spray pages
– Use MetaSploit’s advanced NOP engine and shellcode database
Maximum normalized SA:
                     mean   std
published exploits   0.98   0.01   (over 8 times the max of the benign sites)
synthetic exploits   0.76   0.02   (over 6 times the max of the benign sites)
Effect of sampling on max SA calculation
• Test with the 10 selected sites
• Measure the error with respect to 100%
[Figure: average error rate (y-axis 0 to 0.3) at sampling rates of 0.10%, 1%, 5%, 10% and 25%.]