
Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.




1 Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation at Advanced Defense Lab

2 Outline
Introduction to heap spraying
Nozzle architecture
Design
Implementation
Evaluation
Limitations

3 Memory Corruption
Stack overflow, heap overflow, double free, dangling pointer, ...
Diagram: an exploit payload laid out in memory is a NOP sled followed by shellcode.
There are now many mechanisms for stack protection.

4 Heap Spray
The heap is less predictable than the stack, and some mechanisms randomize the heap layout.
Diagram: the heap filled with many copies of NOP sled + shellcode.
Heap spray in JavaScript, as shown on the slide:
    shellcode = unescape("%u4343%u4343%...");   // payload (elided on the slide)
    oneblock = unescape("%u0C0C%u0C0C");         // sled bytes
    var fullblock = oneblock;
    while (fullblock.length < 0x40000) {         // grow the sled block by doubling
        fullblock += fullblock;
    }
    sprayContainer = new Array();
    for (i = 0; i < 1000; i++) {                 // 1000 sled + shellcode copies fill the heap
        sprayContainer[i] = fullblock + shellcode;
    }

5 Heap Spray Requires...
The attacker must be able to control the contents of the heap, either by
providing data (e.g. images, documents, ...), or
using a scripting language to allocate objects directly.
Browsers are therefore a popular target.

6 Nozzle Architecture
Monitor allocations.
Interpret heap objects as code.
Maintain a global heap health metric: the normalized surface area.

7 Local vs. Global Detection
Local detection: code and data look the same on x86; 80% of Firefox's objects would become false positives.
Global detection: a sprayed heap has a large attack surface.
Diagram ("Code or Data?"): runs of ordinary data bytes decode as x86 instructions such as add [eax], al and and ah, [edx].

8 Design
Definition: a sequence of bytes is legitimate if it can be decoded as a sequence of valid x86 instructions.
Figure: a byte dump (00 00 0c 0a bc 6f d3 0c 0a bc 6f d3, repeated) decoded as x86 instructions, all of them legitimate.

9 Design (cont.)
Definition: a valid instruction sequence is a legitimate instruction sequence that does not include instructions in the following categories:
I/O or system calls (in, outs, etc.)
interrupts (int)
privileged instructions (hlt, ltr)
jumps outside of the current object's address range

10 Design (cont.)
NOZZLE attempts to discover objects in which control flow through the object (the NOP sled) frequently reaches the same basic block(s) (the shellcode).
Figure: object -> disassemble -> control flow graph.

11 An Example
Figure legend:
B_i: the i-th basic block
SA(B_i): attack surface area of B_i
V: valid instruction block
MASK_i: mask of the block itself

12 Design (cont.)
Compute the attack surface area of object o as:
The attack surface area of a heap containing n objects is defined as follows:
The normalized attack surface area of the heap:

13 Detection Threshold
th_abs = 5 MB
5 MB is the size of the Firefox heap when opening a blank page; a real attack would need to fill the heap with at least as many malicious objects.

14 Implementation
A binary rewriting infrastructure called Detours intercepts the function calls that allocate and free memory.
Within Mozilla Firefox these routines are malloc, calloc, realloc, and free, defined in MOZCRT19.dll.
Only objects larger than 32 bytes are considered.

15 Implementation (cont.)
The main function is rewritten to allocate a pool of N scanning threads for NOZZLE to use.
The previously allocated object is scanned when the next object is allocated.
This creates a time-of-check-to-time-of-use (TOCTTOU) vulnerability.
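The design on slides 7 to 13 (legitimate and valid instruction sequences, the per-object attack surface area read off a control-flow graph, and the global thresholds th_abs = 5 MB and th_norm = 15%) and the implementation on slides 14 and 15 (an allocation hook that scans the previous object when the next one is allocated, with its TOCTTOU window) are illustrated by the following Python toy. It is an added example, not NOZZLE's or Firefox's code. Assumptions that are not on the slides: the decoder understands only a handful of x86 opcodes and treats anything else as undecodable; every offset in an object is a possible entry point; each byte counts at most once, so the normalized area stays within 0..100%; an invalid instruction contributes nothing and has no successor; the surface-area formulas (bytes of valid instructions that can reach one instruction, maximized over the object, summed over objects larger than 32 bytes, divided by the heap size) are recalled from the NOZZLE paper rather than taken from this page; the heap contents, the addresses and the scaled-down th_abs of 4096 bytes are constructed for the demo.

```python
"""Toy model of NOZZLE's heap-spray metric and deferred object scanning.
Added example, not NOZZLE's or Firefox's code: tiny x86 subset, every offset
a possible entry point, each byte counted once; the surface-area formulas are
recalled from the NOZZLE paper (assumption), not taken from this page."""
from collections import defaultdict

def decode(buf, pc):
    """-> (length, category, jmp_target) or None; category: valid/jmp/end/bad."""
    if pc >= len(buf):
        return None
    op, imm = buf[pc], pc + 1 < len(buf)
    if op == 0x90 or 0x40 <= op <= 0x4F:                     # nop, inc/dec r32
        return (1, "valid", None)
    if (op == 0x00 and imm and buf[pc + 1] == 0) or (op == 0x0C and imm):
        return (2, "valid", None)                            # add [eax],al / or al,imm8
    if op == 0xC3:                                           # ret: no successor
        return (1, "end", None)
    if op == 0xEB and imm:                                   # jmp rel8 (signed)
        return (2, "jmp", pc + 2 + buf[pc + 1] - (256 if buf[pc + 1] > 127 else 0))
    if op in (0xF4, 0xCC) or (op in (0xCD, 0xE4, 0xE6) and imm):
        return (1 if op in (0xF4, 0xCC) else 2, "bad", None)  # hlt/int3, int/in/out
    return None

def build_graph(buf):
    """Instruction-level CFG of one object; a jump leaving the object is 'bad'."""
    nodes, preds = {}, defaultdict(set)
    for pc in range(len(buf)):
        d = decode(buf, pc)
        if d:
            length, cat, target = d
            if cat == "jmp" and not 0 <= target < len(buf):
                cat, target = "bad", None
            nodes[pc] = (length, cat, target)
    for pc, (length, cat, target) in nodes.items():
        succ = pc + length if cat == "valid" else target if cat == "jmp" else None
        if succ in nodes:
            preds[succ].add(pc)
    return nodes, preds

def object_surface_area(buf):
    """SA(o): most bytes of valid instructions that can all flow into one spot."""
    nodes, preds = build_graph(buf)
    best = 0
    for start in nodes:
        seen, stack, covered = {start}, [start], set()
        while stack:                                         # transitive predecessors
            pc = stack.pop()
            length, cat, _ = nodes[pc]
            if cat != "bad":                                 # MASK: forbidden adds nothing
                covered.update(range(pc, pc + length))
            stack += [p for p in preds[pc] if p not in seen]
            seen.update(preds[pc])
        best = max(best, len(covered))
    return best

class HeapMonitor:
    """Stand-in for the malloc hook: scans the previous object on the next alloc."""
    def __init__(self, min_size=32, th_abs=5 * 1024 * 1024, th_norm=0.15):
        self.min_size, self.th_abs, self.th_norm = min_size, th_abs, th_norm
        self.objects, self.surface, self.pending = {}, {}, None

    def scan(self, addr):
        buf = self.objects[addr]
        self.surface[addr] = object_surface_area(buf) if len(buf) > self.min_size else 0

    def on_alloc(self, addr, buf):
        if self.pending in self.objects:                     # deferred scan: TOCTTOU window
            self.scan(self.pending)
        self.objects[addr], self.pending = bytearray(buf), addr

    def rescan_all(self):                                    # slide 27: rescan after many stores
        for addr in self.objects:
            self.scan(addr)

    def health(self):
        """-> (SA(H), NSA(H), alarm); alarm needs both thresholds exceeded."""
        total = sum(len(b) for b in self.objects.values())
        sa = sum(self.surface.values())
        nsa = sa / total if total else 0.0
        return sa, nsa, sa > self.th_abs and nsa > self.th_norm

# Constructed sample objects, not real heap captures.
SLED_BLOCK = b"\x0c" * 64 + b"\x90\x90\xc3"        # 0C0C sled + stand-in payload (nop;nop;ret)
BENIGN_TEXT = b"Hello, this is an ordinary string object on the heap!!"
NOP_OBJECT = b"\x90" * 40                          # 100% code locally, harmless globally
SPRAYED_HEAP = [SLED_BLOCK] * 100 + [BENIGN_TEXT] * 20
BENIGN_HEAP = [BENIGN_TEXT] * 100 + [NOP_OBJECT] * 5 + [b"\x90" * 16] * 50

def simulate(objects, th_abs=4096):
    """Allocate in order (th_abs scaled down from 5 MB for the toy heap)."""
    mon = HeapMonitor(th_abs=th_abs)
    for i, obj in enumerate(objects):
        mon.on_alloc(0x10000 + i * 0x100, obj)
    mon.scan(mon.pending)                              # flush the last deferred scan
    return mon.health()

def toctou_demo():
    """Sled written after the object was scanned goes unseen until a rescan."""
    mon = HeapMonitor(th_abs=64)
    mon.on_alloc(0x1000, b"x" * 67)                    # undecodable filler at allocation
    mon.on_alloc(0x2000, BENIGN_TEXT)                  # this allocation scans 0x1000
    mon.objects[0x1000][:] = SLED_BLOCK                # later overwritten in place
    before = mon.health()[2]
    mon.rescan_all()
    return before, mon.health()[2]
```

simulate(SPRAYED_HEAP) and simulate(BENIGN_HEAP) show the local-versus-global point from slide 7: NOP_OBJECT, and even an all-zero buffer (zero bytes decode as add [eax], al), are entirely "code" when looked at alone, yet BENIGN_HEAP stays far below both thresholds while SPRAYED_HEAP crosses them. toctou_demo() returns (False, True): a sled written into an object after its deferred scan stays invisible until rescan_all() runs, which is the store-triggered rescan suggested on slide 27.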

16 Evaluation

17 Evaluation (cont.)
10 heavily used benign web sites
150 most visited sites as ranked by Alexa

18 False Positive Results
Set th_norm at 15%.

19 False Negative Evaluation
12 published heap spray pages
2,000 synthetic heap spray pages generated with the Metasploit advanced NOP engine and its shellcode database


22 Performance
Firefox version 2.0.0.16
2.4 GHz Intel Core 2 E6600 CPU
Windows XP SP3
2 GB memory

23 Single Core

24 Two Cores

25 Error Rate with Sampling

26 Porting to Adobe
In February 2009, a remote code execution vulnerability was discovered in Adobe Acrobat and Adobe Reader.
NOZZLE correctly detected this heap spraying attack, determining that the attack surface of the heap was greater than 94%.

27 Limitations
TOCTTOU vulnerability: rescans could be triggered when NOZZLE observes a significant number of heap stores.
Sequences that start with an uninterpretable opcode: NOZZLE skips it.
Attacks with fewer malicious objects: the attacker will have a high failure probability.

28 Limitations (cont.)
Jump into page: the attacker allocates page-size chunks of memory, so the shellcode sits at a fixed offset from every page boundary.
Diagram: repeated page-size blocks, each holding shellcode at the same page-aligned offset ("Page alignment: fixed offset!!").

29 Thank You




