Presentation is loading. Please wait.

Presentation is loading. Please wait.

Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.

Similar presentations


Presentation on theme: "Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation."— Presentation transcript:

1 Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation at Advanced Defense Lab

2 Outline Introduce to Heap Spray Nozzle Architecture Design Implement Evaluation Limitation 2Advanced Defense Lab

3 Heap Memory Corruption Advanced Defense Lab3 Memory Corruption NOP Sled Shellcode Stack overflow, Heap overflow, Double free, Dangling pointer,… With many mechanism for stack protection

4 Heap Heap Spray Advanced Defense Lab4 Memory Corruption Heap is less predictable, and some mechanism for randomizing the heap layout NOP Sled Shellcode NOP Sled Shellcode NOP Sled Shellcode NOP Sled Shellcode shellcode = unescape("%u4343%u4343%...''); oneblock = unescape("%u0C0C%u0C0C"); var fullblock = oneblock; while (fullblock.length<0x40000) { fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; }

5 Heap Spray Requires… Attacker must be able to control the contents of the heap. Providing data Ex: images, documents, … Scripting language Allocate object directly Browsers are popular target. Advanced Defense Lab5

6 Nozzle Architecture Advanced Defense Lab6 Monitor allocationsInterpret heap objects as codeMaintain a global heap health metric: normalized surface area

7 Local vs. Global Detection Local Detection Code and data: same on x86 80% objects of Firefox would become false positive Global Detection Sprayed heap: large attack surface Advanced Defense Lab7 Code or Data? add [eax], al and ah, [edx]

8 Design Definition: A sequence of bytes is legitimate, if it can be decoded as a sequence of valid x86 instructions. Advanced Defense Lab c 0a bc 6f d3 0c 0a bc 6f d c 0a bc 6f d3 0c 0a bc 6f d c 0a bc 6f d3 0c 0a bc 6f d c 0a bc 6f d3 0c 0a bc 6f d c 0a bc 6f d3 0c 0a bc 6f d c 0a bc 6f d3 0c 0a bc 6f d3 X86 instructions legitimate

9 Design (cont.) Definition: A valid instruction sequence is a legitimate instruction sequence that does not include instructions in the following categories: I/O or system calls (in, outs, etc) interrupts (int) privileged instructions (hlt, ltr) jumps outside of the current object address range Advanced Defense Lab9

10 Design (cont.) NOZZLE attempts to discover objects in which control flow through the object (the NOP sled) frequently reaches the same basic block(s) (the shellcode.) Advanced Defense Lab10 object disassemble Control Flow Graph

11 A Example Advanced Defense Lab11 B i : ith block SA(B i ): Attack Surface Area of Bi V: valid instruction block MASK i : mask self block

12 Design (cont.) Compute the attack surface area of object o as: The attack surface area of heap containing n objects is defined as follows: The normalized attack surface area of heap Advanced Defense Lab12

13 Detection Threshold th abs =5 MB 5MB is the size of Firefox heap when open a blank page. A real attack would need to fill the heap with at least as many malicious objects. Advanced Defense Lab13

14 Implement Using a binary rewriting infrastructure called Detours to intercept functions calls that allocate and free memory. Within Mozilla Firefox these routines are malloc, calloc, realloc, and free, defined in MOZCRT19.dll. Only consider objects of size greater than 32 bytes Advanced Defense Lab14

15 Implement (cont.) Rewrite the main function to allocate a pool of N scanning threads to be used by NOZZLE We scan the previously allocated object when we see the next object allocated. Time-of-Check to Time-of-Use(TOCTTOU) vulnerability Advanced Defense Lab15

16 Evaluation Advanced Defense Lab16

17 Evaluation(cont.) 10 heavily-used benign web site 150 most visited sites as ranked by Alexa Advanced Defense Lab17

18 False Positive Results Advanced Defense Lab18 Set th norm at 15%

19 False Negative Evaluation 12 published heap spray pages 2,000 synthetic heap spray pages using MetaSploit advanced NOP engine Shellcode database Advanced Defense Lab19

20 Advanced Defense Lab20

21 Advanced Defense Lab21

22 Performance Firefox version GHz Intel Core 2 E6600 CPU Windows XP SP3 2 GB memory Advanced Defense Lab22

23 Single Core Advanced Defense Lab23

24 2 Core Advanced Defense Lab24

25 Error Rate with Sampling Advanced Defense Lab25

26 Porting for Adobe In February 2009, a remote code execution vulnerability was discovered in Adobe Acrobat and Adobe Reader. NOZZLE correctly detected this heap spraying attack, determining that the attack surface of the heap was greater than 94% Advanced Defense Lab26

27 Limitation TOCTTOU vulnerability Rescans could be triggered when N OZZLE observes a significant number of heap stores Start with uninterpretable opcode NOZZLE skip it Attack with fewer malicious objects Attacker will have high failure probability. Advanced Defense Lab27

28 Limitation (cont.) Jump into Page Attacker allocates page-size chunk of memory Advanced Defense Lab28 Page-size Shellcode Page-size Shellcode Page-size Shellcode Page alignment Fixed offset!!

29 Thank You Advanced Defense Lab29


Download ppt "Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation."

Similar presentations


Ads by Google