1 exploit 2 jump nop sled shellcode return address stack"> 1 exploit 2 jump nop sled shellcode return address stack">

Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.

Published bySawyer Doherty Modified over 9 years ago

Similar presentations

Presentation on theme: "Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn."— Presentation transcript:

1 Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn

2 A Brief History of Memory Exploits 2 Frequency Year 200020022004200620082010 Stack overflow StackGuard Heap exploit Vista heap, layout randomization Nozzle Heap spraying

3 Stack Overflow Exploit 3 <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCC … ഍഍"> 1 exploit 2 jump nop sled shellcode return address stack

4 Heap Corruption Exploit 4 <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCC … ഍഍"> 1 exploit 2 jump nop sled shellcode Heap vtable pointer

5 Heap Spraying Exploit 5 shellcode = unescape("%u4343%u4343%...''); oneblock = unescape("%u0C0C%u0C0C"); var fullblock = oneblock; while (fullblock.length<0x40000) { fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; } <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCC … ഍഍"> 1 exploit sled shellcode sled shellcode sled shellcode sled shellcode sled shellcode sled shellcode Heap vtable pointer sled shellcode sled shellcode sled shellcode sled shellcode sled shellcode 2 spray 3 jump

6 Kittens of Doom. Is no data sacred? Spraying: general attack – Embed malicious code in images, documents, DLLs, etc. – Image example: Comments Transformed data Documented at BH’08 6

7 Heap Spraying is a Real Problem 7 Drive-by exploits – Just visiting a site can compromise your whole machine

8 Nozzle Overview Heap Spraying Relies on pre-existing exploit (in C/C++) Spraying in type-safe language – JavaScript, C#, Java – JIT-ed languages: good targets Randomization doesn’t help Browsers are popular target Nozzle Detect / mitigate heap spray attack Monitors heap for suspicious activity Compare to HW “no-execute” page protection – More compatible – Doesn’t just crash Focus on browser, but applicable to all applications 8

9 Nozzle Architecture 9 Monitor allocationsInterpret heap objects as codeMaintain a global heap health metric

10 Nozzle Experimental Summary 10

11 Local vs. Global Detection Code or Data? Local Detection: Is this object dangerous? Code and data: same on x86 Local detection: 80% FP rate 11 000000000000 000000000000 000000000000 000000000000 add [eax], al 0101010101 and ah, [edx] Global Detection: Is my heap under attack? Nozzle: collections of objects Sprayed heap: large attack surface

12 Nozzle Global Heap Metric o Bi SA(Bi)SA(o) SA(H) NSA(H) 12 build CFG dataflow Compute threat of single block Compute threat of single object Compute threat of entire heap Normalize to (approx): P(jump will cause exploit)

13 Attack Surface Calculation 13 Extract control flow graph (CFG) from heap object SA(B i ) = likelihood of ending in B i if we land within object boundaries A BB contributes its effective size to another BB’s SA, if there is a path to that other BB BB containing prohibitive instructions has zero effective size – int, out, hlt, or ltr An example object from visiting google.com D CB A

14 economist.com versus mw-612 (actual attack) 14 Logical time (number of allocations/frees) Normalize Surface Area

15 Nozzle Runtime Overhead 15 4X50% 20%10%

16 Summary Heap spraying is a real threat to Windows, Office, … – Can be launched with JavaScript, C#, Java, Images, mp3s,… – Code/data is difficult to distinguish – Published approaches fail Heap spraying affects global heap health, – Detected by Nozzle – Effectively identifies spraying at low cost – Product groups have already expressed interest 16

17 Future Work Closely integrate Nozzle with – IE –.NET/CLR (garbage-collected heap vulnerable too) Improve filtering, anticipate new attacks Mitigate after detecting Address TOCTOU with GC and/or identifying stores to heap 17

18 Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn

19 False positive results 19 No more than 12% of max SA reported No false positives reported for 20% threshold What about SA for rogue sites? Maximum normalized SA for Alexa top 150 (top) and 10 selected sites (bottom)

20 Backup: SA for various benign sites 20

21 Nozzle versus DEP DEP prevents code execution in memory 21 Can be disabled at runtime Has compatibility issue Circumvented with Java (Applet) But, Nozzle is more compatible and more selective

22 False negative results 12 published heap spray pages 2000 synthetic heap spray pages – Use MetaSploit’s advance NOP engine and shellcode database 22 Maximum normalize SA Over 8 times of the max of the benign sites Over 6 times of the max of the benign sites

23 Effect of sampling on max SA calculation 23 Average error rate Test with the 10 selected sites Measure the error with respect to 100%

Download ppt "Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn."

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.

Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Nozzle: A Defense Against Heap-spraying Code Injection Attacks

Nozzle: A Defense Against Heap-spraying Code Injection Attacks
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
Charles Curtsinger UMass at Amherst Benjamin Livshits and Benjamin Zorm Microsoft Research Christian Seifert Microsoft 20 th USENIX Security Symposium.

Charles Curtsinger UMass at Amherst Benjamin Livshits and Benjamin Zorm Microsoft Research Christian Seifert Microsoft 20 th USENIX Security Symposium.
Address Space Layout Permutation

Address Space Layout Permutation
Finding Malware on a Web Scale

Finding Malware on a Web Scale

Similar presentations

Ads by Google