Yu Ding, Tao Wei, TieLei Wang (Peking University), Zhenkai Liang (National University of Singapore), Wei Zou (Peking University). 26th ACSAC (December 2010)


1 Yu Ding, Tao Wei, TieLei Wang (Peking University), Zhenkai Liang (National University of Singapore), Wei Zou (Peking University). 26th ACSAC (December 2010)

2 Outline
Introduction
Research Approaches
Heap Spraying with Little Surface Area
Experiment and Evaluation
A Seminar at Advanced Defense Lab

3 Introduction
News from Microsoft Security Research & Defense, 2010/12/20:
http://blogs.technet.com/b/srd/archive/2010/12/22/new-internet-explorer-vulnerability-affecting-all-versions-of-ie.aspx

4 Heap Spray
Memory corruption: the heap is less predictable than the stack, and there are mechanisms for randomizing the heap layout.
A heap spray copes with this by filling the heap with many copies of the same block: NOP sled + shellcode, NOP sled + shellcode, NOP sled + shellcode, ...

    shellcode = unescape("%u4343%u4343%...");   // the payload (elided on the slide)
    oneblock = unescape("%u0C0C%u0C0C");        // 0x0C0C0C0C: acts as both a NOP and a target address
    var fullblock = oneblock;
    while (fullblock.length < 0x40000) {        // double the string until the sled is 256 KB of UTF-16 code units
        fullblock += fullblock;
    }
    sprayContainer = new Array();
    for (i = 0; i < 1000; i++) {                // 1000 copies of sled + shellcode fill the heap
        sprayContainer[i] = fullblock + shellcode;
    }

5 Heap spraying (cont.)
Why spraying? We need to jump into the object.
Why a NOP sled? We need to execute the first instruction of the shellcode.

6 Research Approaches
Shellcode-oriented detection. But … what about "English Shellcode"? (my opinion)
Sled-oriented detection: NOZZLE

7 The Design of NOZZLE
NOZZLE attempts to discover objects in which control flow through the object (the NOP sled) frequently reaches the same basic block(s) (the shellcode).
Figure: object -> disassemble -> control flow graph

8 The Design of NOZZLE (cont.)
Compute the attack surface area of object o as:
The attack surface area of a heap containing n objects is defined as follows:
The normalized attack surface area of the heap:

9 Limitation (in the NOZZLE paper): Jump into Page
The attacker allocates page-size chunks of memory.
Figure: page-size shellcode, page-size shellcode, page-size shellcode, all page-aligned.
Page alignment means the shellcode sits at a fixed offset!! That is the goal of this paper!!

10 Heap Spraying with Little Surface Area
Memory allocation granularity: Linux: 4KB; Windows: 64KB.
When a heap object is bigger than a certain threshold, 512K in our experiment, Windows always allocates a separate heap block for this object.

11 Observation
If an EIP value chosen by the attacker has only a few possible locations within a large heap object, the attacker only needs to put jump-equivalent instructions at those locations.
In fact, an attacker-assigned EIP can point to only EIGHT possible locations in a 512K-byte heap object (512K divided by the 64KB allocation granularity).

12 (figure)

13 Malicious Heap Object (figure)

14 If the alignment is small (figure)

15 Detecting Heap Taichi Attacks
NOZZLE can be enhanced to detect some of the new attacks by considering the effect of memory allocation granularity.

16 Detecting Heap Taichi Attacks (cont.)
A natural solution to prevent Heap Taichi attacks and similar attacks is to align memory allocations at a smaller boundary.
But … there are many heap managers at different levels of a program, each of which has its own heap management strategy.
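A worked example added here for slides 10, 11, 15 and 16; it is not code from the slides or from the Heap Taichi or NOZZLE authors. It takes the 64KB/4KB granularities and the 512K threshold from slide 10 and the address 0x0C0C0C0C from the spray snippet on slide 4, and it assumes a toy control-flow decoder (x86 nop, jmp rel8 and jmp rel32 only; any other byte stops execution) as a simplified stand-in for NOZZLE's disassembly. The sample objects are constructed shapes, not real payloads. It shows why an aligned address can hit only eight offsets in a 512K object, how small those eight bytes look under a per-byte surface-area metric, and how a granularity-aware check that inspects only the reachable landing offsets scores the classic sled and the Heap Taichi shape alike.

```python
from functools import lru_cache

# Assumed parameters (from slide 10): Windows reserves large blocks on 64 KB
# boundaries, Linux on 4 KB pages, and objects above 512 KB get their own block.
WIN_GRANULARITY = 64 * 1024
LINUX_GRANULARITY = 4 * 1024
BIG_OBJECT = 512 * 1024


def candidate_offsets(target_addr, obj_size, granularity):
    """Offsets inside an object whose base is a multiple of `granularity` that
    the fixed address `target_addr` can land on.  Because the base is aligned,
    the offset is fixed modulo the granularity: for 0x0C0C0C0C in a 512 KB
    object with 64 KB granularity there are only 512/64 = 8 of them."""
    return list(range(target_addr % granularity, obj_size, granularity))


@lru_cache(maxsize=8)
def reach_set(obj, sink):
    """Offsets from which the toy control flow reaches `sink`.  The decoder
    knows only x86 nop (0x90), jmp rel8 (0xEB) and jmp rel32 (0xE9); any other
    byte stops execution.  Results are memoised along each path so that a
    512 KB object is processed in linear time."""
    n = len(obj)
    known = {sink: True}
    for start in range(n):
        if start in known:
            continue
        path, on_path, pc, result = [], set(), start, False
        while 0 <= pc < n and pc not in on_path:
            if pc in known:
                result = known[pc]
                break
            path.append(pc)
            on_path.add(pc)
            op = obj[pc]
            if op == 0x90:                       # nop: fall through
                pc += 1
            elif op == 0xEB and pc + 1 < n:      # jmp rel8
                pc += 2 + int.from_bytes(obj[pc + 1:pc + 2], "little", signed=True)
            elif op == 0xE9 and pc + 4 < n:      # jmp rel32
                pc += 5 + int.from_bytes(obj[pc + 1:pc + 5], "little", signed=True)
            else:                                # not sled or jump material
                break
        for p in path:
            known[p] = result
    return frozenset(off for off, ok in known.items() if ok)


def surface_area(obj, sink):
    """Bytes, other than the sink itself, from which control flow reaches the
    sink: a simplified stand-in for NOZZLE's per-object attack surface area."""
    return len(reach_set(obj, sink) - {sink})


def landing_fraction(obj, sink, target_addr, granularity):
    """Granularity-aware variant (slide 15): of the offsets that an aligned
    address can hit, what fraction leads into the sink?"""
    cands = candidate_offsets(target_addr, len(obj), granularity)
    hits = reach_set(obj, sink)
    return sum(1 for c in cands if c in hits) / len(cands)


# Constructed sample objects (not real payloads): the last 256 bytes are the
# "sink" region standing in for the shellcode basic block.
def sled_object(size):
    """Classic spray shape from slide 4: a NOP sled falling into the sink."""
    return bytes([0x90]) * size


def taichi_object(size, sink, target_addr, granularity):
    """Heap Taichi shape from slide 11: inert filler everywhere except a jmp
    rel32 into the sink at each granularity-determined landing offset."""
    obj = bytearray(size)                        # zero bytes stop the toy flow
    for off in candidate_offsets(target_addr, size, granularity):
        if off + 5 <= size:
            obj[off] = 0xE9
            obj[off + 1:off + 5] = ((sink - (off + 5)) & 0xFFFFFFFF).to_bytes(4, "little")
    return bytes(obj)


def compare(target_addr=0x0C0C0C0C, granularity=WIN_GRANULARITY):
    """Score both shapes plus an all-zero benign object of the same size:
    (normalized surface area, landing fraction) per object."""
    sink = BIG_OBJECT - 256
    shapes = {
        "sled": sled_object(BIG_OBJECT),
        "taichi": taichi_object(BIG_OBJECT, sink, target_addr, granularity),
        "benign": bytes(BIG_OBJECT),
    }
    return {name: (surface_area(o, sink) / len(o),
                   landing_fraction(o, sink, target_addr, granularity))
            for name, o in shapes.items()}


if __name__ == "__main__":
    for g in (WIN_GRANULARITY, LINUX_GRANULARITY, 16):
        print(f"granularity {g:6d}: {len(candidate_offsets(0x0C0C0C0C, BIG_OBJECT, g))} landing offsets")
    for name, (nsa, lf) in compare().items():
        print(f"{name:7s} normalized surface area {nsa:.6f}  landing fraction {lf:.2f}")
```

Under the per-byte metric the Taichi shape has 8 reaching bytes out of 524288 while the sled has about 524032, so a threshold on normalized surface area misses the former; the landing fraction flags both at 1.0 and leaves the benign object at 0.0. The first loop also shows the effect of slide 16's smaller alignment: the eight landing offsets become 128 at 4KB and 32768 at 16 bytes, which is what forces the attacker back toward a conventional sled.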

17 Experiment and Evaluation
Case study: (figure)

18 (figure)

19 Result (figure)

20 Thank You

