Nozzle: A Defense Against Heap Spraying Attacks

Presentation on theme: "Nozzle: A Defense Against Heap Spraying Attacks"— Presentation transcript:

1 Nozzle: A Defense Against Heap Spraying Attacks
Ben Livshits, Paruj Ratanaworabhan, and Ben Zorn Microsoft Research Redmond, WA

2 A Brief History of Memory Exploits
Timeline chart (attack frequency versus year, 2000 to 2010): stack overflow, heap exploit and heap spraying as successive attack waves; defenses marked on the timeline are StackGuard, Vista heap layout randomization, and Nozzle.

3 Stack Overflow Exploit
Diagram: (1) exploit: an oversized IFRAME string overwrites the return address; (2) jump: control lands in a NOP sled that leads into the shellcode.
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … ഍഍"></IFRAME>

4 Heap Corruption Exploit
Diagram: (1) exploit: the same oversized IFRAME string corrupts a heap object and overwrites its vtable pointer; (2) jump: the corrupted pointer sends control into a NOP sled that leads into the shellcode.
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … ഍഍"></IFRAME>

5 Heap Spraying Exploit in a Browser
Diagram: (1) spray: the script below fills the heap with many sled+shellcode objects; (2) exploit: the IFRAME string overwrites a vtable pointer; (3) jump: the corrupted pointer lands in one of the sleds, which slides into the shellcode.

<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
oneblock = unescape("%u0C0C%u0C0C");
var fullblock = oneblock;
while (fullblock.length < 0x40000) {
  fullblock += fullblock;
}
sprayContainer = new Array();
for (i = 0; i < 1000; i++) {
  sprayContainer[i] = fullblock + shellcode;
}
</SCRIPT>

<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … ഍഍"></IFRAME>

6 Kittens of Doom. Is no Data Sacred?
Spraying is a general attack: malicious code can be embedded in images, documents, DLLs…
Image example: comments and transformed data carry the payload
Documented at BlackHat'08: cmd.exe opened

7 Visiting a Site Can Compromise Your Whole Machine

8 Nozzle Overview
Heap Spraying:
  Relies on a pre-existing exploit (in C/C++)
  Spraying is done in a type-safe language: JavaScript, C#, Java
  JIT-ed languages are good targets
  Randomization doesn't help
  Browsers are a popular target
Nozzle:
  Detects / mitigates heap spray attacks
  Monitors the heap for suspicious activity
  Compared to HW "no-execute" page protection: more compatible, doesn't just crash
  Focus on the browser, but applicable to all applications

9 Nozzle Architecture
Monitor allocations
Interpret heap objects as code
Maintain a global heap health metric: normalized surface area

10 Local vs. Global Detection
Code or data? On x86 the same bytes can be either; the slide's example data disassembles to add [eax], al and and ah, [edx]
Local detection: is this object dangerous? 80% false-positive rate
Global detection: is my heap under attack? Nozzle looks at collections of objects; a sprayed heap has a large attack surface

11 Nozzle Global Heap Metric
Pipeline: build the CFG of each heap object, then run dataflow over it
Compute the threat of a single block: SA(Bi)
Compute the threat of a single object: SA(o)
Compute the threat of the entire heap: SA(H)
Normalize to NSA(H), which approximates P(jump will cause exploit)

12 Surface Area Calculation: Dataflow
Extract a control flow graph (CFG) from the heap object
SA(Bi) = likelihood of ending in Bi if we land within the object boundaries
A basic block (BB) contributes its effective size to another BB's SA if there is a path to that other BB
A BB containing prohibitive instructions (int, out, hlt, or ltr) has zero effective size
Example: an object from visiting google.com
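The surface-area dataflow of slides 11 and 12, as an added example that is not the Nozzle authors' code: disassembly into basic blocks is assumed already done and the blocks are built by hand, and the aggregation steps (max over blocks for SA(o), summed object surface areas over total heap bytes for NSA(H)) follow the Nozzle paper rather than the slides, so they are an assumption here.

```python
from dataclasses import dataclass, field

PROHIBITIVE = {"int", "out", "hlt", "ltr"}   # the instructions slide 12 lists

@dataclass
class Block:
    """Basic block of a heap object read as x86 code (disassembly assumed already done)."""
    name: str
    size: int                   # bytes the block covers
    mnemonics: list             # instruction mnemonics found in the block
    succs: list = field(default_factory=list)   # successor block names in the CFG

    def effective_size(self) -> int:
        # A block with a prohibitive instruction faults before any shellcode runs,
        # so it contributes nothing to any block's surface area.
        return 0 if PROHIBITIVE & set(self.mnemonics) else self.size

def block_surface_areas(blocks):
    """SA(Bi): summed effective sizes of every block with a path to Bi, Bi included."""
    by_name = {b.name: b for b in blocks}
    preds = {b.name: [] for b in blocks}
    for b in blocks:
        for s in b.succs:
            preds[s].append(b.name)
    sa = {}
    for target in blocks:
        reach, stack = {target.name}, [target.name]   # walk predecessor edges backwards
        while stack:
            for p in preds[stack.pop()]:
                if p not in reach:
                    reach.add(p)
                    stack.append(p)
        sa[target.name] = sum(by_name[n].effective_size() for n in reach)
    return sa

def object_surface_area(blocks):
    """SA(o): the block most of the object flows into sets the object's threat (max, an assumption)."""
    return max(block_surface_areas(blocks).values())

def normalized_surface_area(heap):
    """NSA(H): summed object surface areas over total heap bytes, approx. P(jump will cause exploit)."""
    total_bytes = sum(b.size for obj in heap for b in obj)
    return sum(object_surface_area(obj) for obj in heap) / total_bytes

# Constructed objects, 896 bytes each: a sled+shellcode chain, and a benign buffer whose
# bytes happen to disassemble to add/and (as on slide 10) plus int and hlt.
SPRAY = [Block("sled0", 256, ["or"], ["sled1"]), Block("sled1", 256, ["or"], ["sled2"]),
         Block("sled2", 256, ["or"], ["shell"]), Block("shell", 128, ["xor", "push", "call"])]
BENIGN = [Block("d0", 200, ["add", "int"], ["d1"]), Block("d1", 150, ["and", "ret"]),
          Block("d2", 546, ["hlt", "mov"])]
```

The whole sled reaches the shellcode block, so SA(shell) equals the object's full 896 bytes, while the benign object's int and hlt blocks collapse its surface area to 150; a heap holding one of each scores NSA(H) of about 0.58.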

13 Nozzle Experimental Summary
0 false positives: 10 popular AJAX-heavy sites, 150 top Web sites
0 false negatives: 12 published heap spraying exploits and 2,000 synthetic rogue pages generated using Metasploit
Runtime overhead: as high as 2x without sampling, 5-10% with sampling

14 economist.com versus mw-612 (actual attack)
Chart: normalized surface area (y axis) versus logical time in number of allocations/frees (x axis), for economist.com and the mw-612 attack.

15 False Positive Results
No more than 12% of max SA reported
No false positives reported for a 20% threshold
What about SA for rogue sites?

16 False Negative Evaluation
12 published heap spray pages
2,000 synthetic heap spray pages built with the Metasploit advanced NOP engine and shellcode database

17 Normalized Surface Area Locally

18 Global Detection is Necessary
P. Akritidis, E. P. Markatos, M. Polychronakis, and K. G. Anagnostakis, STRIDE: Polymorphic sled detection through instruction sequence

19 Nozzle Runtime Overhead

20 Nozzle is more compatible and more selective
Nozzle vs. DEP
DEP prevents code execution in memory, but:
  Can be disabled at runtime
  Has compatibility issues
  Circumvented with Java (Applet)
Nozzle is more compatible and more selective

21 Demo

22 Conclusion Nozzle: effective heap spraying prevention
No false positives, no false negatives Can be used for online or offline scanning

23 Contact us
Ben Livshits, Nozzle, MSR

