Nozzle: A Defense Against Heap Spraying Attacks
Ben Livshits, Paruj Ratanaworabhan, and Ben Zorn
Microsoft Research, Redmond, WA
Motivation
A Brief History of Memory Exploits
Chart: frequency of memory exploits over the years 2000 to 2010, pairing each attack with its countermeasure: stack overflow / StackGuard, heap exploit / Vista heap and layout randomization, heap spraying / Nozzle.
Motivation
Stack Overflow Exploit
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …"></IFRAME>
Diagram: (1) the exploit overwrites the return address on the stack; (2) the corrupted return address jumps into a NOP sled that leads to the shellcode.
Motivation
Heap Corruption Exploit
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …"></IFRAME>
Diagram: (1) the exploit corrupts a vtable pointer on the heap; (2) the call through the corrupted pointer jumps into a NOP sled that leads to the shellcode.
Motivation
Heap Spraying Exploit in a Browser
Diagram: (1) the script sprays the heap with many copies of sled + shellcode; (2) the exploit corrupts a vtable pointer; (3) the jump through the corrupted pointer lands in one of the sprayed sled/shellcode blocks.
<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
// one sled unit, doubled until it reaches 0x40000 bytes
oneblock = unescape("%u0C0C%u0C0C");
var fullblock = oneblock;
while (fullblock.length < 0x40000) {
  fullblock += fullblock;
}
// spray: 1000 copies of sled + shellcode kept alive in an array
sprayContainer = new Array();
for (i = 0; i < 1000; i++) {
  sprayContainer[i] = fullblock + shellcode;
}
</SCRIPT>
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …"></IFRAME>
Motivation
Kittens of Doom. Is No Data Sacred?
Spraying is a general attack: malicious code can be embedded in images, documents, DLLs, …
Image example: comments, transformed data
Documented at BlackHat '08
Visiting a Site Can Compromise Your Whole Machine
Techniques
Nozzle Overview
Heap spraying:
Relies on a pre-existing exploit (in C/C++)
Spraying is done from a type-safe language: JavaScript, C#, Java
JIT-ed languages are good targets
Randomization doesn't help
Browsers are a popular target
Nozzle:
Detects / mitigates heap spray attacks
Monitors the heap for suspicious activity
Compared to HW "no-execute" page protection: more compatible, doesn't just crash
Focus on the browser, but applicable to all applications
Motivation
Nozzle Architecture
Diagram: the browser process contains the browser heap, the browser threads and the Nozzle detector; the allocation history recorded from the browser heap feeds the Nozzle threads.
Nozzle threads:
Monitor allocations
Interpret heap objects as code
Maintain a global heap health metric: normalized surface area
Local vs. Global Detection
Code or Data?
Local detection: is this object dangerous?
Code and data look the same on x86; local detection has an 80% FP rate:
00 00 00 00 … decodes as add [eax], al; add [eax], al; …
01 01 01 01 … decodes as and ah, [edx]; and ah, [edx]; …
Global detection: is my heap under attack?
Nozzle looks at collections of objects
Sprayed heap: large attack surface
Motivation
Nozzle Global Heap Metric
Diagram: a heap object is split into basic blocks Bi; the threat of a single block is SA(Bi), of a single object SA(o), of the entire heap SA(H), normalized to NSA(H), which approximates P(jump will cause exploit).
Example: the CFG of an object is built with dataflow; instructions in its blocks (legend: arithmetic, memory, I/O or syscall, control flow), with edges "to target block":
in eax, 0x11
sub [eax], eax
adc dh, bh
jecxz 021c7fd8
test cl, ah
add al, 30h
add al, 80h
or eax, 0d172004h
outs dx, [esi]
jecxz 021c7fde
add [ecx], 0
add [eax], al
xor [eax], eax
add al, 38h
imul eax, [eax], 6ch
or eax, 0d179004h
Surface Area Calculation: Dataflow
Extract a control flow graph (CFG) from the heap object
SA(Bi) = likelihood of ending in Bi if we land within the object's boundaries
A BB contributes its effective size to another BB's SA if there is a path to that other BB
A BB containing prohibitive instructions (int, out, hlt, or ltr) has zero effective size
An example object from visiting google.com
Experiments
Nozzle Experimental Summary
0 false positives: 10 popular AJAX-heavy sites; 150 top Web sites
0 false negatives: 12 published heap spraying exploits and 2,000 synthetic rogue pages generated using Metasploit
Runtime overhead: as high as 2x without sampling; 5-10% with sampling
economist.com versus mw-612 (actual attack)
Chart: normalized surface area over logical time (number of allocations/frees) for economist.com and for the mw-612 attack.
False Positive Results
No more than 12% of max SA reported
No false positives reported for a 20% threshold
What about SA for rogue sites?
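To make the surface-area slide and the 20% threshold on the false-positive slide concrete, here is an added example; it is not Nozzle's code and not from the authors. Each constructed object is a small CFG of basic blocks with a byte size and a flag for prohibitive instructions (int, out, hlt, ltr); SA(Bi) sums the effective sizes of all blocks with a path to Bi, as the slide states. Three details are assumptions the slides do not spell out: a prohibitive block ends the flow (its successors are not followed), SA(o) is the largest SA(Bi) in the object, and NSA(H) divides SA(H) by the total heap bytes. The sample also illustrates the local vs. global point: a legitimate zero-filled buffer looks fully dangerous on its own, yet barely moves the global metric, while a heap holding hundreds of sled objects pushes NSA close to 1.

```python
# Added example (not Nozzle's own code): toy version of the global heap metric.
# Assumed beyond the slides: prohibitive blocks stop the flow, SA(o) is the max
# SA(Bi) in the object, NSA(H) = SA(H) / total heap bytes. All objects are
# constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class BasicBlock:
    size: int                                       # bytes in the block
    succs: List[str] = field(default_factory=list)  # successor block ids
    prohibitive: bool = False                       # holds int/out/hlt/ltr

    @property
    def effective_size(self) -> int:
        # A block that would fault contributes nothing to any surface area.
        return 0 if self.prohibitive else self.size


@dataclass
class HeapObject:
    name: str
    blocks: Dict[str, BasicBlock]

    @property
    def size(self) -> int:
        return sum(b.size for b in self.blocks.values())


def reachable_from(obj: HeapObject, start: str) -> Set[str]:
    """Block ids reachable from start (start included); flow ends at a prohibitive block."""
    seen, stack = set(), [start]
    while stack:
        bid = stack.pop()
        if bid in seen:
            continue
        seen.add(bid)
        if not obj.blocks[bid].prohibitive:
            stack.extend(obj.blocks[bid].succs)
    return seen


def surface_area_blocks(obj: HeapObject) -> Dict[str, int]:
    """SA(Bi): effective bytes of every block from which Bi can be reached."""
    sa = {bid: 0 for bid in obj.blocks}
    for src, blk in obj.blocks.items():
        for dst in reachable_from(obj, src):
            sa[dst] += blk.effective_size
    return sa


def surface_area_object(obj: HeapObject) -> int:
    """SA(o): the block most landing bytes flow into (assumed: max over blocks)."""
    return max(surface_area_blocks(obj).values(), default=0)


def local_ratio(obj: HeapObject) -> float:
    """Local, per-object view: SA(o) / size(o)."""
    return surface_area_object(obj) / obj.size if obj.size else 0.0


def normalized_surface_area(heap: List[HeapObject]) -> float:
    """NSA(H) = SA(H) / total heap bytes, with SA(H) = sum of SA(o)."""
    total = sum(o.size for o in heap)
    return sum(surface_area_object(o) for o in heap) / total if total else 0.0


def heap_under_attack(heap: List[HeapObject], threshold: float = 0.20) -> bool:
    """Global decision at the 20% threshold mentioned on the false-positive slide."""
    return normalized_surface_area(heap) >= threshold


# --- constructed sample objects ---------------------------------------------
def make_sled() -> HeapObject:
    # Three sled blocks falling through into a short final block, no faults.
    return HeapObject("sled", {
        "b0": BasicBlock(4096, ["b1"]), "b1": BasicBlock(4096, ["b2"]),
        "b2": BasicBlock(4096, ["b3"]), "b3": BasicBlock(64)})


def make_benign() -> HeapObject:
    # Ordinary data: short decodable runs interrupted by faulting blocks.
    return HeapObject("benign", {
        "b0": BasicBlock(120, ["b1"]), "b1": BasicBlock(900, ["b2"], True),
        "b2": BasicBlock(80, ["b3"]), "b3": BasicBlock(900, [], True)})


def make_zero_buffer() -> HeapObject:
    # A legitimate zero-filled buffer: decodes as one long runnable block.
    return HeapObject("zeros", {"b0": BasicBlock(2048)})


def benign_heap() -> List[HeapObject]:
    return [make_benign() for _ in range(20)] + [make_zero_buffer()]


def sprayed_heap() -> List[HeapObject]:
    return benign_heap() + [make_sled() for _ in range(200)]


if __name__ == "__main__":
    print("local ratio of zero buffer:", local_ratio(make_zero_buffer()))
    print("NSA benign heap:", round(normalized_surface_area(benign_heap()), 3))
    print("NSA sprayed heap:", round(normalized_surface_area(sprayed_heap()), 3))
```

Run as a script it prints the per-object ratio of the zero buffer (1.0, i.e. a local detector would flag it), the NSA of the benign heap (about 0.11, under the 20% line) and the NSA of the sprayed heap (about 0.99). The point of the normalization is that a single suspicious-looking object cannot trip the detector; only a heap in which a large fraction of all bytes flows into a few landing blocks does.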
False Negative Evaluation
12 published heap spray pages
2,000 synthetic heap spray pages using MetaSploit: advanced NOP engine, shellcode database
Normalized Surface Area Locally
Nozzle Runtime Overhead
Demo
Conclusion
Nozzle: effective heap spraying prevention
No false positives, no false negatives
Can be used for online or offline scanning