
NOZZLE: A Defense Against Heap-spraying Code Injection Attacks


Presentation Transcript


  1. NOZZLE: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation at Advanced Defense Lab

  2. Outline • Introduction to heap spraying • NOZZLE architecture • Design • Implementation • Evaluation • Limitations

  3. Memory Corruption (figure: heap memory holding a NOP sled and shellcode, reached through a corrupted pointer) • Stack overflow, heap overflow, double free, dangling pointer, ... • Many protection mechanisms now exist for the stack.

  4. Heap Spray (figure: heap memory filled with repeated NOP-sled + shellcode blocks, and a corrupted pointer landing in one of them)

    <script type="text/javascript">
      // Shellcode, encoded as %u escapes (elided on the slide)
      var shellcode = unescape("%u4343%u4343%...");
      // 0x0C0C0C0C sled: each 0C 0C pair decodes as a harmless x86 instruction (or al, 0x0C),
      // so a jump landing anywhere in the sled slides into the shellcode
      var oneblock = unescape("%u0C0C%u0C0C");
      var fullblock = oneblock;
      // Double the sled until it is 0x40000 characters (512 KB of UTF-16) long
      while (fullblock.length < 0x40000) {
        fullblock += fullblock;
      }
      // Allocate 1000 copies of sled + shellcode so the heap is blanketed with them
      var sprayContainer = new Array();
      for (var i = 0; i < 1000; i++) {
        sprayContainer[i] = fullblock + shellcode;
      }
    </script>

  The heap is less predictable than the stack, and some mechanisms randomize its layout; spraying copes with that by filling the heap with so many sled-plus-shellcode copies that a corrupted pointer is likely to land in one of them.

  5. Heap Spray Requires... • The attacker must be able to control the contents of the heap: • by providing data (e.g. images, documents, ...) • through a scripting language that allocates objects directly • Browsers are a popular target.

  6. Nozzle Architecture

  7. Local vs. Global Detection • Code or data? • Local detection: code and data look the same on x86; about 80% of Firefox's heap objects would become false positives. • Global detection: a sprayed heap presents a large attack surface. (figure: a zero-filled buffer disassembles as a run of add [eax], al and another plain data buffer as a run of and ah, [edx]; ordinary data decodes as valid instructions)

  8. Design • Definition: a sequence of bytes is legitimate if it can be decoded as a sequence of valid x86 instructions. (figure: the byte sequences 00 00 0c 0a and bc 6f d3 0c 0a bc 6f d3 shown decoded as x86 instructions)

  9. Design (cont.) • Definition: a valid instruction sequence is a legitimate instruction sequence that does not include instructions in the following categories: • I/O or system calls (in, outs, etc.) • interrupts (int) • privileged instructions (hlt, ltr) • jumps outside of the current object's address range

  10. Design (cont.) • NOZZLE attempts to discover objects in which control flow through the object (the NOP sled) frequently reaches the same basic block(s) (the shellcode). (figure: an object is disassembled into a control flow graph)

  11. An Example • B_i: the i-th block • SA(B_i): attack surface area of B_i • V: valid instruction block • MASK_i: mask applied to block i itself

  12. Design (cont.) • Compute the attack surface area of object o as: • The attack surface area of a heap containing n objects is defined as follows: • The normalized attack surface area of the heap:
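An added example, in C, of the object analysis described on slides 8 through 12. It is not the authors' code, and the slides' formulas did not survive in this transcript, so the metric follows the text of slides 10 and 11: an object scores high when control flow from many start offsets converges on the same instruction. Everything in it is this example's own: the decoder handles only the x86 subset named in its comments (sleds of 0x90 and 0x0C, the one-byte ALU group, mov reg,imm32, short jmp/jcc, ret) and treats every other opcode, plus the classes slide 9 excludes, as invalid; `attack_surface_bytes` implements the "mask self block" rule as "a start offset is never credited to itself"; and the sample objects are constructed, with a harmless placeholder where a real spray would carry shellcode.

```c
/* Toy version of the per-object analysis on slides 8-12: a subset x86 decoder,
 * a control-flow walk from every byte offset, and the object's attack surface as
 * the number of start offsets whose flow reaches the most-reached instruction. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int len, falls, has_target, target; } insn_t;   /* len == 0: invalid */

/* Bytes consumed by a ModRM byte plus any SIB/displacement; -1 if truncated. */
static int modrm_len(const uint8_t *p, size_t avail) {
    if (avail < 1) return -1;
    int mod = p[0] >> 6, rm = p[0] & 7, n = 1;
    if (mod == 3) return n;
    if (rm == 4) { if (avail < 2) return -1; n++; if (mod == 0 && (p[1] & 7) == 5) n += 4; }
    if (mod == 0 && rm == 5) n += 4; else if (mod == 1) n += 1; else if (mod == 2) n += 4;
    return n;
}

/* Decode one 32-bit x86 instruction at off. Only the opcodes commented below are
 * modeled; the classes slide 9 excludes (int, int3, hlt, in/out, ins/outs), every
 * other opcode, a truncated instruction and a jump leaving the object are invalid. */
static insn_t decode(const uint8_t *o, size_t size, size_t off) {
    insn_t in = {0, 1, 0, 0}, bad = {0, 0, 0, 0};
    size_t avail = size - off;
    uint8_t op = o[off];
    int n;
    if (op < 0x40 && op != 0x0F) {                      /* one-byte ALU group; 0x0F escape unmodeled */
        switch (op & 7) {
        case 0: case 1: case 2: case 3:                 /* r/m forms,  e.g. 00 00 = add [eax],al */
            if ((n = modrm_len(o + off + 1, avail - 1)) < 0) return bad;
            in.len = 1 + n; break;
        case 4: in.len = 2; break;                      /* al,imm8 forms, e.g. 0C 0C = or al,0x0C */
        case 5: in.len = 5; break;                      /* eax,imm32 forms */
        default: in.len = 1;                            /* push/pop seg, seg prefix, daa/das/aaa/aas */
        }
    } else if ((op >= 0x40 && op < 0x60) || op == 0x90) in.len = 1; /* inc/dec/push/pop r32, nop */
    else if (op >= 0xB8 && op < 0xC0) in.len = 5;       /* mov r32,imm32 */
    else if ((op >= 0x70 && op < 0x80) || op == 0xEB) { /* jcc rel8 / jmp rel8 */
        if (avail < 2) return bad;
        in.len = 2; in.has_target = 1; in.falls = (op != 0xEB);  /* only jcc falls through */
        in.target = (int)off + 2 + (int8_t)o[off + 1];
    } else if (op == 0xC3) { in.len = 1; in.falls = 0; } /* ret: control leaves the object */
    else return bad;
    if (off + (size_t)in.len > size) return bad;
    if (in.has_target && (in.target < 0 || (size_t)in.target >= size)) return bad;
    return in;
}

/* Attack surface of one object, in bytes. From every start offset the decoded
 * control flow is walked (both jcc edges; loops cut by a visited set) and each
 * valid instruction reached is credited once per start, never for the start
 * itself (the "mask self block" rule of slide 11). The best-connected
 * instruction's count is the object's surface. */
unsigned attack_surface_bytes(const uint8_t *o, size_t size) {
    unsigned *reach = calloc(size + 1, sizeof *reach), best = 0;
    uint8_t *seen = malloc(size + 1);
    size_t *work = malloc((2 * size + 1) * sizeof *work);   /* each pc decoded once, <= 2 pushes */
    if (!reach || !seen || !work) { free(reach); free(seen); free(work); return 0; }
    for (size_t start = 0; start < size; start++) {
        size_t sp = 0;
        memset(seen, 0, size);
        work[sp++] = start;
        while (sp) {
            size_t pc = work[--sp];
            if (seen[pc]) continue;
            seen[pc] = 1;
            insn_t in = decode(o, size, pc);
            if (in.len == 0) continue;                  /* invalid instruction ends this path */
            if (pc != start) reach[pc]++;
            if (in.falls && pc + in.len < size) work[sp++] = pc + in.len;
            if (in.has_target) work[sp++] = (size_t)in.target;
        }
    }
    for (size_t i = 0; i < size; i++) if (reach[i] > best) best = reach[i];
    free(reach); free(seen); free(work);
    return best;
}

/* Constructed sample: a 64-byte 0x0C sled as on slide 4, then a harmless
 * placeholder standing in for shellcode (nop; xor eax,eax; mov eax,1; ret).
 * The leading nop lets both sled parities land in the payload. */
size_t build_spray_object(uint8_t *buf, size_t cap) {
    static const uint8_t payload[] = {0x90, 0x31, 0xC0, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3};
    if (cap < 64 + sizeof payload) return 0;
    memset(buf, 0x0C, 64);
    memcpy(buf + 64, payload, sizeof payload);
    return 64 + sizeof payload;
}
unsigned spray_sample_surface(void) {
    uint8_t buf[128];
    return attack_surface_bytes(buf, build_spray_object(buf, sizeof buf));
}
/* Constructed sample: a buffer of one repeated byte. 0x00 (add [eax],al) is data
 * that decodes as code, the slide-7 local-detection problem; 0xCC is int3. */
unsigned filled_sample_surface(uint8_t fill, size_t n) {
    uint8_t buf[256];
    if (n > sizeof buf) return 0;
    memset(buf, fill, n);
    return attack_surface_bytes(buf, n);
}
```

With these samples, `spray_sample_surface()` returns 69 of 73 offsets (the sled funnels every start into the payload's final ret), `filled_sample_surface(0x00, 64)` returns 31 (a zero-filled buffer decodes as a chain of add [eax], al, so ordinary data already looks code-like, which is why slide 7 argues against purely local detection), and `filled_sample_surface(0xCC, 64)` returns 0 (int3 is an excluded interrupt). The 0x0C sled only works from both parities because the payload starts with a one-byte instruction: remove that nop and odd start offsets decode 0C 31 as one instruction and land one byte into the payload instead of at its start.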

  13. Detection Threshold • th_abs = 5 MB • 5 MB is the size of the Firefox heap when opening a blank page. • A real attack would need to fill the heap with at least that many bytes of malicious objects.

  14. Implementation • NOZZLE uses a binary rewriting infrastructure called Detours to intercept the function calls that allocate and free memory. • Within Mozilla Firefox these routines are malloc, calloc, realloc, and free, defined in MOZCRT19.dll. • Only objects larger than 32 bytes are considered.

  15. Implementation (cont.) • The main function is rewritten to allocate a pool of N scanning threads for NOZZLE. • The previously allocated object is scanned when the next object is allocated. • This leaves a time-of-check-to-time-of-use (TOCTTOU) window: an object rewritten after its scan is not seen again.
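An added example, in C, of the allocation-hook design on slides 14 and 15 together with the thresholds of slides 13 and 18. It is not the NOZZLE implementation and does not use Detours: the interposition is modelled as explicit `nozzle_malloc`/`nozzle_free` wrappers, the scanner is a callback (the one plugged in here, `sled_run_scanner`, is a crude sled run-length heuristic standing in for the attack-surface analysis, not a reproduction of it), the 32-byte filter and the "scan the previous object at the next allocation" rule follow the slides, and requiring both thresholds together is an assumption the slides do not state. All sample objects are constructed.

```c
/* Allocation-hook bookkeeping in the shape of slides 14-15: malloc and free are
 * interposed, objects larger than 32 bytes are tracked, and each object is
 * scanned when the *next* allocation arrives, because at its own malloc its
 * contents are not written yet. The scanner is a callback; the one used below
 * is a crude stand-in, not the attack-surface analysis. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef unsigned (*scan_fn)(const uint8_t *obj, size_t n);   /* returns surface bytes */

#define MAX_TRACK 256
static struct { uint8_t *p; size_t n; unsigned sa; } tracked[MAX_TRACK];
static size_t ntracked, pending = (size_t)-1;    /* pending: tracked index not scanned yet */
static unsigned long long heap_bytes, heap_sa;   /* running totals over tracked objects */
static scan_fn scanner;

void nozzle_init(scan_fn fn) {
    scanner = fn; ntracked = 0; pending = (size_t)-1; heap_bytes = heap_sa = 0;
}
static void scan_pending(void) {
    if (pending == (size_t)-1) return;
    tracked[pending].sa = scanner(tracked[pending].p, tracked[pending].n);
    heap_sa += tracked[pending].sa;
    pending = (size_t)-1;
}
/* What the hook on malloc does: scan the previous object, then record the new
 * one. A scan result is never refreshed if the object is rewritten later; that
 * is the TOCTTOU gap of slides 15 and 27. */
void *nozzle_malloc(size_t n) {
    void *p = malloc(n);
    scan_pending();
    if (p && n > 32 && ntracked < MAX_TRACK) {
        tracked[ntracked].p = p; tracked[ntracked].n = n; tracked[ntracked].sa = 0;
        heap_bytes += n;
        pending = ntracked++;
    }
    return p;
}
void nozzle_free(void *p) {
    for (size_t i = 0; p && i < ntracked; i++)
        if (tracked[i].p == p) {
            if (pending == i) pending = (size_t)-1; else heap_sa -= tracked[i].sa;
            heap_bytes -= tracked[i].n;
            tracked[i].p = NULL;                 /* slot retired; a reused address gets a new slot */
            break;
        }
    free(p);
}
/* Verdict against th_abs = 5 MB (slide 13) and th_norm = 15% (slide 18). The
 * slides list both; requiring both at once is this example's assumption. */
int nozzle_verdict(unsigned long long sa, unsigned long long bytes) {
    return bytes > 0 && sa > (5ull << 20) && (double)sa / (double)bytes > 0.15;
}
typedef struct { unsigned long long sa, bytes; int flagged; } heap_view_t;
heap_view_t nozzle_heap_view(void) {          /* flushes the pending scan, then reports */
    heap_view_t v;
    scan_pending();
    v.sa = heap_sa; v.bytes = heap_bytes; v.flagged = nozzle_verdict(heap_sa, heap_bytes);
    return v;
}

/* Stand-in scanner: longest run in which each byte repeats the one 1 or 2
 * positions back, which spots 0x90 and 0x0C0C sleds (and, like any purely
 * local test on slide 7, also "spots" zero-filled buffers). */
unsigned sled_run_scanner(const uint8_t *o, size_t n) {
    unsigned best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        int rep = (i >= 1 && o[i] == o[i - 1]) || (i >= 2 && o[i] == o[i - 2]);
        run = rep ? run + 1 : 1;
        if (run > best) best = run;
    }
    return best;
}
/* Drives the hook on constructed objects: a 128-byte 0x90 sled, a 64-byte
 * text-like buffer, and a 16-byte object that is below the size filter. */
heap_view_t tracked_heap_demo(void) {
    nozzle_init(sled_run_scanner);
    uint8_t *sled = nozzle_malloc(128);
    if (!sled) abort();
    memset(sled, 0x90, 128);                  /* written before the next allocation... */
    uint8_t *text = nozzle_malloc(64);        /* ...which is the moment sled gets scanned */
    if (!text) abort();
    for (size_t i = 0; i < 64; i++) text[i] = (uint8_t)('A' + i % 26);
    uint8_t *tiny = nozzle_malloc(16);        /* scans text; tiny itself is not tracked */
    heap_view_t v = nozzle_heap_view();
    nozzle_free(sled); nozzle_free(text); nozzle_free(tiny);
    return v;
}
int main(void) {
    heap_view_t v = tracked_heap_demo();
    printf("tracked heap: %llu surface bytes of %llu, flagged=%d (toy heap is far below 5 MB)\n",
           v.sa, v.bytes, v.flagged);
    return 0;
}
```

In `tracked_heap_demo` the 128-byte 0x90 sled is scanned at the moment the 64-byte text buffer is allocated, the text buffer when the 16-byte object is allocated, and the 16-byte object is never tracked; the view reports 129 surface bytes over 192 tracked bytes (about 67% normalized) and still no alarm, because 129 bytes is nowhere near the 5 MB absolute threshold. Rewrite the sled after its scan and the totals do not change: that is the TOCTTOU window for which slide 27 suggests rescans.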

  16. Evaluation

  17. Evaluation (cont.) • 10 heavily used benign web sites • The 150 most visited sites as ranked by Alexa

  18. False Positive Results • th_norm set at 15%

  19. False Negative Evaluation • 12 published heap spray pages • 2,000 synthetic heap spray pages generated with Metasploit, using its advanced NOP engine and shellcode database

  20. (chart slide; no transcript text)

  21. (chart slide; no transcript text)

  22. Performance • Firefox version 2.0.0.16 • 2.4 GHz Intel Core 2 E6600 CPU • Windows XP SP3 • 2 GB of memory

  23. Single Core

  24. 2 Cores

  25. Error Rate with Sampling

  26. Porting to Adobe • In February 2009, a remote code execution vulnerability was discovered in Adobe Acrobat and Adobe Reader. • NOZZLE correctly detected the heap spraying attack that exploited it, determining that the attack surface of the heap was greater than 94%.

  27. Limitations • TOCTTOU: an object can change after it has been scanned; rescans could be triggered when NOZZLE observes a significant number of heap stores. • Start with an uninterpretable opcode: NOZZLE skips it. • Attack with fewer malicious objects: the attacker will have a high failure probability.

  28. Limitations (cont.) • Jump into a page: the attacker allocates page-sized chunks of memory and places the shellcode at a fixed offset within each, so a page-aligned address plus that fixed offset always lands on shellcode. (figure: three page-sized chunks with the shellcode at the same fixed offset in each)

  29. Thank You
