heap feng shui in javascript alexander sotirov asotirov
play

Heap Feng Shui in JavaScript Alexander Sotirov - PowerPoint PPT Presentation

Dec 12, 2023 •42 likes •592 views

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program control flow to the

  1. 風水 Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007

  2. Introduction What is Heap Feng Shui? • ○ the ancient art of arranging heap blocks in order to redirect the program control flow to the shellcode Heap Feng Shui in JavaScript • ○ precise application data overwrites ○ reliable browser exploitation

  3. Overview State of the art in browser exploitation • Internet Explorer heap internals • HeapLib JavaScript library • Heap manipulation • Mitigation •

  4. State of the art in browser exploitation Part I

  5. Stack overflows Very hard to exploit in most cases: Target Protection return address stack cookies (/ GS flag) SEH frame SafeSEH exception handler table local variables local variable reordering in the Visual C+ + compiler

  6. Heap overflows Generic heap exploitation is also difficult: Target Protection doubly-linked list safe unlinking of free chunks heap chunk header 8-bit header cookie in XP, XOR of the header data in Vista lookaside linked list removed in Vista

  7. What's left? Non-array stack overflows • ○ very rare Use of uninitialized variables • ○ stack variables ○ use after free Application data on the heap • ○ application specific memory allocators ○ function pointers ○ C+ + object pointers

  8. WebView setSlice exploit Uses heap spraying to fill the browser • heap with shellcode Overwrites application data in the • previous heap chunk Multiple attempts until it either hits an • object pointer, or crashes

  9. Heap spraying Developed by Blazde and SkyLined, used by most browser exploits since 2004. var x = new Ar r ay( ) ; / / Fi l l 200M B of m em or y wi t h copi es of t he / / NO P sl i de and shel l code f or ( var i = 0; i < 200; i ++) { x[ i ] = nop + shel l code; }

  10. Normal heap layout 300 MB used memory: free memory: 200 MB 100 MB 0 MB

  11. After heap spraying 300 MB used memory: free memory: shellcode: 200 MB shellcode Address 0x0C0C0C0C is very 100 MB likely to contain shellcode. 0 MB

  12. Function pointer overwrite Spray the heap with 200MB of shellcode 1. Overwrite a function pointer with 2. 0x0C0C0C0C Call the function pointer 3. Function Shellcode at 0x0C0C0C0C pointer 0x0C0C0C0C nop slide shellcode

  13. Object pointer overwrite Spray the heap with 200MB of shellcode, 1. using byte 0xC as a nop slide Overwrite an object pointer with 2. 0x0C0C0C0C Call a virtual function of the object 3. Fake object at Fake vtable at Shellcode at 0x0C0C0C0C 0x0C0C0C0C 0x0C0C0C0C vtable pointer virtual func + 0 nop slide virtual func + 4 shellcode

  14. Unreliable exploitation Heap spraying is a great technique, but • the setSlice exploit is still not reliable Overwriting application data requires a • specific layout of heap chunks We need to control the heap state •

  15. Heap Feng Shui Part II

  16. Heap Feng Shui The heap allocator is deterministic • Specific sequences of allocations and • frees can be used to control the layout used: free:

  17. Heap Feng Shui The heap allocator is deterministic • Specific sequences of allocations and • frees can be used to control the layout used: We allocate two 4KB blocks free: our data:

  18. Heap Feng Shui The heap allocator is deterministic • Specific sequences of allocations and • frees can be used to control the layout used: We free the first 4KB block free: our data:

  19. Heap Feng Shui The heap allocator is deterministic • Specific sequences of allocations and • frees can be used to control the layout used: The application allocates a 4KB block and reuses our data free: our data:

  20. Heap Feng Shui The heap allocator is deterministic • Specific sequences of allocations and • frees can be used to control the layout used: We just exploited an uninitialized data vulnerability free: our data:

  21. Heap Feng Shui in JavaScript We want to set the heap state before • triggering a vulnerability Heap spraying proves that JavaScript can • access the system heap We need a way to allocate and free • blocks of an arbitrary size

  22. Internet Explorer heap internals Part III

  23. Internet Explorer heap usage JavaScript ActiveX MSHTML runtime objects engine strings objects JavaScript Default process Dedicated Dedicated heap heap heaps Dedicated heaps heaps

  24. JavaScript strings The string "AAAA" is stored as: string size string data null terminator 4 bytes length / 2 bytes 2 bytes 08 00 00 00 41 00 41 00 41 00 41 00 00 00 We can calculate its size in bytes with: byt es = l en * 2 + 6 l en = ( byt es - 6) / 2

  25. String allocation var st r 1 = " AAAAAAAAAA" ; / / no al l ocat i on / / al l ocat es a 10 char act er st r i ng var st r 2 = st r 1. subst r ( 0, 10) ; / / al l ocat es a 20 char act er st r i ng var st r 3 = st r 1 + st r 2;

  26. String garbage collection Mark-and-sweep algorithm, frees all • unreferenced objects Triggered by a number of heuristics • Explicitly by the Col l ect G ar bage( ) call • in Internet Explorer

  27. JavaScript alloc and free var paddi ng = " AAAAAAAAAAAAAAAAAAAAAAAAAAAA… " var st r ; f unct i on al l oc( byt es) { st r = paddi ng. subst r ( 0, ( byt es- 6) / 2) ; } f unct i on f r ee( ) { st r = nul l ; Col l ect G ar bage( ) ; } al l oc( 0x10000) ; / / al l ocat e 64KB m em or y bl ock f r ee( ) ; / / f r ee m em or y bl ock

  28. OLEAUT32 allocator Not all string allocations and frees reach the system memory allocator custom memory allocator in OLEAUT32 • caching of free memory blocks • 4 bins for blocks of different sizes • up to 6 free blocks stored in each bin •

  29. OLEAUT32 alloc function bi n = t he r i ght bi n f or t he r equest ed si ze i f ( bi n not em pt y) f i nd a bl ock i n t he bi n > r equest ed si ze i f ( f ound) r et ur n bl ock el se r et ur n sysal l oc( si ze) el se r et ur n sysal l oc( si ze)

  30. OLEAUT32 free function bi n = t he r i ght bi n f or t he bl ock si ze i f ( bi n not f ul l ) add bl ock t o bi n el se f i nd t he sm al l est bl ock i n t he bi n i f ( sm al l est bl ock < new bl ock) sysf r ee( sm al l est bl ock) add new bl ock t o bi n el se sysf r ee( new bl ock)

  31. Bypassing the cache Our freed blocks will go into the cache • Freeing 6 maximum sized blocks for each • bin will push all smaller blocks out Allocating the 6 blocks again will leave • the cache empty When the cache is empty, allocations will • come from the system heap

  32. Plunger Technique 1. Allocate 6 maximum size blocks ► 2. Allocate our blocks 3. Free our blocks 4. Free 6 maximum size blocks 5. Allocate 6 maximum size blocks OLEAUT32 cache maximum size blocks empty

  33. Plunger Technique 1. Allocate 6 maximum size blocks 2. Allocate our blocks ► 3. Free our blocks 4. Free 6 maximum size blocks 5. Allocate 6 maximum size blocks OLEAUT32 cache maximum size blocks our blocks empty

  34. Plunger Technique 1. Allocate 6 maximum size blocks 2. Allocate our blocks 3. Free our blocks ► 4. Free 6 maximum size blocks 5. Allocate 6 maximum size blocks OLEAUT32 cache maximum size blocks our blocks

  35. Plunger Technique 1. Allocate 6 maximum size blocks 2. Allocate our blocks 3. Free our blocks 4. Free 6 maximum size blocks ► 5. Allocate 6 maximum size blocks OLEAUT32 cache maximum size blocks free blocks

  36. Plunger Technique 1. Allocate 6 maximum size blocks 2. Allocate our blocks 3. Free our blocks 4. Free 6 maximum size blocks 5. Allocate 6 maximum size blocks ► OLEAUT32 cache maximum size blocks free blocks empty

  37. Part IV HeapLib - JavaScript heap manipulation library

  38. Introducing HeapLib Supports Internet Explorer 5-7 • Object oriented API • Functions for: • ○ heap logging and debugging ○ allocation and freeing of blocks with arbitrary size and contents ○ high-level heap manipulation function (not yet supported on Vista)

  39. Hello world! <scr i pt sr c=" heapLi b. j s" ></ scr i pt > <scr i pt > var heap = new heapLi b. i e( ) ; heap. gc( ) ; heap. debugHeap( t r ue) ; heap. al l oc( 512) ; heap. al l oc( " BBBBB" , " f oo" ) ; heap. f r ee( " f oo" ) ; heap. debugHeap( f al se) ; </ scr i pt >

  40. HeapLib Demo

  41. Part V Windows Heap Manipulation

  42. Windows Heap Overview Heap Pre-Vista FreeList[ 0] 1024 2080 8192 FreeList[ 1] 8 … 1016 1016 FreeList[ 127] Lookaside Lookaside Table Lookaside[ 0] 8 8 Lookaside[ 1] … 1016 Lookaside[ 126]

  43. Free Algorithm i f si ze >= 512KB f r ee wi t h Vi r t ual Fr ee r et ur n i f si ze < 1KB and l ookasi de not f ul l add t o l ookasi de l i st r et ur n coal esce bl ock wi t h f r ee bl ocks ar ound i t i f si ze < 1KB add t o Fr eeLi st [ si ze/ 8] el se add t o Fr eeLi st [ 0]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat USA 2007

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat USA 2007

Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat USA 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program control flow to the

870 views • 55 slides
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
!&quot;#$%&amp;'()% Feng shui is the study of how humans interact with their environment.

!&quot;#$%&amp;'()% Feng shui is the study of how humans interact with their environment.

!&quot;#$%&amp;'()% Feng shui is the study of how humans interact with their environment. The aim is to create environments where the people living and working there can best succeed. Feng shui is based on the idea that people react

535 views • 25 slides
Probing Hydrogen Bond Energies by Mass Spectrometry Hai-Feng Su, Lan Xue,* Yun-Hua Li, Shui-Chao

Probing Hydrogen Bond Energies by Mass Spectrometry Hai-Feng Su, Lan Xue,* Yun-Hua Li, Shui-Chao

Probing Hydrogen Bond Energies by Mass Spectrometry Hai-Feng Su, Lan Xue,* Yun-Hua Li, Shui-Chao Lin, Yi-Mei Wen, Rong-Bin Huang, Su-Yuan Xie,* and Lan-Sun Zheng State Key Laboratory for Physical Chemistry of Solid Surfaces and Department of

700 views • 18 slides
Breaking the Myths of Extended Validation SSL Certificates Alexander Sotirov phmsecurity.com

Breaking the Myths of Extended Validation SSL Certificates Alexander Sotirov phmsecurity.com

BlackHat Briefings, 2009 Breaking the Myths of Extended Validation SSL Certificates Alexander Sotirov phmsecurity.com Mike Zusman intrepidusgroup.com Introduction Chosen-prefix MD5 collisions allowed us to create a rogue Certificate

493 views • 37 slides
MALWARE DEFENSES Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Runtime

MALWARE DEFENSES Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Runtime

MALWARE DEFENSES Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Runtime Advanced attack techniques detector Heap spraying Static detector Nozzle Heap feng shui JIT spraying Drive-by malware and browsers

1.11k views • 43 slides
Flip Feng Shui: Hammering a Needle in the Software Stack Ben Gras Kaveh Razavi Erik Bosman Bart

Flip Feng Shui: Hammering a Needle in the Software Stack Ben Gras Kaveh Razavi Erik Bosman Bart

Flip Feng Shui: Hammering a Needle in the Software Stack Ben Gras Kaveh Razavi Erik Bosman Bart Preneel 1 Cristiano Giuffrida Herbert Bos August 10, 2016 1 Teaser OpenSSH compromise apt-get compromise by GPG signature forgery No

721 views • 44 slides
Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual memory management is error prone

574 views • 35 slides
Shui On Land Limited (272.HK) 2010 Interim Results 19 August 2010 Member of Shui On Group

Shui On Land Limited (272.HK) 2010 Interim Results 19 August 2010 Member of Shui On Group

Shui On Land Limited (272.HK) 2010 Interim Results 19 August 2010 Member of Shui On Group www.shuionland.com 1 1. Corporate Strategy 2. Financial Highlights and Business Review 3. Three-Year Plan 4. Key Launches in 2H 2010 2 Corporate

563 views • 22 slides
PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

ERIE COUNTY DEPARTMENT OF SOCIAL SERVICES Program Overview PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low income households to reduce energy expense s. HEAP PROGRAMS Regular HEAP Available

531 views • 14 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Lightweight Scheduling in a Single-Pass JavaScript JIT Compiler Alexander Jordan, Vienna

Lightweight Scheduling in a Single-Pass JavaScript JIT Compiler Alexander Jordan, Vienna

Lightweight Scheduling in a Single-Pass JavaScript JIT Compiler Alexander Jordan, Vienna University of Technology ajordan@complang.tuwien.ac.at Christophe Guillon, STMicroelectronics christophe.guillon@st.com January 22, 2013 1/16 Alexander

456 views • 26 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
CS-5630 / CS-6630 Visualization JavaScript Basics Alexander Lex alex@sci.utah.edu [xkcd] This

CS-5630 / CS-6630 Visualization JavaScript Basics Alexander Lex alex@sci.utah.edu [xkcd] This

CS-5630 / CS-6630 Visualization JavaScript Basics Alexander Lex alex@sci.utah.edu [xkcd] This Week Homework1: due Friday! Readings: D3: Chapters 3, 4, 5 and 6 Lecture Thursday: Intro D3 HW 1 Questions? Survey Results registered: 7

432 views • 21 slides
Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The binomial heap allows for efficient union, which can not be done efficiently in the binary heap. The extra cost paid is the minimum operation, which

560 views • 24 slides
JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce

JavaScript Primer Basic Introduction of JavaScript JavaScript History Why (re)introduce JavaScript? Notorious for being worlds most misunderstood programming language o (Douglas Crockford -

432 views • 11 slides
Rachel Zahn, Paris, France Theatre trained, Catholic University AT study grant: ACT San Francisco

Rachel Zahn, Paris, France Theatre trained, Catholic University AT study grant: ACT San Francisco

Rachel Zahn, Paris, France Theatre trained, Catholic University AT study grant: ACT San Francisco ACAT trained N.Y. 1969 ACAT faculty: N.Y. 1970-1982 Performance Coach: 1975-1988 Psychotherapist: 1979-present Intercultural researcher:

961 views • 69 slides
The e eff ffect ect of f exerc ercis ise e and phys ysic ical al tr training ining on

The e eff ffect ect of f exerc ercis ise e and phys ysic ical al tr training ining on

The e eff ffect ect of f exerc ercis ise e and phys ysic ical al tr training ining on fa falls ls and d physical ysical func nctio ion n in olde der r adults lts with th vision ision impa pairm irmen ent: t: An upda

341 views • 19 slides
The design and maintenance of affordable urban water quality improvements Michael Alexander, PE

The design and maintenance of affordable urban water quality improvements Michael Alexander, PE

The design and maintenance of affordable urban water quality improvements Michael Alexander, PE Lake Tahoe Basin Management Unit - LTBMU Urban Water Quality Priorities Techniques based in science should be used for the design and

509 views • 28 slides
The Rare Genomics Institute patient research initiative: Probono patient services enabling deep

The Rare Genomics Institute patient research initiative: Probono patient services enabling deep

1 The Rare Genomics Institute patient research initiative: Probono patient services enabling deep insights into rare disease conditions through genome analysis Rajini R Haraksingh, PhD Vice President, Patient Research Rare Genomics Institute

593 views • 20 slides
The Sam Buxton Sunflower Healing Trust Reg Charity Number 1115614 Created in 2006 with funds

The Sam Buxton Sunflower Healing Trust Reg Charity Number 1115614 Created in 2006 with funds

The Sam Buxton Sunflower Healing Trust Reg Charity Number 1115614 Created in 2006 with funds from The NHS Healer Providing a Ray of Light To Cancer Patients and their Carers Providing Funds to NHS and Other Cancer Related Care Steps

656 views • 36 slides
Student Support &amp; Welfare Jane Gray Student Support &amp; Welfare Support at the RNCM 2

Student Support &amp; Welfare Jane Gray Student Support &amp; Welfare Support at the RNCM 2

Student Support &amp; Welfare Jane Gray Student Support &amp; Welfare Support at the RNCM 2 Counsellors 3 Alexander Technique Tutors Specific Medical Advice/Support for Performers Chaplaincy based at Manchester University

360 views • 9 slides
Scalability Analysis of the Hierarchical Architecture for Distributed Virtual Environments

Scalability Analysis of the Hierarchical Architecture for Distributed Virtual Environments

Introduction Queueing Theory Analysis: Analytic Results Consistency Summary Scalability Analysis of the Hierarchical Architecture for Distributed Virtual Environments Michael Kwok Johnny W. Wong Presentation by Alexander Pokluda Cheriton

516 views • 36 slides
Shadow Robot Company Rich Walker Turning Ideas Into Profit Managing Director IagrE 2016

Shadow Robot Company Rich Walker Turning Ideas Into Profit Managing Director IagrE 2016

Shadow Robot Company Rich Walker Turning Ideas Into Profit Managing Director IagrE 2016 rw@shadowrobot.com 1/53 Corporate Summary Company established 1997 in London, UK Manufactures Hand product for R&amp;D customers Significant

569 views • 53 slides

More recommend