nozzle
play

Nozzle: A Defense Against Heap-spraying Code Injection Attacks - PowerPoint PPT Presentation

Jul 24, 2023 •358 likes •616 views

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond, WA) Heap Spraying is a Problem

  1. Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond, WA)

  2. Heap Spraying is a Problem http://www.web2secure.com/2009/07/mozilla-firefox-35-heap-spray.html Common Element: All vulnerable applications support Flash Firefox 3.5 embedded scripting languages July 23, 2009 July 14, 2009 (JavaScript, ActionScript, etc.) Adobe Acrobat / Reader February 19, 2009 http:// blog.fireeye.com/research/2009/07/actionscript_heap_spray.html 2

  3. Drive-By Heap Spraying Owned! 3

  4. Drive-By Heap Spraying (2) ASLR prevents the attack Program Heap ok bad PC Creates the ok malicious object <HTML> <SCRIPT language="text/javascript"> Triggers the jump shellcode = unescape("%u4343%u4343%...''); </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … &#3341;&#3341;"> </IFRAME> </HTML> 4

  5. Drive-By Heap Spraying (3) Program Heap bad ok bad bad bad bad ok bad <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); oneblock = unescape("%u0C0C%u0C0C"); Allocate 1000s of var fullblock = oneblock; while (fullblock.length<0x40000) { malicious objects fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; } </SCRIPT> 5

  6. Kittens of Doom What data can you trust? • Heap spraying is quite general, easy to implement • Many applications allow scripts in type safe languages – JavaScript, ActionScript – Java, C# • Many applications accept data from untrusted sources – Embed malicious code in images, documents, DLLs, etc. • [Sotirov & Dowd BH’08] 6

  7. Nozzle – Runtime Heap Spraying Detection Application: Web Browser Malicious Site Normalized Surface Area Nozzle answers: How much of my heap is suspicious? Normal Site Logical time (number of allocations/frees) 7

  8. Outline • Nozzle design & implementation • Evaluation – False positives – False negatives – New threats (Adobe Reader) • Summary 8

  9. Nozzle Design Application Threads Nozzle Threads Advantages scan object Repeat -Just need to hook standard APIs – Initialize Create and classify Object Object malloc, free, HeapAlloc, HeapFree, etc. - Monitor new applications using Detours benign suspect new init - Can be applied to existing binaries object object object object suspect object suspect benign object object benign object benign object Application Heap 9

  10. Local Malicious Object Detection Is this object dangerous? Code or Data? • Is this object code? 000000000000 add [eax], al 000000000000 add [eax], al – Code and data look the same on x86 000000000000 add [eax], al NOP • Focus on sled detection 000000000000 add [eax], al 000000000000 add [eax], al – Majority of object is sled 000000000000 add [eax], al sled – Spraying scripts build simple sleds 000000000000 add [eax], al • Is this code a NOP sled? – Previous techniques do not look at heap 0101010101 and ah, [edx] 0101010101 and ah, [edx] – Many heap objects look like NOP sleds 0101010101 and ah, [edx] 0101010101 and ah, [edx] – 80% false positive rates using previous shellcode 0101010101 and ah, [edx] techniques 0101010101 and ah, [edx] • 0101010101 and ah, [edx] Need stronger local techniques 10 10

  11. Object Surface Area Calculation (1) • Assume: attacker wants to reach shell code from jump to any point in object • Goal: find blocks that are likely to be reached via control flow • Strategy: use dataflow analysis to compute “surface area” of each block An example object from visiting google.com 11 11

  12. Object Surface Area Calculation (2) 4 4 12 • Each block starts with its own size as weight • Weights are propagated forward with flow 2 6 12 • Invalid blocks don’t 3 9 4 10 12 15 propagate • Iterate until a fixpoint is reached 2 12 12 • Compute block with highest weight 2 14 14 An example object from visiting google.com 12 12

  13. Nozzle Global Heap Metric Normalize to (approx): P(jump will cause exploit) obj NSA(H) build CFG sub [eax], eax Legend: arithmatic adc dh, bh memory or eax, 0d172004h SA(H) B i I/O or syscall in eax, 0x11 control flow test cl, ah jecxz 021c7fd8 Compute threat add [eax], al add al, 30h add [ecx], 0 add al, 80h outs dx, [esi] add al, 38h of entire heap jecxz 021c7fde xor [eax], eax To target block imul eax, [eax], 6ch dataflow or eax, 0d179004h SA(o) SA(B i ) Compute threat of Compute threat of single block single object 13

  14. Nozzle Experimental Summary 0 False Positives • 10 popular AJAX-heavy sites • 150 top Web sites 0 False Negatives • 12 published heap spraying exploits and • 2,000 synthetic rogue pages generated using Metasploit Runtime Overhead • As high as 2x without sampling • 5-10% with sampling 14

  15. Nozzle on Benign Sites • Benign sites have low Nozzle NSA • Max NSA always less than 12% • Thresholds can be set much higher for detection (50% or more) 15 15

  16. Nozzle with Known Heap Sprays • 12 published heap spray pages in multiple browsers • 2,000 synthetic heap spray pages using MetaSploit – advanced NOP engine – shellcode database Result: max NSA between 76% and 96% Nozzle detects real spraying attacks 16

  17. Nozzle Runtime Overhead 17 17

  18. Using Nozzle in Adobe Reader det- AcroRd32.exe Detours AcroRd32.exe Demo nozzlert.dll Results - Detected a published heap spray attack (NSA > 75%) - Runtime overhead was 8% on average - NSA of normal document < 10% 18

  19. Summary • Heap spraying attacks are – Easy to implement, easy to retarget – In widespread use • Existing detection methods fail to classify malicious objects on x86 architecture • Nozzle – Effectively detects published attacks (known and new) – Has acceptable runtime overhead – Can be used both online and offline 19

  20. Questions? Paruj Ratanaworabhan (paruj.r@gmail.com) Ben Livshits (livshits@microsoft.com) Ben Zorn (zorn@microsoft.com) Nozzle heap spraying See us on Channel 9: http://channel9.msdn.com/posts/Peli/ Heap-Spraying-Attack-Detection-with-Nozzle/ 20

  21. Backup 21

  22. Attacks on Nozzle • Injecting junk into start of object – Where does the exploit code begin? • TOCTTOU – When do you scan the object? • Attacks on surface area calculation – Jumps outside of objects – Multiple instances of shellcode inside an object • Hiding the code itself – Code that rewrites heap at last minute 22

  23. What about Data Execution Prevention? • DEP / NX bit = hardware to prevent code execution on the heap • DEP is great , but isn’t used everywhere – Issues with app compatibility – DEP can be circumvented – JIT compilers complicate the story • Nozzle augments DEP for defense in depth 23

  24. Normalized Surface Area Locally 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CFD Simulation B Y : E V A N N E Y 1 2 / 1 6 / 1 4 Converging Diverging Nozzle - Background

CFD Simulation B Y : E V A N N E Y 1 2 / 1 6 / 1 4 Converging Diverging Nozzle - Background

Converging Diverging Nozzle CFD Simulation B Y : E V A N N E Y 1 2 / 1 6 / 1 4 Converging Diverging Nozzle - Background Hour glass shaped nozzle HIGH Fully subsonic isentropic flow Velocity increases in converging section and

254 views • 8 slides
General Overview of Nozzles Sebastian Szustkowski 02/22/18 Capillary Vs Nozzle Generally

General Overview of Nozzles Sebastian Szustkowski 02/22/18 Capillary Vs Nozzle Generally

General Overview of Nozzles Sebastian Szustkowski 02/22/18 Capillary Vs Nozzle Generally sonic nozzle have higher molecular intensity Sonic nozzle has a significantly narrow velocity distribution Both capillary and sonic nozzle can

346 views • 6 slides
T-870-INTE Mjlnir Fuel and nozzle team Milestone presentation Instructor: Joe Foley Students:

T-870-INTE Mjlnir Fuel and nozzle team Milestone presentation Instructor: Joe Foley Students:

T-870-INTE Mjlnir Fuel and nozzle team Milestone presentation Instructor: Joe Foley Students: Ingi Mar Jnsson, Jhannes E. Valberg Sverrir Haraldsson Department of Science and Engineering (TVD) Reykjavk University April 28, 2014

370 views • 13 slides
Evaluation of A New TwinJet Nozzle for Weed Control in Peanut Eric P. Prostko 1 , Brock A. Ward 1

Evaluation of A New TwinJet Nozzle for Weed Control in Peanut Eric P. Prostko 1 , Brock A. Ward 1

Evaluation of A New TwinJet Nozzle for Weed Control in Peanut Eric P. Prostko 1 , Brock A. Ward 1 , Glenn C. Rains 3 ,O. Wen Carter 2 1 Department of Crop &amp; Soil Sciences 2 Miller County Extension Agent 3 Department of Entomology Peanut and

670 views • 25 slides
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond, WA) Heap Spraying is a Problem

665 views • 21 slides
ULTRASONIC INSPECTION of DISSIMILAR WELDS Standard PWR Steam Generator Nozzle DMW Configuration

ULTRASONIC INSPECTION of DISSIMILAR WELDS Standard PWR Steam Generator Nozzle DMW Configuration

ULTRASONIC LECTURES CONSULTING Michael Krning ULTRASONIC INSPECTION of DISSIMILAR WELDS Standard PWR Steam Generator Nozzle DMW Configuration (1) May 28 th , 2012 CITEC Su Zhou CONSULTING State-of-the-Art Ultrasonic Material Inspection

663 views • 55 slides
AIR PROPPY RD-039 Artful shape ,easy hold Rotate nozzle,clean thoroughly3-point spray,better

AIR PROPPY RD-039 Artful shape ,easy hold Rotate nozzle,clean thoroughly3-point spray,better

AIR PROPPY RD-039 Artful shape ,easy hold Rotate nozzle,clean thoroughly3-point spray,better clean result Usage: Powder and pipeline connections: two hole, four-hole-type powder box, powder box directly to the phone lines into the rear port

499 views • 34 slides
Davis-Besse Nuclear Power Station Reactor Vessel Incore Monitoring Instrumentation Nozzle

Davis-Besse Nuclear Power Station Reactor Vessel Incore Monitoring Instrumentation Nozzle

Davis-Besse Nuclear Power Station Reactor Vessel Incore Monitoring Instrumentation Nozzle Leakage Simulation Results 1 Davis-Besse Davis-Besse April 4, 2003 Nuclear Power Station Nuclear Power Station Agenda Opening Remarks . . . . . . .

600 views • 31 slides
Isokinetic Sample Nozzle www.rometec.it Sentry-equipment Rometec srl - www.rometec.it - Rometec

Isokinetic Sample Nozzle www.rometec.it Sentry-equipment Rometec srl - www.rometec.it - Rometec

Rometec srl - www.rometec.it - Rometec srl - www.rometec.it - Rometec srl - www.rometec.it Isokinetic Sample Nozzle www.rometec.it Sentry-equipment Rometec srl - www.rometec.it - Rometec srl - www.rometec.it - Rometec srl - www.rometec.it

370 views • 12 slides
Reinven&amp;ng Aeronau&amp;cs through the Future ACHEON - Aerial

Reinven&amp;ng Aeronau&amp;cs through the Future ACHEON - Aerial

Reinven&amp;ng Aeronau&amp;cs through the Future ACHEON - Aerial Coanda High Efficiency Orien&amp;ng-jet Nozzle Thrust Propulsion Concept for the Future

383 views • 17 slides
Implementation of Transport Model into CavitatingFoam to simulate the Cavitation in Diesel

Implementation of Transport Model into CavitatingFoam to simulate the Cavitation in Diesel

Implementation of Transport Model into CavitatingFoam to simulate the Cavitation in Diesel Injector Nozzle Bar BER Energy and Fluid Science Lab . Graduate School of Maritime Sciences, Kobe University, JAPAN bicerbaris@hotmail.com MSc/PhD

421 views • 31 slides
PREPARATION AND CHARACTERIZATION OF CORE-SHELL TYPE P3HT@PEO COMPOSITE NANOFIBERS USING SINGLE

PREPARATION AND CHARACTERIZATION OF CORE-SHELL TYPE P3HT@PEO COMPOSITE NANOFIBERS USING SINGLE

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS PREPARATION AND CHARACTERIZATION OF CORE-SHELL TYPE P3HT@PEO COMPOSITE NANOFIBERS USING SINGLE NOZZLE SYSTEM T. Kim, C.R. Park* Carbon Nanomaterials Design Laboratory, Global Research

249 views • 4 slides
Water atomization in spray nozzles Division of Fluid Mechanics Contents Introduction Techniques

Water atomization in spray nozzles Division of Fluid Mechanics Contents Introduction Techniques

Water atomization in spray nozzles Division of Fluid Mechanics Contents Introduction Techniques used in STAR-CCM+ Case definition Nozzle description Results Conclusions General facts about Epsilon 1 500 employees and 10000 independent

259 views • 13 slides
Products Introduction Non-Ferrous Casting Products High conductivity cooper castings of electric

Products Introduction Non-Ferrous Casting Products High conductivity cooper castings of electric

Products Introduction Non-Ferrous Casting Products High conductivity cooper castings of electric furnace parts and blast furnace parts; Water jacket(Cooper panel), Electrode holder, Lance nozzle, Burner and Bushing. Company Introduce Tae Sung

272 views • 6 slides
MALWARE DEFENSES Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Runtime

MALWARE DEFENSES Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Runtime

MALWARE DEFENSES Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Runtime Advanced attack techniques detector Heap spraying Static detector Nozzle Heap feng shui JIT spraying Drive-by malware and browsers

1.11k views • 43 slides
Homemade Solid Propulsion Solid Propulsion Team Sebastian, Trevor, David, Josef, Johnny, Jerry

Homemade Solid Propulsion Solid Propulsion Team Sebastian, Trevor, David, Josef, Johnny, Jerry

Homemade Solid Propulsion Solid Propulsion Team Sebastian, Trevor, David, Josef, Johnny, Jerry Nozzle Cone High thrust and specific impulse Long and Heavy Bell Lighter than cone Shape is key Spike

833 views • 10 slides
Disks and File Systems Regardless of the partition style or disk type, the basic unit of

Disks and File Systems Regardless of the partition style or disk type, the basic unit of

27/05/2013 Disks and File Systems Regardless of the partition style or disk type, the basic unit of storage is a disk. When you format a disk with a file system, the file system structures the disk using clusters which are logical groupings

1k views • 49 slides
PPS-Design einer eigenen WWW-Homepage WS 2002/2003 Praxis II - 29.11.2002: Cascading Style

PPS-Design einer eigenen WWW-Homepage WS 2002/2003 Praxis II - 29.11.2002: Cascading Style

PPS Design einer eigenen WWW- WS 2002/2003 Homepage PPS-Design einer eigenen WWW-Homepage WS 2002/2003 Praxis II - 29.11.2002: Cascading Style Sheets (CSS) David Hausheer (hausheer@tik.ee.ethz.ch) Anforderungen an eine Webseite 1.

333 views • 8 slides
Internet Publication of Geneva Justice Decisions A case study laurent.dami@justice.ge.ch LD,

Internet Publication of Geneva Justice Decisions A case study laurent.dami@justice.ge.ch LD,

Internet Publication of Geneva Justice Decisions A case study laurent.dami@justice.ge.ch LD, PJ-GE, july 2006 2 Agenda context presentation justice.ge.ch/jurisprudence : short tour technical information some lessons about Perl

601 views • 28 slides
www.plat-forms.org Web programming competition report from the Geneva team Laurent Dami, Etat de

www.plat-forms.org Web programming competition report from the Geneva team Laurent Dami, Etat de

1 www.plat-forms.org Web programming competition report from the Geneva team Laurent Dami, Etat de Genve (Etat de Genve) Cdric Bouvier (Optaros) Jean-Christophe Durand (Optaros) together since oct. 2006 to build the new business

442 views • 23 slides
Web Queries with Style: Rendering Xcerpt Programs with CSS NG Fran cois Bry and Christoph

Web Queries with Style: Rendering Xcerpt Programs with CSS NG Fran cois Bry and Christoph

Web Queries with Style: Rendering Xcerpt Programs with CSS NG Fran cois Bry and Christoph Wieser Presentation: Christoph Wieser University of Munich http://www.pms.ifi.lmu.de 11th June 2006 PPSWR 2006 Web Queries with Style: Rendering

384 views • 5 slides
Chapter 7 Accessing the Internet Page 1 We Shall be Covering ... Basic Internet concepts

Chapter 7 Accessing the Internet Page 1 We Shall be Covering ... Basic Internet concepts

Chapter 7 Accessing the Internet Page 1 We Shall be Covering ... Basic Internet concepts Internet configuration and set-up dial-up connection xDSL connection Page 2 The Internet Revolutionised information usage and

543 views • 15 slides
CS 3640: Introduction to Networks and Their Applications Fall 2018, Lecture 2: More layering and

CS 3640: Introduction to Networks and Their Applications Fall 2018, Lecture 2: More layering and

CS 3640: Introduction to Networks and Their Applications Fall 2018, Lecture 2: More layering and the end-to-end principle. Instructor: Rishab Nithyanand Teaching Assistant: Md. Kowsar Hossain 1 Today in class 1. 2. 3. Some Layering and

621 views • 35 slides
ConnectHome Nation Webinar Using Data for ConnectHomeUSA September 25, 2019 1 Agenda Agenda

ConnectHome Nation Webinar Using Data for ConnectHomeUSA September 25, 2019 1 Agenda Agenda

ConnectHome Nation Webinar Using Data for ConnectHomeUSA September 25, 2019 1 Agenda Agenda ACS Computer and Internet 1. American Community Survey (ACS) Computer and Data on Internet Data on data.census.gov data.census.gov Using ACS

432 views • 16 slides

More recommend