Nozzle: A Defense Against Heap-spraying Code Injection Attacks - - PowerPoint PPT Presentation



SLIDE 1

Nozzle: A Defense Against Heap-spraying Code Injection Attacks

Paruj Ratanaworabhan, Cornell University; Ben Livshits and Ben Zorn, Microsoft Research (Redmond, WA)

SLIDE 2

Heap Spraying is a Problem

Firefox 3.5 July 14, 2009

http://www.web2secure.com/2009/07/mozilla-firefox-35-heap-spray.html

Adobe Acrobat / Reader February 19, 2009

Flash July 23, 2009

http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html

Common Element: All vulnerable applications support embedded scripting languages (JavaScript, ActionScript, etc.)


SLIDE 3

Drive-By Heap Spraying

[Figure: a drive-by heap spraying attack, from the victim visiting the page to the browser being "Owned!"]

SLIDE 4

Drive-By Heap Spraying (2)


    <HTML>
    <SCRIPT language="text/javascript">
      shellcode = unescape("%u4343%u4343%...");
    </SCRIPT>
    <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB …
            NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … &#3341;&#3341;">
    </IFRAME>
    </HTML>

[Figure: the script creates the single malicious object on the program heap and the IFRAME triggers the jump; with only one object, ASLR prevents the attack because the PC does not land in it]

SLIDE 5

Drive-By Heap Spraying (3)


    <SCRIPT language="text/javascript">
      shellcode = unescape("%u4343%u4343%...");
      oneblock = unescape("%u0C0C%u0C0C");
      var fullblock = oneblock;
      while (fullblock.length < 0x40000) {
        fullblock += fullblock;
      }
      sprayContainer = new Array();
      for (i = 0; i < 1000; i++) {
        sprayContainer[i] = fullblock + shellcode;
      }
    </SCRIPT>

[Figure: the program heap is now filled with "bad" objects]

Allocate 1000s of malicious objects

SLIDE 6

Kittens of Doom: What data can you trust?

  • Heap spraying is quite general and easy to implement
  • Many applications allow scripts in type-safe languages
    – JavaScript, ActionScript
    – Java, C#
  • Many applications accept data from untrusted sources
    – Embed malicious code in images, documents, DLLs, etc.
  • [Sotirov & Dowd BH’08]


SLIDE 7

Nozzle – Runtime Heap Spraying Detection

[Figure: normalized surface area against logical time (number of allocations/frees) for a malicious site and a normal site; application: web browser]

Nozzle answers: How much of my heap is suspicious?


SLIDE 8

Outline

  • Nozzle design & implementation
  • Evaluation
    – False positives
    – False negatives
    – New threats (Adobe Reader)
  • Summary


SLIDE 9

Nozzle Design

[Figure: application threads call "new object" (Create Object) and "init object" (Initialize Object) on the application heap; Nozzle threads then scan each object and classify it as suspect or benign, and repeat for every new allocation]

Advantages

  • Just need to hook standard APIs
    – malloc, free, HeapAlloc, HeapFree, etc.
  • Monitor new applications using Detours
  • Can be applied to existing binaries


SLIDE 10

Local Malicious Object Detection

Code or data? Is this object dangerous?

  • Is this object code?
    – Code and data look the same on x86
  • Focus on sled detection
    – Majority of the object is sled
    – Spraying scripts build simple sleds
  • Is this code a NOP sled?
    – Previous techniques do not look at the heap
    – Many heap objects look like NOP sleds
    – 80% false positive rates using previous techniques
  • Need stronger local techniques


[Figure: two byte patterns read as x86 code. A run of 0x00 bytes disassembles as a column of "add [eax], al"; a run of 0101... bytes disassembles as a column of "and ah, [edx]". Labels: NOP sled, shellcode]

SLIDE 11

Object Surface Area Calculation (1)

  • Assume: the attacker wants to reach the shellcode from a jump to any point in the object
  • Goal: find blocks that are likely to be reached via control flow
  • Strategy: use dataflow analysis to compute the “surface area” of each block

An example object from visiting google.com

SLIDE 12

Object Surface Area Calculation (2)

  • Each block starts with its own size as its weight
  • Weights are propagated forward with the control flow
  • Invalid blocks don’t propagate
  • Iterate until a fixpoint is reached
  • Compute the block with the highest weight

An example object from visiting google.com

[Figure: per-block weights on the example object’s CFG: 4, 2, 4, 2, 2, 3, 10, 14, 4, 12, 6, 9, 12, 14, 12, 12, 12, 15]

SLIDE 13

Nozzle Global Heap Metric

  • Compute the threat of a single block: SA(Bi), the surface area of block Bi of object o (build the object’s CFG, then run the dataflow)
  • Compute the threat of a single object: SA(o), the highest SA(Bi) over the blocks of o
  • Compute the threat of the entire heap: SA(H), the sum of SA(o) over all objects in H
  • Normalize: NSA(H) = SA(H) / |H|, where |H| is the heap size in bytes; approximately P(a jump into the heap will cause an exploit)

[Figure: disassembly of an example block (in eax, 0x11; sub [eax], eax; adc dh, bh; jecxz 021c7fd8; test cl, ah; add al, 30h; add al, 80h; or eax, 0d172004h; outs dx, [esi]; jecxz 021c7fde; add [ecx], 0; add [eax], al; xor [eax], eax; add al, 38h; imul eax, [eax], 6ch; or eax, 0d179004h), colour-coded by the legend: arithmetic, memory, I/O or syscall, control flow; arrows lead to the target block]
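As an added worked example (not Nozzle’s own code, which disassembles live x86 heap objects): the surface-area dataflow of slides 11 to 13, run over hand-built control-flow graphs. The Block type, the sizes, successor edges and the “invalid” flag are constructed stand-ins for what a disassembler would produce; SPRAYED and BENIGN are constructed models of a sprayed object and of an ordinary 1 KiB object, not real heap contents. The weight rule is one reading of slide 12: a block’s surface area is the total bytes of the valid blocks from which it can be reached without passing through an invalid block, and the 50% detection threshold is the one slide 15 suggests.

```python
"""Surface area (SA) and normalized surface area (NSA) over hand-built CFGs.

Added example, not Nozzle's code: the block graph is constructed by hand
instead of being produced by disassembling a live x86 heap object.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Block:
    size: int                                         # bytes of the object this block covers
    succs: List[int] = field(default_factory=list)    # indices of control-flow successors
    valid: bool = True                                # False: faults or halts (privileged op, bad opcode...)


def block_surface_areas(blocks: List[Block]) -> List[int]:
    """SA(Bi) for every block: bytes of the valid blocks from which Bi can be
    reached without passing through an invalid block (a jump landing anywhere
    in those bytes ends up in Bi). Forward dataflow, iterated to a fixpoint."""
    reaches = [{i} for i in range(len(blocks))]      # each block starts with itself (its own size)
    changed = True
    while changed:                                   # iterate until a fixpoint
        changed = False
        for i, b in enumerate(blocks):
            if not b.valid:
                continue                             # invalid blocks do not propagate
            for s in b.succs:
                before = len(reaches[s])
                reaches[s] |= reaches[i]             # weight flows forward along the edge
                changed |= len(reaches[s]) != before
    return [sum(blocks[j].size for j in r) if b.valid else 0
            for b, r in zip(blocks, reaches)]


def object_surface_area(blocks: List[Block]) -> int:
    """SA(o): the object's threat is its highest-weight block."""
    return max(block_surface_areas(blocks), default=0)


def heap_nsa(objects: List[List[Block]]) -> float:
    """NSA(H) = SA(H) / |H|: SA(H) is the sum of SA(o) over the heap's objects,
    |H| the heap size in bytes. Roughly the probability that a random jump
    into the heap reaches some object's attack block."""
    sa_h = sum(object_surface_area(o) for o in objects)
    heap_bytes = sum(b.size for o in objects for b in o)
    return sa_h / heap_bytes if heap_bytes else 0.0


def is_heap_sprayed(objects: List[List[Block]], threshold: float = 0.5) -> bool:
    """Detection rule: flag the heap once NSA(H) reaches the threshold (the
    slides report benign sites under 12% and real sprays at 76-96%)."""
    return heap_nsa(objects) >= threshold


def fallthrough_chain(sizes, invalid=()) -> List[Block]:
    """Constructed helper: a run of blocks where each falls through to the next."""
    n = len(sizes)
    return [Block(size=s, succs=[i + 1] if i + 1 < n else [], valid=i not in invalid)
            for i, s in enumerate(sizes)]


# Constructed models, not real heap contents.
# Sprayed object: the 0x0C0C sled of slide 5 (0C 0C decodes as straight-line
# code) modelled as four 64 KiB chunks, followed by a three-block shellcode.
SPRAYED = fallthrough_chain([65536] * 4 + [64, 200, 136])
# Benign 1 KiB object (say, a string) whose bytes decode with an invalid
# instruction in every other block, so no run of bytes flows very far.
BENIGN = fallthrough_chain([64] * 16, invalid=set(range(1, 16, 2)))

NORMAL_SITE = [BENIGN] * 200                      # 200 ordinary objects
MALICIOUS_SITE = [BENIGN] * 200 + [SPRAYED] * 50  # the same plus 50 sprayed objects


if __name__ == "__main__":
    print("SA(sprayed object) =", object_surface_area(SPRAYED))   # 262544 of 262544 bytes
    print("SA(benign object)  =", object_surface_area(BENIGN))    # 64 of 1024 bytes
    for name, heap in (("normal site", NORMAL_SITE), ("malicious site", MALICIOUS_SITE)):
        print(f"{name}: NSA(H) = {heap_nsa(heap):.3f}, sprayed = {is_heap_sprayed(heap)}")
```

The fixpoint loop is what makes loops in the CFG safe: a back edge only adds the same contributing blocks again, so the reach sets stop growing and the iteration terminates. Note that the benign model stays at 6.25% NSA while the sprayed one is essentially 100%, which is why the threshold can sit far above any benign value.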

SLIDE 14

Nozzle Experimental Summary

0 False Positives

  • 10 popular AJAX-heavy sites
  • 150 top Web sites

0 False Negatives

  • 12 published heap spraying exploits and
  • 2,000 synthetic rogue pages generated using Metasploit

Runtime Overhead

  • As high as 2x without sampling
  • 5-10% with sampling


SLIDE 15

Nozzle on Benign Sites

  • Benign sites have low Nozzle NSA
  • Max NSA always less than 12%
  • Thresholds can be set much higher for detection (50% or more)

SLIDE 16

Nozzle with Known Heap Sprays

  • 12 published heap spray pages in multiple browsers
  • 2,000 synthetic heap spray pages using Metasploit
    – advanced NOP engine
    – shellcode database

Result: max NSA between 76% and 96%; Nozzle detects real spraying attacks

SLIDE 17

Nozzle Runtime Overhead


SLIDE 18

Using Nozzle in Adobe Reader


[Figure: AcroRd32.exe is instrumented with Detours to load nozzlert.dll, producing the monitored det-AcroRd32.exe]

Results

  • Detected a published heap spray attack (NSA > 75%)
  • Runtime overhead was 8% on average
  • NSA of normal document < 10%

Demo

SLIDE 19

Summary

  • Heap spraying attacks are
    – Easy to implement, easy to retarget
    – In widespread use
  • Existing detection methods fail to classify malicious objects on the x86 architecture
  • Nozzle
    – Effectively detects published attacks (known and new)
    – Has acceptable runtime overhead
    – Can be used both online and offline


SLIDE 20

Questions?

Paruj Ratanaworabhan (paruj.r@gmail.com)
Ben Livshits (livshits@microsoft.com)
Ben Zorn (zorn@microsoft.com)


See us on Channel 9: http://channel9.msdn.com/posts/Peli/Heap-Spraying-Attack-Detection-with-Nozzle/

SLIDE 21

Backup


SLIDE 22

Attacks on Nozzle

  • Injecting junk into the start of the object
    – Where does the exploit code begin?
  • TOCTTOU
    – When do you scan the object?
  • Attacks on the surface area calculation
    – Jumps outside of objects
    – Multiple instances of shellcode inside an object
  • Hiding the code itself
    – Code that rewrites the heap at the last minute


SLIDE 23

What about Data Execution Prevention?

  • DEP / NX bit = hardware to prevent code execution on the heap
  • DEP is great, but isn’t used everywhere
    – Issues with app compatibility
    – DEP can be circumvented
    – JIT compilers complicate the story
  • Nozzle augments DEP for defense in depth


SLIDE 24

Normalized Surface Area Locally
