Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks
Yu Ding, Tao Wei, TieLei Wang (Peking University); Zhenkai Liang (National University of Singapore); Wei Zou (Peking University)
26th ACSAC (December, 2010)
Outline
• Introduction
• Research Approaches
• Heap Spraying with Little Surface Area
• Experiment and Evaluation
A Seminar at Advanced Defense Lab
Introduction
• News from Microsoft Security Research & Defense, 2010/12/20
• http://blogs.technet.com/b/srd/archive/2010/12/22/new-internet-explorer-vulnerability-affecting-all-versions-of-ie.aspx
Heap Spray
[Figure: heap memory filled with sprayed blocks, each a NOP sled followed by shellcode; a memory corruption redirects control into one of them]

<SCRIPT type="text/javascript">
shellcode = unescape("%u4343%u4343%...");
// 0x0C0C0C0C doubles as a harmless instruction and as the sprayed address (NOP sled)
oneblock = unescape("%u0C0C%u0C0C");
var fullblock = oneblock;
// grow the sled by doubling until it is 0x40000 characters long
while (fullblock.length < 0x40000) {
  fullblock += fullblock;
}
// allocate 1000 copies of sled + shellcode to fill the heap
sprayContainer = new Array();
for (i = 0; i < 1000; i++) {
  sprayContainer[i] = fullblock + shellcode;
}
</SCRIPT>

• The heap is less predictable, and some mechanisms randomize the heap layout.
Heap spraying (cont.)
• Why spraying? We need to jump into the object.
• Why a NOP sled? We need to execute the first instruction of the shellcode.
Research Approaches
• Shellcode-oriented
• But … “English Shellcode”? (my opinion)
• Sled-oriented
• NOZZLE
The Design of NOZZLE
• NOZZLE attempts to discover objects in which control flow through the object (the NOP sled) frequently reaches the same basic block(s) (the shellcode).
[Figure: a heap object is disassembled into a control flow graph]
The Design of NOZZLE (cont.)
• Compute the attack surface area of object o as:
• The attack surface area of a heap containing n objects is defined as follows:
• The normalized attack surface area of the heap
Limitation (In The Paper of NOZZLE)
• Jump into Page
• Attacker allocates page-size chunks of memory
The goal of this paper!!
[Figure: consecutive page-size chunks, each holding shellcode at the same fixed offset from the page alignment]
Heap Spraying with Little Surface Area
• Memory Allocation Granularity: Linux: 4KB; Windows: 64KB
• When a heap object is bigger than a certain threshold (512K in our experiment), Windows always allocates a separate heap block for this object.
Observation
• If an EIP assigned by an attacker has few possible locations in a large heap object, the attacker only needs to put jump-equivalent instructions at those locations.
• In fact, an EIP assigned by an attacker can only point to EIGHT possible locations in a 512K-byte heap object.
Malicious Heap Object [figure]
If the alignment is small [figure]
Detecting Heap Taichi Attacks
• NOZZLE can be enhanced to detect some of the new attacks by considering the effect of memory allocation granularity.
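As an added example (not code from the paper or from NOZZLE), the following Python models the observation slides above and the granularity-aware check on this slide: when an object's base is aligned to the 64KB Windows granularity, a fixed attacker-chosen address can only coincide with offsets congruent to it modulo 64KB, so a 512K object has eight candidate landing offsets, and a detector that measures the surface only over those offsets flags a test object that a whole-object measure rates as nearly benign. The jmp-rel32 decoder, the 0xCC filler and the NOP stand-in for shellcode are constructed assumptions, not the paper's model.

```python
import struct

WINDOWS_GRANULARITY = 64 * 1024   # allocation granularity on Windows (from the slides)
OBJECT_SIZE = 512 * 1024          # large-object threshold used in the slides' experiment


def landing_offsets(object_size, granularity, target_addr):
    """Offsets in a granularity-aligned object of object_size bytes that can
    coincide with the absolute address target_addr. Because base % granularity
    == 0, only offsets congruent to target_addr modulo granularity qualify."""
    return list(range(target_addr % granularity, object_size, granularity))


def reaches_shellcode(obj, off, sc_start, sc_end):
    """Simplified stand-in for NOZZLE's per-offset test (assumption): an offset
    reaches the shellcode if it lies inside it, or holds a 5-byte 'jmp rel32'
    (E9 xx xx xx xx) whose target lies inside it. Junk filler never counts."""
    if sc_start <= off < sc_end:
        return True
    if obj[off] == 0xE9 and off + 5 <= len(obj):
        rel = struct.unpack_from("<i", obj, off + 1)[0]
        return sc_start <= off + 5 + rel < sc_end
    return False


def surface(obj, offsets, sc_start, sc_end):
    """Fraction of the given offsets from which control reaches the shellcode."""
    hits = sum(reaches_shellcode(obj, o, sc_start, sc_end) for o in offsets)
    return hits / len(offsets)


def build_test_object(target_addr, shellcode_len=64):
    """Constructed detector fixture: a 512K object of 0xCC filler, a block of
    NOPs standing in for shellcode at the end, and a jmp to that block only at
    the eight granularity-determined landing offsets."""
    obj = bytearray(b"\xcc" * OBJECT_SIZE)
    sc_start, sc_end = OBJECT_SIZE - shellcode_len, OBJECT_SIZE
    obj[sc_start:sc_end] = b"\x90" * shellcode_len
    for off in landing_offsets(OBJECT_SIZE, WINDOWS_GRANULARITY, target_addr):
        obj[off] = 0xE9
        struct.pack_into("<i", obj, off + 1, sc_start - (off + 5))
    return bytes(obj), sc_start, sc_end


def compare(target_addr=0x0C0C0C0C):
    """Return (whole-object surface, granularity-aware surface) for the fixture."""
    obj, sc_start, sc_end = build_test_object(target_addr)
    naive = surface(obj, range(OBJECT_SIZE), sc_start, sc_end)
    candidates = landing_offsets(OBJECT_SIZE, WINDOWS_GRANULARITY, target_addr)
    return naive, surface(obj, candidates, sc_start, sc_end)
```

With the fixture above, the whole-object measure is about 72/524288 while the granularity-aware measure is 1.0, which is the gap the slide proposes closing.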
Detecting Heap Taichi Attacks (cont.)
• A natural solution to prevent Heap Taichi attacks and similar attacks is to align memory allocations at a smaller boundary.
• But … there are many heap managers at different levels of a program, each of which has its own heap management strategy.
Experiment and Evaluation
• Case study: [figure]
Result [figure]
Thank You