NOZZLE: A Defense Against Heap-spraying Code Injection Attacks
Paruj Ratanaworabhan, Cornell University
Benjamin Livshits, Microsoft Research
Benjamin Zorn, Microsoft Research
USENIX Security Symposium 2009
A Presentation at Advanced Defense Lab
Outline
• Introduction to heap spraying
• NOZZLE architecture
• Design
• Implementation
• Evaluation
• Limitations
Memory Corruption
• Figure: heap memory containing a NOP sled followed by shellcode; a memory corruption redirects control into the sled
• Sources of corruption: stack overflow, heap overflow, double free, dangling pointer, …
• Many protection mechanisms already exist for the stack, so attackers turn to the heap
Heap Spray
• Figure: heap memory filled with many copies of NOP sled + shellcode, so that a corrupted pointer is likely to land inside a sled and slide into the shellcode
    <SCRIPT type="text/javascript">
    // placeholder shellcode bytes; the real payload goes here
    shellcode = unescape("%u4343%u4343%...");
    // sled: 0x0C 0x0C decodes as "or al, 0x0C" at either byte alignment, so it behaves like a NOP
    oneblock = unescape("%u0C0C%u0C0C");
    var fullblock = oneblock;
    // grow the sled by doubling until it is 0x40000 characters long
    while (fullblock.length < 0x40000) {
        fullblock += fullblock;
    }
    // allocate 1000 copies of sled + shellcode; each is a separate heap object
    sprayContainer = new Array();
    for (i = 0; i < 1000; i++) {
        sprayContainer[i] = fullblock + shellcode;
    }
    </SCRIPT>
• The heap is less predictable than the stack, and some mechanisms randomize the heap layout; spraying compensates by turning most of the heap into a landing zone
Heap Spray Requires…
• The attacker must be able to control the contents of the heap
  • By providing data, e.g. images, documents, …
  • By using a scripting language, which allocates objects directly
• Browsers are therefore a popular target
NOZZLE Architecture
Local vs. Global Detection
• Code or data? On x86 the two are indistinguishable: the same bytes are both
• Figure: a buffer of zero bytes disassembles to a run of add [eax], al; another repeated data pattern disassembles to a run of and ah, [edx]
• Local detection (judging each object on its own): about 80% of Firefox's heap objects would be flagged, i.e. false positives
• Global detection: a sprayed heap has a large attack surface, so measure across the whole heap rather than per object
Design
• Definition: A sequence of bytes is legitimate if it can be decoded as a sequence of valid x86 instructions.
• Figure: the byte sequence 00 00 0c 0a bc 6f d3 0c 0a bc 6f d3 decoded into x86 instructions
Design (cont.)
• Definition: A valid instruction sequence is a legitimate instruction sequence that does not include instructions in the following categories:
  • I/O or system calls (in, outs, etc.)
  • interrupts (int)
  • privileged instructions (hlt, ltr)
  • jumps outside of the current object's address range
Design (cont.)
• NOZZLE attempts to discover objects in which control flow through the object (the NOP sled) frequently reaches the same basic block(s) (the shellcode)
• Figure: object → disassemble → control flow graph
An Example
• Figure: control flow graph of one object with its per-block attack surface
• Bi: the i-th basic block
• SA(Bi): attack surface area of Bi
• V: valid instruction block
• MASKi: mask for the block itself (self block)
Design (cont.)
• Compute the attack surface area of object o as:
• The attack surface area of a heap containing n objects is defined as follows:
• The normalized attack surface area of the heap:
Detection Threshold
• th_abs = 5 MB
• 5 MB is the size of the Firefox heap when a blank page is open
• A real attack would need to fill the heap with at least that many bytes of malicious objects, so a smaller attack surface is not reported
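The design slides above describe the scan in words only. The following is an added example, not code from the NOZZLE paper or its authors: a toy scanner that decodes a small x86 subset starting at every byte offset of an object, follows control flow while the sequence stays valid (no int3/int/hlt/in/out, no jump outside the object), and counts how many entry offsets flow through each byte. The opcode subset, the byte-level measure (the paper takes a maximum over basic blocks), the rule that an invalid instruction ends the walk, and the rule that both th_abs and th_norm must be met before alarming are assumptions made for this example; the sample objects are constructed.

```c
/* Added example, not the NOZZLE paper's code: a toy version of the object scan
 * the design slides describe. Decodes a small x86 subset from every byte offset,
 * follows control flow while the sequence stays valid, and counts how many entry
 * offsets flow through each byte. The opcode subset, the byte-level (not basic
 * block) measure and the "both thresholds" rule are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the instruction at buf[pos], or 0 if it is outside the toy subset or
 * disallowed (int3 0xCC, int 0xCD, hlt 0xF4, in/out, jump outside the object,
 * truncated). *next = successor offset, or -1 when control leaves the object. */
static int decode(const uint8_t *buf, size_t len, size_t pos, long *next)
{
    uint8_t op = buf[pos];
    int ilen;
    *next = -1;
    if (op == 0x90 || (op >= 0x40 && op <= 0x4F))                  ilen = 1; /* nop; inc/dec r32 */
    else if (op == 0x04 || op == 0x0C || op == 0x24 || op == 0x34) ilen = 2; /* add/or/and/xor al, imm8 */
    else if (op == 0xEB)                                           ilen = 2; /* jmp rel8 */
    else if (op == 0xC3)                                           return 1; /* ret: leaves the object */
    else                                                           return 0; /* not decoded by this toy */
    if (pos + ilen > len) return 0;                                /* truncated at object end */
    if (op == 0xEB) {
        long target = (long)pos + ilen + (int8_t)buf[pos + 1];
        if (target < 0 || (size_t)target >= len) return 0;          /* jump outside the object */
        *next = target;
    } else if (pos + ilen < len) {
        *next = (long)(pos + ilen);
    }
    return ilen;
}

/* Walk from every entry offset and count the entries passing through each byte.
 * A walk ends at an invalid instruction (that byte is not counted), when control
 * leaves the object, or on revisiting an offset (a loop). */
static void count_reach(const uint8_t *buf, size_t len, unsigned *reach)
{
    uint8_t *seen = malloc(len);
    memset(reach, 0, len * sizeof *reach);
    for (size_t entry = 0; entry < len; entry++) {
        long pos = (long)entry, next;
        memset(seen, 0, len);
        while (pos >= 0 && !seen[pos]) {
            seen[pos] = 1;
            if (decode(buf, len, (size_t)pos, &next) == 0) break;
            reach[pos]++;
            pos = next;
        }
    }
    free(seen);
}

/* Toy surface area of one object: the largest number of entry offsets that
 * converge on a single byte (the paper takes a maximum over basic blocks). */
unsigned object_surface(const uint8_t *buf, size_t len)
{
    unsigned *reach = calloc(len, sizeof *reach), best = 0;
    count_reach(buf, len, reach);
    for (size_t i = 0; i < len; i++)
        if (reach[i] > best) best = reach[i];
    free(reach);
    return best;
}

/* Heap-level decision: sum the per-object surface areas, normalize by the bytes
 * scanned, and alarm when the sum reaches th_abs (slides: 5 MB) and the
 * normalized value reaches th_norm (slides: 15%). */
int heap_alarm(const unsigned *sa, const size_t *sizes, size_t n,
               unsigned long th_abs, double th_norm)
{
    unsigned long total_sa = 0, total_bytes = 0;
    for (size_t i = 0; i < n; i++) { total_sa += sa[i]; total_bytes += sizes[i]; }
    return total_bytes > 0 && total_sa >= th_abs &&
           (double)total_sa / total_bytes >= th_norm;
}

/* Constructed samples: a 0x0C sled ("or al, 0x0C" at either alignment) followed
 * by stand-in shellcode, and an ordinary text buffer. */
static const uint8_t SHELLCODE[] = { 0x40, 0x41, 0x42, 0x90, 0xCC }; /* inc eax; inc ecx; inc edx; nop; int3 */
static const char BENIGN[] = "Hello, heap world! Nothing to see here.";

size_t build_sprayed_object(uint8_t *out, size_t sled_len)
{
    memset(out, 0x0C, sled_len);
    memcpy(out + sled_len, SHELLCODE, sizeof SHELLCODE);
    return sled_len + sizeof SHELLCODE;
}
unsigned sprayed_surface(void)
{
    uint8_t obj[128];
    return object_surface(obj, build_sprayed_object(obj, 64));  /* 69-byte object */
}
unsigned benign_surface(void) { return object_surface((const uint8_t *)BENIGN, sizeof BENIGN - 1); }

int main(void)
{
    printf("sprayed: %u of 69 entry offsets converge on one byte; benign: %u of %zu\n",
           sprayed_surface(), benign_surface(), sizeof BENIGN - 1);
    return 0;
}
```

Build with `cc -std=c99 -Wall nozzle_toy.c`. In the sprayed sample 68 of the 69 entry offsets converge on one byte, while in the text buffer no byte is reached from more than one entry (its only decodable bytes, 'H' and 'N', are each followed by a byte the toy rejects). Note where the hot byte lands: entries at odd sled offsets decode the last sled byte together with the first shellcode byte as `0C 40` and skip offset 64, so the byte every path shares is the nop at offset 67, not the shellcode start. That alignment effect is why real sleds use single-byte instructions or pad to the shellcode boundary, and why the paper measures the block reached rather than a single address. The toy treats every opcode it does not know as invalid, which makes ordinary data look safer than a full x86 decoder would; the slides' 80% local false-positive figure is the reason the real system needs the heap-wide threshold in heap_alarm rather than a per-object verdict.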
Implementation
• A binary rewriting infrastructure, Detours, is used to intercept the function calls that allocate and free memory
• Within Mozilla Firefox these routines are malloc, calloc, realloc and free, defined in MOZCRT19.dll
• Only objects larger than 32 bytes are considered
Implementation (cont.)
• The main function is rewritten to allocate a pool of N scanning threads used by NOZZLE
• An object is scanned when the next object is allocated, i.e. the scan covers the previously allocated object
• This leaves a time-of-check to time-of-use (TOCTTOU) window: the contents can change after the scan
Evaluation
Evaluation (cont.)
• 10 heavily-used benign web sites
• The 150 most visited sites as ranked by Alexa
False Positive Results
• Figure: false positive results with th_norm set at 15%
False Negative Evaluation
• 12 published heap spray pages
• 2,000 synthetic heap spray pages generated with Metasploit
  • advanced NOP engine
  • shellcode database
Performance
• Firefox version 2.0.0.16
• 2.4 GHz Intel Core 2 E6600 CPU
• Windows XP SP3
• 2 GB memory
Single Core
• Figure: performance overhead on a single core
2 Core
• Figure: performance overhead on two cores
Error Rate with Sampling
• Figure: error rate as the sampling rate is reduced
Porting for Adobe
• In February 2009, a remote code execution vulnerability was discovered in Adobe Acrobat and Adobe Reader
• NOZZLE correctly detected the heap spraying attack against it, determining that the attack surface of the heap was greater than 94%
Limitations
• TOCTTOU vulnerability: an object can be modified after it has been scanned
  • Rescans could be triggered when NOZZLE observes a significant number of heap stores
• Objects that start with an uninterpretable opcode
  • NOZZLE skips it and continues disassembling
• Attack with fewer malicious objects, staying under the threshold
  • The attacker then has a high probability of failure
Limitations (cont.)
• Jump into page
  • The attacker allocates page-size chunks of memory
  • With page alignment the shellcode sits at a fixed offset in every chunk, so a much smaller sled suffices
• Figure: three page-size chunks, each with shellcode at the same fixed offset from the page boundary
Thank You