Page 1: Nozzle: A Defense Against Heap Spraying Attacks

Ben Livshits, Paruj Ratanaworabhan, Ben Zorn

Page 2: A Brief History of Memory Exploits

[Chart: exploit frequency by year, 2000 to 2010. Attack waves: stack overflow, heap exploit, heap spraying. Defenses introduced in response: StackGuard, Vista heap layout randomization, Nozzle.]

Page 3: Stack Overflow Exploit

<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …&#3341;&#3341;"></IFRAME>

[Diagram: (1) the exploit overflows a stack buffer and overwrites the return address; (2) the return jumps into a nop sled on the stack that slides into the shellcode.]

Page 4: Heap Corruption Exploit

<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …&#3341;&#3341;"></IFRAME>

[Diagram: (1) the exploit corrupts a vtable pointer in the heap; (2) the hijacked indirect call jumps into a nop sled in the heap that slides into the shellcode.]

Page 5: Heap Spraying Exploit

<SCRIPT type="text/javascript">
  shellcode = unescape("%u4343%u4343%...");   // attacker payload (elided on the slide)
  oneblock = unescape("%u0C0C%u0C0C");         // sled unit: a 0x0C byte decodes as "or al, 0Ch"
  var fullblock = oneblock;
  while (fullblock.length < 0x40000) {         // double the sled until it is 0x40000 characters
    fullblock += fullblock;
  }
  sprayContainer = new Array();
  for (i = 0; i < 1000; i++) {                 // 1000 copies of sled + shellcode fill the heap
    sprayContainer[i] = fullblock + shellcode;
  }
</SCRIPT>

<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …&#3341;&#3341;"></IFRAME>

[Diagram: (1) the exploit corrupts a vtable pointer in the heap; (2) the script sprays the heap with many copies of sled + shellcode; (3) the hijacked indirect call jumps to an address that lands in one of the sleds and slides into the shellcode.]

Page 6: Kittens of Doom. Is no data sacred?

• Spraying: general attack
  – Embed malicious code in images, documents, DLLs, etc.
  – Image example: comments, transformed data
• Documented at BH'08

Page 7: Heap Spraying is a Real Problem

• Drive-by exploits
  – Just visiting a site can compromise your whole machine

Page 8: Nozzle Overview

Heap Spraying
• Relies on a pre-existing exploit (in C/C++)
• Spraying in a type-safe language
  – JavaScript, C#, Java
  – JIT-ed languages: good targets
• Randomization doesn't help
• Browsers are a popular target

Nozzle
• Detect / mitigate heap spray attacks
• Monitors the heap for suspicious activity
• Compare to HW "no-execute" page protection
  – More compatible
  – Doesn't just crash
• Focus on the browser, but applicable to all applications

Page 9: Nozzle Architecture

[Diagram: the browser process contains the browser heap and the browser threads; the Nozzle detector runs alongside them and consumes the allocation history.]

NOZZLE threads:
• Monitor allocations
• Interpret heap objects as code
• Maintain a global heap health metric

Page 10: Nozzle Experimental Summary

0 False Positives
• 150 top Web sites
• 10 popular AJAX sites

0 False Negatives
• 12 published heap spraying exploits and
• 2000 synthetic rogue pages generated using Metasploit

Runtime Overhead
• As high as 2x without sampling
• 5-10% with sampling

Page 11: Local vs. Global Detection

Code or Data?

Local Detection: Is this object dangerous?
• Code and data: same on x86
• Local detection: 80% FP rate

  000000000000000000… → add [eax], al; add [eax], al; add [eax], al; …
  010101010101010101… → and ah, [edx]; and ah, [edx]; and ah, [edx]; …

Global Detection: Is my heap under attack?
• Nozzle: collections of objects
• Sprayed heap: large attack surface

Page 12: Nozzle Global Heap Metric

[Figure: disassemble a heap object, build its CFG, and run dataflow over it (legend: arithmetic, memory, I/O or syscall, control flow; arrows marked "to target block"). Compute the threat of a single block, SA(Bi); of a single object o, SA(o); of the entire heap, SA(H); then normalize to NSA(H), approximately P(jump will cause exploit).]

Page 13: Attack Surface Calculation

• Extract control flow graph (CFG) from heap object
• SA(Bi) = likelihood of ending in Bi if we land within object boundaries
• A BB contributes its effective size to another BB's SA if there is a path to that other BB
• BB containing prohibitive instructions has zero effective size
  – int, out, hlt, or ltr

An example object from visiting google.com (figure: basic blocks A, B, C, D; legend: arithmetic, memory, I/O or syscall, control flow; arrows marked "to target block"). Disassembly shown:

  in eax, 0x11
  sub [eax], eax
  adc dh, bh
  jecxz 021c7fd8
  test cl, ah
  add al, 30h
  add al, 80h
  or eax, 0d172004h
  outs dx, [esi]
  jecxz 021c7fde
  add [ecx], 0
  add [eax], al
  xor [eax], eax
  add al, 38h
  imul eax, [eax], 6ch
  or eax, 0d179004h
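The metric described on pages 12 and 13, carried through as an added worked example. This is not the Nozzle code: the real tool disassembles each heap object as x86 and builds the CFG itself; here every object is supplied as an already-extracted CFG, and all the objects (the text buffer, the small A-D object, the sprayed sled + shellcode objects) are constructed for illustration. Treating in, ins and outs as prohibitive alongside the slide's int/out/hlt/ltr, taking the maximum block as the object score, size-weighting objects for the heap score, and the 20% threshold from the false-positive page are this example's assumptions.

```python
"""Simplified Nozzle-style attack-surface metric (added example, not the
Nozzle code). Each heap object is given as a CFG already extracted by a
disassembler; the x86 decoder itself is out of scope. All CFGs below are
constructed for illustration."""
from dataclasses import dataclass, field

# Instructions that abort a sled: landing on them faults or traps. The slide
# lists int, out, hlt, ltr; in/ins/outs are added here as the same I/O class
# (assumption of this example).
PROHIBITIVE = {"int", "out", "outs", "hlt", "ltr", "in", "ins"}
THRESHOLD = 0.20  # NSA level that produced no false positives (page 19)


@dataclass
class Block:
    name: str
    size: int                 # bytes covered by the block
    mnemonics: list           # instruction mnemonics decoded inside it
    succs: list = field(default_factory=list)  # CFG successors inside the object

    def effective_size(self):
        return 0 if any(m in PROHIBITIVE for m in self.mnemonics) else self.size


@dataclass
class HeapObject:
    name: str
    blocks: dict  # block name -> Block

    @property
    def size(self):
        return sum(b.size for b in self.blocks.values())


def predecessors_closure(obj, target):
    """Every block with a CFG path to `target`, including `target` itself."""
    preds = {n: [] for n in obj.blocks}
    for b in obj.blocks.values():
        for s in b.succs:
            preds[s].append(b.name)
    seen, work = set(), [target]
    while work:
        n = work.pop()
        if n not in seen:
            seen.add(n)
            work.extend(preds[n])
    return seen


def block_surface(obj, target):
    """SA(Bi): share of the object's bytes from which a landing ends in Bi."""
    reach = predecessors_closure(obj, target)
    return sum(obj.blocks[n].effective_size() for n in reach) / obj.size


def object_surface(obj):
    """SA(o): the attacker only needs the single most reachable block."""
    return max(block_surface(obj, n) for n in obj.blocks)


def heap_surface(objs):
    """NSA(H): size-weighted SA(o) over the heap, roughly the chance that a
    jump to a random heap address runs some object's best target block
    (size weighting is this example's simplification of SA(H)/NSA(H))."""
    total = sum(o.size for o in objs)
    return sum(object_surface(o) * o.size for o in objs) / total


def under_attack(objs, threshold=THRESHOLD):
    return heap_surface(objs) > threshold


# --- constructed heap contents (not real allocations) ---------------------
# Benign: an ASCII text buffer. Bytes 0x6E/0x6F ('n','o') decode as outs and
# 0x6C/0x6D ('l','m') as ins, so nearly every block of text contains a
# prohibitive instruction and contributes nothing.
TEXT_BUF = HeapObject("text_buf", {
    "T0": Block("T0", 1000, ["outs", "jo"], ["T1"]),
    "T1": Block("T1", 1500, ["ins", "jno"], ["T2"]),
    "T2": Block("T2", 1596, ["add", "outs"], []),
})
# Benign: a small object shaped like page 13's example (blocks A-D; in and
# outs are I/O; the last jecxz leaves the object). Edges are assumed.
SMALL_OBJ = HeapObject("small_obj", {
    "A": Block("A", 5, ["in", "sub"], ["B"]),
    "B": Block("B", 6, ["adc", "jecxz"], ["C", "D"]),
    "C": Block("C", 9, ["test", "add", "add", "or"], ["D"]),
    "D": Block("D", 10, ["outs", "jecxz"], []),
})


def spray_object(i):
    # fullblock + shellcode from page 5: 0x40000 UTF-16 chars of %u0C0C is
    # 0x80000 bytes of 0x0C, a straight run of "or al, 0Ch" (one basic block)
    # that falls through into the shellcode.
    return HeapObject(f"spray_{i}", {
        "S": Block("S", 0x80000, ["or"], ["X"]),
        "X": Block("X", 300, ["xor", "push", "call"], []),
    })


BENIGN_HEAP = [TEXT_BUF, SMALL_OBJ]
SPRAYED_HEAP = BENIGN_HEAP + [spray_object(i) for i in range(3)]

if __name__ == "__main__":
    for name, heap in (("benign", BENIGN_HEAP), ("sprayed", SPRAYED_HEAP)):
        print(f"{name}: NSA={heap_surface(heap):.3f} attack={under_attack(heap)}")
```

The small object scores SA(o) = 0.5 on its own, which is exactly the kind of noise behind the 80% false-positive rate of local detection on page 11; weighting by size puts the benign heap at about 0.004, far below the 20% threshold, while three sprayed objects push NSA(H) to about 0.997.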

Page 14: economist.com versus mw-612 (actual attack)

[Chart: Normalized Surface Area (y-axis) against logical time, measured in number of allocations/frees (x-axis), for economist.com and the mw-612 attack.]

Page 15: Nozzle Runtime Overhead

[Chart: runtime overhead per benchmark site; bar labels 3.2, 3.6, 2.2, 5.1, 13.8, 3.4, 8.0, 9.1, 3.2, 4.0; axis marks 4X, 50%, 20%, 10%.]

Page 16: Summary

• Heap spraying is a real threat to Windows, Office, …
  – Can be launched with JavaScript, C#, Java, images, mp3s, …
  – Code/data is difficult to distinguish
  – Published approaches fail
• Heap spraying affects global heap health
  – Detected by Nozzle
  – Effectively identifies spraying at low cost
  – Product groups have already expressed interest

Page 17: Future Work

• Closely integrate Nozzle with
  – IE
  – .NET/CLR (garbage-collected heap vulnerable too)
• Improve filtering, anticipate new attacks
• Mitigate after detecting
• Address TOCTOU with GC and/or identifying stores to heap

Page 18: Nozzle: A Defense Against Heap Spraying Attacks (closing slide)

Ben Livshits, Paruj Ratanaworabhan, Ben Zorn

Page 19: False positive results

[Chart: maximum normalized SA for the Alexa top 150 sites (top) and 10 selected sites (bottom); y-axis 0 to 0.12.]

• No more than 12% of max SA reported
• No false positives reported for 20% threshold
• What about SA for rogue sites?

Page 20: Backup: SA for various benign sites

Page 21: Nozzle versus DEP

• DEP prevents code execution in non-executable (data) memory

But,
• Can be disabled at runtime
• Has compatibility issues
• Circumvented with Java (Applet)

Nozzle is more compatible and more selective

Page 22: False negative results

• 12 published heap spray pages
• 2000 synthetic heap spray pages
  – Use Metasploit's advanced NOP engine and shellcode database

Maximum normalized SA:

                      mean   std
  published exploits  0.98   0.01   (over 8 times the max of the benign sites)
  synthetic exploits  0.76   0.02   (over 6 times the max of the benign sites)

Page 23: Effect of sampling on max SA calculation

• Test with the 10 selected sites
• Measure the error with respect to 100% (no sampling)

[Chart: average error rate (x-axis 0 to 0.3) at sampling rates 25%, 10%, 5%, 1%, 0.10%.]