Nozzle: A Defense Against Heap Spraying Attacks
Ben Livshits, Paruj Ratanaworabhan, Ben Zorn
A Brief History of Memory Exploits
[Figure: timeline of memory-exploit frequency by year, 2000 to 2010, marking: Stack overflow, StackGuard, Heap exploit, Vista heap layout randomization, Heap spraying, Nozzle]
Stack Overflow Exploit
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …"></IFRAME>
[Figure: stack layout; (1) the exploit overflows a stack buffer and overwrites the return address, (2) the return jumps into a nop sled that leads to the shellcode]
Heap Corruption Exploit
(same IFRAME overflow as on the previous slide)
[Figure: heap layout; (1) the exploit corrupts a heap object's vtable pointer, (2) the corrupted pointer jumps into a nop sled that leads to the shellcode]
Heap Spraying Exploit
<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");       // payload bytes, elided on the slide
oneblock = unescape("%u0C0C%u0C0C");            // 4-byte sled pattern
var fullblock = oneblock;
while (fullblock.length < 0x40000) { fullblock += fullblock; }   // double the sled block until its length reaches 0x40000
sprayContainer = new Array();
for (i = 0; i < 1000; i++) { sprayContainer[i] = fullblock + shellcode; }   // 1000 sled+shellcode copies fill the heap
</SCRIPT>
(same IFRAME overflow as on the stack overflow slide)
[Figure: heap filled with repeated sled/shellcode pairs; (1) the exploit corrupts a vtable pointer, (2) the script sprays the heap, (3) the corrupted pointer jumps into one of the sleds]
Kittens of Doom. Is no data sacred?
• Spraying: general attack
– Embed malicious code in images, documents, DLLs, etc.
– Image example:
  • Comments
  • Transformed data
• Documented at BH’08
Heap Spraying is a Real Problem
• Drive-by exploits
– Just visiting a site can compromise your whole machine
Nozzle Overview
Heap Spraying
• Relies on pre-existing exploit (in C/C++)
• Spraying in type-safe language
– JavaScript, C#, Java
– JIT-ed languages: good targets
• Randomization doesn’t help
• Browsers are popular target
Nozzle
• Detect / mitigate heap spray attack
• Monitors heap for suspicious activity
• Compare to HW “no-execute” page protection
– More compatible
– Doesn’t just crash
• Focus on browser, but applicable to all applications
Nozzle Architecture
[Figure: browser process containing the browser heap, the browser threads, an allocation history and the Nozzle detector threads]
Nozzle threads:
• Monitor allocations
• Interpret heap objects as code
• Maintain a global heap health metric
Nozzle Experimental Summary
0 False Positives
• 150 top Web sites
• 10 popular AJAX sites
0 False Negatives
• 12 published heap spraying exploits and
• 2000 synthetic rogue pages generated using Metasploit
Runtime Overhead
• As high as 2x without sampling
• 5-10% with sampling
Local vs. Global Detection
Code or Data?
Local Detection: Is this object dangerous?
• Code and data: same on x86
• Local detection: 80% FP rate
00 00 00 00 … disassembles as: add [eax], al; add [eax], al; add [eax], al; …
01 01 01 01 … disassembles as: and ah, [edx]; and ah, [edx]; and ah, [edx]; …
Global Detection: Is my heap under attack?
• Nozzle: collections of objects
• Sprayed heap: large attack surface
Nozzle Global Heap Metric
[Figure: metric pipeline, build CFG → dataflow → SA(Bi) for each block Bi of object o → SA(o) → SA(H) → NSA(H)]
Legend: arithmetic | memory | I/O or syscall | control flow
Example disassembly of one heap object (the arrow marked "To target block" leads to the block a sled ends in):
in eax, 0x11
sub [eax], eax
adc dh, bh
jecxz 021c7fd8
test cl, ah
add al, 30h
add al, 80h
or eax, 0d172004h
outs dx, [esi]
jecxz 021c7fde
add [ecx], 0
add [eax], al
xor [eax], eax
add al, 38h
imul eax, [eax], 6ch
or eax, 0d179004h
Steps:
• Compute threat of single block: SA(Bi)
• Compute threat of single object: SA(o)
• Compute threat of entire heap: SA(H)
• Normalize to (approx) P(jump will cause exploit): NSA(H)
Attack Surface Calculation
• Extract control flow graph (CFG) from heap object
• SA(Bi) = likelihood of ending in Bi if we land within object boundaries
• A BB contributes its effective size to another BB’s SA, if there is a path to that other BB
• BB containing prohibitive instructions has zero effective size
– int, out, hlt, or ltr
An example object from visiting google.com
[Figure: the disassembly listing above split into basic blocks A, B, C and D, with the same legend (arithmetic, memory, I/O or syscall, control flow) and an arrow "To target block"]
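As an added example, not code from the slides or from the Nozzle implementation itself: a small Python model of the attack surface computation described on the previous slide, run over constructed heap objects. The CFG shapes, block sizes and mnemonics are assumptions (one object is loosely modelled on the google.com listing above), and counting `in` and `outs` as prohibitive alongside the slide's int/out/hlt/ltr is also an assumption. It also shows the local-versus-global point from the earlier slide: a zero-filled buffer scores as a perfect sled on its own, but the heap-level normalized metric stays low until many sled-shaped objects fill the heap.

```python
from collections import deque
from dataclasses import dataclass

# Prohibitive instructions: int, out, hlt, ltr are the four named on the slide;
# counting `in` and `outs` as well is an assumption (they are the I/O instructions
# in the slide's google.com listing).
PROHIBITIVE = frozenset({"int", "out", "hlt", "ltr", "in", "outs"})


@dataclass(frozen=True)
class BasicBlock:
    name: str
    size: int          # bytes this block occupies inside the object
    mnemonics: tuple   # distinct mnemonics a disassembler found in the block
    succ: tuple        # names of successor blocks in the object's CFG


def effective_size(block):
    """A block holding a prohibitive instruction cannot be slid through, so it counts as 0 bytes."""
    return 0 if PROHIBITIVE.intersection(block.mnemonics) else block.size


def reachable(cfg, start):
    """Names of all blocks reachable from `start`; a block reaches itself."""
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in cfg[todo.popleft()].succ:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def surface_area_block(cfg, target):
    """SA(Bi): every block with a path to Bi contributes its effective size."""
    return sum(effective_size(b) for b in cfg.values() if target in reachable(cfg, b.name))


def surface_area_object(cfg):
    """SA(o): the object's threat is decided by its most reachable block."""
    return max(surface_area_block(cfg, name) for name in cfg)


def object_size(cfg):
    return sum(b.size for b in cfg.values())


def normalized_heap_surface_area(heap):
    """NSA(H) = SA(H) / |H|, where SA(H) sums SA(o) over every object on the heap.
    Approximately the probability that a random jump into the heap ends on a sled's target block."""
    total = sum(object_size(o) for o in heap)
    return sum(surface_area_object(o) for o in heap) / total if total else 0.0


def heap_under_attack(heap, threshold=0.20):
    """20% is the threshold the false-positive slide reports as clean on the benign sites."""
    return normalized_heap_surface_area(heap) >= threshold


# ---- constructed sample objects (CFG shapes, sizes and mnemonics are assumptions) ----
# 64 zero bytes: one straight-line block of "add [eax], al", no prohibitive instructions.
ZERO_FILLED = {"Z": BasicBlock("Z", 64, ("add",), ())}
# Loosely modelled on the google.com listing: the blocks with `in` and `outs` get effective size 0.
EXAMPLE_OBJ = {
    "A": BasicBlock("A", 16, ("in", "sub", "adc", "jecxz"), ("B", "C")),
    "B": BasicBlock("B", 24, ("test", "add", "or"), ("D",)),
    "C": BasicBlock("C", 12, ("outs", "jecxz"), ("D",)),
    "D": BasicBlock("D", 12, ("add", "xor", "imul", "or"), ()),
}
# Ordinary data buffer whose disassembly hits an `int`: contributes nothing.
DATA_OBJ = {"T": BasicBlock("T", 1024, ("mov", "int"), ())}
# Sprayed object: a long sled that falls straight through into a payload block.
SPRAY_OBJ = {
    "sled": BasicBlock("sled", 4096, ("or",), ("payload",)),
    "payload": BasicBlock("payload", 64, ("call", "xor"), ()),
}
BENIGN_HEAP = [DATA_OBJ] * 10 + [ZERO_FILLED, EXAMPLE_OBJ]
SPRAYED_HEAP = BENIGN_HEAP + [SPRAY_OBJ] * 50

if __name__ == "__main__":
    print("local SA of zero-filled object:", surface_area_object(ZERO_FILLED), "of", object_size(ZERO_FILLED))
    print("NSA benign heap:  %.4f" % normalized_heap_surface_area(BENIGN_HEAP))
    print("NSA sprayed heap: %.4f" % normalized_heap_surface_area(SPRAYED_HEAP))
```

Judged alone, the zero-filled object has SA(o) equal to its whole size, which is exactly the local false positive the slides warn about; the benign heap as a whole still sits far below the 20% threshold, while the sprayed heap, dominated by sled bytes, crosses it. The per-block check does the reachability walk once per block pair, which is fine for the few blocks a heap object usually disassembles into.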
economist.com versus mw-612 (actual attack)
[Figure: normalized surface area over logical time (number of allocations/frees) for economist.com versus mw-612 (actual attack)]
Nozzle Runtime Overhead
[Figure: runtime overhead bar chart; series labelled 4X, 50%, 20%, 10%; values annotated on the bars: 3.2 3.6 2.2 5.1 13.8 3.4 8.0 9.1 3.2 4.0]
Summary
• Heap spraying is a real threat to Windows, Office, …
– Can be launched with JavaScript, C#, Java, Images, mp3s, …
– Code/data is difficult to distinguish
– Published approaches fail
• Heap spraying affects global heap health
– Detected by Nozzle
– Effectively identifies spraying at low cost
– Product groups have already expressed interest
Future Work
• Closely integrate Nozzle with
– IE
– .NET/CLR (garbage-collected heap vulnerable too)
• Improve filtering, anticipate new attacks
• Mitigate after detecting
• Address TOCTOU with GC and/or identifying stores to heap
False positive results
[Figure: maximum normalized SA per site, y axis 0 to 0.12]
• No more than 12% of max SA reported
• No false positives reported for 20% threshold
• What about SA for rogue sites?
Backup: SA for various benign sites
[Figure: maximum normalized SA for Alexa top 150 (top) and 10 selected sites (bottom); y axis 0 to 0.12]
Nozzle versus DEP
• DEP prevents code execution in memory
But,
• Can be disabled at runtime
• Has compatibility issues
• Circumvented with Java (Applet)
Nozzle is more compatible and more selective
False negative results
• 12 published heap spray pages
• 2000 synthetic heap spray pages
– Use Metasploit’s advanced NOP engine and shellcode database
Maximum normalized SA:
                     mean   std
published exploits   0.98   0.01   (over 8 times the max of the benign sites)
synthetic exploits   0.76   0.02   (over 6 times the max of the benign sites)
Effect of sampling on max SA calculation
• Test with the 10 selected sites
• Measure the error with respect to 100%
[Figure: average error rate (0 to 0.3) of the max SA calculation at sampling rates 25%, 10%, 5%, 1% and 0.10%]