Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks

Similar documents
Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks

Micro-Virtualization Memory Tracing to Detect and Prevent Spraying Attacks

Heaps of Heap-based Memory Attacks

Remix: On-demand Live Randomization

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Outline. Memory Exploit

What Cannot be Read, Cannot be Leveraged?

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Digital Forensics Lecture 02 PDF Structure

From Assembly to JavaScript and Back

SoK: Eternal War in Memory

Software Security II: Memory Errors - Attacks & Defenses

Advanced Buffer Overflow

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Bypassing Browser Memory Protections

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

DICE: A NONDETERMINISTIC MEMORY ALIGNMENT DEFENSE AGAINST HEAP TAICHI

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

Advanced Buffer Overflow

Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying

An NCC Group Publication. Exploiting CVE Prepared by: Katy Winterborn. Copyright 2015 NCC Group

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

How to Impress Girls with Browser Memory Protection Bypasses

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Teflon: Anti-stick for the browser's attack surface

Return-orientated Programming

CSC 405 Computer Security Stack Canaries & ASLR

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Outline. Format string attack layout. Null pointer dereference

in memory: an evolution of attacks Mathias Payer Purdue University

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Smashing the Buffer. Miroslav Štampar

20: Exploits and Containment

CS 161 Computer Security

Hackveda Training - Ethical Hacking, Networking & Security

Defeating Return-Oriented Rootkits with Return-less Kernels

Vulnerability Analysis I:

Outline. Heap meta-data. Non-control data overwrite

Adaptive Android Kernel Live Patching

Runtime Defenses against Memory Corruption

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

Memory Deduplication: The Curse that Keeps on Giving

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Undermining Information Hiding (And What to do About it)

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Advanced Systems Security: Program Diversity

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Shellcode Analysis. Chapter 19

Patching Exploits with Duct Tape: Bypassing Mitigations and Backward Steps

CSE 127 Computer Security

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

CSE 127 Computer Security

Preventing Use-after-free with Dangling Pointers Nullification

Advanced Systems Security: Control-Flow Integrity

Introduction to software exploitation ISSISP 2017

Lecture 10 Code Reuse

JITDefender: A Defense against JIT Spraying Attacks

Writing Exploits. Nethemba s.r.o.

Writing your first windows exploit in less than one hour

A Heap of Trouble Exploiting the Linux Kernel SLOB Allocator

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring

TABLE OF CONTENT 1. Abstract: Terminology Introduction Basic Shellcoding Solving The Addressing Problem Hash API

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

From bottom to top: Exploiting hardware side channels in web browsers

Using type analysis in compiler to mitigate integer-overflow-to-buffer-overflow threat

PlatPal: Detecting Malicious Documents with Platform Diversity

Metasploit Exploit CVE MS IE7 CFunctionPointer Uninitialized Memory Corruption

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Invasion of Malware Evading the Behavior-based Analysis

Exploit Mitigation - PIE

Back To The Epilogue

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

Operating Systems. 11. Memory Management Part 3 Kernel Memory Allocation. Paul Krzyzanowski Rutgers University Spring 2015

Buffer Overflow and Protection Technology. Department of Computer Science,

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

BLACKBERRY PWNAGE THE BLUEJAY STRIKES

Inline Reference Monitoring Techniques

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

Performance Bugs and How to Find Them

CS 161 Computer Security

Abusing Silent Mitigations

Kernel Self Protection

CSE 509: Computer Security

Atomizer: Fast, Scalable and Lightweight Heap Analyzer for Virtual Machines in a Cloud Environment

Lecture 08 Control-flow Hijacking Defenses

A File-System-Aware FTL Design for Flash Memory Storage Systems

CS399 New Beginnings. Jonathan Walpole

Breaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX. Yeongjin Jang, Sangho Lee, and Taesoo Kim Georgia Institute of Technology

Taintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Transcription:

Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks Yu Ding 1, Tao Wei 1, Tielei Wang 1, Zhenkai Liang 2, Wei Zou 1 1 Peking University, 2 National University of Singapore

A Typical Heap-Spraying Attack var cc = unescape("%u0c0c"); var sc = unescape("%u785c%u3334...") while (cc.length * 2 < 0x100000) cc+=cc; cc=cc.substring(sc.length + 0x38, 0x100000/2); var m = new Array(); for(i = 0; i < 200; i++) m[i] = cc + sc; PC landing points Heap Area nop-sledge nop-sledge nop-sledge nop-sledge nop-sledge nop-sledge 2 landing area

Existing Solutions Measure how much of the heap can be used as nop-sledge Because of randomization (ASLR), the large amount of nop instructions is required. A direct detection method is to measure how much of the heap can be used as nop-sledge and flows to a common sink. Surface Area But how reliable the randomization is? sizeof(heap data that can be used as nop-sledge) Normalized Surface Area = Surface Area / sizeof (all heap data) If the NSA > threshold, generate an alarm. Heap Area nop-sledge nop-sledge nop-sledge nop-sledge nop-sledge nop-sledge Nozzle [USENIX'09] 3

Observation Memory Allocation Granularity The memory allocation is much more predictable than expected. E.g. address 0c0c0c0c can only be 8 possible positions in a 512kbytes block 0x0c050000 0x0c060000 0x0c0c0c0c Memory Address 512kbytes offset heap = 0x70c0c memory block 64Kbytes offset = 0x60c0c offset = 0x50c0c offset = 0x70c0c offset = 0x60c0c offset = 0x40c0c offset = 0x50c0c offset = 0x30c0c offset = 0x40c0c offset = 0x30c0c offset = 0x20c0c offset = 0x20c0c 0x0c0c0c0c offset = 0x10c0c offset = 0x10c0c offset = 0x00c0c offset = 0x00c0c 4

Proof of Concept: Heap Taichi Memory allocation granularity makes defense mechanisms less flexible We discuss a few transformations to reduce heapspraying attacks footprint without loosing its Countering force with agility 以柔克刚 5

Basic Structure of TypeA (Passing Flower)aa alignment size = 64Kbytes blocksize = 512Kbytes NSA(sledge) 7 / 512K 0% 6

The Structure of TypeA Attack (Detail) A sample JavaScript code creating Type A heap objects The size of each heap memory block is 1Mbytes. Try to allocate 200 heap memory blocks to cover address 0x0c0c0c0c 7

Basic Structure of TypeB (Jumping together) alignment size = 64Kbytes blocksize = 512Kbytes NSA(sledge) 7 / 512K 0% 8

Basic Structure of TypeC (Returning Home) alignment size = 64Kbytes blocksize = 512Kbytes NSA sizeof() / 512K 0% 9

A Mix Type of TypeA, B, C than the alignment size? What if the is larger 10

The TypeD Attack (alignment size = 32bytes) sc piece sc piece sc piece sc piece To a entry header jmp sc piece 5 bytes less or equal to 25 bytes tail jmp To the next sc piece 2bytes 11 AVAILABLE LANDING POSITIONS a linked

The TypeD Attack (alignment size = 32bytes) linked linked linked linked 12

More complicated jumps 13

Relationship between Attack Type and Alignment Size Summarize Alignment size Type A Type B Type C Type D 64 kbytes 32 bytes X 8 bytes X X 4 bytes X X X Small amount of instructions keep high success rate with help of memory allocation granularity. 14

Evaluation of Heap Taichi Attack Surface Area Calculation 15

Detecting Heap Taichi Attacks 16

Detecting Heap Taichi Alignment size Type A Type B Type C Type D 64 kbytes 32 bytes X 8 bytes X X 4 bytes X X X 1. Decrease the alignment size. 2. Improve the normalized surface TypeC area calculation. and TypeD can Coarse memory allocation evade Nozzle algorithm granularity helps hide the using multiple copies of and jump instructions. 17

Difficulty in Lower the Memory Allocation Granularity Our Approach: We modified JSarena and Firefox to support 8-byte alignment size Application alignment size =2Mbytes JSarena in Firefox Library alignment size = 8 bytes? jemalloc tcmalloc Kernel heap manager (Windows) SLUB allocator (Linux) 18

8-byte alignment is feasible The performance overhead is less than 5% 1300 1250 1200 1150 1100 1050 1000 Sunspider Benchmark Firefox Modified Firefox 400 350 300 250 200 150 100 50 0 V8 Benchmark Firefox Modified Firefox 19

Enhance Nozzle (Alignment size = 8 bytes) A B C 20

Enhance Nozzle (Alignment size = 8 bytes) On offset 0x2 On offset 0x5 Success rate on offset 0x2 = 1/3 = 33% 21

RELATED WORK Shellcode-based detection Egele et, al. DIMVA'09 Sam Small et, al. CCS'09 Yingbo Song et,al. CCS'07 Heap spraying with ASLR The granularity is still ytes Heap spraying with DEP DEP can be bypassed Peter Vreugdenhil, Pwn2Own Solid Heap Memory Allocator DieHard, DieHarder Memory exploit detection and prevention 22

Conclusion We analysis the weakness of memory alignment size. We present Heap Taichi, a new heap-spraying skill utilizing the weakness of memory alignments. We present an enhanced nozzle algorithm. The new algorithm can recognize these Heap Taichi attacks cooperating with finer memory allocation granularity. 23

Thank you! 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback