Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Heap spraying poses a significant threat to vulnerable applications that support embedded scripting languages like JavaScript and ActionScript. Nozzle offers a defense against this type of code injection attack: by detecting suspicious activity in the runtime heap, it lets a web browser recognize potential threats from malicious sites.
Presentation Transcript
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Paruj Ratanaworabhan, Cornell University
Ben Livshits and Ben Zorn, Microsoft Research (Redmond, WA)
Heap Spraying is a Problem
- Common element: all vulnerable applications support embedded scripting languages (JavaScript, ActionScript, etc.)
- Firefox 3.5, July 14, 2009: http://www.web2secure.com/2009/07/mozilla-firefox-35-heap-spray.html
- Flash, July 23, 2009: http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html
- Adobe Acrobat / Reader, February 19, 2009
Drive-By Heap Spraying
- (diagram: a drive-by visit to a malicious page, ending with the victim "Owned!")
Drive-By Heap Spraying (2)
- (diagram: program heap with "ok" and "bad" regions and the PC; label: ASLR prevents the attack)
- Creates the malicious object:
    <HTML>
    <SCRIPT language="text/javascript">
    shellcode = unescape("%u4343%u4343%...");
    </SCRIPT>
- Triggers the jump:
    <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
            NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC">
    </IFRAME>
    </HTML>
Drive-By Heap Spraying (3)
- (diagram: program heap now mostly "bad" regions with a few "ok" ones)
    <SCRIPT language="text/javascript">
    shellcode = unescape("%u4343%u4343%...");
    oneblock = unescape("%u0C0C%u0C0C");
    var fullblock = oneblock;
    while (fullblock.length < 0x40000) {
        fullblock += fullblock;
    }
    // Allocate 1000s of malicious objects
    sprayContainer = new Array();
    for (i = 0; i < 1000; i++) {
        sprayContainer[i] = fullblock + shellcode;
    }
    </SCRIPT>
Kittens of Doom
- What data can you trust?
- Heap spraying is quite general and easy to implement
- Many applications allow scripts in type-safe languages
  - JavaScript, ActionScript
  - Java, C#
- Many applications accept data from untrusted sources
  - Embed malicious code in images, documents, DLLs, etc. [Sotirov & Dowd BH 08]
Nozzle Runtime Heap Spraying Detection
- Application: web browser
- Nozzle answers: how much of my heap is suspicious?
- (chart: normalized surface area against logical time, measured in number of allocations/frees; the curve for a malicious site rises far above the curve for a normal site)
Outline
- Nozzle design & implementation
- Evaluation
  - False positives
  - False negatives
  - New threats (Adobe Reader)
- Summary
Nozzle Design
- (diagram: application threads create and initialize objects on the application heap; Nozzle threads repeatedly pick an object, scan it and classify it as benign or suspect)
- Advantages
  - Just need to hook standard APIs: malloc, free, HeapAlloc, HeapFree, etc.
  - Monitor new applications using Detours
  - Can be applied to existing binaries
Local Malicious Object Detection
- Is this object dangerous?
- Code or data? Is this object code?
  - Code and data look the same on x86
  - Focus on sled detection: the majority of the object is sled, and spraying scripts build simple sleds
- Is this code a NOP sled?
  - Previous techniques do not look at the heap
  - Many heap objects look like NOP sleds: 80% false positive rates using previous techniques
  - Need stronger local techniques
- (figure: a NOP sled followed by shellcode, shown as byte runs such as 00 00 ... and 01 01 ... that disassemble to repeated instructions like add [eax], al and and ah, [edx]; plain data containing such runs looks the same)
Object Surface Area Calculation (1)
- Assume: the attacker wants to reach shellcode from a jump to any point in the object
- Goal: find blocks that are likely to be reached via control flow
- Strategy: use dataflow analysis to compute the surface area of each block
- (figure: an example object from visiting google.com)
Object Surface Area Calculation (2)
- Each block starts with its own size as its weight
- Weights are propagated forward with the flow
- Invalid blocks don't propagate
- Iterate until a fixpoint is reached
- Compute the block with the highest weight
- (figure: the example object from visiting google.com, annotated with block sizes and propagated weights)
Nozzle Global Heap Metric
- Compute the threat of a single block: SA(Bi). Build the CFG of the object's bytes and run the dataflow to the target block
- Compute the threat of a single object: SA(o)
- Compute the threat of the entire heap: SA(H), over all objects
- Normalize to NSA(H), approximately P(jump will cause exploit)
- (figure: a disassembled object as a CFG with dataflow arrows leading to the target block; legend: arithmetic, memory, I/O or syscall, control flow instructions)
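The weight propagation of slide 12 and the SA/NSA metrics of slide 13, worked in Python as an added example (not the Nozzle authors' code). The reach-set propagation rule, the rule that only a valid block can be the target, and the Block description are this example's own simplifications, and the two sample objects are constructed.

```python
# Added example, not Nozzle's code: slide 12's block-weight fixpoint and
# slide 13's per-object / per-heap metrics on constructed objects. Assumed
# rule: a block's weight is the total size of the valid blocks that can flow
# into it (itself included); reach-sets keep the iteration convergent on loops.
from typing import Dict, List, NamedTuple, Set

class Block(NamedTuple):
    size: int         # bytes covered by this basic block
    valid: bool       # False if the bytes do not decode to valid x86
    succ: List[str]   # control-flow successors (fall-through, jump targets)

def block_weights(cfg: Dict[str, Block]) -> Dict[str, int]:
    """Forward dataflow: reaches[S] |= reaches[B] for every valid B -> S edge,
    iterated to a fixpoint; weight[B] = sum of sizes over reaches[B]."""
    reaches: Dict[str, Set[str]] = {b: {b} for b in cfg}
    changed = True
    while changed:
        changed = False
        for b, blk in cfg.items():
            if not blk.valid:
                continue  # an invalid block never propagates its flow onward
            for s in blk.succ:
                if s in cfg and not reaches[b] <= reaches[s]:
                    reaches[s] |= reaches[b]
                    changed = True
    return {b: sum(cfg[r].size for r in reaches[b]) for b in cfg}

def surface_area(cfg: Dict[str, Block]) -> int:
    """SA(o): weight of the heaviest valid block, i.e. the most bytes of the
    object from which a random jump slides into one target (assumption: an
    invalid block cannot be the target, since landing in it faults)."""
    w = block_weights(cfg)
    return max((w[b] for b in cfg if cfg[b].valid), default=0)

def normalized_surface_area(heap: List[Dict[str, Block]]) -> float:
    """NSA(H) = SA(H) / |H|, with SA(H) the sum of SA(o) over heap objects."""
    total = sum(blk.size for obj in heap for blk in obj.values())
    return sum(surface_area(o) for o in heap) / total if total else 0.0

# Constructed objects: a sled-like chain of valid blocks falling through toward
# one target (with a back edge), and a data-like object that mostly fails to decode.
SLED = {"b0": Block(4, True, ["b1"]), "b1": Block(4, True, ["b2"]),
        "b2": Block(4, True, ["b3"]), "b3": Block(4, True, ["b2"])}
DATA = {"d0": Block(6, False, ["d1"]), "d1": Block(6, True, ["d2"]),
        "d2": Block(4, False, [])}
```

The sled object scores NSA 100% on its own, the data object well under 50%, which is the gap the slide's detection threshold relies on.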
Nozzle Experimental Summary
- 0 false positives: 10 popular AJAX-heavy sites, 150 top Web sites
- 0 false negatives: 12 published heap spraying exploits and 2,000 synthetic rogue pages generated using Metasploit
- Runtime overhead: as high as 2x without sampling, 5-10% with sampling
Nozzle on Benign Sites
- Benign sites have low Nozzle NSA
- Max NSA always less than 12%
- Thresholds can be set much higher for detection (50% or more)
Nozzle with Known Heap Sprays
- 12 published heap spray pages in multiple browsers
- 2,000 synthetic heap spray pages using the Metasploit advanced NOP engine and shellcode database
- Result: max NSA between 76% and 96%
- Nozzle detects real spraying attacks
Nozzle Runtime Overhead
- (chart)
Using Nozzle in Adobe Reader
- (diagram: Detours instruments AcroRd32.exe with nozzlert.dll)
- Demo
- Results
  - Detected a published heap spray attack (NSA > 75%)
  - Runtime overhead was 8% on average
  - NSA of a normal document < 10%
Summary
- Heap spraying attacks are
  - Easy to implement, easy to retarget
  - In widespread use
- Existing detection methods fail to classify malicious objects on the x86 architecture
- Nozzle
  - Effectively detects published attacks (known and new)
  - Has acceptable runtime overhead
  - Can be used both online and offline
Questions?
Paruj Ratanaworabhan (paruj.r@gmail.com)
Ben Livshits (livshits@microsoft.com)
Ben Zorn (zorn@microsoft.com)
Nozzle heap spraying
See us on Channel 9: http://channel9.msdn.com/posts/Peli/Heap-Spraying-Attack-Detection-with-Nozzle/
Backup
Attacks on Nozzle
- Injecting junk into the start of the object: where does the exploit code begin?
- TOCTTOU: when do you scan the object?
- Attacks on the surface area calculation
  - Jumps outside of objects
  - Multiple instances of shellcode inside an object
- Hiding the code itself: code that rewrites the heap at the last minute
What about Data Execution Prevention?
- DEP / NX bit = hardware to prevent code execution on the heap
- DEP is great, but isn't used everywhere
  - Issues with app compatibility
- DEP can be circumvented
- JIT compilers complicate the story
- Nozzle augments DEP for defense in depth