Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks. Yu Ding, Tao Wei, TieLei Wang (Peking University); Zhenkai Liang (National University of Singapore); Wei Zou (Peking University). 26th ACSAC (December 2010).
Feb 24, 2016
A Seminar at Advanced Defense Lab
Outline
- Introduction
- Research Approaches
- Heap Spraying with Little Surface Area
- Experiment and Evaluation
Introduction
News from Microsoft Security Research & Defense, 2010/12/20:
http://blogs.technet.com/b/srd/archive/2010/12/22/new-internet-explorer-vulnerability-affecting-all-versions-of-ie.aspx
Heap spraying
Figure: heap layout after spraying. A memory-corruption bug redirects control into the heap, which has been filled with many copies of [NOP sled | shellcode].
The heap is less predictable than the stack, and some mechanisms randomize the heap layout.
Sample spray script (from the slide):

    <SCRIPT language="text/javascript">
    shellcode = unescape("%u4343%u4343%...");
    oneblock = unescape("%u0C0C%u0C0C");
    var fullblock = oneblock;
    while (fullblock.length < 0x40000) { fullblock += fullblock; }
    sprayContainer = new Array();
    for (i = 0; i < 1000; i++) { sprayContainer[i] = fullblock + shellcode; }
    </SCRIPT>
Heap spraying (cont.)
Why spraying? We need to jump into the object.
Why a NOP sled? We need to execute the first instruction in the shellcode.
Research Approaches
Shellcode-oriented. But … "English Shellcode"? (my opinion)
Sled-oriented: NOZZLE
The Design of NOZZLE
NOZZLE attempts to discover objects in which control flow through the object (the NOP sled) frequently reaches the same basic block(s) (the shellcode).
Figure: object → disassemble → control flow graph.
The Design of NOZZLE (cont.)
Compute the attack surface area of object o as:
$$SA(o) = \max_i \big( SA(B_i, C) \big)$$
The attack surface area of a heap containing n objects is defined as follows:
$$SA(H) = \sum_{i=1}^{n} SA(o_i)$$
The normalized attack surface area of the heap:
$$NSA(H) = \frac{SA(H)}{|H|}$$
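As an added illustration (not code from the paper or from NOZZLE), the following Python computes the three quantities above for a constructed toy heap. It assumes a simplified definition of the per-block surface area SA(B_i, C), namely the total bytes of all blocks from which control flow can reach B_i (including B_i itself); NOZZLE's real implementation weights blocks differently, so that per-block step is an assumption, and the sample control-flow graphs are constructed.

```python
# Added example (not from the paper or the slides): a toy implementation of
# NOZZLE's surface-area metric as summarised on the slide above.
# Assumption (simplification of NOZZLE): the surface area of a basic block
# B_i in control-flow graph C, SA(B_i, C), is the total number of bytes in
# all blocks that can reach B_i, including B_i itself. A long sled that
# funnels into shellcode therefore gives its final block a large surface area.
from typing import Dict, List, Tuple

# A control-flow graph: block name -> (size in bytes, list of successor blocks)
CFG = Dict[str, Tuple[int, List[str]]]


def block_surface_area(block: str, cfg: CFG) -> int:
    """SA(B_i, C): bytes of every block with a path to `block` (incl. itself)."""
    # Invert the edges so we can walk predecessors backwards from `block`.
    preds: Dict[str, List[str]] = {b: [] for b in cfg}
    for src, (_, succs) in cfg.items():
        for dst in succs:
            preds[dst].append(src)
    seen = set()
    stack = [block]
    while stack:
        b = stack.pop()
        if b in seen:
            continue
        seen.add(b)
        stack.extend(preds[b])
    return sum(cfg[b][0] for b in seen)


def object_surface_area(cfg: CFG) -> int:
    """SA(o) = max_i SA(B_i, C)."""
    return max(block_surface_area(b, cfg) for b in cfg)


def heap_surface_area(objects: List[CFG]) -> int:
    """SA(H) = sum_{i=1..n} SA(o_i)."""
    return sum(object_surface_area(o) for o in objects)


def normalized_heap_surface_area(objects: List[CFG]) -> float:
    """NSA(H) = SA(H) / |H|, with |H| the total size of all heap objects in bytes."""
    heap_bytes = sum(size for o in objects for size, _ in o.values())
    return heap_surface_area(objects) / heap_bytes


# Constructed sample heap: one sled-like object whose blocks chain into a
# final block, and one ordinary data object whose blocks do not flow anywhere.
SLED_OBJECT: CFG = {
    "b0": (100, ["b1"]),
    "b1": (100, ["b2"]),
    "b2": (50, []),  # "shellcode" block, reachable from all 250 bytes
}
DATA_OBJECT: CFG = {
    "c0": (40, []),
    "c1": (30, []),
}
SAMPLE_HEAP = [SLED_OBJECT, DATA_OBJECT]

if __name__ == "__main__":
    print("SA(sled) =", object_surface_area(SLED_OBJECT))            # 250
    print("SA(data) =", object_surface_area(DATA_OBJECT))            # 40
    print("SA(H)    =", heap_surface_area(SAMPLE_HEAP))              # 290
    print("NSA(H)   =", normalized_heap_surface_area(SAMPLE_HEAP))   # 0.90625
```

The sled-like object scores 250 because every one of its bytes eventually flows into the final block, while the data object scores only the size of its largest block; NSA(H) close to 1 is the signal NOZZLE looks for.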
Limitation (in the NOZZLE paper): Jump into Page
The attacker allocates page-size chunks of memory.
Figure: page-aligned chunks, each holding shellcode at the same offset (page-size / shellcode repeated; page alignment).
Fixed offset!!
The goal of this paper!!
Heap Spraying with Little Surface Area
Memory Allocation Granularity: Linux: 4KB; Windows: 64KB.
When a heap object is bigger than a certain threshold, 512K in our experiment, Windows always allocates a separate heap block for this object.
Observation
If an EIP assigned by an attacker has few possible locations in a large heap object, the attacker only needs to put jump-equivalent instructions at those locations. In fact, an EIP assigned by an attacker can only point to EIGHT possible locations in a 512K-byte heap object.
Figure: Malicious Heap Object
Figure: If the alignment is small
Detecting Heap Taichi Attacks
NOZZLE can be enhanced to detect some of the new attacks by considering the effect of memory allocation granularity.
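The following Python is an added example, not code from the paper or from NOZZLE, that serves both the observation about the eight reachable locations and the detection point above: it enumerates the landing offsets a fixed-low-bits EIP can reach inside a granularity-aligned object and compares a naive whole-object sled ratio with a granularity-aware one that only looks at those reachable offsets. The granularity constants come from the slides; the tiny byte classifier, the threshold and the constructed sample object are assumptions.

```python
# Added example (not the paper's or NOZZLE's code): a granularity-aware check
# in the spirit of the slide's suggestion that NOZZLE consider memory
# allocation granularity.
# Assumptions: a large heap object is allocated in its own block aligned to the
# allocation granularity, so a corrupted EIP whose low bits are fixed can only
# land at offsets (eip_low_bits + k * granularity) inside the object. The byte
# classification below is a deliberately tiny stand-in for a real disassembler.
from typing import List

WINDOWS_GRANULARITY = 64 * 1024   # from the slides
LINUX_GRANULARITY = 4 * 1024      # from the slides

# Single-byte opcodes treated as sled-like / jump-equivalent in this toy:
# 0x90 = nop, 0x0C = or al, imm8 (the 0x0C0C pattern in the sample spray),
# 0xEB = short jmp. Assumption: sufficient for the constructed sample below.
SLED_LIKE = {0x90, 0x0C, 0xEB}


def candidate_offsets(object_size: int, granularity: int, eip_low_bits: int) -> List[int]:
    """Offsets inside a granularity-aligned object that a fixed-low-bits EIP can hit."""
    if not 0 <= eip_low_bits < granularity:
        raise ValueError("eip_low_bits must be smaller than the granularity")
    return [k * granularity + eip_low_bits
            for k in range(object_size // granularity)
            if k * granularity + eip_low_bits < object_size]


def sled_ratio(obj: bytes) -> float:
    """Naive whole-object metric: fraction of all bytes that look sled-like."""
    return sum(b in SLED_LIKE for b in obj) / len(obj)


def candidate_sled_ratio(obj: bytes, granularity: int, eip_low_bits: int) -> float:
    """Granularity-aware metric: fraction of reachable landing offsets that look sled-like."""
    offs = candidate_offsets(len(obj), granularity, eip_low_bits)
    return sum(obj[o] in SLED_LIKE for o in offs) / len(offs)


def is_suspicious(obj: bytes, granularity: int, eip_low_bits: int,
                  threshold: float = 0.5) -> bool:
    """Flag an object whose reachable landing spots are mostly sled-like,
    even when the object as a whole looks like ordinary data."""
    return candidate_sled_ratio(obj, granularity, eip_low_bits) >= threshold


def build_sample_object(size: int, granularity: int, eip_low_bits: int) -> bytes:
    """Constructed test data: zero filler with one nop byte at each candidate offset."""
    buf = bytearray(size)  # all zeros: not sled-like under our classifier
    for off in candidate_offsets(size, granularity, eip_low_bits):
        buf[off] = 0x90
    return bytes(buf)


if __name__ == "__main__":
    size = 512 * 1024
    low_bits = 0x0C0C                      # constructed fixed low bits of the EIP
    sample = build_sample_object(size, WINDOWS_GRANULARITY, low_bits)
    print(len(candidate_offsets(size, WINDOWS_GRANULARITY, low_bits)))   # 8
    print(sled_ratio(sample))                                            # ~1.5e-05
    print(candidate_sled_ratio(sample, WINDOWS_GRANULARITY, low_bits))   # 1.0
    print(is_suspicious(sample, WINDOWS_GRANULARITY, low_bits))          # True
```

On a 512K object with 64KB granularity the candidate list has exactly eight entries, matching the slide; the naive ratio of the sample is negligible (eight bytes out of 512K), while the granularity-aware ratio is 1.0, which is why a detector that scans only the reachable offsets sees what a whole-object sled scan misses. With 4KB granularity the same object yields 128 candidates, so the smaller the alignment, the more offsets a sled must cover and the larger its surface area becomes.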
Detecting Heap Taichi Attacks (cont.)
A natural solution to prevent Heap Taichi attacks and similar attacks is to align memory allocation at a smaller-sized boundary.
But … there are many heap managers on different levels of a program, each of which has its own heap management strategy.
Experiment and Evaluation
Case study:
Result:
Thank You