This document is a slide deck on heap-spraying attacks and BuBBle, a countermeasure against them. Heap-spraying attacks fill a program's memory with many copies of identical data (typically a JavaScript string carrying shellcode) so that a hijacked control flow is likely to land on injected code. BuBBle introduces diversity into contiguous blocks of memory by transforming the internal representation of JavaScript strings: characters at random positions are replaced by an interrupt byte and recorded in a support data structure, and the string is restored before it is used. The authors evaluate BuBBle in Mozilla Firefox and find that it prevents heap-spraying attacks with low performance and memory overhead.
17. BuBBle approach
• Introduce diversity in contiguous blocks of memory
• Transform Javascript strings (internal structure)

18–23. approach
<Define string>              "Hi. I am a dangerous string to jump into a shellcode"
        |
        | Transform
        v
<support data structure>     "Hi. I am a dangerous string to jump into a shellcode" (transformed copy kept in memory)
        |
        | Restore
        v
<Use string>                 "Hi. I am a dangerous string to jump into a shellcode"
24–25. BuBBle approach: support data
• Interrupt array of characters
• Change characters at random positions: how many?
• Save support data

Support data structure layout:
    Num. intervals
    Pos. 1st char
    Value 1st char
    Pos. 2nd char
    Value 2nd char
    ...
26–30. BuBBle approach: js_Transform()

Input: "blah blah blah is a normal string with appended shellcode"

    len <- string.length()                          (example: len = 57)
    intervals <- len / MINLEN                       (example: intervals = 2)
    foreach (i in intervals)
        rand <- generate_random_position(0, MINLEN)  (example: rand = 8, then 12)
        pos = MINLEN * i
        save_position(pos + rand)
        save_value(character[pos + rand])
        change_value(character[pos + rand])

Support data written in the example: 2 | 7 a | 35 w
    (number of intervals, then position and original value for each interval)

Output: "blah bl0xCCh blah is a normal string 0xCCith appended shellcode"
31. BuBBle approach: security evaluation
• What? We still spray the heap!
• Interrupt procedure call (.byte 0xcc)
• IE and Aurora against Google (Jan 2010)
34. Performance overhead

V8 Javascript Benchmarks
Benchmark      Perf. overhead
Richards       5.6%
DeltaBlue      3.6%
Crypto         10%
Ray Trace      1.5%
Early Boyer    3.7%
RegExp         0.6%
Splay          1.8%
Total          2.6%

Macrobenchmarks
Site URL          Perf. overhead
economist.com     5.6%
amazon.com        4.7%
ebay.com          4.2%
facebook.com      4.9%
maps.google.com   3.2%
docs.google.com   6.3%
cnn.com           4.8%
youtube.com       4.9%
Average           4.8%

Sunspider Javascript Benchmark Suite
Test               Perf. overhead
3d                 0.17%
bitops             0.89%
controlflow        1.44%
math               0.62%
regexp             0.23%
string
  base64           27.3%
  fasta            1.24%
  tagcloud         2.20%
  unpack           3.24%
  validate         9.30%
Average            5.19%

Peacekeeper Javascript Benchmarks
Benchmark          Perf. overhead
Rendering          0.5%
Social Networking  0.5%
Complex Graphics   2.2%
Data               14%
DOM ops.           0.2%
Text parsing       2.0%
Total              2.8%
35–36. BuBBle: memory overhead
• 1/24 changes
• n-byte original string
• i = n/24
• support data structure 2i bytes long
• 8.3% memory overhead (theoretical and room for improvement)

Memory overhead analysis from proc file system
Benchmark     Mem. overhead
Sunspider     5.6%
V8            4.2%
Peacekeeper   6.5%
Average       5.3%
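The js_Transform() / restore steps from slides 26–30 and the support-data size from the memory-overhead slide, modelled as an added Python example. This is illustration code, not the BuBBle authors' engine patch: MINLEN = 24, the 0xCC replacement value, the seeded random generator, the helper names other than js_transform/js_restore, and the sample inputs are assumptions made for the example. It transforms a string one random character per 24-character interval, packs the support data as on slide 25, restores the original before use, and measures the longest run of identical bytes that survives the transform, which is the property the "contiguous blocks of memory" bullet is about.

```python
import random

# Added example (not the BuBBle authors' code): a byte-level model of
# js_Transform()/js_Restore(). Constants and helper names are assumptions.
MINLEN = 24          # one change per 24-character interval ("1/24 changes")
INTERRUPT = 0xCC     # value written at each chosen position (.byte 0xcc)


def js_transform(data: bytes, seed: int = 0):
    """Return (transformed copy, support data).

    One character per MINLEN-sized interval is replaced by INTERRUPT; the
    support data records, per interval, the offset inside the interval and
    the original value so the string can be restored before it is used.
    """
    rng = random.Random(seed)              # seeded only so the example repeats
    buf = bytearray(data)
    intervals = len(buf) // MINLEN         # intervals <- len / MINLEN
    support = []
    for i in range(intervals):
        pos = MINLEN * i                                   # pos = MINLEN * i
        rand = rng.randrange(0, MINLEN)                    # generate_random_position(0, MINLEN)
        support.append((rand, buf[pos + rand]))            # save_position / save_value
        buf[pos + rand] = INTERRUPT                        # change_value
    return bytes(buf), support


def js_restore(transformed: bytes, support) -> bytes:
    """Undo js_transform using the support data (the Restore step)."""
    buf = bytearray(transformed)
    for i, (rand, value) in enumerate(support):
        buf[MINLEN * i + rand] = value
    return bytes(buf)


def pack_support(support) -> bytes:
    """Serialise the support data as drawn on slide 25: number of intervals,
    then one (position, value) byte pair per interval. The interval offset
    fits in a byte, which is where the "2i bytes" figure comes from; the
    single-byte count is a simplification of this example."""
    out = bytearray([len(support)])
    for rand, value in support:
        out += bytes([rand, value])
    return bytes(out)


def longest_run(data: bytes, value: int) -> int:
    """Longest contiguous run of `value` bytes, i.e. the largest block of
    memory an attacker could still rely on being identical after transform."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def support_overhead(n: int) -> float:
    """Memory overhead of the support data for an n-byte string:
    2i bytes with i = n / 24 (slide 35)."""
    return 2 * (n // MINLEN) / n


# The string used on the slides (57 bytes); "shellcode" here is just text.
SAMPLE = b"blah blah blah is a normal string with appended shellcode"

if __name__ == "__main__":
    transformed, support = js_transform(SAMPLE, seed=1)
    print(len(SAMPLE), "bytes ->", len(support), "intervals:", transformed)
    print("support data:", pack_support(support).hex())
    print("restored ok:", js_restore(transformed, support) == SAMPLE)
    flat = b"A" * 4096   # constructed: a string of one repeated byte
    print("longest identical run after transform:",
          longest_run(js_transform(flat, seed=3)[0], ord("A")))
    print("support overhead for 2400 bytes: %.1f%%" % (support_overhead(2400) * 100))
```

Because exactly one byte in every 24-byte interval is changed, no run of identical bytes longer than 46 survives, regardless of how large the original string was; that is the bound the check in the block measures, and the support data costs 2 bytes per interval, which for i = n/24 is the 8.3% theoretical overhead quoted on the slide.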
37. Related work
• ASLR
  Bhatkar, S., Duvarney, D.C., Sekar, R.: Address obfuscation: An efficient approach to combat a broad range of memory error exploits. Proceedings of the 12th USENIX Security Symposium, Washington, D.C., U.S.A., August 2003
• DEP
  Data Execution Prevention: Windows Server 2003 with SP1
• Nozzle
  Ratanaworabhan, P., Livshits, B., Zorn, B.: Nozzle: A defense against heap-spraying code injection attacks. Technical report, Microsoft Research (November 2008)
• Shellcode detection
  Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: Defending browsers against drive-by downloads: mitigating heap-spraying code injection attacks. In: Flegel, U., Bruschi, D. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. LNCS, vol. 5587, pp. 88–106. Springer, Heidelberg (2009)
38. Conclusion
• Lightweight solution (e.g. Mozilla Firefox, Mozilla Fennec)
• Implemented for Javascript strings
• Allocation of malicious objects from external media (mp3, ...)
• Future dev: protect arrays of integers, protect other engines
• Not just for browsers