This talk presents a brief overview of Use-after-Free vulnerability and corresponding exploitation techniques for Internet Explorer (IE), followed by description of memory protection schemes implemented in newer versions of IE in order to mitigate exploitation of such vulnerabilities.

1. Internet Explorer
Memory Protection
A Brief Overview

2. Agenda
• Introduction to Use-After-Free (UaF) vulnerabilities
• Exploiting UaF vulnerabilities
• UaF exploit mitigation through MemoryProtector

3. Why Focus on UaF ?
http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-attacks.html

4. UaF: An
Example
Dangling Pointer Dereference
B1 B2
Object

5. UaF: An Example
Vftable Intact

6. UaF: A Browser Example
MS13-080

7. UaF: A Browser Example
Light Page Heap overwrites free’d chunks with 0xf0
https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx

8. UaF: Exploitation

9. UaF: Exploitation

10. UaF: Exploitation – Object Re-use
Object
B1
B2
Function 1
Function 2
Function …
Vftable
Objectdelete b1 [Object Freed]
0x414141fill(16) [Re-use memory block]
0x414141
B2
b2->hello()

11. UaF: Exploitation - Browser

12. Fundamental Mitigations
• Non-executable Data Pages [NX]
– PageExec [PaX/Grsecurity]
– DEP [Windows]
– W ^ X [OpenBSD]
– […]
• Address Space Layout Randomization (ASLR)

13. Environment Specific Mitigations
• Windows
– SafeSEH, SEHOP
– Stack Protection
– Vftable Guard
– Control Flow Guard
– […]
• Internet Explorer
– Enhanced Protected Mode (EPM)
– Nozzle & Bubble
– Isolated Heap
– Memory Protector
– […]

14. Internet Explorer: Memory Protector
• Manage De-allocation / Free of important
DOM objects
– Overwrite the free’d object with NULL content
– Queue for “free” in a per-thread wait-list instead
of immediate free at heap manager level.
– Real/Heap free is executed during certain
conditions.
– Ensure no reference to object in thread stack
before actual free at heap manager level
This prevents immediate re-use of free’d objects

15. Internet Explorer: Memory Protector
• MemoryProtection::CMemoryProtector
– ProtectedFree
– MarkBlocks
– ReclaimUnmarkedBlocks
Application Free
HeapFree
Application Free
CMemoryProtector::
ProtectedFree
HeapFree
Before
With MemoryProtector

16. Internet Explorer: Memory Protector
• Protected Free
– Maintains a per-thread wait-list of freed memory.
– On certain bytes threshold, perform mark & sweep:
• Mark each with a reference (pointer) in thread stack
• Perform Heap Manager level free for each unmarked block
• Memory Reclamation / Unprotected Free
– During main thread’s message dispatch callback
• Long lived Use-after-Free vulnerabilities are still exploitable!

17. Questions ?
http://www.twitter.com/abh1sek
http://www.3slabs.com
https://github.com/abhisek/RandomCode/tree/master/Misc/ie_memprotector_nullblr

18. References
• http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of-
MemoryProtection-against-use-after-free/ba-p/6556134#.VSeGDxOUenD
• https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-
spraying-demystified/
• https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx
• http://securityintelligence.com/understanding-ies-new-exploit-mitigations-the-
memory-protector-and-the-isolated-heap/#.VS-JRxOUenA
• Yuki Chen – The Birth of a Complete IE 11 Exploit Under The New Exploit Mitigation