This talk presents a brief overview of Use-after-Free vulnerabilities and the corresponding exploitation techniques for Internet Explorer (IE), followed by a description of the memory protection schemes implemented in newer versions of IE to mitigate exploitation of such vulnerabilities.
12. Fundamental Mitigations
• Non-executable Data Pages [NX]
– PageExec [PaX/Grsecurity]
– DEP [Windows]
– W ^ X [OpenBSD]
– […]
• Address Space Layout Randomization (ASLR)
13. Environment Specific Mitigations
• Windows
– SafeSEH, SEHOP
– Stack Protection
– Vftable Guard
– Control Flow Guard
– […]
• Internet Explorer
– Enhanced Protected Mode (EPM)
– Nozzle & Bubble
– Isolated Heap
– Memory Protector
– […]
14. Internet Explorer: Memory Protector
• Manage de-allocation / free of important DOM objects
– Overwrite the free’d object with NULL content
– Queue for “free” in a per-thread wait-list instead of an immediate free at heap manager level.
– The real (heap manager level) free is executed only under certain conditions.
– Ensure there is no reference to the object in the thread stack before the actual free at heap manager level.
This prevents immediate re-use of free’d objects.
15. Internet Explorer: Memory Protector
• MemoryProtection::CMemoryProtector
– ProtectedFree
– MarkBlocks
– ReclaimUnmarkedBlocks
[Diagram: Before: Application Free → HeapFree. With MemoryProtector: Application Free → CMemoryProtector::ProtectedFree → HeapFree]
16. Internet Explorer: Memory Protector
• Protected Free
– Maintains a per-thread wait-list of freed memory.
– When a byte threshold is reached, perform mark & sweep:
• Mark each block that has a reference (pointer) to it in the thread stack
• Perform a heap manager level free for each unmarked block
• Memory Reclamation / Unprotected Free
– Performed during the main thread’s message dispatch callback
• Long lived Use-after-Free vulnerabilities are still exploitable!
On free, the block is added to a free’d list without actually being freed at the heap manager level, and it is filled with zero. At sweep time, the block is freed only if there is no reference to it on the stack.
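The delayed-free scheme described on the Memory Protector slides (overwrite with NULL content, per-thread wait-list, mark & sweep against the thread stack, release of unmarked blocks) as an added C simulation; this is not Microsoft's code nor code from the talk. Assumptions for illustration: the `mp_*` names, the wait-list capacity and byte threshold, that the sweep is driven by a caller-supplied image of stack words (a constructed array) instead of walking the real thread stack, and that a pointer into the interior of a block counts as a reference.

```c
/* Simulation of the Memory Protector delayed-free scheme described above:
 * zero-fill on free, per-thread wait-list, mark & sweep against a stack image.
 * Added example; not Microsoft's implementation. Names, limits and the
 * explicit stack image are assumptions for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MP_MAX_WAIT  128    /* wait-list capacity (assumed) */
#define MP_THRESHOLD 4096   /* pending bytes that trigger a sweep (assumed) */

typedef struct { uintptr_t base; size_t size; int marked; } mp_block_t;

/* Per-thread state, modelled here as a single thread. */
static mp_block_t mp_wait[MP_MAX_WAIT];
static size_t mp_count = 0;
static size_t mp_pending_bytes = 0;

static int mp_contains(const mp_block_t *b, uintptr_t v) {
    return v >= b->base && v < b->base + b->size;
}

/* MarkBlocks equivalent: any word in the scanned region that points into a
 * wait-listed block (interior pointers included, assumed) keeps it alive. */
static void mp_mark(const uintptr_t *words, size_t nwords) {
    for (size_t i = 0; i < mp_count; i++) mp_wait[i].marked = 0;
    for (size_t w = 0; w < nwords; w++)
        for (size_t i = 0; i < mp_count; i++)
            if (mp_contains(&mp_wait[i], words[w])) mp_wait[i].marked = 1;
}

/* Sweep: hand unmarked blocks to the real heap, compact the rest in place. */
static size_t mp_sweep(void) {
    size_t kept = 0, freed = 0;
    mp_pending_bytes = 0;
    for (size_t i = 0; i < mp_count; i++) {
        if (mp_wait[i].marked) {
            mp_pending_bytes += mp_wait[i].size;
            mp_wait[kept++] = mp_wait[i];
        } else {
            free((void *)mp_wait[i].base);   /* heap manager level free */
            freed++;
        }
    }
    mp_count = kept;
    return freed;
}

/* ReclaimUnmarkedBlocks equivalent over a caller-supplied stack image.
 * Returns the number of blocks released to the heap manager. */
size_t mp_reclaim(const uintptr_t *stack_words, size_t nwords) {
    mp_mark(stack_words, nwords);
    return mp_sweep();
}

/* ProtectedFree equivalent: overwrite with NULL content and queue the block.
 * Returns 1 if queued, 0 if the list was full and the block was freed directly. */
int mp_protected_free(void *p, size_t size) {
    if (mp_count == MP_MAX_WAIT) { free(p); return 0; }
    memset(p, 0, size);   /* stale vtable/field pointers are gone from now on */
    mp_wait[mp_count].base = (uintptr_t)p;
    mp_wait[mp_count].size = size;
    mp_wait[mp_count].marked = 0;
    mp_count++;
    mp_pending_bytes += size;
    return 1;
}

size_t mp_pending(void)     { return mp_count; }
int    mp_needs_sweep(void) { return mp_pending_bytes >= MP_THRESHOLD; }
int    mp_is_quarantined(uintptr_t addr) {
    for (size_t i = 0; i < mp_count; i++) if (mp_contains(&mp_wait[i], addr)) return 1;
    return 0;
}

/* Worked scenario: two objects freed, one still referenced from the (simulated)
 * thread stack. Returns 0 when the protector behaves as the slides describe. */
int mp_demo(void) {
    uintptr_t *a = malloc(64), *b = malloc(64);
    if (!a || !b) return -1;
    uintptr_t a_addr = (uintptr_t)a, b_addr = (uintptr_t)b;
    a[0] = 0xDEADBEEFu;                       /* stand-in for a vtable pointer */
    mp_protected_free(a, 64);
    mp_protected_free(b, 64);
    if (a[0] != 0) return 1;                  /* dangling read now sees NULL */
    if (mp_pending() != 2) return 2;
    /* Constructed stack image: an interior pointer into 'a', nothing into 'b'. */
    uintptr_t stack_image[4] = { 0, a_addr + 8, 0x41414141u, 0 };
    if (mp_reclaim(stack_image, 4) != 1) return 3;       /* only 'b' released */
    if (!mp_is_quarantined(a_addr) || mp_is_quarantined(b_addr)) return 4;
    /* Once the stack reference is gone, the next sweep releases 'a' too. */
    uintptr_t empty[1] = { 0 };
    if (mp_reclaim(empty, 1) != 1) return 5;
    return mp_pending() == 0 ? 0 : 6;
}
```

`mp_demo` returns 0 when every step matches the slides: the freed object reads back as zeros rather than its old contents, the block that still has a stack reference survives the sweep, and only the unreferenced block reaches the heap manager. The scenario also makes the caveat on the last slide concrete: as long as some stack slot still points into `a`, that block is never released, so a dangling reference that stays live on the stack is exactly the case this scheme does not cover.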