Channels ▼
RSS

.NET

Nozzle: Counteracting Memory Exploits


It Begins with JavaScript

"Every time you download a Web page," Zorn says, "it can contain JavaScript, which is executable code. It's perfectly valid for JavaScript to allocate objects. So attackers use JavaScript to propagate copies of malicious objects and then exploit some known bug in the browser to execute malicious code."

Such an approach may not work every time; there is always an element of luck involved. But if the attacker lures enough users to the page, enough of the attempts will succeed, and enough machines would be compromised to cause nuisance or damage.

Adds Zorn: "The interesting thing about heap spraying is that, from the attacker's point of view, it's easy to implement. The actual spray is just a loop written in JavaScript, and the exploit code is a JavaScript string. Ten lines of code in JavaScript are sufficient to create a heap-spray attack."

Kittens of Doom

It's disturbing enough to know how little effort it takes to create a heap spray, but browsers are not the only programs at risk. Any program that enables JavaScript execution is vulnerable. Attacks on Adobe Reader and Acrobat proved that PDF files, which users consider passive and read-only, can be a source of heap-spraying attacks, too.

"Applications such as Adobe Reader have evolved to be more dynamic," Livshits says. "They allow some scripting, to support more extensibility, and rely on languages such as JavaScript to enable that. This is a widespread phenomenon, and, as a result, heap spraying as an attack vector is also widespread. In fact, another program susceptible to this is Flash, since you can embed script in a Flash player in a similar way. So it's important to understand it's not just Web pages that are vulnerable."

Just about any form of data can be used for exploitation, Zorn says. To drive this point home during the Usenix Security Symposium, the researchers displayed a slide titled "Kittens of Doom: Is No Data Sacred?"

Kittens of Doom: Be it a Web page, a PDF, or a Flash files, any form of data can be used for exploitation. Malicious code has been found embedded in image-file comment fields, documents, and dynamic-link libraries.

"We wanted to convey that the most innocent of files can be used for exploitation," Livshits says. "This is an apparently harmless image of a kitten, but there is a malicious payload in the comment field of the image that initiates a heap-spraying attack on the browser.

"Not every heap-spraying attack works, so it's possible the data you receive had passed harmlessly through other users, because the spray worked but the exploit failed. What's benign to another user else could be a problem for you."

All Roads Lead to Shell Code

Given that any data can be used for exploitation, the researchers took the perspective that they should examine all objects on the heap. In some cases, data can look like code and vice versa, making it even more difficult to reliably identify harmful objects.

The first breakthrough for the team came when they decided that, instead of looking at individual instructions in an object, they would analyze its control flow.

"The ultimate goal of these objects is to get to the shell code." Zorn says, "That's what we call the code that causes actual damage. If the object can't direct control to the shell code, the attack fails.

"If there is an object and, no matter where we jump into it, we almost always end up going to the same place, then it qualifies as suspicious. Now, there could be non-malicious objects in the heap that contain what look like instructions -- but it's very unlikely that they will also try to make you go to the same place. So control flow is a semantic property that helped us zero in on malicious objects."

This approach proved more reliable than other detection schemes, with only a 10 percent false-positive rate. The researchers, though, were aiming for zero false-positives, if possible.

"We are talking about stopping the program each time we detect a suspicious object," Livshits says. "If objects are actually harmless 10 percent of the time, it's an unacceptable amount of disruption to the user." Profile of an Exploit

Fortunately, there is another characteristic of heap spraying the researchers could leverage: To be successful, attackers have to allocate thousands of objects into the heap. This understanding led to the researchers' second breakthrough: the notion of the global heap metric index, an aggregate of measurements across all heap objects.

The Economist Web site's normal number of heap allocations is shown in blue. The purple line shows the number of allocations resulting from an attack named exploit-612, a sharp jump that Nozzle would flag.

"In a spray attack, we don't have just a few suspicious objects." Zorn says. "There are thousands, representing a large percentage of the heap. So we came up with an index that would indicate the health of the entire heap—essentially a measure of the fraction of the heap that contains suspicious objects."

A few suspicious objects won't raise an alarm. But a high density of suspicious objects is a reliable indication of a heap-spraying attack. The global heap metric index dramatically reduced the false-positive rate.

"We take advantage of the very scheme attackers depend on for exploitation," Zorn says. "In order for such attacks to work, they must allocate many, many objects; so we monitor whether a significant percentage of the heap contains suspicious objects."


Related Reading


More Insights






Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
 

Video