More Web Proxy on the site http://driver.im/

research-article

Heap Taichi: exploiting memory allocation granularity in heap-spraying attacks

Authors:

Wei ZouAuthors Info & Claims

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference

Pages 327 - 336

https://doi.org/10.1145/1920261.1920310

Published: 06 December 2010 Publication History

Abstract

Heap spraying is an attack technique commonly used in hijacking browsers to download and execute malicious code. In this attack, attackers first fill a large portion of the victim process's heap with malicious code. Then they exploit a vulnerability to redirect the victim process's control to attackers' code on the heap. Because the location of the injected code is not exactly predictable, traditional heap-spraying attacks need to inject a huge amount of executable code to increase the chance of success. Injected executable code usually includes lots of NOP-like instructions leading to attackers' shellcode. Targeting this attack characteristic, previous solutions detect heap-spraying attacks by searching for the existence of such large amount of NOP sled and other shellcode.

In this paper, we analyze the implication of modern operating systems' memory allocation granularity and present Heap Taichi, a new heap spraying technique exploiting the weakness in memory alignment. We describe four new heap object structures that can evade existing detection tools, as well as proof-of-concept heap-spraying code implementing our technique. Our research reveals that a large amount of NOP sleds is not necessary for a reliable heap-spraying attack. In our experiments, we showed that our heap-spraying attacks are a realistic threat by evading existing detection mechanisms. To detect and prevent the new heap-spraying attacks, we propose enhancement to existing approaches and propose to use finer memory allocation granularity at memory managers of all levels. We also studied the impact of our solution on system performance.

References

[1]

Microsoft Corporation. Data execution prevention. http://technet.microsoft.com/enus/library/cc738483.aspx.

[2]

The PaX team. http://pax.grsecurity.net.

[3]

Why is address space allocation granularity 64k? http://blogs.msdn.com/oldnewthing/archive/2003/10/08/55239.aspx.

[4]

Microsoft Internet Explorer. ANI file "anjh" header BoF exploit, 2004. http://skypher.com/wiki/index.php?title=www.edup.tudelft.nl/~bjwever/details_msie_ani.html.php.

[5]

Microsoft Internet Explorer DHTML object handling valuerabilities (MS05-20), 2004. http://skypher.com/wiki/index.php?title=www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php.

[6]

Microsoft Internet Explorer IFRAME src&name parameter BoF remote compromise, 2004. http://skypher.com/wiki/index.php?title=www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php.

[7]

Microsoft Internet Explorer javaprxy.dll COM object vulnerability, 2005. http://www.frsirt.com/english/advisories/2005/0935.

[8]

Microsoft Internet Explorer "msdds.dll" remote code execution, 2005. http://www.frsirt.com/english/advisories/2005/1450.

[9]

libemu - shellcode detection, 2007. http://libemu.carnivore.it.

[10]

Pwn2own 2010, 2010. http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010.

[11]

P. Akritidis, E. P. Markatos, M. Polychronakis, and K. Anagnostakis. STRIDE: Polymorphic sled detection through instruction sequence analysis. In Security and Privacy in the Age of Ubiquitous Computing, 2005.

[12]

C. Anley, J. Heasman, F. Lindner, and G. Richarte. The Shellcoder's Handbook: Discovering and Exploiting Security Holes. Wiley, 2004.

Digital Library

[13]

S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceeding of 12th USENIX Security Symposium, 2003.

Digital Library

[14]

S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of 14th USENIX Security Symposium, 2005.

Digital Library

[15]

D. Blazakis. Interpreter exploitation: Pointer inference and jit spraying. In Blackhat, USA, 2010.

[16]

D. Brumley, T. Chiueh, R. Johnson, H. Lin, and D. Song. RICH: Automatically protecting against integer-based vulnerabilities. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS), 2007.

[17]

C. Collberg, C. Thomborson, and D. Low. Manufacturing cheap, resilient, and stealthy opaque constructs. In POPL '98: Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, 1998.

Digital Library

[18]

CVE, 2007. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0038.

[19]

M. Daniel, J. Honoroff, and C. Miller. Engineering heap overflow exploits with JavaScript. In Proceedings of the 2nd USENIX Workshop on Offensive Technologies, 2008.

Digital Library

[20]

T. Detristan, T. Ulenspiegel, and Yann_malcom. Polymorphic shellcode engine using spectrum analysis. Phrack 11, 57--15 (2001).

[21]

M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda. Defending browser against drive-by downloads: Mitigating heap-srpaying code injection attacks. In Proceedings of the 6th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2009.

Digital Library

[22]

M. E. Russinovich and D. A. Solomon. Microsoft Wndows Internals, Fourth Edition: Microsoft Windows Server 2003, Windows Xp, and Windows 2000. Microsoft Press, 2008.

Digital Library

[23]

J. Evans. A scalable concurrent malloc(3) implementation for freebsd. In BSDCan conference, 2006.

[24]

P. Fogla and W. Lee. Evading network anomaly detection systems: formal reasoning and practical techniques. In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security, 2006.

Digital Library

[25]

D. R. Hanson. Fast allocation and deallocation of memory based on object lifetimes. Softw. Pract. Exper., 20(1):5--12, 1990.

Digital Library

[26]

C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning. Address space layout permutation (aslp): Towards fine-grained randomization of commodity software. In ACSAC'06: Proceedings of the 22th Annual Computer Security Applications Conference, 2006.

Digital Library

[27]

C. Linn and S. Debray. Obfuscation of executable code to improve resistance to static disassembly. In CCS '03: Proceedings of the 10th ACM conference on Computer and communications security, 2003.

Digital Library

[28]

J. Mason, S. Small, F. Monrose, and G. MacManus. English shellcode. In CCS '09: Proceedings of the 16th ACM conference on Computer and communications security, 2009.

Digital Library

[29]

M. Polychronakis, K. Anagnostakis, and E. Markatos. Emulation-based detection of non-self-contained polymorphic shellcode. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), 2007.

Digital Library

[30]

M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Network-level polymorphic shellcode detection using emulation. In Proceedings of the 3rd Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2006.

Digital Library

[31]

I. V. Popov, S. K. Debray, and G. R. Andrews. Binary obfuscation using signals. In SS'07: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, Berkeley, CA, USA, 2007.

Digital Library

[32]

P. Ratanaworabhan, B. Livshits, and B. Zorn. NOZZLE: A defense against heap-spraying code injection attacks. In Proceedings of the 18th USENIX Security Symposium, 2009.

Digital Library

[33]

J. Richter and C. Nasarre. Windows via C/C++ 5th edition. Microsoft Press, 2008.

Digital Library

[34]

RIX. Writing ia32 alphanumeric shellcodes. Phrack 11, 57--15 (2001).

[35]

P. M. Sanjay Ghemawat, 2005. http://goog-perftools.sourceforge.net/doc/tcmalloc.html.

[36]

SecurityFocus. Mozilla Firefox 3.5 'TraceMonkey' component remote code execution vulnerability, 2009. http://www.securityfocus.com/bid/35660.

[37]

Y. Song, M. E. Locasto, A. Stavrou, A. D. Keromytis, and S. J. Stolfo. On the infeasibility of modeling polymorphic shellcode. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security. ACM, 2007.

Digital Library

[38]

A. Sotirov. Heap feng shui in JavaScript. In Blackhat, USA, 2007.

[39]

A. Sotirov. Bypassing browser memory protections in windows vista. In Blackhat, USA, 2008.

[40]

A. Sotirov and M. Dowd. Bypassing browser memory protections. In BlackHat, USA, 2008.

[41]

N. Stojanovski, M. Gusev, D. Gligoroski, and Svein. J. Knapskog. Bypassing data execution prevention on microsoftwindows xp sp2. In The Second International Conference on Availability, Reliability and Security (ARES), 2007.

Digital Library

[42]

T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), 2002.

Digital Library

[43]

T. Wang, T. Wei, Z. Lin, and W. Zou. IntScope: Automatically detecting integer overflow vulnerability in x86 binary using symbolic execution. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), 2009.

[44]

O. Whitehouse. An analysis of address space layout randomization on windows vista#8482;. In Symantec Advanced Threat Research, 2007.

[45]

Y. Younan, W. Joosen, and F. Piessens. Code injection in C and C++: A survey of vulnerabilities and countermeasures. Technical Report CW386, Department of Computer Science, Katholieke Universiteit Leuven, 2004.

[46]

A. Young and M. Yung. Cryptovirology: Extortion-based security threats and countermeasures. In SP '96: Proceedings of the 1996 IEEE Symposium on Security and Privacy, page 129, Washington, DC, USA, 1996. IEEE Computer Society.

Digital Library

[47]

J. Zhuge, T. Holz, C. Song, J. Guo, X. Han, and W. Zou. Studying malicious websites and the underground economy on the chinese web. In Proceedings of the 7th Workshop on the Economics of Information Security (WEIS'08), 2008.

Cited By

Park YLee HJung JKoo HKim H(2024)Benzene: A Practical Root Cause Analysis System with an Under-Constrained State Mutation2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00074(1865-1883)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00074
Decourcelle JTeabe BHagimont D(2024)JITBULL: Securing JavaScript Runtime with a Go/No-Go Policy for JIT Engine2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58291.2024.00028(156-168)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN58291.2024.00028
Lee YKwak JKang JJeon YLee BCalandrino JTroncoso C(2023)PSPRAYProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620619(6825-6842)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620619
Show More Cited By

Index Terms

Heap Taichi: exploiting memory allocation granularity in heap-spraying attacks
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Comprehensively and efficiently protecting the heap
Proceedings of the 2006 ASPLOS Conference

The goal of this paper is to propose a scheme that provides comprehensive security protection for the heap. Heap vulnerabilities are increasingly being exploited for attacks on computer programs. In most implementations, the heap management library ...
Comprehensively and efficiently protecting the heap
Proceedings of the 2006 ASPLOS Conference

The goal of this paper is to propose a scheme that provides comprehensive security protection for the heap. Heap vulnerabilities are increasingly being exploited for attacks on computer programs. In most implementations, the heap management library ...
Comprehensively and efficiently protecting the heap
Proceedings of the 2006 ASPLOS Conference

The goal of this paper is to propose a scheme that provides comprehensive security protection for the heap. Heap vulnerabilities are increasingly being exploited for attacks on computer programs. In most implementations, the heap management library ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference

December 2010

419 pages

ISBN:9781450301336

DOI:10.1145/1920261

Conference Chair:
Carrie Gates
CA Labs
,
Program Chairs:
Michael Franz
University of California, Irvine
,
John McDermott
Naval Research Lab

Copyright © 2010 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 December 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article

Funding Sources

Conference

ACSAC '10

Sponsor:

ACSA

ACSAC '10: 2010 Annual Computer Security Applications Conference

December 6 - 10, 2010

Texas, Austin, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

25
Total Citations
View Citations
504
Total Downloads

Downloads (Last 12 months)25
Downloads (Last 6 weeks)0

Reflects downloads up to 26 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Park YLee HJung JKoo HKim H(2024)Benzene: A Practical Root Cause Analysis System with an Under-Constrained State Mutation2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00074(1865-1883)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00074
Decourcelle JTeabe BHagimont D(2024)JITBULL: Securing JavaScript Runtime with a Go/No-Go Policy for JIT Engine2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN58291.2024.00028(156-168)Online publication date: 24-Jun-2024
https://doi.org/10.1109/DSN58291.2024.00028
Lee YKwak JKang JJeon YLee BCalandrino JTroncoso C(2023)PSPRAYProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620619(6825-6842)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620619
Qi XXie TPan RZhu JYang YBu K(2022)Towards Practical Deployment-Stage Backdoor Attack on Deep Neural Networks2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)10.1109/CVPR52688.2022.01299(13337-13347)Online publication date: Jun-2022
https://doi.org/10.1109/CVPR52688.2022.01299
Hu ZChen PZhu MLiu P(2021)A Co-Design Adaptive Defense Scheme With Bounded Security Damages Against Heartbleed-Like AttacksIEEE Transactions on Information Forensics and Security10.1109/TIFS.2021.311351216(4691-4704)Online publication date: 2021
https://doi.org/10.1109/TIFS.2021.3113512
Liu BOlivier PRavindran B(2019)SlimGuardProceedings of the 20th International Middleware Conference10.1145/3361525.3361532(1-13)Online publication date: 9-Dec-2019
https://dl.acm.org/doi/10.1145/3361525.3361532
Jang DKim JLee HPark MJung YKim MKang B(2019)On the Analysis of Byte-Granularity Heap RandomizationIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2019.2947913(1-1)Online publication date: 2019
https://doi.org/10.1109/TDSC.2019.2947913
Jangda AMishra M(2017)RandHeap: Heap Randomization for Mitigating Heap Spray Attacks in Virtual Machines2017 15th Annual Conference on Privacy, Security and Trust (PST)10.1109/PST.2017.00028(169-16909)Online publication date: Aug-2017
https://doi.org/10.1109/PST.2017.00028
Sood AZeadally S(2016)Drive-By Download Attacks: A Comparative StudyIT Professional10.1109/MITP.2016.8518:5(18-25)Online publication date: Sep-2016
https://doi.org/10.1109/MITP.2016.85
Song JSong JKim J(2015)Detection of Heap-Spraying Attacks Using String Trace GraphInformation Security Applications10.1007/978-3-319-15087-1_2(17-26)Online publication date: 22-Jan-2015
https://doi.org/10.1007/978-3-319-15087-1_2
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents