DOI: 10.1145/1920261.1920310
Research article

Heap Taichi: exploiting memory allocation granularity in heap-spraying attacks

Published: 06 December 2010

Abstract

Heap spraying is an attack technique commonly used in hijacking browsers to download and execute malicious code. In this attack, attackers first fill a large portion of the victim process's heap with malicious code. Then they exploit a vulnerability to redirect the victim process's control flow to the attackers' code on the heap. Because the location of the injected code is not exactly predictable, traditional heap-spraying attacks need to inject a huge amount of executable code to increase the chance of success. The injected executable code usually includes many NOP-like instructions leading to the attackers' shellcode. Targeting this attack characteristic, previous solutions detect heap-spraying attacks by searching for the presence of such a large amount of NOP sleds and other shellcode.
In this paper, we analyze the implications of modern operating systems' memory allocation granularity and present Heap Taichi, a new heap-spraying technique exploiting the weakness in memory alignment. We describe four new heap object structures that can evade existing detection tools, as well as proof-of-concept heap-spraying code implementing our technique. Our research reveals that a large amount of NOP sleds is not necessary for a reliable heap-spraying attack. In our experiments, we showed that our heap-spraying attacks are a realistic threat by evading existing detection mechanisms. To detect and prevent the new heap-spraying attacks, we propose enhancements to existing approaches and propose to use finer memory allocation granularity in memory managers at all levels. We also studied the impact of our solution on system performance.


Published In

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
December 2010
419 pages
ISBN:9781450301336
DOI:10.1145/1920261

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
