Problem:
Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type-unsafe applications. With heap spraying, attackers leverage their ability to allocate arbitrary objects in the heap of a type-safe language, such as JavaScript, literally filling the heap with objects that contain dangerous exploit code. In recent years, spraying has been used in many real security exploits, especially in Web browsers.
Solution:
We propose Nozzle, a runtime monitoring infrastructure that detects attempts by attackers to spray the heap. Nozzle uses lightweight emulation techniques to detect the presence of objects that contain executable code. To reduce false positives, we developed a notion of global “heap health”.
Unlike previous security attacks, a successful heap spraying attack has the property that a large fraction of the heap is affected by the attack. Nozzle proposes a two-level approach to detecting such attacks: scanning objects locally while at the same time maintaining heap health metrics globally.
At the individual object level, Nozzle performs lightweight interpretation of heap-allocated objects, treating them as though they were code. This allows us to recognize potentially unsafe code by interpreting it within a safe environment, the way it would be run on a CPU, and looking for indications of malicious activity.
The Nozzle lightweight emulator scans heap-allocated object data to identify valid x86 code sequences, disassembling the code and building a control flow graph. Because the attack jump target cannot be precisely controlled, the emulator follows control flow to identify basic blocks that are likely to be reached through jumps from multiple offsets into the object. Our local detection process has elements in common with published methods for sled detection in network packet processing. Unfortunately, the density of the x86 instruction set makes the contents of many objects look like executable code, and as a result, published methods lead to high false positive rates.
We have developed a novel approach to mitigate this problem using global heap health metrics, which effectively distinguishes benign allocation behavior from malicious attacks. Fortunately, an inherent property of heap spraying attacks is the fact that such attacks affect the heap globally. Consequently, Nozzle exploits this property to drastically reduce the false positive rate.
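The two-level idea above (a per-object "how many entry offsets reach the same instruction" measure, then a heap-wide normalized metric) is sketched here as an added example; this is not Nozzle's code, and it replaces the real x86 disassembler with a toy decoder that understands only a handful of one-byte instructions and short jumps. The sample objects and the detection threshold are constructed for illustration.

```python
# Simplified model of Nozzle-style heap-spray detection (added example, not Nozzle's code).
# Local level: decode an object from every byte offset with a toy x86 subset decoder,
# follow control flow, and record how many entry offsets reach each instruction.
# Global level: a normalized heap-wide metric that a single sprayed object barely moves.

TOY_OPS = set(range(0x40, 0x60)) | {0x90}   # inc/dec/push/pop reg, nop: 1 byte, fall through
JMP_REL8 = {0xEB, 0x74, 0x75}               # jmp / je / jne with 8-bit displacement: 2 bytes

def decode(buf: bytes, off: int):
    """Successor offsets of the toy instruction at `off`, or None if the byte is not one."""
    op = buf[off]
    if op in TOY_OPS:
        return [off + 1]
    if op in JMP_REL8 and off + 1 < len(buf):
        disp = buf[off + 1] - 256 if buf[off + 1] > 127 else buf[off + 1]
        target = off + 2 + disp
        return [target] if op == 0xEB else [off + 2, target]   # jcc may fall through
    return None  # unknown byte in this toy model: the path ends here

def attack_surface(buf: bytes) -> int:
    """Largest number of distinct entry offsets whose control flow reaches one instruction."""
    reach = [0] * len(buf)
    for start in range(len(buf)):
        seen, work = set(), [start]
        while work:
            pc = work.pop()
            if pc in seen or not 0 <= pc < len(buf):
                continue
            succ = decode(buf, pc)
            if succ is None:
                continue
            seen.add(pc)
            work.extend(succ)
        for pc in seen:
            reach[pc] += 1
    return max(reach) if reach else 0

def heap_health(objects) -> float:
    """Normalized heap-wide surface: summed per-object surface over total heap bytes."""
    total = sum(len(o) for o in objects)
    return sum(attack_surface(o) for o in objects) / total if total else 0.0

def is_sprayed(objects, threshold: float = 0.1) -> bool:
    """Assumed threshold; Nozzle tunes its own against measured benign heaps."""
    return heap_health(objects) > threshold

# Constructed sample objects: a benign buffer with scattered code-like bytes, and a
# sled of nops whose short jump skips two junk bytes before reaching more nops.
BENIGN = bytes([0x00, 0x41, 0x00, 0x50, 0x90, 0x00, 0x00, 0x00]) * 8
SPRAY = b"\x90" * 56 + b"\xeb\x02\x00\x00" + b"\x90" * 4
```

Run stand-alone, `attack_surface(BENIGN)` is 2 while `attack_surface(SPRAY)` is 61, and nine benign objects plus the one sprayed object push `heap_health` from about 0.03 to about 0.12.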
People
- Ben Zorn (zorn@microsoft.com)
- Ben Livshits (livshits@microsoft.com)
- Paruj Ratanaworabhan (pr57@cornell.edu)
Media
- "Nozzle: Counteracting Memory Exploits", by Janie Chang, Dr. Dobbs Journal, November 24, 2009 (also on the MSR website).
- MSDN Channel 9 Video: "Heap Spraying Attack Detection with Nozzle", Ben Livshits and Ben Zorn, interviewed by Peli de Halleux, March 25, 2009
Documents
- "Nozzle: A Defense Against Heap-spraying Code Injection Attacks", Paruj Ratanaworabhan, Benjamin Livshits, and Benjamin Zorn, USENIX Security Symposium, August 2009 (pdf, slides)
- The Nozzle Tech Report
- Three-slide overview of Nozzle
- Nozzle: A defense against heap-spraying code injection attacks (Usenix Security)
- A recent presentation (32 slides).
- Another presentation (23 slides)