Heap Taichi: Exploiting memory allocation granularity in heap-spraying attacks

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2010, Pages 327-336

  Ding, Yu ^a   Wei, Tao ^a   Wang, Tielei ^a   Liang, Zhenkai ^b   Zou, Wei ^a  

^a PEKING UNIVERSITY   (China)

^b NATIONAL UNIVERSITY OF SINGAPORE   (Singapore)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); MEMORY ARCHITECTURE; STORAGE ALLOCATION (COMPUTER);

DETECTION TOOLS; EXECUTABLE CODES; HEAP SPRAYING; LARGE AMOUNTS; MALICIOUS CODES; OBJECT STRUCTURE; PROOF OF CONCEPT; SHELLCODE; SPRAYING TECHNIQUES; SYSTEM MEMORY;

MALWARE;

EID: 78751539789     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1920261.1920310     Document Type: Conference Paper

References (47)

1. Microsoft Corporation. Data execution prevention. http://technet. microsoft.com/enus/library/cc738483.aspx.
2. The PaX team. http://pax.grsecurity.net.
3. Why is address space allocation granularity 64k? http://blogs.msdn.com/ oldnewthing/archive/2003/10/08/55239.aspx.
4. Microsoft Internet Explorer .ANI file "anjh" header BoF exploit, 2004. http://skypher.com/wiki/index.php?title=www.edup.tudelft.nl/ ~bjwever/details-msie-ani.html.php.
5. Microsoft Internet Explorer DHTML object handling valuerabilities (MS05-20), 2004. http://skypher.com/wiki/index.php?title=www.edup.tudelft.nl/ ~bjwever/advisory-msie-R6025.html.php.
6. Microsoft Internet Explorer IFRAME src&name parameter BoF remote compromise, 2004. http://skypher.com/wiki/index.php?title=www.edup.tudelft.nl/ ~bjwever/advisory-iframe.html.php.
7. Microsoft Internet Explorer javaprxy.dll COM object vulnerability, 2005. http://www.frsirt.com/english/advisories/2005/0935.
8. Microsoft Internet Explorer "msdds.dll" remote code execution, 2005. http://www.frsirt.com/english/advisories/2005/1450.
9. libemu - shellcode detection, 2007. http://libemu.carnivore.it.
10. Pwn2own 2010, 2010. http://dvlabs.tippingpoint.com/blog/2010/02/15/ pwn2own-2010.
11. P. Akritidis, E. P. Markatos, M. Polychronakis, and K. Anagnostakis. STRIDE: Polymorphic sled detection through instruction sequence analysis. In Security and Privacy in the Age of Ubiquitous Computing, 2005.
12. C. Anley, J. Heasman, F. Lindner, and G. Richarte. The Shellcoder's Handbook: Discovering and Exploiting Security Holes. Wiley, 2004.
13. S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In Proceeding of 12th USENIX Security Symposium, 2003.
14. S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient techniques for comprehensive protection from memory error exploits. In Proceedings of 14th USENIX Security Symposium, 2005.
15. D. Blazakis. Interpreter exploitation: Pointer inference and jit spraying. In Blackhat, USA, 2010.
16. D. Brumley, T. Chiueh, R. Johnson, H. Lin, and D. Song. RICH: Automatically protecting against integer-based vulnerabilities. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS), 2007.
17. C. Collberg, C. Thomborson, and D. Low. Manufacturing cheap, resilient, and stealthy opaque constructs. In POPL '98: Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, 1998.
18. CVE, 2007. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007- 0038.
19. M. Daniel, J. Honoroff, and C. Miller. Engineering heap overflow exploits with JavaScript. In Proceedings of the 2nd USENIX Workshop on Offensive Technologies, 2008.
20. T. Detristan, T. Ulenspiegel, and Yann malcom. Polymorphic shellcode engine using spectrum analysis. Phrack 11,57-15 (2001).
21. M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda. Defending browser against drive-by downloads: Mitigating heap-srpaying code injection attacks. In Proceedings of the 6th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2009.
22. M. E.Russinovich and D. A.solomon. Microsoft Wndows Internals, Fourth Edition: Microsoft Windows Server 2003, Windows Xp, and Windows 2000. Microsoft Press, 2008.
23. J. Evans. A scalable concurrent malloc(3) implementation for freebsd. In BSDCan conference, 2006.
24. P. Fogla and W. Lee. Evading network anomaly detection systems: formal reasoning and practical techniques. In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security, 2006.
25. D. R. Hanson. Fast allocation and deallocation of memory based on object lifetimes. Softw. Pract. Exper., 20(1):5-12, 1990.
26. C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning. Address space layout permutation (aslp): Towards fine-grained randomization of commodity software. In ACSAC'06: Proceedings of the 22th Annual Computer Security Applications Conference, 2006.
27. C. Linn and S. Debray. Obfuscation of executable code to improve resistance to static disassembly. In CCS '03: Proceedings of the 10th ACM conference on Computer and communications security, 2003.
28. J. Mason, S. Small, F. Monrose, and G. MacManus. English shellcode. In CCS '09: Proceedings of the 16th ACM conference on Computer and communications security, 2009.
29. M. Polychronakis, K. Anagnostakis, and E. Markatos. Emulation-based detection of non-self-contained polymorphic shellcode. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), 2007.
30. M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Network-level polymorphic shellcode detection using emulation. In Proceedings of the 3rd Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2006.
31. I. V. Popov, S. K. Debray, and G. R. Andrews. Binary obfuscation using signals. In SS'07: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, Berkeley, CA, USA, 2007.
32. P. Ratanaworabhan, B. Livshits, and B. Zorn. NOZZLE: A defense against heap-spraying code injection attacks. In Proceedings of the 18th USENIX Security Symposium, 2009.
33. J. Richter and C. Nasarre. Windows via C/C++ 5th edition. Microsoft Press, 2008.
34. RIX. Writing ia32 alphanumeric shellcodes. Phrack 11,57-15 (2001).
35. P. M. Sanjay Ghemawat, 2005. http://goog-perftools.sourceforge.net/doc/ tcmalloc.html.
36. SecurityFocus. Mozilla Firefox 3.5 'TraceMonkey' component remote code execution vulnerability, 2009. http://www.securityfocus.com/bid/35660.
37. Y. Song, M. E. Locasto, A. Stavrou, A. D. Keromytis, and S. J. Stolfo. On the infeasibility of modeling polymorphic shellcode. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security. ACM, 2007.
38. A. Sotirov. Heap feng shui in JavaScript. In Blackhat, USA, 2007.
39. A. Sotirov. Bypassing browser memory protections in windows vista. In Blackhat, USA, 2008.
40. A. Sotirov and M. Dowd. Bypassing browser memory protections. In BlackHat, USA, 2008.
41. N. Stojanovski, M. Gusev, D. Gligoroski, and Svein.J.Knapskog. Bypassing data execution prevention on microsoftwindows xp sp2. In The Second International Conference on Availability, Reliability and Security (ARES), 2007.
42. T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), 2002.
43. T. Wang, T. Wei, Z. Lin, and W. Zou. IntScope: Automatically detecting integer overflow vulnerability in x86 binary using symbolic execution. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), 2009.
44. O. Whitehouse. An analysis of address space layout randomization on windows vista™. In Symantec Advanced Threat Research, 2007.
45. Y. Younan, W. Joosen, and F. Piessens. Code injection in C and C++ : A survey of vulnerabilities and countermeasures. Technical Report CW386, Department of Computer Science, Katholieke Universiteit Leuven, 2004.
46. A. Young and M. Yung. Cryptovirology: Extortion-based security threats and countermeasures. In SP '96: Proceedings of the 1996 IEEE Symposium on Security and Privacy, page 129, Washington, DC, USA, 1996. IEEE Computer Society.
47. J. Zhuge, T. Holz, C. Song, J. Guo, X. Han, and W. Zou. Studying malicious websites and the underground economy on the chinese web. In Proceedings of the 7th Workshop on the Economics of Information Security (WEIS'08), 2008.