Internet Explorer
Memory Protection
A Brief Overview
Agenda
• Introduction to Use-After-Free (UaF) vulnerabilities
• Exploiting UaF vulnerabilities
• UaF exploit mitigation through MemoryProtector
Why Focus on UaF?
http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-attacks.html
UaF: An Example
Dangling Pointer Dereference
[Figure: two pointers, B1 and B2, referencing the same Object]
UaF: An Example
Vftable Intact
UaF: A Browser Example
MS13-080
UaF: A Browser Example
Light Page Heap overwrites free’d chunks with 0xf0
https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx
UaF: Exploitation
UaF: Exploitation – Object Re-use
[Figure: Object referenced by B1 and B2, with a vftable of Function 1, Function 2, …; `delete b1` frees the Object; a 16-byte fill with 0x414141 re-uses the freed memory block; `b2->hello()` is then called through the re-used block]
UaF: Exploitation - Browser
Fundamental Mitigations
• Non-executable Data Pages [NX]
– PageExec [PaX/Grsecurity]
– DEP [Windows]
– W ^ X [OpenBSD]
– […]
• Address Space Layout Randomization (ASLR)
Environment Specific Mitigations
• Windows
– SafeSEH, SEHOP
– Stack Protection
– Vftable Guard
– Control Flow Guard
– […]
• Internet Explorer
– Enhanced Protected Mode (EPM)
– Nozzle & Bubble
– Isolated Heap
– Memory Protector
– […]
Internet Explorer: Memory Protector
• Manages de-allocation (free) of important DOM objects
– Overwrites the free’d object with NULL content
– Queues the block for “free” on a per-thread wait-list instead of freeing it immediately at the heap manager level.
– The real heap free is executed only under certain conditions.
– Ensures there is no reference to the object on the thread stack before the actual free at the heap manager level.
This prevents immediate re-use of free’d objects.
Internet Explorer: Memory Protector
• MemoryProtection::CMemoryProtector
– ProtectedFree
– MarkBlocks
– ReclaimUnmarkedBlocks
[Figure: Before: Application Free → HeapFree. With MemoryProtector: Application Free → CMemoryProtector::ProtectedFree → HeapFree]
Internet Explorer: Memory Protector
• Protected Free
– Maintains a per-thread wait-list of freed memory.
– When a byte threshold is reached, performs mark & sweep:
• Mark each block that is referenced by a pointer on the thread stack
• Perform a heap manager level free for each unmarked block
• Memory Reclamation / Unprotected Free
– During the main thread’s message dispatch callback
• Long-lived Use-after-Free vulnerabilities are still exploitable!
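The three routines named on the previous slide map onto a small, constructed C model, added here as an illustration; it is not code from the slides or from Microsoft's CMemoryProtector. ProtectedFree zero-fills the block and queues it on a per-thread wait-list, MarkBlocks scans a stack range for pointer-sized words that point into a queued block, and ReclaimUnmarkedBlocks hands only the unreferenced blocks to the heap manager. The `mp_*` names, the wait-list size, and the simulated stack array in `mp_demo` are assumptions; the real implementation walks the actual thread stack, and its byte threshold is not given on the slides, so the sweep is triggered explicitly here. The same model also covers the note on slide 15 at the end of the deck.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of CMemoryProtector (constructed; names and sizes are assumptions) */
#define MP_MAX_WAIT 64

typedef struct { void *ptr; size_t size; int marked; } mp_entry;

typedef struct {
    mp_entry entries[MP_MAX_WAIT]; /* per-thread wait-list of protected-freed blocks */
    size_t   count;
    size_t   bytes_waiting;        /* bytes queued since the last reclamation */
} mp_protector;

/* ProtectedFree: overwrite the block with zeros and queue it instead of calling free().
 * Returns 1 when queued, 0 when the wait-list is full. */
int mp_protected_free(mp_protector *mp, void *ptr, size_t size)
{
    if (mp->count == MP_MAX_WAIT) return 0;
    memset(ptr, 0, size);          /* a dangling vftable pointer now reads as NULL */
    mp->entries[mp->count].ptr = ptr;
    mp->entries[mp->count].size = size;
    mp->entries[mp->count].marked = 0;
    mp->count++;
    mp->bytes_waiting += size;
    return 1;
}

/* MarkBlocks: every pointer-sized word in [stack_lo, stack_hi) that points into a
 * queued block (interior pointers included) marks that block as still referenced. */
void mp_mark_blocks(mp_protector *mp, const void *stack_lo, const void *stack_hi)
{
    const uintptr_t *w;
    for (w = (const uintptr_t *)stack_lo; (const void *)(w + 1) <= stack_hi; w++) {
        for (size_t i = 0; i < mp->count; i++) {
            uintptr_t base = (uintptr_t)mp->entries[i].ptr;
            if (*w >= base && *w < base + mp->entries[i].size)
                mp->entries[i].marked = 1;
        }
    }
}

/* ReclaimUnmarkedBlocks: hand unmarked blocks to the heap manager, keep marked ones
 * queued. Returns the number of blocks actually freed. */
size_t mp_reclaim_unmarked_blocks(mp_protector *mp)
{
    size_t freed = 0, kept = 0;
    for (size_t i = 0; i < mp->count; i++) {
        if (mp->entries[i].marked) {
            mp->entries[i].marked = 0;           /* reset for the next sweep */
            mp->entries[kept++] = mp->entries[i];
        } else {
            mp->bytes_waiting -= mp->entries[i].size;
            free(mp->entries[i].ptr);
            freed++;
        }
    }
    mp->count = kept;
    return freed;
}

/* One mark & sweep cycle over the given stack range */
size_t mp_sweep(mp_protector *mp, const void *stack_lo, const void *stack_hi)
{
    mp_mark_blocks(mp, stack_lo, stack_hi);
    return mp_reclaim_unmarked_blocks(mp);
}

/* Walk-through on a simulated thread stack (a plain array standing in for stack words).
 * Returns 1 if every step behaves as the slides describe. */
int mp_demo(void)
{
    mp_protector mp;
    unsigned char *obj_a = malloc(32), *obj_b = malloc(32);
    uintptr_t stack[4];
    memset(&mp, 0, sizeof mp);
    if (!obj_a || !obj_b) return 0;
    memset(obj_a, 0xAA, 32);         /* 0xAA.. stands in for a live vftable pointer */
    memset(obj_b, 0xBB, 32);

    stack[0] = 0x41414141u;          /* unrelated data */
    stack[1] = (uintptr_t)obj_b + 8; /* dangling interior pointer into obj_b */
    stack[2] = 0;
    stack[3] = 0;

    mp_protected_free(&mp, obj_a, 32);
    mp_protected_free(&mp, obj_b, 32);
    /* A read through the dangling pointer now sees zeros, not the old vftable */
    if (obj_b[0] != 0 || mp.count != 2 || mp.bytes_waiting != 64) return 0;

    /* Sweep 1: obj_a has no stack reference and is freed; obj_b stays queued */
    if (mp_sweep(&mp, stack, stack + 4) != 1) return 0;
    if (mp.count != 1 || mp.entries[0].ptr != (void *)obj_b) return 0;

    /* Sweep 2: the stack no longer references obj_b, so it is reclaimed too */
    stack[1] = 0;
    if (mp_sweep(&mp, stack, stack + 4) != 1) return 0;
    return mp.count == 0 && mp.bytes_waiting == 0;
}
```

The walk-through shows both halves of the mitigation: immediately after the protected free the memory is zeroed rather than handed back, so a dangling `b2->hello()`-style dispatch finds a NULL vftable instead of attacker-filled data, and the block is only returned to the heap manager once no word on the thread stack points into it. It also shows the limit the last bullet states: a reference that outlives the sweep (a long-lived dangling pointer held elsewhere than the stack, or re-used after reclamation) is outside what the wait-list can catch.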
Questions?
http://www.twitter.com/abh1sek
http://www.3slabs.com
https://github.com/abhisek/RandomCode/tree/master/Misc/ie_memprotector_nullblr
References
• http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of-MemoryProtection-against-use-after-free/ba-p/6556134#.VSeGDxOUenD
• https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
• https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx
• http://securityintelligence.com/understanding-ies-new-exploit-mitigations-the-memory-protector-and-the-isolated-heap/#.VS-JRxOUenA
• Yuki Chen – The Birth of a Complete IE 11 Exploit Under The New Exploit Mitigation
Editor's Notes

• #15 On free, adds the block to a free’d list without actually freeing it at the heap manager level, and fills it with zero. At the time of the sweep, frees the block only if there is no reference to it on the stack.