Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Microsoft has been working on a tool called 'Nozzle' to prevent the exploitation of heap spraying attacks and released a whitepaper describing the process. From the whitepaper.
"Heap spraying is a new security attack that significantly increases
the exploitability of existing memory corruption errors in type-unsafe
applications. With heap spraying, attackers leverage their ability to
allocate arbitrary objects in the heap of a type-safe language, such as
JavaScript, literally filling the heap with objects that contain dangerous
exploit code. In recent years, spraying has been used in many real
security exploits, especially in web browsers. In this paper, we describe
Nozzle, a runtime monitoring infrastructure that detects attempts
by attackers to spray the heap. Nozzle uses lightweight emulation
techniques to detect the presence of objects that contain executable
code. To reduce false positives, we developed a notion of global “heap
health”.
We measure the effectiveness of Nozzle by demonstrating that
it successfully detects 12 published and 2,000 synthetically generated
heap-spraying exploits. We also show that even with a detection
threshold set six times lower than is required to detect published malicious
attacks, Nozzle reports no false positives when run over 150
popular Internet sites. Using sampling and concurrent scanning to reduce
overhead, we show that the performance overhead of Nozzle is
less than 7% on average. While Nozzle currently targets heap-based
spraying attacks, its techniques can be applied to a more general class
of attacks in which an attacker attempts to fill the address space with
dangerous code objects."
Good to see MS publishing this sort of research. DDJ has also published an extensive article describing the tool and heap spraying.
Whitepaper: http://research.microsoft.com/pubs/76528/tr-2008-176.pdf
DDJ Article: http://www.ddj.com/security/221900969?cid=RSSfeed_DDJ_Security
Where does one get this Nozzle?
Gip
Posted by: Anonymous | Dec 3, 2009 3:26:48 PM