The Economist Web site’s normal number of heap allocations is shown in blue. The purple line shows the number of allocations resulting from an attack named exploit-612, a sharp jump that Nozzle would flag.

“In a spray attack, we don’t have just a few suspicious objects,” Zorn says. “There are thousands, representing a large percentage of the heap. So we came up with an index that would indicate the health of the entire heap—essentially a measure of the fraction of the heap that contains suspicious objects.”

A few suspicious objects won’t raise an alarm. But a high density of suspicious objects is a reliable indication of a heap-spraying attack. The global heap metric index dramatically reduced the false-positive rate.

“We take advantage of the very scheme attackers depend on for exploitation,” Zorn says. “In order for such attacks to work, they must allocate many, many objects; so we monitor whether a significant percentage of the heap contains suspicious objects.”

Using their findings, the team built Nozzle, a run-time tool that takes a two-level approach to detecting heap-spraying attacks.

Nozzle’s lightweight emulator scans heap-allocated objects and treats them as though they are code: it disassembles the code, follows the flow, and builds a control-flow graph. This analysis identifies potentially unsafe code within a safe environment. Nozzle also maintains the global heap metric index.

During testing, Nozzle proved its effectiveness by detecting 100 percent of 12 published and 2,000 synthetically constructed heap-spraying exploits. Even with a detection threshold set six times lower than what is required to detect published malicious attacks, Nozzle reported zero false positives when run against 150 popular Internet sites.
But how does Nozzle affect application performance?

“When we designed the algorithms,” Livshits says, “given that our primary target for protection is the highly competitive browser market, we had to minimize overhead. If browsers slow down to a crawl when Nozzle is running, the technology just wouldn’t be interesting to manufacturers.

“If we examine every single heap object, Nozzle slows down execution by 2 to 14 times. However, by using sampling, we can achieve effective detection and reduce overhead significantly. A sampling rate of 1 in 20 worked for us and incurred only a 5 to 10 percent performance overhead.”
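The global heap-health index Zorn describes above (fraction of the heap held by suspicious objects, so a few hits stay quiet while a spray trips the alarm), combined with the 1-in-20 allocation sampling Livshits quotes, as an added Python example that is not Nozzle's own code. The per-object check is a crude uniform-byte stand-in for Nozzle's disassembly-based emulator, and the 0.5 threshold, object sizes and workload are constructed assumptions.

```python
import random

SAMPLE_RATE = 20   # examine 1 in 20 allocations, the rate quoted in the article
THRESHOLD = 0.5    # alarm when half the sampled heap bytes look suspicious (assumed value)

def is_suspicious(obj: bytes) -> bool:
    """Crude stand-in for Nozzle's per-object emulator (an assumption, not
    Nozzle's real disassembly/control-flow analysis): flag an object when one
    byte value fills more than 90% of it, the shape of a long uniform sled.
    Small objects are skipped."""
    if len(obj) < 64:
        return False
    return max(obj.count(b) for b in set(obj)) > 0.9 * len(obj)

class HeapMonitor:
    """Global heap-health index: fraction of sampled heap bytes belonging to
    objects the per-object check flagged."""
    def __init__(self, sample_rate=SAMPLE_RATE, threshold=THRESHOLD, seed=0):
        self.sample_rate, self.threshold = sample_rate, threshold
        self.rng = random.Random(seed)
        self.sampled_bytes = self.suspicious_bytes = 0

    def on_alloc(self, obj: bytes) -> None:
        # Interpose on allocation; only a 1-in-sample_rate subset is examined.
        if self.rng.randrange(self.sample_rate) != 0:
            return
        self.sampled_bytes += len(obj)
        if is_suspicious(obj):
            self.suspicious_bytes += len(obj)

    def index(self) -> float:
        return self.suspicious_bytes / self.sampled_bytes if self.sampled_bytes else 0.0

    def alarm(self) -> bool:
        return self.index() >= self.threshold

def simulate(n_benign: int, n_spray: int, seed: int = 1) -> tuple[float, bool]:
    """Constructed workload: n_benign mixed-content objects of varied size plus
    n_spray 4 KiB objects of uniform filler standing in for sprayed objects."""
    rng = random.Random(seed)
    heap = [bytes(rng.randrange(256) for _ in range(rng.randrange(16, 512)))
            for _ in range(n_benign)]
    heap += [b"\x41" * 4096] * n_spray
    rng.shuffle(heap)                     # interleave, as real allocations would
    mon = HeapMonitor(seed=seed)
    for obj in heap:
        mon.on_alloc(obj)
    return mon.index(), mon.alarm()

if __name__ == "__main__":
    print("normal heap  :", simulate(2000, 0))
    print("few suspects :", simulate(2000, 5))
    print("spray attack :", simulate(2000, 2000))
```

Because the index is weighted by bytes rather than object count, a handful of flagged objects stays well under the threshold while a spray that dominates the heap pushes it above 0.9 even though only one allocation in twenty is examined.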
Not Just for Browsers

When the researchers started work on the Nozzle project, they had browsers in mind. But when they heard about the PDF exploit earlier this year, they tried an experiment.

“We downloaded the latest copy of Adobe Reader,” Zorn recalls. “We instrumented it using Nozzle, and everything worked without any extra effort on our part. We were thrilled, because this suggested that Nozzle is very general and that its techniques can be applied to any attack that uses embedded JavaScript to fill the address space with malicious code objects.”

Adds Livshits: “The point is that Nozzle raises the bar considerably for the state of the art in this space. It is the first defensive technology to explicitly go after heap spraying. Plus, there is evidence to show that it can be an effective and reliable general tool.”

Always a Next Step

Zorn and Livshits would never suggest that Nozzle alone is sufficient protection against heap spraying. Defense in depth is their recommendation, a combination of tactics to counteract memory exploits.

“Nozzle is orthogonal to other defensive strategies,” Zorn says. “Defensive programming will always be important, and as more systems support mechanisms such as Data Execution Prevention (DEP), there will be more obstacles to heap exploits.”

But doesn’t enabling DEP to prevent execution of code within the heap effectively block all instances of heap exploits?

“There are technical and compatibility issues that prevent DEP from being used in some environments,” Livshits says. “Plus, we are already hearing of attacks that start by turning off DEP. Also, there have been code-injection-spraying attacks in areas where DEP can’t be used. So DEP is not the silver bullet—and neither is Nozzle.”

There is no doubt that once heap-memory exploits are a thing of the past, other threats will appear. Livshits and Zorn relish the challenge, though, because the results of their work are so satisfyingly obvious and demonstrable.
For now, they are interested in those recent code-injection-spraying attacks that foil DEP. They plan to show that Nozzle also can be effective in detecting such attacks—and that the forces for good can count on another tool to help keep software secure.

By Janie Chang, Writer, Microsoft Research. November 23, 2009.