DICE: A NONDETERMINISTIC MEMORY ALIGNMENT DEFENSE AGAINST HEAP TAICHI
Open Access
- Author:
- Zhong, Wei
- Graduate Program:
- Computer Science and Engineering
- Degree:
- Master of Science
- Document Type:
- Master Thesis
- Date of Defense:
- July 07, 2011
- Committee Members:
- Daniel Kifer, Thesis Advisor/Co-Advisor
- Sencun Zhu, Thesis Advisor/Co-Advisor
- Keywords:
- heap spraying
- allocation granularity
- shellcode injection
- security
- Abstract:
- Heap spraying is a security attack that accounts for much of the popularity of exploits targeting web browsers and the Adobe family of products over the last few years. Combined with a memory corruption vulnerability, such an attack can lead to arbitrary code execution on the victim's host. A typical heap spraying attack populates the application's heap by allocating a large number of heap objects, each composed of a NOP sled followed by malicious code, and then relies on a corrupted pointer to transfer control flow to a location within one of the NOP sleds, eventually causing the malicious code to execute. A recently proposed enhanced heap spraying attack that exploits the allocation granularity of the system gains much more precise control over the location of the malicious code; it thereby removes the need for a NOP sled and renders existing sled-based defenses powerless. In this thesis, we present Dice, a runtime guard that prevents the enhanced heap spraying attack and detects attempts to bypass our countermeasure. Dice works by randomizing the location at which each heap object is allocated and by examining the content of heap objects for unusually long NOP sleds. Our prototype is implemented in SpiderMonkey and integrated into Firefox. We measure the effectiveness of Dice by running a wide variety of benchmarks and comparing the results against an unmodified Firefox. With sampling employed, the average performance slowdown is less than 5%, and the worst-case memory overhead is roughly 2%.
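The following C program is an added illustration of the two ideas in the abstract, written for this page; it is not the thesis's SpiderMonkey implementation, and all constants (a 4 KiB allocation granularity, 256 sprayed objects of 1 KiB, a payload at offset 512, a 64-byte sled threshold) are assumptions chosen for the model. It simulates an address space in which every sprayed object starts on a granule boundary, so the attacker can guess "granule base + 512" without any NOP sled and land on the payload in every object. It then applies a Dice-style response: each object is shifted by a random pad inside its granule, so the same guess almost never lands, and an object that reintroduces a long NOP run to compensate is flagged by the sled check.

```c
/*
 * Model of a granularity-based heap spray and a Dice-style defense.
 * Added example for this page, not the thesis's code. Every constant below
 * is an assumption chosen to make the model small and deterministic.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULARITY    4096u  /* assumed allocator granularity: each object slot starts on a 4 KiB boundary */
#define NOBJ           256u   /* number of sprayed objects (assumed) */
#define CONTENT_LEN    1024u  /* attacker-controlled bytes per object (assumed) */
#define PAYLOAD_OFF    512u   /* where the attacker places the payload inside the content (assumed) */
#define SLED_THRESHOLD 64u    /* assumed: a NOP run at least this long is flagged as a sled */

static const uint8_t NOP = 0x90;
static const uint8_t PAYLOAD[4] = { 0xCC, 0xCC, 0xCC, 0xCC }; /* int3 bytes standing in for shellcode */

static uint8_t heap[NOBJ * GRANULARITY]; /* modelled address space; index 0 is granule-aligned */

/* Deterministic xorshift32 so the simulation is reproducible (not a cryptographic source). */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* One attacker-controlled object: filler, then the payload at a fixed offset.
 * with_sled = 0 models the granularity attack (no NOP sled at all);
 * with_sled = 1 models a classic spray whose filler is a NOP sled. */
static void build_object(uint8_t *obj, int with_sled) {
    memset(obj, with_sled ? NOP : 0x00, CONTENT_LEN);
    memcpy(obj + PAYLOAD_OFF, PAYLOAD, sizeof PAYLOAD);
}

/* Spray NOBJ sled-less objects. Without randomization each object starts exactly on its
 * granule; with it, the start is shifted by a random pad in [0, GRANULARITY - CONTENT_LEN],
 * which keeps the object inside its slot but makes its offset unpredictable. */
static void spray(int randomize) {
    memset(heap, 0, sizeof heap);
    for (size_t k = 0; k < NOBJ; k++) {
        size_t pad = randomize ? rng_next() % (GRANULARITY - CONTENT_LEN + 1) : 0;
        build_object(heap + k * GRANULARITY + pad, 0);
    }
}

/* The attacker's guess: "granule base + PAYLOAD_OFF" for every granule.
 * Returns how many of those guesses actually land on the payload bytes. */
static size_t count_hits(void) {
    size_t hits = 0;
    for (size_t k = 0; k < NOBJ; k++)
        if (memcmp(heap + k * GRANULARITY + PAYLOAD_OFF, PAYLOAD, sizeof PAYLOAD) == 0)
            hits++;
    return hits;
}

size_t hits_without_dice(void) { spray(0); return count_hits(); } /* every guess lands */
size_t hits_with_dice(void)    { spray(1); return count_hits(); } /* only pad == 0 lands */

/* Dice's second check: length of the longest run of NOP bytes in an object. */
size_t longest_nop_run(const uint8_t *buf, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == NOP) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

int flagged_as_sled(const uint8_t *buf, size_t len) {
    return longest_nop_run(buf, len) >= SLED_THRESHOLD;
}

/* An attacker who answers the randomization by bringing the sled back gets caught by the scan. */
int classic_spray_object_flagged(void) { uint8_t obj[CONTENT_LEN]; build_object(obj, 1); return flagged_as_sled(obj, CONTENT_LEN); }
int sledless_object_flagged(void)      { uint8_t obj[CONTENT_LEN]; build_object(obj, 0); return flagged_as_sled(obj, CONTENT_LEN); }

int main(void) {
    printf("guesses landing without randomization: %zu / %u\n", hits_without_dice(), NOBJ);
    printf("guesses landing with randomized placement: %zu / %u\n", hits_with_dice(), NOBJ);
    printf("NOP-sled object flagged: %d, sled-less object flagged: %d\n",
           classic_spray_object_flagged(), sledless_object_flagged());
    return 0;
}
```

In the model the sled-less spray succeeds on all 256 guesses because every object sits at a known offset from a granule boundary; with the random pad, a guess lands only when the pad happens to be zero, so the expected number of hits is about 256/3073 and the attacker is back to needing a sled, which the second check flags. The real thesis operates on SpiderMonkey's allocator and chooses its own padding range and sled threshold; those numbers are not given in the abstract.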