DICE: A NONDETERMINISTIC MEMORY ALIGNMENT DEFENSE AGAINST HEAP TAICHI

Open Access
Author:
Zhong, Wei
Graduate Program:
Computer Science and Engineering
Degree:
Master of Science
Document Type:
Master Thesis
Date of Defense:
July 07, 2011
Committee Members:
  • Daniel Kifer, Thesis Advisor
  • Sencun Zhu, Thesis Advisor
Keywords:
  • heap spraying
  • allocation granularity
  • shellcode injection
  • security
Abstract:
Heap spraying is a security attack that mostly accounts for the popularity of exploits targeting web browsers and Adobe family products over the last few years. Such an attack, when combined with memory corruption techniques, can lead to arbitrary code execution on victim’s host. A typical heap spraying attack populates application’s heap by allocating large number of heap objects, each composed of NOP sled and malicious code, and then relies on a corrupted pointer to transfer control flow to a location within NOP sled, eventually causing the malicious code to be executed. A recent enhanced heap spraying attack that exploits the allocation granularity of system has a more precise control of the location of malicious code, thus effectively removes the requirement of using NOP sled and renders existing defenses powerless. In this paper, we present Dice, a runtime guard that prevents enhanced heap spraying attack and detects any attempt that targets bypassing our countermeasure. Dice works by randomizing the location of heap object to be allocated and examines the content of heap object for a particular long NOP sled. Our prototype is implemented in SpiderMonkey and integrated into Firefox. We measure the effectiveness of Dice by performing a wide variety of benchmarks and compare the results with genuine Firefox. With sampling employed, the performance slowdown is less than 5% on average, and the memory overhead in the worst case is roughly 2%.