Upload File

ie memory protection null meet april 2015

17
Internet Explorer Memory Protection A Brief Overview

Upload: nu-the-open-security-community

Post on 20-Jul-2015

78 views

Category:

Technology


6 download

Report

TRANSCRIPT

Page 1: IE memory protection Null meet april 2015

Internet ExplorerMemory Protection

A Brief Overview

Page 2: IE memory protection Null meet april 2015

Agenda

• Introduction to Use-After-Free (UaF) vulnerabilities

• Exploiting UaF vulnerabilities

• UaF exploit mitigation through MemoryProtector

Page 3: IE memory protection Null meet april 2015

Why Focus on UaF ?

http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-attacks.html

Page 4: IE memory protection Null meet april 2015

UaF: An Example

Dangling Pointer Dereference

B1 B2

Object

Page 5: IE memory protection Null meet april 2015

UaF: An Example

Vftable Intact

Page 6: IE memory protection Null meet april 2015

UaF: A Browser Example

MS13-080

Page 7: IE memory protection Null meet april 2015

UaF: A Browser Example

Light Page Heap overwrites free’d chunks with 0xf0

https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx

Page 8: IE memory protection Null meet april 2015

UaF: Exploitation

Page 9: IE memory protection Null meet april 2015

UaF: Exploitation

Page 10: IE memory protection Null meet april 2015

UaF: Exploitation – Object Re-use

ObjectB1B2

Function 1

Function 2

Function …

Vftable

Objectdelete b1 [Object Freed]

0x414141fill(16) [Re-use memory block]

0x414141B2

b2->hello()

Page 11: IE memory protection Null meet april 2015

UaF: Exploitation - Browser

Page 12: IE memory protection Null meet april 2015

Fundamental Mitigations

• Non-executable Data Pages [NX]

– PageExec [PaX/Grsecurity]

– DEP [Windows]

– W ^ X [OpenBSD]

– […]

• Address Space Layout Randomization (ASLR)

Page 13: IE memory protection Null meet april 2015

Environment Specific Mitigations

• Windows– SafeSEH, SEHOP– Stack Protection– Vftable Guard– Control Flow Guard– […]

• Internet Explorer– Enhanced Protected Mode (EPM)– Nozzle & Bubble– Isolated Heap– Memory Protector– […]

Page 14: IE memory protection Null meet april 2015

Internet Explorer: Memory Protector

• Manage De-allocation / Free of important DOM objects

– Overwrite the free’d object with NULL content

– Queue for “free” in a per-thread list instead of immediate free at heap manager level.

– Real/Heap free is executed during certain conditions.

– Ensure no reference to object in stack before actual free at heap manager level

This prevents immediate re-use of free’d objects

Page 15: IE memory protection Null meet april 2015

Internet Explorer: Memory Protector

• MemoryProtection::CMemoryProtector

– ProtectedFree

– MarkBlocks

– ReclaimUnmarkedBlocks

Application Free

HeapFree

Application Free

CMemoryProtector::ProtectedFree

HeapFree

BeforeWith MemoryProtector

Page 16: IE memory protection Null meet april 2015

Questions ?

http://www.twitter.com/abh1sekhttp://www.3slabs.com

https://github.com/abhisek/RandomCode/tree/master/Misc/ie_memprotector_nullblr

http://www.twitter.com/abh1sek
http://www.3slabs.com
https://github.com/abhisek/RandomCode/tree/master/Misc/ie_memprotector_nullblr
Page 17: IE memory protection Null meet april 2015

References

• http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of-MemoryProtection-against-use-after-free/ba-p/6556134#.VSeGDxOUenD

• https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

• https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx

• http://securityintelligence.com/understanding-ies-new-exploit-mitigations-the-memory-protector-and-the-isolated-heap/#.VS-JRxOUenA


30 66. on a QR2— B' --> QR2— kinjyo@kknrg · Title (null) Author (null) Subject (null) Keywords (null) Created Date: Thursday, June 20, 2019

SQL Tuning Briefing Null is not equal to null but null is null

Null object

B-trees and Hash Tables Dynamic Indexability and …yike/talks/external-lb-overview.pdfExternal Hashing null null null null null null null 1 21 32 82 64 34 24 55 h(x) = last digit

THE IOS MDM PROTOCOL - Darth Null | Darth Null

FAX 06 TEL -6386-2123 E—Mail : [email protected] FAX ......E-Mail Title (null) Author (null) Subject (null) Keywords (null) Created Date Friday, April 10, 2009

(null) - Erika-tanoda · Title (null) Author \(null\) Subject \(null\) Keywords \(null\) Created Date: 4/18/2012 5:40:54 PM

Acute Stress Throughout the Memory Cycle: Diverging ... · mentioned null effects on associative memory, one study found that postencoding stress enhanced memory for verbal film infor-mation

Next-Generation Programming: Rust and Elm · no “billion dollar mistake” (null) immutable by default Rust Elm. Rust: “Memory safety, no data races”

ampatuanfiles.comampatuanfiles.com/media/cf/AMP02/AMP02.031.pdf · Author (null) Subject (null) Keywords (null) Created Date: 2011/10/18 16:35

IEX Bulletin VOlUME 5 India... · 07bUll Power Market Update: February’18 bUllETIN llET IE IE lETIN IE IE IE IE IE IE IE IE bUllETIN bUllETIN bUllETIN IE bUll bUllETIN ll bUll 08bUll

Beat Guard Recruitment 2016‐ List of Additional Candidates ... · 1032810 187418229947mr. hiren keshubhai gediya 28/07/1995m amreli amreli sebc false null null null 112.25null null

Plus loin avec SQLLagaffe Gaston (null) Prunelle Léon (3 rows) L’affichage(null)estobtenuaveclaméta-commande\pset null (null)dushellpsql. 1.2.4 NULLETLESPRÉDICATS • DansunprédicatduWHERE:

Null subjects and null D: historical evidence from Germanicwalkden.space/Walkden_2016_D.pdf · Null subjects and null D: historical evidence from Germanic George Walkden Division

Null Terminators

The ‘Epidemiological Signal Detection’ Package · timeunit mu0 theta alpha cARL Mtilde M Change week NULL log(1.2) NULL 0.25 1 -1 intercept month NULL log(1.2) NULL 0.25 1 -1

Bayes Factor Null Hypothesis Tests are still Null Hypothesis Tests.pdf

Null Subject vs. Null Object: Some Evidence from the ... · Null Subjectvs. Null Object: Some Evidence from the Acquisition ofChinese and English* Qi Wang,t Diane Lillo-Martin,tCatherineT

Memory Taken from Digital Design and Computer Architecture by Harris and Harris and Computer Organization and Architecture by Null and Lobur

CALIFORNIA EVICTIONS ARE FAST AND FREQUENT...Del Norte 0 0 0 110 0% El Dorado 7 0 7 536 1% Fresno 2,625 172 2,797 4,492 62% Glenn null (database error) null null null null Humboldt

12500 TI Boulevard, MS 8640, Dallas, Texas 75243 PCN ......LM2990T-15/NOPB null LM2990T-5.0 null LM2990T-5.0/NOPB null LM2990T-5.2/NOPB null LM2991S/NOPB null LM2991SX/NOPB null LM2991T/NOPB

Null Graph

NLP-EYE: Detecting Memory Corruptions via Semantic-Aware …romangol/publications/raid19.pdf · 2020-03-16 · NLP-EYE reports typical memory corruption vulnerabili-ties, i.e., null

Release 0.2dev Christian S. Perone · nome 512 non-null values nomeParlamentar 512 non-null values partido 512 non-null values sexo 512 non-null values uf 512 non-null values dtypes:

IE Memory Protector

(null) - Gouv

[email protected] PENNSYLVANIA VEGETABLE › wp-content › uploads › PA... · Washington Venetia 10 19 21 Westmoreland Jeannette null 22.5 null null 8 null York York 60 45 52.5

An analysis of the gravitational waves null memory

Firebird Null Guide · Firebird Null Guide NULL behaviour and pitfalls in Firebird SQL Paul Vinkenoog Version 1.2, 30 June 2020

Naam: - Collegiate...dr ie v ie r t ie n f ie ts d ie p t ie r m ie r d ie r s ie k d ie f p ie p s ie n br ie f pap ie r w ie n ie ie PIEP! PIEP! sounds like “ i ” in English

NULL Functions

Null Constituents.ppt

IE IL IE vrr vrr IE IE&

Null subjects

NULL - OpenSAMM