IE Memory Protection, null meet, April 2015
TRANSCRIPT
Internet Explorer Memory Protection
A Brief Overview
Agenda
• Introduction to Use-After-Free (UaF) vulnerabilities
• Exploiting UaF vulnerabilities
• UaF exploit mitigation through MemoryProtector
Why Focus on UaF?
http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-attacks.html
UaF: An Example
Dangling Pointer Dereference
[Diagram: two references, B1 and B2, pointing to the same Object]
UaF: An Example
Vftable Intact
UaF: A Browser Example
MS13-080
UaF: A Browser Example
Light Page Heap overwrites free’d chunks with 0xf0
https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx
UaF: Exploitation
UaF: Exploitation – Object Re-use
[Diagram: Object referenced by B1 and B2; its Vftable points to Function 1, Function 2, Function …]
delete b1 [Object Freed]
0x414141… fill(16) [Re-use memory block]
0x414141… ← B2 [B2 still references the re-used block]
b2->hello()
UaF: Exploitation - Browser
Fundamental Mitigations
• Non-executable Data Pages [NX]
– PageExec [PaX/Grsecurity]
– DEP [Windows]
– W ^ X [OpenBSD]
– […]
• Address Space Layout Randomization (ASLR)
Environment Specific Mitigations
• Windows
– SafeSEH, SEHOP
– Stack Protection
– Vftable Guard
– Control Flow Guard
– […]
• Internet Explorer
– Enhanced Protected Mode (EPM)
– Nozzle & Bubble
– Isolated Heap
– Memory Protector
– […]
Internet Explorer: Memory Protector
• Manage De-allocation / Free of important DOM objects
– Overwrite the free’d object with NULL content
– Queue for “free” in a per-thread list instead of immediate free at heap manager level.
– The real heap free is executed only when certain conditions are met.
– Before the actual free at heap manager level, ensure the stack holds no reference to the object.
This prevents immediate re-use of free’d objects.
Internet Explorer: Memory Protector
• MemoryProtection::CMemoryProtector
– ProtectedFree
– MarkBlocks
– ReclaimUnmarkedBlocks
Before:
Application Free → HeapFree
With MemoryProtector:
Application Free → CMemoryProtector::ProtectedFree → HeapFree
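The following C++ model is an added example, not code from the talk or from Internet Explorer: it replays the "Object Re-use" scenario (delete b1, fill the block, read through b2) against a plain free, and then against the three Memory Protector steps named above (ProtectedFree, MarkBlocks, ReclaimUnmarkedBlocks). The 16-byte arena with a LIFO free list, the `Object` layout, the constructed `kRealVftable` value and the `fake_stack` array are all assumptions made for the demonstration; the real implementation works on the process heap and scans the thread's actual stack.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <vector>

// ---- Toy heap (assumption): fixed 16-byte blocks, LIFO free list, so the block
// freed last is the block handed out next. This is the re-use the slides rely on.
constexpr std::size_t kBlockSize  = 16;
constexpr std::size_t kBlockCount = 8;

struct Arena {
    alignas(8) unsigned char mem[kBlockSize * kBlockCount] = {};
    std::vector<unsigned char*> free_list;
    Arena() {
        for (std::size_t i = kBlockCount; i-- > 0;)
            free_list.push_back(mem + i * kBlockSize);
    }
    unsigned char* alloc() {
        unsigned char* p = free_list.back();
        free_list.pop_back();
        return p;
    }
    // Plain HeapFree: contents untouched, block immediately eligible for re-use.
    void heap_free(unsigned char* p) { free_list.push_back(p); }
    bool is_free(const unsigned char* p) const {
        for (const unsigned char* q : free_list) if (q == p) return true;
        return false;
    }
};

// An "Object" whose first word is the vftable pointer, as on the slides.
struct Object {
    std::uint64_t vftable;   // would point at {Function 1, Function 2, ...}
    std::uint64_t payload;
};
constexpr std::uint64_t kRealVftable = 0x7FF610000000ULL;  // constructed, not a real address

static Object* new_object(Arena& a) {
    return new (a.alloc()) Object{kRealVftable, 0};
}

// ---- Memory Protector model: ProtectedFree / MarkBlocks / ReclaimUnmarkedBlocks ----
struct MemoryProtector {
    struct Entry { unsigned char* block; bool marked; };
    Arena& arena;
    std::vector<Entry> wait_list;   // per-thread deferred-free list in the real thing
    explicit MemoryProtector(Arena& a) : arena(a) {}

    // ProtectedFree: overwrite with NULL bytes and queue the block; no HeapFree yet.
    void protected_free(Object* o) {
        auto* p = reinterpret_cast<unsigned char*>(o);
        std::memset(p, 0, kBlockSize);
        wait_list.push_back({p, false});
    }
    // MarkBlocks: any stack word that points into a queued block marks that block live.
    void mark_blocks(const std::uintptr_t* lo, const std::uintptr_t* hi) {
        for (const std::uintptr_t* w = lo; w < hi; ++w)
            for (Entry& e : wait_list) {
                auto base = reinterpret_cast<std::uintptr_t>(e.block);
                if (*w >= base && *w < base + kBlockSize) e.marked = true;
            }
    }
    // ReclaimUnmarkedBlocks: real HeapFree only for blocks nothing on the stack references.
    std::size_t reclaim_unmarked_blocks() {
        std::size_t reclaimed = 0;
        std::vector<Entry> keep;
        for (Entry& e : wait_list) {
            if (e.marked) { e.marked = false; keep.push_back(e); }
            else { arena.heap_free(e.block); ++reclaimed; }
        }
        wait_list.swap(keep);
        return reclaimed;
    }
};

// "Object Re-use" slide: delete b1, fill the block, read the vftable slot through b2.
std::uint64_t vftable_seen_after_immediate_reuse() {
    Arena a;
    Object* b1 = new_object(a);
    Object* b2 = b1;                                   // second reference to the same object
    a.heap_free(reinterpret_cast<unsigned char*>(b1)); // delete b1
    unsigned char* fill = a.alloc();                   // LIFO: the very same block comes back
    std::memset(fill, 0x41, kBlockSize);               // fill(16) with 'A'
    return b2->vftable;                                // dangling read sees 0x4141414141414141
}

// Same scenario with Memory Protector: the block is zeroed and kept off the free list.
std::uint64_t vftable_seen_after_protected_free() {
    Arena a;
    MemoryProtector mp(a);
    Object* b1 = new_object(a);
    Object* b2 = b1;
    mp.protected_free(b1);
    unsigned char* fill = a.alloc();                   // a different block is handed out
    std::memset(fill, 0x41, kBlockSize);
    return b2->vftable;                                // NULL vftable, not the fill pattern
}

// Reclaim is withheld while a (simulated) stack slot still references the block.
bool reclaim_respects_stack_reference() {
    Arena a;
    MemoryProtector mp(a);
    Object* o = new_object(a);
    auto* block = reinterpret_cast<unsigned char*>(o);
    mp.protected_free(o);
    std::uintptr_t fake_stack[4] = {0, reinterpret_cast<std::uintptr_t>(o), 0, 0};  // constructed
    mp.mark_blocks(fake_stack, fake_stack + 4);
    if (mp.reclaim_unmarked_blocks() != 0 || a.is_free(block)) return false;  // still referenced
    fake_stack[1] = 0;                                                         // reference gone
    mp.mark_blocks(fake_stack, fake_stack + 4);
    if (mp.reclaim_unmarked_blocks() != 1) return false;                       // now released
    return a.is_free(block);
}

int main() {
    std::printf("immediate re-use: vftable slot = 0x%llx\n",
                (unsigned long long)vftable_seen_after_immediate_reuse());
    std::printf("protected free:   vftable slot = 0x%llx\n",
                (unsigned long long)vftable_seen_after_protected_free());
    std::printf("reclaim honours stack reference: %s\n",
                reclaim_respects_stack_reference() ? "yes" : "no");
    return 0;
}
```

The first function reads the vftable slot through the dangling reference and gets back the fill pattern, which is the state an attacker-controlled re-use leaves behind; the second performs the same read after a protected free and sees NULL, because the block was zeroed and never re-issued. The third shows why the stack scan matters: a block stays queued, and so cannot be re-used, for as long as any stack word still points into it.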
Questions?
http://www.twitter.com/abh1sek
http://www.3slabs.com
https://github.com/abhisek/RandomCode/tree/master/Misc/ie_memprotector_nullblr
References
• http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of-MemoryProtection-against-use-after-free/ba-p/6556134#.VSeGDxOUenD
• https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
• https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx
• http://securityintelligence.com/understanding-ies-new-exploit-mitigations-the-memory-protector-and-the-isolated-heap/#.VS-JRxOUenA