
IE Memory Protector

This talk presents a brief overview of Use-after-Free (UaF) vulnerabilities and the corresponding exploitation techniques for Internet Explorer (IE), followed by a description of the memory protection schemes implemented in newer versions of IE to mitigate exploitation of such vulnerabilities.


  1. Internet Explorer Memory Protection: A Brief Overview
  2. Agenda
     • Introduction to Use-After-Free (UaF) vulnerabilities
     • Exploiting UaF vulnerabilities
     • UaF exploit mitigation through MemoryProtector
  3. Why Focus on UaF?
     http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-attacks.html
  4. UaF: An Example (diagram: two pointers B1 and B2 reference the same Object; after the object is freed through one of them, the other is a dangling pointer and dereferencing it is the Use-after-Free)
  5. UaF: An Example (diagram: the freed object's vftable is still intact in memory, so the dangling call appears to work)
  6. UaF: A Browser Example: MS13-080
  7. UaF: A Browser Example: Light Page Heap overwrites free'd chunks with 0xf0
     https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx
  8. UaF: Exploitation (screenshot)
  9. UaF: Exploitation (screenshot)
  10. UaF: Exploitation – Object Re-use (diagram)
     • Object referenced by B1 and B2; its vftable holds Function 1, Function 2, ...
     • delete b1 [Object Freed]
     • 0x414141 fill(16) [Re-use memory block]: the freed block is reallocated and filled with 0x41 bytes, so the vftable slot now reads 0x414141...
     • b2->hello(): the virtual call through the dangling pointer goes to an attacker-controlled address
  11. UaF: Exploitation - Browser (screenshot)
  12. Fundamental Mitigations
     • Non-executable Data Pages [NX]
       – PageExec [PaX/Grsecurity]
       – DEP [Windows]
       – W^X [OpenBSD]
       – [...]
     • Address Space Layout Randomization (ASLR)
  13. Environment Specific Mitigations
     • Windows
       – SafeSEH, SEHOP
       – Stack Protection
       – Vftable Guard
       – Control Flow Guard
       – [...]
     • Internet Explorer
       – Enhanced Protected Mode (EPM)
       – Nozzle & Bubble
       – Isolated Heap
       – Memory Protector
       – [...]
  14. Internet Explorer: Memory Protector
     • Manages de-allocation (free) of important DOM objects:
       – Overwrites the freed object's contents with NULL bytes.
       – Queues the block on a per-thread wait list instead of freeing it immediately at the heap manager level.
       – The real heap free is executed only under certain conditions.
       – Ensures no reference to the object remains on the thread stack before the actual heap manager free.
     This prevents immediate re-use of freed objects.
  15. Internet Explorer: Memory Protector
     • MemoryProtection::CMemoryProtector
       – ProtectedFree
       – MarkBlocks
       – ReclaimUnmarkedBlocks
     (diagram) Before: Application Free -> HeapFree. With MemoryProtector: Application Free -> CMemoryProtector::ProtectedFree -> HeapFree.
  16. Internet Explorer: Memory Protector
     • Protected Free
       – Maintains a per-thread wait list of freed memory.
       – Once the wait list reaches a certain byte threshold, performs mark & sweep:
         • Mark each block that has a reference (pointer) on the thread stack.
         • Perform the heap manager level free for each unmarked block.
     • Memory Reclamation / Unprotected Free
       – Runs during the main thread's message dispatch callback.
     • Long-lived Use-after-Free vulnerabilities are still exploitable: a dangling pointer that is not on the stack (or is used only after the block has been swept and reused) is not protected.
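The following C program is an added example, not code from the talk or from Internet Explorer. It models the object re-use attack of slides 4, 5 and 10 and the MemoryProtector behaviour of slides 14 to 16 on a toy heap with deterministic LIFO block reuse. The "thread stack" scanned by mark & sweep is simulated as an explicit array of words, and the allocator, block size, wait-list threshold, and the `protected_free` / `reclaim_unmarked_blocks` names are assumptions chosen for the illustration; they are not IE's real data structures or API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap (assumption for the demo): fixed-size blocks on a LIFO free list, so
 * the block freed most recently is the next one handed out, the reuse a UaF needs. */
#define BLOCK_SIZE 32
#define NBLOCKS 8
static unsigned char heap[NBLOCKS][BLOCK_SIZE];
static void *free_list[NBLOCKS];
static int free_top;

static void heap_init(void) {
    free_top = -1;
    for (int i = NBLOCKS - 1; i >= 0; i--) free_list[++free_top] = heap[i];
}
static void *heap_alloc(void) { return free_top >= 0 ? free_list[free_top--] : NULL; }
static void heap_free(void *p) { free_list[++free_top] = p; }

/* A C++-style object: the first word is the vftable pointer the exploit overwrites. */
typedef struct Obj Obj;
typedef void (*method_t)(Obj *);
struct Obj { const method_t *vftable; int data; };
static void obj_hello(Obj *o) { (void)o; }
static const method_t real_vftable[] = { obj_hello };

/* Slide 10: delete b1, fill the freed block with 0x41, then use b2.
 * Returns the vftable pointer the dangling pointer b2 now sees. */
static uintptr_t uaf_unprotected(void) {
    heap_init();
    Obj *b1 = heap_alloc();
    b1->vftable = real_vftable;
    Obj *b2 = b1;                      /* second reference to the same object */
    heap_free(b1);                     /* object freed, b2 dangles */
    void *reuse = heap_alloc();        /* LIFO: the very same block comes back */
    memset(reuse, 0x41, BLOCK_SIZE);   /* attacker's fill(16) */
    return (uintptr_t)b2->vftable;     /* 0x41414141...: b2->hello() would jump there */
}

/* MemoryProtector-style delayed free (simplified model). Freed blocks are zeroed
 * and queued on a per-thread wait list; once WAIT_THRESHOLD bytes are queued,
 * mark & sweep marks every block some stack word points into and really frees the rest. */
#define WAIT_THRESHOLD 64
static void *wait_list[NBLOCKS];
static size_t wait_count, wait_bytes;

static size_t reclaim_unmarked_blocks(const uintptr_t *stack, size_t nwords) {
    size_t kept = 0, freed = 0;
    for (size_t i = 0; i < wait_count; i++) {
        uintptr_t base = (uintptr_t)wait_list[i];
        int marked = 0;
        for (size_t j = 0; j < nwords && !marked; j++)
            marked = stack[j] >= base && stack[j] < base + BLOCK_SIZE;
        if (marked) wait_list[kept++] = wait_list[i];   /* still referenced: keep waiting */
        else { heap_free(wait_list[i]); freed++; }      /* unreferenced: heap manager free */
    }
    wait_count = kept;
    wait_bytes = kept * BLOCK_SIZE;
    return freed;
}

static void protected_free(void *p, const uintptr_t *stack, size_t nwords) {
    memset(p, 0, BLOCK_SIZE);          /* overwrite freed contents with NULL bytes */
    wait_list[wait_count++] = p;       /* queue instead of freeing immediately */
    wait_bytes += BLOCK_SIZE;
    if (wait_bytes >= WAIT_THRESHOLD) reclaim_unmarked_blocks(stack, nwords);
}

/* Same attack with protected free: the attacker's allocation gets a different
 * block and the dangling vftable reads NULL, a crash instead of a controlled call. */
static uintptr_t uaf_protected(void) {
    heap_init(); wait_count = wait_bytes = 0;
    Obj *b1 = heap_alloc();
    b1->vftable = real_vftable;
    Obj *b2 = b1;
    uintptr_t stack[] = { (uintptr_t)b2 };     /* simulated thread stack holding b2 */
    protected_free(b1, stack, 1);              /* zeroed and queued, not on the free list */
    void *reuse = heap_alloc();                /* a fresh block, not b1's */
    memset(reuse, 0x41, BLOCK_SIZE);
    return (uintptr_t)b2->vftable;             /* 0 */
}

/* Mark & sweep: a is still referenced from the stack and stays queued, b is not
 * and returns to the heap. Once the stack reference is gone, the next sweep frees
 * a too, so a dangling pointer kept elsewhere can still be exploited later.
 * Returns 0 when every step behaves as described. */
static int sweep_demo(void) {
    heap_init(); wait_count = wait_bytes = 0;
    Obj *a = heap_alloc(), *b = heap_alloc();
    uintptr_t stack[] = { (uintptr_t)a, 0 };
    protected_free(a, stack, 2);               /* 32 bytes queued: below threshold */
    protected_free(b, stack, 2);               /* 64 bytes: threshold reached, sweep runs */
    if (!(wait_count == 1 && wait_list[0] == a && heap_alloc() == b)) return 1;
    stack[0] = 0;                              /* reference to a dropped from the stack */
    if (reclaim_unmarked_blocks(stack, 2) != 1 || heap_alloc() != a) return 2;
    return 0;
}

int main(void) {
    printf("unprotected: dangling vftable = 0x%lx\n", (unsigned long)uaf_unprotected());
    printf("protected:   dangling vftable = 0x%lx\n", (unsigned long)uaf_protected());
    printf("mark & sweep demo: %s\n", sweep_demo() == 0 ? "ok" : "mismatch");
    return 0;
}
```

The unprotected run shows why slide 5 matters: the freed chunk is immediately handed back, so the attacker's fill lands exactly where the vftable pointer was. With the delayed, zeroed free the reallocation cannot land on the queued block, and the stack scan keeps a block alive only while a stack word points into it, which is exactly the gap the last bullet of slide 16 describes.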
  17. Questions?
     http://www.twitter.com/abh1sek
     http://www.3slabs.com
     https://github.com/abhisek/RandomCode/tree/master/Misc/ie_memprotector_nullblr
  18. References
     • http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of-MemoryProtection-against-use-after-free/ba-p/6556134#.VSeGDxOUenD
     • https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
     • https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx
     • http://securityintelligence.com/understanding-ies-new-exploit-mitigations-the-memory-protector-and-the-isolated-heap/#.VS-JRxOUenA
     • Yuki Chen – The Birth of a Complete IE 11 Exploit Under The New Exploit Mitigation
