Abstract
Web browsers that support a safe language such as Javascript are becoming a platform of great interest for security attacks. One such attack is a heap-spraying attack: a new kind of attack that combines the notoriously hard to reliably exploit heap-based buffer overflow with the use of an in-browser scripting language for improved reliability. A typical heap-spraying attack allocates a high number of objects containing the attacker’s code on the heap, dramatically increasing the probability that the contents of one of these objects is executed. In this paper we present a lightweight approach that makes heap-spraying attacks in Javascript significantly harder. Our prototype, which is implemented in Firefox, has a negligible performance and memory overhead while effectively protecting against heap-spraying attacks.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, Alexandria, Virginia, U.S.A., November 2005, pp. 340–353. ACM, New York (2005)
Anisimov, A.: Defeating microsoft windows xp sp2 heap protection and dep bypass, http://www.ptsecurity.com
Barrantes, E.G., Ackley, D.H., Forrest, S., Palmer, T.S., Stefanović, D., Zovi, D.D.: Randomized instruction set emulation to disrupt binary code injection attacks. In: Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS2003), Washington, D.C., U.S.A., October 2003, pp. 281–289. ACM, New York (2003)
Berry-Bryne, S.: Firefox 3.5 heap spray exploit (2009), http://www.milw0rm.com/exploits/9181
Bhatkar, S., Duvarney, D.C., Sekar, R.: Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In: Proceedings of the 12th USENIX Security Symposium, Washington, D.C., U.S.A., August 2003, pp. 105–120. USENIX Association (2003)
Bhatkar, S., Sekar, R.: Data space randomization. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 1–22. Springer, Heidelberg (2008)
Bhatkar, S., Sekar, R., DuVarney, D.C.: Efficient techniques for comprehensive protection from memory error exploits. In: 14th USENIX Security Symposium, Baltimore, MD, August 2005, USENIX Association (2005)
Blog, M.A.L.: New backdoor attacks using pdf documents (2009), http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents/
Futuremark Corporation. Peacekeeper The Browser Benchmark, http://service.futuremark.com/peacekeeper/
Cowan, C., Beattie, S., Johansen, J., Wagle, P.: PointGuard: protecting pointers from buffer overflow vulnerabilities. In: Proceedings of the 12th USENIX Security Symposium, Washington, D.C., U.S.A., August 2003, pp. 91–104. USENIX Association (2003)
Daniel, M., Honoroff, J., Miller, C.: Engineering heap overflow exploits with javascript. In: WOOT 2008: Proceedings of the 2nd conference on USENIX Workshop on offensive technologies, Berkeley, CA, USA, pp. 1–6. USENIX Association (2008)
Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: Defending browsers against drive-by downloads: mitigating heap-spraying code injection attacks. In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 88–106. Springer, Heidelberg (2009)
Erlingsson, Ú.: Low-level software security: Attacks and defenses. Technical Report MSR-TR-2007-153, Microsoft Research (November 2007)
Etoh, H., Yoda, K.: Protecting from stack-smashing attacks. Technical report, IBM Research Divison, Tokyo Research Laboratory (June 2000)
Mozilla Foundation. Firefox 3.5b4 (2009), http://developer.mozilla.org
Google. V8 Benchmark Suite - version 5, http://v8.googlecode.com
Intel. Intel architecture software developer’s manual. vol. 2: Instruction set reference (2002)
E. C. M. A. International. ECMA-262: ECMAScript Language Specification. ECMA (European Association for Standardizing Information and Communication Systems), 3rd edn., Geneva, Switzerland (December 1999)
Jorendorff: Anatomy of a javascript object (2008), http://blog.mozilla.com/jorendorff/2008/11/17/anatomy-of-a-javascript-object
Kiriansky, V., Bruening, D., Amarasinghe, S.: Secure execution via program shepherding. In: Proceedings of the 11th USENIX Security Symposium, San Francisco, California, U.S.A., August 2002, USENIX Association (2002)
Krennmair, A.: ContraPolice: a libc extension for protecting applications from heap-smashing attacks (November 2003)
FireEye Malware Intelligence Lab. Heap spraying with actionscript (2009), http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html
Ratanaworabhan, P., Livshits, B., Zorn, B.: Nozzle: A defense against heap-spraying code injection attacks. Technical report, Microsoft Research (November 2008)
Robertson, W., Kruegel, C., Mutz, D., Valeur, F.: Run-time detection of heap-based overflows. In: Proceedings of the 17th Large Installation Systems Administrators Conference, San Diego, California, U.S.A., October 2003, pp. 51–60. USENIX Association (2003)
securiteam.com. Heap spraying: Exploiting internet explorer vml 0-day xp sp2 (2009), http://blogs.securiteam.com/index.php/archives/641
Securitylab. Adobe reader 0-day critical vulnerability exploited in the wild, cve-2009-0658 (2009), http://en.securitylab.ru/nvd/368655.php
skypher.com. Heap spraying (2007), http://skypher.com/wiki/index.php
Sotirov, A.: Heap feng shui in javascript (2007)
TMS. Data execution prevention, http://technet.microsoft.com/en-us/library/cc738483.aspx
Wagle, P., Cowan, C.: Stackguard: Simple stack smash protection for gcc. In: Proceedings of the GCC Developers Summit, Ottawa, Ontario, Canada, May 2003, pp. 243–256 (2003)
www2.webkit.org Sunspider javascript benchmark (2009), http://www2.webkit.org/perf/sunspider-0.9/sunspider.html
www.milw0rm.com Safari (arguments) array integer overflow poc (new heap spray) (2009), http://www.milw0rm.com/exploits/7673
www.packetstormsecurity.org 25bytes-execve (2009), http://www.packetstormsecurity.org/shellcode/25bytes-execve.txt
Xu, J., Kalbarczyk, Z., Iyer, R.K.: Transparent runtime randomization for security. In: 22nd International Symposium on Reliable Distributed Systems (SRDS 2003), Florence, Italy, October 2003, pp. 260–269. IEEE Computer Society, IEEE Press, Los Alamitos (2003)
Younan, Y., Joosen, W., Piessens, F.: Code injection in C and C++: A survey of vulnerabilities and countermeasures. Technical report, Departement Computerwetenschappen, Katholieke Universiteit Leuven (2004)
Younan, Y., Joosen, W., Piessens, F.: Efficient protection against heap-based buffer overflows without resorting to magic. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 379–398. Springer, Heidelberg (2006)
Younan, Y., Pozza, D., Piessens, F., Joosen, W.: Extended protection against stack smashing attacks without performance loss. In: Proceedings of the Twenty-Second Annual Computer Security Applications Conference (ACSAC 2006), pp. 429–438. IEEE Press, Los Alamitos (2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gadaleta, F., Younan, Y., Joosen, W. (2010). BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_1
Download citation
DOI: https://doi.org/10.1007/978-3-642-11747-3_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11746-6
Online ISBN: 978-3-642-11747-3
eBook Packages: Computer ScienceComputer Science (R0)