IE memory protection Null meet april 2015
Download as PPTX, PDF0 likes512 views
Internet Explorer implements a Memory Protector to help mitigate use-after-free (UaF) vulnerabilities. The Memory Protector manages the deallocation of important DOM objects by overwriting freed objects with null content, queueing them for delayed free, and ensuring no references remain before final heap free. This prevents immediate reuse of freed memory blocks and exploits involving UaF vulnerabilities.
![UaF: Exploitation – Object Re-use
Object
B1
B2
Function 1
Function 2
Function …
Vftable
Objectdelete b1 [Object Freed]
0x414141fill(16) [Re-use memory block]
0x414141
B2
b2->hello()](https://image.slidesharecdn.com/iememoryprotection-150523094832-lva1-app6891/85/IE-memory-protection-Null-meet-april-2015-10-320.jpg)
![Fundamental Mitigations
• Non-executable Data Pages [NX]
– PageExec [PaX/Grsecurity]
– DEP [Windows]
– W ^ X [OpenBSD]
– […]
• Address Space Layout Randomization (ASLR)](https://image.slidesharecdn.com/iememoryprotection-150523094832-lva1-app6891/85/IE-memory-protection-Null-meet-april-2015-12-320.jpg)
![Environment Specific Mitigations
• Windows
– SafeSEH, SEHOP
– Stack Protection
– Vftable Guard
– Control Flow Guard
– […]
• Internet Explorer
– Enhanced Protected Mode (EPM)
– Nozzle & Bubble
– Isolated Heap
– Memory Protector
– […]](https://image.slidesharecdn.com/iememoryprotection-150523094832-lva1-app6891/85/IE-memory-protection-Null-meet-april-2015-13-320.jpg)
IE memory protection Null meet april 2015
- 1. Internet Explorer Memory Protection A Brief Overview
- 2. Agenda • Introduction to Use-After-Free (UaF) vulnerabilities • Exploiting UaF vulnerabilities • UaF exploit mitigation through MemoryProtector
- 3. Why Focus on UaF ? http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-attacks.html
- 4. UaF: An Example Dangling Pointer Dereference B1 B2 Object
- 5. UaF: An Example Vftable Intact
- 6. UaF: A Browser Example MS13-080
- 7. UaF: A Browser Example Light Page Heap overwrites free’d chunks with 0xf0 https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx
- 10. UaF: Exploitation – Object Re-use Object B1 B2 Function 1 Function 2 Function … Vftable Objectdelete b1 [Object Freed] 0x414141fill(16) [Re-use memory block] 0x414141 B2 b2->hello()
- 11. UaF: Exploitation - Browser
- 12. Fundamental Mitigations • Non-executable Data Pages [NX] – PageExec [PaX/Grsecurity] – DEP [Windows] – W ^ X [OpenBSD] – […] • Address Space Layout Randomization (ASLR)
- 13. Environment Specific Mitigations • Windows – SafeSEH, SEHOP – Stack Protection – Vftable Guard – Control Flow Guard – […] • Internet Explorer – Enhanced Protected Mode (EPM) – Nozzle & Bubble – Isolated Heap – Memory Protector – […]
- 14. Internet Explorer: Memory Protector • Manage De-allocation / Free of important DOM objects – Overwrite the free’d object with NULL content – Queue for “free” in a per-thread list instead of immediate free at heap manager level. – Real/Heap free is executed during certain conditions. – Ensure no reference to object in stack before actual free at heap manager level This prevents immediate re-use of free’d objects
- 15. Internet Explorer: Memory Protector • MemoryProtection::CMemoryProtector – ProtectedFree – MarkBlocks – ReclaimUnmarkedBlocks Application Free HeapFree Application Free CMemoryProtector:: ProtectedFree HeapFree Before With MemoryProtector
- 17. References • http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of- MemoryProtection-against-use-after-free/ba-p/6556134#.VSeGDxOUenD • https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap- spraying-demystified/ • https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx • http://securityintelligence.com/understanding-ies-new-exploit-mitigations-the- memory-protector-and-the-isolated-heap/#.VS-JRxOUenA
Editor's Notes
- #15: On free, adds block in free’d list without actually free’ing at Heap Manager level. Fills with zero. At the time of sweep, free’s block only if there is no reference in stack