IE Memory Protector
Download as PPTX, PDF2 likes1,238 views
The document provides an overview of use-after-free (UAF) vulnerabilities, exploitation methods, and mitigation strategies implemented in Internet Explorer. It details how the memory protector manages object deallocation to prevent re-use of freed objects, along with various application and environment-specific mitigations. The presentation includes links to references and resources for further understanding of UAF exploit development and mitigation techniques.
![UaF: Exploitation – Object Re-use
Object
B1
B2
Function 1
Function 2
Function …
Vftable
Objectdelete b1 [Object Freed]
0x414141fill(16) [Re-use memory block]
0x414141
B2
b2->hello()](https://image.slidesharecdn.com/iememoryprotection-150427092942-conversion-gate01/85/IE-Memory-Protector-10-320.jpg)
![Fundamental Mitigations
• Non-executable Data Pages [NX]
– PageExec [PaX/Grsecurity]
– DEP [Windows]
– W ^ X [OpenBSD]
– […]
• Address Space Layout Randomization (ASLR)](https://image.slidesharecdn.com/iememoryprotection-150427092942-conversion-gate01/85/IE-Memory-Protector-12-320.jpg)
![Environment Specific Mitigations
• Windows
– SafeSEH, SEHOP
– Stack Protection
– Vftable Guard
– Control Flow Guard
– […]
• Internet Explorer
– Enhanced Protected Mode (EPM)
– Nozzle & Bubble
– Isolated Heap
– Memory Protector
– […]](https://image.slidesharecdn.com/iememoryprotection-150427092942-conversion-gate01/85/IE-Memory-Protector-13-320.jpg)
IE Memory Protector
- 1. Internet Explorer Memory Protection A Brief Overview
- 2. Agenda • Introduction to Use-After-Free (UaF) vulnerabilities • Exploiting UaF vulnerabilities • UaF exploit mitigation through MemoryProtector
- 3. Why Focus on UaF ? http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-attacks.html
- 4. UaF: An Example Dangling Pointer Dereference B1 B2 Object
- 5. UaF: An Example Vftable Intact
- 6. UaF: A Browser Example MS13-080
- 7. UaF: A Browser Example Light Page Heap overwrites free’d chunks with 0xf0 https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx
- 10. UaF: Exploitation – Object Re-use Object B1 B2 Function 1 Function 2 Function … Vftable Objectdelete b1 [Object Freed] 0x414141fill(16) [Re-use memory block] 0x414141 B2 b2->hello()
- 11. UaF: Exploitation - Browser
- 12. Fundamental Mitigations • Non-executable Data Pages [NX] – PageExec [PaX/Grsecurity] – DEP [Windows] – W ^ X [OpenBSD] – […] • Address Space Layout Randomization (ASLR)
- 13. Environment Specific Mitigations • Windows – SafeSEH, SEHOP – Stack Protection – Vftable Guard – Control Flow Guard – […] • Internet Explorer – Enhanced Protected Mode (EPM) – Nozzle & Bubble – Isolated Heap – Memory Protector – […]
- 14. Internet Explorer: Memory Protector • Manage De-allocation / Free of important DOM objects – Overwrite the free’d object with NULL content – Queue for “free” in a per-thread wait-list instead of immediate free at heap manager level. – Real/Heap free is executed during certain conditions. – Ensure no reference to object in thread stack before actual free at heap manager level This prevents immediate re-use of free’d objects
- 15. Internet Explorer: Memory Protector • MemoryProtection::CMemoryProtector – ProtectedFree – MarkBlocks – ReclaimUnmarkedBlocks Application Free HeapFree Application Free CMemoryProtector:: ProtectedFree HeapFree Before With MemoryProtector
- 16. Internet Explorer: Memory Protector • Protected Free – Maintains a per-thread wait-list of freed memory. – On certain bytes threshold, perform mark & sweep: • Mark each with a reference (pointer) in thread stack • Perform Heap Manager level free for each unmarked block • Memory Reclamation / Unprotected Free – During main thread’s message dispatch callback • Long lived Use-after-Free vulnerabilities are still exploitable!
- 18. References • http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of- MemoryProtection-against-use-after-free/ba-p/6556134#.VSeGDxOUenD • https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap- spraying-demystified/ • https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx • http://securityintelligence.com/understanding-ies-new-exploit-mitigations-the- memory-protector-and-the-isolated-heap/#.VS-JRxOUenA • Yuki Chen – The Birth of a Complete IE 11 Exploit Under The New Exploit Mitigation
Editor's Notes
- #15: On free, adds block in free’d list without actually free’ing at Heap Manager level. Fills with zero. At the time of sweep, free’s block only if there is no reference in stack