Internet Explorer Memory Protection: A Brief Overview

Uploaded by 3s-labs


Agenda

• Introduction to Use-After-Free (UaF) vulnerabilities

• Exploiting UaF vulnerabilities

• UaF exploit mitigation through MemoryProtector

Why Focus on UaF?

http://blog.tempest.com.br/breno-cunha/perspectives-on-exploit-development-and-cyber-attacks.html

UaF: An Example

Dangling Pointer Dereference

[Figure: two pointers, B1 and B2, both referencing one Object]

UaF: An Example

Vftable Intact

UaF: A Browser Example

MS13-080

UaF: A Browser Example

Light Page Heap overwrites free’d chunks with 0xf0

https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx

UaF: Exploitation

UaF: Exploitation – Object Re-use

[Figure: B1 and B2 both point to one Object; the Object's vftable lists Function 1, Function 2, …]

delete b1 [Object freed]

fill(16) with 0x41 bytes [Re-use memory block: the freed chunk now holds 0x414141…]

b2->hello() [B2 still points at the re-used block, so the call goes through 0x414141… as the vftable pointer]

UaF: Exploitation - Browser

Fundamental Mitigations

• Non-executable Data Pages [NX]

– PageExec [PaX/Grsecurity]

– DEP [Windows]

– W^X [OpenBSD]

– […]

• Address Space Layout Randomization (ASLR)

Environment Specific Mitigations

• Windows

– SafeSEH, SEHOP

– Stack Protection

– Vftable Guard

– Control Flow Guard

– […]

• Internet Explorer

– Enhanced Protected Mode (EPM)

– Nozzle & Bubble

– Isolated Heap

– Memory Protector

– […]

Internet Explorer: Memory Protector

• Manages de-allocation (free) of important DOM objects

– Overwrites the free’d object with NULL (zero) content

– Queues it for “free” in a per-thread wait-list instead of freeing it immediately at the heap-manager level

– The real heap-manager free is executed only under certain conditions

– Ensures no reference to the object remains on the thread stack before the actual heap-manager free

This prevents immediate re-use of free’d objects.

Internet Explorer: Memory Protector

• MemoryProtection::CMemoryProtector

– ProtectedFree

– MarkBlocks

– ReclaimUnmarkedBlocks

Before: Application Free → HeapFree

With MemoryProtector: Application Free → CMemoryProtector::ProtectedFree → HeapFree

Internet Explorer: Memory Protector

• Protected Free

– Maintains a per-thread wait-list of freed memory.

– When the wait-list reaches a certain byte threshold, performs mark & sweep:

• Mark each block that is still referenced by a pointer on the thread stack

• Perform the heap-manager level free for each unmarked block

• Memory Reclamation / Unprotected Free

– During main thread’s message dispatch callback

• Long-lived Use-after-Free vulnerabilities are still exploitable!
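The UaF example earlier in the deck (two references B1 and B2 to one object, delete b1, then b2->hello()) and the MemoryProtector steps just listed (ProtectedFree, MarkBlocks, ReclaimUnmarkedBlocks) can be modelled together. The C program below is an added example written for this page; it is not Internet Explorer's code and not from the deck's author. It assumes a single wait-list instead of IE's per-thread lists, a caller-supplied array that stands in for the thread stack, and constructed values for the byte threshold and list capacity. It shows why the zero-fill plus deferred free defeats the immediate re-use shown in the slides: the dangling reference reads a NULL vftable pointer rather than refilled data, and the block is handed to the real allocator only after no stack word points at it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a DOM object: as in IE's C++ objects, the first field is the vftable pointer. */
typedef struct Object Object;
typedef struct { int (*hello)(Object *self); } Vftable;
struct Object { const Vftable *vtbl; int id; };

static int object_hello(Object *self) { return self->id; }
static const Vftable object_vftable = { object_hello };

/* Wait-list of freed-but-not-released blocks. IE keeps one per thread and scans that thread's
 * stack; this model keeps one list and scans a caller-supplied array standing in for the stack.
 * Capacity and byte threshold are constructed values, not IE's. */
#define WAITLIST_MAX 32
#define RECLAIM_THRESHOLD_BYTES 64

typedef struct { void *ptr; size_t size; int marked; } WaitEntry;
static WaitEntry g_waitlist[WAITLIST_MAX];
static size_t g_count = 0, g_bytes = 0;   /* entries in use, bytes currently queued */

/* MarkBlocks: a stack word pointing into a queued block (interior pointers included) marks it live. */
static void mark_blocks(const uintptr_t *stack_lo, const uintptr_t *stack_hi) {
    for (size_t i = 0; i < g_count; i++) g_waitlist[i].marked = 0;
    for (const uintptr_t *w = stack_lo; w < stack_hi; w++)
        for (size_t i = 0; i < g_count; i++) {
            uintptr_t base = (uintptr_t)g_waitlist[i].ptr;
            if (*w >= base && *w < base + g_waitlist[i].size) g_waitlist[i].marked = 1;
        }
}

/* ReclaimUnmarkedBlocks: the deferred HeapFree. Returns how many blocks were released. */
static size_t reclaim_unmarked_blocks(void) {
    size_t kept = 0, released = 0; g_bytes = 0;
    for (size_t i = 0; i < g_count; i++) {
        if (g_waitlist[i].marked) {            /* still referenced: keep it queued */
            g_bytes += g_waitlist[i].size;
            g_waitlist[kept++] = g_waitlist[i];
        } else {
            free(g_waitlist[i].ptr);
            released++;
        }
    }
    g_count = kept;
    return released;
}

/* ProtectedFree: zero the block (a dangling reader now sees NULL, not stale data), queue it, and
 * run mark & sweep once queued bytes reach the threshold. Returns blocks released by that sweep. */
static size_t protected_free(void *p, size_t size,
                             const uintptr_t *stack_lo, const uintptr_t *stack_hi) {
    memset(p, 0, size);
    if (g_count == WAITLIST_MAX) {             /* list full: sweep now to make room */
        mark_blocks(stack_lo, stack_hi); reclaim_unmarked_blocks();
        if (g_count == WAITLIST_MAX) { free(p); return 0; }   /* every queued block still live */
    }
    g_waitlist[g_count++] = (WaitEntry){ p, size, 0 };
    g_bytes += size;
    if (g_bytes < RECLAIM_THRESHOLD_BYTES) return 0;
    mark_blocks(stack_lo, stack_hi);
    return reclaim_unmarked_blocks();
}

/* The deck's "delete b1 ... b2->hello()" sequence under the mitigation. Returns 1 when the dangling
 * view is zeroed, the block survives a sweep while a stack word points at it, and is released after. */
static int demo_dangling_pointer(void) {
    uintptr_t fake_stack[4] = { 0, 0, 0, 0 };   /* constructed stand-in for the thread stack */
    Object *b1 = malloc(sizeof *b1);
    if (!b1) return 0;
    b1->vtbl = &object_vftable; b1->id = 7;
    Object *b2 = b1; fake_stack[1] = (uintptr_t)b2;   /* second reference, live on the stack; it will dangle */
    protected_free(b1, sizeof *b1, fake_stack, fake_stack + 4);   /* below threshold: no sweep */
    int zeroed = (b2->vtbl == NULL && b2->id == 0);  /* not yet HeapFree'd, so safe to inspect */
    mark_blocks(fake_stack, fake_stack + 4);
    size_t released_while_live = reclaim_unmarked_blocks();       /* expect 0 */
    fake_stack[1] = 0;                          /* reference left the stack */
    mark_blocks(fake_stack, fake_stack + 4);
    size_t released_after = reclaim_unmarked_blocks();            /* expect 1 */
    return zeroed && released_while_live == 0 && released_after == 1;
}

/* Threshold-triggered sweep: two unreferenced 32-byte blocks reach the 64-byte threshold, so the
 * second ProtectedFree releases both. Returns that count (2). */
static size_t demo_threshold_sweep(void) {
    uintptr_t fake_stack[2] = { 0, 0 };
    char *a = malloc(32), *b = malloc(32);
    if (!a || !b) { free(a); free(b); return 0; }
    size_t first = protected_free(a, 32, fake_stack, fake_stack + 2);    /* 32 < 64: no sweep */
    size_t second = protected_free(b, 32, fake_stack, fake_stack + 2);   /* 64 >= 64: sweeps */
    return first == 0 ? second : 0;
}

int main(void) {
    printf("dangling pointer scenario ok: %d\n", demo_dangling_pointer());
    printf("blocks released by threshold sweep: %zu\n", demo_threshold_sweep());
    return 0;
}
```

The stack scan is deliberately conservative: any word that falls anywhere inside a queued block keeps it alive, which is the same trade-off the real mitigation makes (false positives only delay a free). It also makes the deck's closing caveat concrete: a reference that lives on the heap rather than the stack is invisible to the scan, so a long-lived dangling pointer is still released and can still be re-used once the real free happens.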

Questions?

http://www.twitter.com/abh1sek
http://www.3slabs.com

https://github.com/abhisek/RandomCode/tree/master/Misc/ie_memprotector_nullblr

References

• http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of-MemoryProtection-against-use-after-free/ba-p/6556134#.VSeGDxOUenD

• https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

• https://msdn.microsoft.com/en-us/library/ms220938%28v=vs.90%29.aspx

• http://securityintelligence.com/understanding-ies-new-exploit-mitigations-the-memory-protector-and-the-isolated-heap/#.VS-JRxOUenA

• Yuki Chen – The Birth of a Complete IE 11 Exploit Under The New Exploit Mitigation