If a node calculates that it does not have enough storage capacity for the table, it initiates the group formation algorithm. To minimize the number of times an original tuple must be transmitted to make it available to every member of a group, we require that all nodes in the group are within broadcast range of each other. A second required property of a group is that it must have enough cumulative storage capacity to accommodate the table of predicates. If these requirements cannot be met, the join classification (see Section 3.2) is not intermediate but rather.

Nozzle: A Defense Against Heap-spraying Code Injection Attacks

Paruj Ratanaworabhan, Cornell University, paruj@csl.cornell.edu
Benjamin Livshits, Microsoft Research, livshits@microsoft.com
Benjamin Zorn, Microsoft Research, zorn@microsoft.com

Abstract

Heap spraying is a security attack that increases the exploitability of memory corruption errors in type-unsafe applications. In a heap-spraying attack, an attacker coerces an application to allocate many objects containing malicious code in the heap, increasing the success rate of an exploit that jumps to a location within the heap. Because heap layout randomization necessitates new forms of attack, spraying has been used in many recent security exploits. Spraying is especially effective in web browsers, where the attacker can easily allocate the malicious objects using JavaScript embedded in a web page.

In this paper, we describe Nozzle, a runtime heap-spraying detector. Nozzle examines individual objects in the heap, interpreting them as code and performing a static analysis on that code to detect malicious intent. To reduce false positives, we aggregate measurements across all heap objects and define a global heap health metric. We measure the effectiveness of Nozzle by demonstrating that it successfully detects 12 published and 2,000 synthetically generated heap-spraying exploits. We also show that even with a detection threshold set six times lower than is required to detect published malicious attacks, Nozzle reports no false positives when run over 150 popular Internet sites. Using sampling and concurrent scanning to reduce overhead, we show that the performance overhead of Nozzle is less than 7% on average. While Nozzle currently targets heap-based spraying attacks, its techniques can be applied to any attack that attempts to fill the address space with malicious code objects (e.g., stack spraying [42]).

1 Introduction

In recent years, security improvements have made it increasingly difficult for attackers to compromise systems.
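The abstract's idea of measuring each heap object and then aggregating into a global heap health metric can be sketched as follows. This is an added example, not Nozzle's code: it replaces Nozzle's static analysis with a toy count of one-byte fall-through x86 opcodes, and the function names, threshold, and sample heaps are assumptions constructed for illustration.

```python
# Added illustration: toy stand-in for Nozzle's per-object analysis (assumption).
# One-byte 32-bit x86 opcodes that execute and fall through to the next byte:
# 0x90 nop, 0x40-0x5f inc/dec/push/pop reg. Real decoding covers far more.
FALL_THROUGH = frozenset([0x90, *range(0x40, 0x60)])
MIN_SLIDE = 16    # assumed: shortest run treated as a usable landing zone
THRESHOLD = 0.5   # assumed alert level, not a value from the paper


def surface_area(obj: bytes) -> int:
    """Count offsets from which execution would slide >= MIN_SLIDE bytes."""
    slide = area = 0
    for byte in reversed(obj):
        slide = slide + 1 if byte in FALL_THROUGH else 0
        if slide >= MIN_SLIDE:
            area += 1
    return area


def object_ratio(obj: bytes) -> float:
    """Local measurement: fraction of one object that looks like a sled."""
    return surface_area(obj) / len(obj) if obj else 0.0


def heap_health(objects) -> float:
    """Global measurement: sled-like bytes over all heap bytes."""
    total = sum(len(o) for o in objects)
    return sum(surface_area(o) for o in objects) / total if total else 0.0


# Constructed sample heaps (not captured data).
UPPERCASE = b"A" * 64  # benign text that also decodes as 64 x "inc ecx"
BENIGN_HEAP = [
    UPPERCASE,
    b"hello world, this is ordinary page text. " * 20,
    bytes(1024),
]
SPRAY_BLOCK = b"\x90" * 4096 + b"\xcc" * 64  # 0xcc (int3) is an inert placeholder
SPRAYED_HEAP = BENIGN_HEAP + [SPRAY_BLOCK] * 200

if __name__ == "__main__":
    print("uppercase object alone:", round(object_ratio(UPPERCASE), 3))
    print("benign heap, global:  ", round(heap_health(BENIGN_HEAP), 3))
    print("sprayed heap, global: ", round(heap_health(SPRAYED_HEAP), 3))
```

The uppercase string exceeds the threshold when judged on its own, but the benign heap as a whole does not, which is the false-positive reduction the abstract attributes to global aggregation.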