Detile: Fine-Grained Information Leak Detection in Script Engines
Robert Gawlik, Philipp Koppe, Benjamin Kollenda, Andre Pawlowski, Behrad Garmany, Thorsten Holz

TL;DR
Detile is a system that detects memory disclosure attacks in scripting engines by creating a synchronized clone with re-randomized memory, identifying leaks through inconsistencies in script contexts.
Contribution
The paper introduces Detile, a novel automated detection system for memory disclosure attacks in scripting engines, using process cloning and memory re-randomization.
Findings
Successfully detects memory disclosure attacks in JavaScript engines.
Effective against proprietary software like Internet Explorer.
Demonstrates robustness in empirical evaluation.
Abstract
Memory disclosure attacks play an important role in the exploitation of memory corruption vulnerabilities. By analyzing recent research, we observe that bypasses of defensive solutions that enforce control-flow integrity or attempt to detect return-oriented programming require memory disclosure attacks as a fundamental first step. However, research lags behind in detecting such information leaks. In this paper, we tackle this problem and present a system for fine-grained, automated detection of memory disclosure attacks against scripting engines. The basic insight is as follows: scripting languages, such as JavaScript in web browsers, are strictly sandboxed. They must not provide any insights about the memory layout in their contexts. In fact, any such information potentially represents an ongoing memory disclosure attack. Hence, to detect information leaks, our system creates a clone…
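A simplified model of the clone-and-compare idea described in the abstract, as an added example that is not code from the paper or from Detile. ToyEngine, detect_leaks, the addresses, the clock values and the modelled out-of-bounds read are all constructed assumptions; the example also goes slightly beyond the abstract by showing why non-deterministic inputs have to be synchronized between the two processes.

```python
# Toy model only: two "engine" processes with different (re-randomized) layouts.
class ToyEngine:
    def __init__(self, heap_base, clock):
        self.heap_base = heap_base      # constructed address, differs per process
        self.clock = clock              # process-local time source (non-deterministic input)
        self.array = [10, 20, 30, 40]   # script-visible data, identical in both processes

    def execute(self, op, arg=None):
        """Return the value the script context would observe for one operation."""
        if op == "now":
            return self.clock
        if op == "read":
            if 0 <= arg < len(self.array):
                return self.array[arg]
            # Modelled bug: an out-of-bounds read hands back a layout-dependent value.
            return self.heap_base + 8 * arg
        raise ValueError(f"unknown op: {op}")


def detect_leaks(script, master, clone, synchronize=True):
    """Run each operation in both processes and report values that differ."""
    findings = []
    for step, (op, arg) in enumerate(script):
        seen_master = master.execute(op, arg)
        if synchronize and op == "now":
            # Replay the master's non-deterministic input in the clone so that
            # only layout-dependent values can still differ.
            seen_clone = seen_master
        else:
            seen_clone = clone.execute(op, arg)
        if seen_master != seen_clone:
            findings.append({"step": step, "op": op, "arg": arg,
                             "master": seen_master, "clone": seen_clone})
    return findings


# Constructed sample run: three benign operations and one out-of-bounds read.
SCRIPT = [("read", 0), ("now", None), ("read", 3), ("read", 6)]

if __name__ == "__main__":
    master = ToyEngine(heap_base=0x2A000000, clock=1000)
    clone = ToyEngine(heap_base=0x51C30000, clock=1003)
    for f in detect_leaks(SCRIPT, master, clone):
        print(f"step {f['step']}: {f['op']}({f['arg']}) master={f['master']:#x} "
              f"clone={f['clone']:#x} -> layout-dependent value reached the script")
```

With synchronize=False the clock read at step 1 is flagged as well, which is the false positive that input synchronization removes.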
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Web Application Security Vulnerabilities
