
Tools and techniques for understanding and defending real systems

Tools and techniques for understanding and defending real systems. Jedidiah R. Crandall crandall@cs.ucdavis.edu. Overview. Security is not a problem to be solved, but a battle to be waged by… Antivirus professionals Law enforcement Next-generation security technology developers …


Presentation Transcript


  1. Tools and techniques for understanding and defending real systems Jedidiah R. Crandall crandall@cs.ucdavis.edu

  2. Overview • Security is not a problem to be solved, but a battle to be waged by… • Antivirus professionals • Law enforcement • Next-generation security technology developers • … • Give them the tools they need • Implementations of useful techniques • Theory planted firmly in practice

  3. Vision • How can we address emerging threats (poly/metamorphic worms/botnets, cryptovirology, advanced rootkits, etc.)? • Problem: We don’t have very many real-world samples of these to look at • Solution: Look at the way the samples we have interact with the systems we’re trying to defend

  4. Outline • Code Red II example • Define some basic terms and concepts • Minos • Catches worms • DACODA • Used to understand polymorphism and metamorphism • Temporal Search • Analyzes the payload for timebomb attacks • Looking ahead…

  5. Outline • Code Red II example • Define some basic terms and concepts • Minos • Catches worms • DACODA • Used to understand polymorphism and metamorphism • Temporal Search • Analyzes the payload for timebomb attacks • Looking ahead…

  6. Code Red/Code Red II • Code Red • 359,000 hosts infected • $2.6 billion in cleanup [Computer Economics] • Attempted DoS on White House • Averted after being discovered hours before the attack was to occur • Code Red II • Exploit is basically the same

  7. Exploit-based Worms [diagram: Web Server’s Memory; Next: GET /bla?x=A1B28CD30EE17C]

  8. The Code Red II Exploit GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  9. Three stages of an attack

  10. ε = Exploit Vector GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  11. γ = Bogus Control Data GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  12. π = Payload GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  13. Motivation for ε-γ-π • Different polymorphic/metamorphic techniques for ε, γ, and π • Data can be represented differently on the network and where it is used in the attack trace • “25 75 62 63 64 33 25 75 37 38 30 31” vs. “d3 cb 01 78” for 0x7801cbd3 • “Information only has meaning in that it is subject to interpretation.” [Cohen, 1984]

  14. Network Signatures? GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  15. Polymorphism and metamorphism • Change successive instances of the worm so signature-based network defenses fail • Polymorphic: think syntax • Metamorphic: think semantics • Note: Some researchers call both polymorphism

  16. ε = Exploit Vector GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  17. γ = Bogus Control Data GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  18. π = Payload GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  19. Poly/metamorphism in γ and π • Poly/metamorphic possibilities of π are endless (self-modifying code) • γ: Buttercup [Pasupulati et al. NOMS 2004] • “Register springs” – more details in [Crandall et al.; DIMVA 2005] • 11,009 possibilities for Blaster • 353 for Slammer

  20. Polymorphism of ε GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  21. Polymorphism of ε GET /yutiodr.ida?CEOIUXJASKMDIDD EOXIJOEIJXDXNMDKJXNSKJNXIDOIW R…ATUD%u8743%ubc65%ua999%uffff%u873f%ue875%u4568%u99cc%u8333%u7621%ubb66%u9876%u1000%u8732%u9854%u76cd%udddd%u5555%u5234%uff43%u7632%u5632%ucc=i HTTP/1.0

  22. Metamorphism of ε GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  23. Metamorphism of ε GET /default.ida?X%u61XXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\xd3\xcb\x01\x78XXXXXXXXXXXXXXXXXX=a HTTP/1.0
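An added example (not from the talk) of the representation point on slides 13, 22 and 23: the same control-data value 0x7801cbd3 reaches the server either as the text %ucbd3%u7801 or as the raw bytes d3 cb 01 78. The %u decoder here is a deliberately simplified model and not IIS's real behaviour, and the buffer offsets are constructed.

```python
import re
import struct

# Simplified model of how the host interprets the request path (an assumption
# for this example, not IIS's real decoder): a "%uXXXX" escape becomes the
# 16-bit value XXXX stored little-endian; every other byte is kept as-is.
ESCAPE = re.compile(rb"%u([0-9a-fA-F]{4})")

def interpret(path: bytes) -> bytes:
    """Return the byte string the host sees after decoding %u escapes."""
    return ESCAPE.sub(lambda m: struct.pack("<H", int(m.group(1), 16)), path)

def control_words(path: bytes, start: int, count: int) -> list[int]:
    """Read `count` little-endian 32-bit words from the interpreted bytes,
    beginning at byte offset `start` (where the overflow would place them)."""
    data = interpret(path)[start:start + 4 * count]
    return [w for (w,) in struct.iter_unpack("<I", data)]

# Constructed inputs modelled on slides 13 and 23: one control-data value,
# written two different ways on the wire.
ENCODED = b"XXXX%ucbd3%u7801"       # network form seen on slide 13
RAW = b"XXXX\xd3\xcb\x01\x78"       # raw-byte form seen on slide 23

def syntactic_match(request: bytes) -> bool:
    """A network signature on the literal wire bytes of the address."""
    return b"%ucbd3%u7801" in request

def semantic_match(request: bytes) -> bool:
    """A check on the interpreted value rather than its wire representation."""
    return 0x7801CBD3 in control_words(request, 4, 1)
```

The literal signature fires on only one of the two encodings, while the check on the interpreted value fires on both, which is the invariant DACODA is built to recover.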

  24. Metamorphism of ε

  25. Outline • Code Red II example • Define some basic terms and concepts • Minos • Catches worms • DACODA • Used to understand polymorphism and metamorphism • Temporal Search • Analyzes the payload for timebomb attacks • Looking ahead…

  26. Minos [Crandall and Chong; MICRO 2004] • Tagged architecture that tracks the integrity of every memory word • Network data is tainted • Control data (return pointers, function pointers, jump targets, etc.) should not be • Taint tracking with every instruction • Great for catching worms • Uses the γ mapping

  27. Gratuitous Dante Quote Minos the dreadful snarls at the gate, … and wraps himself in his tail with as many turns as levels down that shade will have to dwell

  28. Minos Implementation • Implemented a full-system tagging scheme in a virtual machine • Linux (modified kernel) • Tracks integrity in the file system • Virtual memory swapping [used by Raksha project] • Windows (unmodified) • Works great as a honeypot for catching worms

  29. How to catch worms…

  30. Only one false positive…

  31. Actually a “non-target pest”

  32. Minos Full-System Evaluation • General Minos concept used in related works (DIFT [Suh et al.; ASPLOS 2004], TaintCheck [Newsome and Song; NDSS 2005]), follow-on works, and at least one commercial product • Important to get things right • e.g. Code Red II – must taint table lookups • Able to build DACODA on top of Minos
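An added toy model of the Minos rule from slides 26 and 32 (not the Minos code): network data carries an integrity tag, control data must never carry it, and a trusted table indexed by a tainted value has to yield a tainted result or the Code Red II decode slips past the check. The lookup table and the request bytes are constructed.

```python
from dataclasses import dataclass

@dataclass
class Word:
    value: int
    tainted: bool = False  # Minos integrity bit: True if derived from network data

class MinosMachine:
    """Toy tagged machine (added illustration, not the Minos implementation)."""

    def __init__(self, taint_table_lookups: bool):
        self.mem: dict[int, Word] = {}
        self.taint_table_lookups = taint_table_lookups

    def receive(self, base: int, data: bytes) -> None:
        for i, b in enumerate(data):       # bytes from the network arrive tainted
            self.mem[base + i] = Word(b, True)

    def store_trusted(self, base: int, data: bytes) -> None:
        for i, b in enumerate(data):       # the program's own tables are trusted
            self.mem[base + i] = Word(b, False)

    def add(self, a: Word, b: Word) -> Word:
        return Word((a.value + b.value) & 0xFFFFFFFF, a.tainted or b.tainted)

    def load(self, addr: Word) -> Word:
        w = self.mem[addr.value]
        # Slide 32: a trusted table indexed by a tainted value yields data the
        # attacker chose, so the loaded word must inherit the index's taint.
        return Word(w.value, w.tainted or (self.taint_table_lookups and addr.tainted))

    def ret(self, target: Word) -> str:
        # Control data (return pointers etc.) must never carry network taint.
        return "ALERT" if target.tainted else "OK"

def code_red_ii_decode(taint_table_lookups: bool) -> str:
    """Constructed model of the %u decode path: each wire byte is translated
    through a table and the decoded bytes end up used as a return address."""
    m = MinosMachine(taint_table_lookups)
    m.store_trusted(0x1000, bytes(range(256)))  # identity table stands in for the real one
    m.receive(0x2000, b"\xd3\xcb\x01\x78")       # wire bytes of 0x7801cbd3 (slide 13)
    target = Word(0)
    for i in range(4):
        idx = m.mem[0x2000 + i]                          # tainted network byte
        decoded = m.load(m.add(Word(0x1000), idx))       # table[base + idx]
        shifted = Word(decoded.value << (8 * i), decoded.tainted)
        target = m.add(target, shifted)                  # assemble little-endian word
    assert target.value == 0x7801CBD3
    return m.ret(target)
```

With table lookups left untainted the decoded address looks clean and the return is accepted; with the slide 32 rule applied the same trace raises the alert.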

  33. Outline • Code Red II example • Define some basic terms and concepts • Minos • Catches worms • DACODA • Used to understand polymorphism and metamorphism • Temporal Search • Analyzes the payload for timebomb attacks • Looking ahead…

  34. DACODA [Crandall et al.; CCS 2005] • DAvis malCODe Analyzer • Discover invariants in the exploit vector (ε) • Symbolic execution on the system trace during attacks that Minos catches • Used for an empirical analysis of polymorphism and metamorphism • Quantify and understand the limits

  35. Worm Polymorphism and Metamorphism • Viruses: Defender has time to pick apart the attacker’s techniques • e.g. Algorithmic scanners, emulation • Worms: Attacker has time to pick apart the deployed network defense techniques • What can defenders do to evaluate the robustness of defenses against attacks that don’t exist yet?

  36. Measuring Poly/metamorphism • [Ma et al.; IMC 2006] • Found relatively little polymorphism “in the wild” • Worm defense designers don’t have samples of the poly/metamorphic techniques attackers will use on their defenses • (Have to build the defense first)

  37. The Epsilon-Gamma-Pi Model

  38. How DACODA Works • “Information only has meaning in that it is subject to interpretation.” [Cohen, 1984] • Gives each byte of network data a unique label • Tracks these through the entire system • Discovers predicates about how the host under attack interprets the network bytes

  39. mov al,[AddressWithLabel1832]   ; AL.expr <= (Label 1832)
      add al,4                        ; AL.expr <= (ADD AL.Expr 4)
                                      ; /* AL.expr == (ADD (LABEL 1832) 4) */
      cmp al,10                       ; ZFLAG.left <= AL.expr
                                      ; /* ZFLAG.left == (ADD (Label 1832) 4) */
                                      ; ZFLAG.right <= 10
      je JumpTargetIfEqualToTen       ; P <= new Predicate(EQUAL ZFLAG.Left ZFLAG.Right)
                                      ; /* P == (EQUAL (ADD (Label 1832) 4) 10) */
                                      ; AddToSetOfKnownPredicates(P)
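The slide 39 trace as an added example (not DACODA's code): every request byte gets a label as on slide 38, expressions are built up through mov/add/cmp, and the je records a predicate that the observed trace satisfied; the `invariant` helper then reads off which byte the exploit must hold fixed. The request bytes are constructed so that the branch is taken.

```python
# Symbolic expressions are nested tuples: ("LABEL", n) is network byte n,
# ("ADD", e, k) adds constant k; concrete values are plain ints.
class Dacoda:
    """Toy DACODA-style tracker for slide 39 (added example, not the real tool)."""

    def __init__(self, request: bytes):
        # Slide 38: every network byte gets a unique label (here: its offset).
        self.request = request
        self.mem = {i: ("LABEL", i) for i in range(len(request))}
        self.regs, self.flags, self.predicates = {}, {}, []

    def concrete(self, e):
        """Value of an expression on this particular trace."""
        if isinstance(e, int):
            return e
        if e[0] == "LABEL":
            return self.request[e[1]]
        return (self.concrete(e[1]) + e[2]) & 0xFF      # ADD on an 8-bit register

    def mov_load(self, reg, addr):           # AL.expr <= (Label addr)
        self.regs[reg] = self.mem.get(addr, 0)

    def add_imm(self, reg, k):               # AL.expr <= (ADD AL.expr k)
        self.regs[reg] = ("ADD", self.regs[reg], k)

    def cmp_imm(self, reg, k):               # ZFLAG.left <= AL.expr ; ZFLAG.right <= k
        self.flags = {"left": self.regs[reg], "right": k}

    def je(self):
        # Control flow depended on network data: record the predicate the
        # observed trace satisfied (EQUAL if the branch was taken, else NOTEQUAL).
        left, right = self.flags["left"], self.flags["right"]
        op = "EQUAL" if self.concrete(left) == self.concrete(right) else "NOTEQUAL"
        self.predicates.append((op, left, right))
        return self.predicates[-1]

def invariant(pred):
    """Reduce (EQUAL (ADD (LABEL n) k) c) to the value byte n must hold."""
    op, left, right = pred
    if op != "EQUAL":
        return None
    while left[0] == "ADD":                  # peel constant adds off the left side
        _, left, k = left
        right -= k
    return left[1], right & 0xFF

def run_slide_39(request: bytes):
    d = Dacoda(request)
    d.mov_load("al", 1832)                   # mov al,[AddressWithLabel1832]
    d.add_imm("al", 4)                       # add al,4
    d.cmp_imm("al", 10)                      # cmp al,10
    return d.je()                            # je JumpTargetIfEqualToTen
```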

  40. Why Full-System Analysis? • Kernel • “Remote Windows Kernel Exploitation – Step Into the Ring 0” by Barnaby Jack • MS05-027 (SMB) • Multiple processes • Base64 in IIS + ASN.1 in lsass.exe • Multithreading • And listening on multiple ports • Even for Slammer, the simplest buffer overflow ever

  41. Actual Worms/Attacks Caught by Minos and Analyzed by DACODA

  42. Other Attacks Caught by Minos and Analyzed by DACODA

  43. Single Contiguous Byte Strings

  44. Single Contiguous Signatures • Autograph [Kim and Karp; USENIX Security 2004] and EarlyBird [Singh et al.; OSDI 2004] both demonstrated good results at about 40 bytes for the signature length • [Newsome et al.; IEEE S&P 2005] came to the same conclusion as we did and proposed sets of smaller byte strings called tokens

  45. Tokens GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

  46. Where do These Tokens Come From? • Scalper “Transfer-Encoding: chunked” • Same applies to most of these vulnerabilities • “The Horns of a Dilemma” • Use protocol framing as a signature • Be very precise
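An added illustration (not from the talk) of slides 43 to 46, using requests shortened and constructed after slides 20 and 21: no 40-byte contiguous string survives the polymorphic variant, while tokens taken from protocol framing match both instances but also a harmless-looking request, which is the dilemma slide 46 describes. The benign request and the token list are constructed for this example.

```python
def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Plain dynamic programming; returns the longest byte string shared by a and b."""
    best, prev = b"", [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > len(best):
                    best = a[i - cur[j]:i]
        prev = cur
    return best

def matches_tokens(request: bytes, tokens: list[bytes]) -> bool:
    """Ordered token signature: every token appears, each after the previous one."""
    pos = 0
    for t in tokens:
        pos = request.find(t, pos)
        if pos < 0:
            return False
        pos += len(t)
    return True

# Constructed requests modelled on slides 20 and 21 (shortened; not real captures).
ORIGINAL = (b"GET /default.ida?" + b"X" * 60
            + b"%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0")
VARIANT = (b"GET /yutiodr.ida?" + b"CEOIUXJASKMDIDDEOXIJOEIJXDXNMDKJXNSKJNXIDOIWRATUD"
           + b"%u8743%ubc65%ua999%uffff%u873f%ue875%u4568%u99cc=i HTTP/1.0")
BENIGN = b"GET /search.ida?%u00e9=1 HTTP/1.0"   # constructed legitimate-looking request

# Tokens drawn only from protocol framing the exploit cannot change (slide 46).
# Precision has to come from the vulnerability's semantics (slide 48), which
# this example does not model.
FRAMING_TOKENS = [b"GET /", b".ida?", b"%u", b"=", b" HTTP/1.0"]
```

The longest byte string common to the two instances is the trailing ` HTTP/1.0`, far below the roughly 40 bytes the contiguous-signature systems needed, while the framing tokens match the benign request as readily as the two exploits.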

  47. Precision: ASN.1 Dangling Pointer • Heap corruption (0x23 [SIZE]… “AAAAAAAA” (0x23 [SIZE] 0x77665544 “BBBB”) …)

  48. Conclusions from DACODA • Whole system analysis is important • New focus on more semantic signatures • How to understand the semantics of the vulnerability? • We can learn a lot about emerging malware threats by studying existing malware samples and their interactions with the systems they run on

  49. Outline • Code Red II example • Define some basic terms and concepts • Minos • Catches worms • DACODA • Used to understand polymorphism and metamorphism • Temporal Search • Analyzes the payload for timebomb attacks • Looking ahead…

  50. Temporal Search [Crandall et al.; ASPLOS 2006] • Automated discovery of timebomb attacks • Analysis in the π stage • Prototype of behavior-based analysis • Proposed a framework for a problem space nobody has looked at before • Implemented parts of it • Identified the remaining challenges • By testing real worms with timebombs on our prototype
