210 likes | 306 Views
How Twiggy Saved Sparky. Joseph Calandrino Matt Spear Malware Seminar – Fall 2004. Meet Twiggy. Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data. http://goatload.com/mt/. Meet Robbie.
E N D
How Twiggy Saved Sparky Joseph Calandrino Matt Spear Malware Seminar – Fall 2004
Meet Twiggy Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data. http://goatload.com/mt/
Meet Robbie http://www.mumi.org/metissages/fr/artificiel/artificiel.html http://www.dachshundalley.com/
Robbie’s Setup walkAnimal(name) feedAnimal(name) petAnimal(name) call doAction(action, name)
Evil Is Afoot If only I could modify the action for doAction… http://www.austinpowers.com/ http://www.rit.edu/~sli4356/
More on Robbie petAnimal(name) name action doAction(action, name) Disclaimer: This is simplified
Evil Is Afoot petAnimal(“SPARKYEA”)… Sparky is mine!!!
More on Robbie petAnimal(name) name action doAction(action, name)
Sparky Senses Danger petAnimal(name) name action doAction(action, name) http://www.svet-je-lep.com/gallery/slike/Twiggy/Zanimiv_morfing.jpg
The Dreaded Double Pointer name action http://www.austinpowers.com/
Evil Will Not Be Deterred name action
Turn on the Twiggy-Signal http://www.erva.com/pics/ProductIdeal/SQUIRREL%201.jpg
Twiggy to the Rescue Secret key = 32589Robbie needs to store this somewhere inaccessible to Dr. Evil… name action Modify Robbie’s code tomaintain hashes of all buffers: addr len hash Also stores data for name: http://kevintdriver.hopto.org/images/squirrel.ski.jpg
Without Spoiling Your Day But Twiggy is a busy squirrel, so he enlists the aid of a source-to-source transformer. http://www.lemta.com/boatshows/midamerica/twiggy-history.shtml
Stop That Modification! Check it before use: petAnimal(name) if(hash(_) != _) exit doAction(action, name)
Dr. Evil Is Foiled Dr. Evil can’t effectively modify buffers without altering entries in the table… which are hashed using a secret key. http://www.cotbn.com/2002_12_01_archive.html
But At What Cost? Hashes and checks can be computationally expensive Can Robbie feed Twiggy and Sparky on time? http://www.pets.info.vic.gov.au/02/sdd_dlang.htm http://www.nd.edu/~tdavidso/Mexico.htm
Reduce the Cost Do we need to check all buffers? What about only checking buffers used as inputs to dangerous methods? (That’s all the buffers in our example, but likely far fewer than in the program) Can Twiggy use call-graph analysis to find those buffers?
Did It Work? • Basic defense method protects buffers from modification. • Aliasing ignored. • Can we track down critical buffer values? • We’re still working on that. • But, for Twiggy, yes (this is supposed to be a happy story)
Happily Ever After By maintaining hashes of critical buffer values and verifying them before dangerous function calls, Twiggy efficiently prevents malicious modifications and moves on to new adventures. http://greywolf.critter.net/gallery/ironclawgallery-icsu04.htm