Instruction Subsets in Software Diversity
Malware Project
Nguyet Nguyen
Nov. 30th 2004
Motivation: Visit the company Computer
• CPU is the main worker of the company Computer
• CPU joins a set of parts called Insts into robots called Softs
• Softs work at the Computer office
• Computer stores some gold boxes in the office
• Insts are delivered by Developers
• Gold boxes have some holes in them
• The office door is open
[Diagram: Computer’s Office, showing Software, Gold boxes, the CPU and Insts]
Motivation: meet Evil
• Mr Evil knows how CPU works
• Mr Evil knows the holes of the gold boxes
• Evil creates a new array of Insts that CPU assembles into a new kind of robot called Worms
• Worms can steal gold via the holes
Problems occur in Computer’s Office
[Diagram: Software, Worms, Gold boxes, the CPU and Insts in the office]
Current Solutions
• Using a Gatekeeper before CPU
• Dye the Insts with a dyeing solution, Key
• Gatekeeper applies rev-Key to the dyed Insts
Randomizing Instruction Dialects
[Illustration: Evil: “Hu hu, I cannot do anything”; the dyed Insts]
Is it good?
• Portable? No
• Performance? Reduced
• Security?
  • Relies on the enforcement environment
  • Key can be guessed
[Illustration: Evil: “Hu hu, I cannot do anything”; the instruction Subset]
Is Instruction Subset better?
• Portable
• Performance: Hardware Gatekeeper
• Security:
  • Works without the enforcement environment
  • Different sizes of versions
Groups of Instructions
• Divide the Instruction Set into Groups:
  • Group of unique instructions (UI)
  • Groups of equivalent instructions (EIs)
• New IS = UI + new EI
• The new EI’s members are selected from each of the old EIs
Unique Instructions
• Call
• Int/Ret
• Convert Instructions: Cbw, Cdq
• Set/Clear Interrupt Flag: CLI, STI
• ASCII and Decimal Adjust: Aaa, Aad
• ESC, Halt
• Lea
• Lock
• Nop
• Push/Pop, PushF/PopF
• Wait/FWait
• In/Out
Groups of EIs
• Load instructions: lds, lodsb, lodsw
• Store instructions: stosb, stosw
• Branch instructions: jump, loop, repeat (35 + 5 + 5 = 45 insts)
• Move instructions: Mov, Movs, Movsx, Movzx
• Add/Sub: Add, Inc, Dec, Sub
• Mul/Div: imul, mul, idiv, div
• Test:
• Interchange: Cmp and Change
• Flags set:
• Logical Operation: and, or, xor, not (4 insts)
Transformation
• Some transformations are easy, others are not
• Transformation complexity depends on other groups
• Ex:
  • dec and sub
  • Jmp and Mov ax,0; Je ax;
Instruction selecting in EI sets
• Insts with transformation complexity are statically omitted or allowed (allowed with 50% probability)
  • Inc, dec, mov, jmp
• Pick randomly 1 of the remaining instructions
Does it work?
• 3 questions:
  • Is it possible for a worm to use only UI to complete its work?
  • How many diverse subsets do we have?
  • How long should a worm be to ensure an acceptable rate of protection?
Question 1: Is UI enough?
• NO
• Why?
  • A worm should use a Jump
  • A worm should use a load
• Verification?
  • CodeRed
  • Sapphire
  • Nimda
  • Unix worms: ADM Worm v1
Question 2: How diverse is this approach?
• The number of different versions we have is: 2^number_of_static_inst × number_of_EI1 × …
• Depends on the number of EIs that the selecting process is applied to and how many instructions are picked from each set
Question 3: Performance?
• Does not depend on how long a worm is
• It depends on how many different instructions a worm uses
• Using only opcodes limits the opportunities for subset diversity
Example: Sapphire
• Instructions used: push, mov, xor, loop, lea, call, cmp, jz, or, shl, jmp
• UI: push, call, lea
• OI:
  • Logical Operation: or, xor, cmp, shl
  • Branch Operation: loop, jz, jmp
  • Move Operation: mov
PERFORMANCE: P(all insts pass) = 2 × (3/4) × (2/3) × (1/45) × (1/45) × (1/2) ≈ 10^-4
Anything wrong?
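The selection rule (static instructions allowed with 50% probability, one random pick from each EI group), the version count of Question 2 and the "P(all insts pass)" arithmetic of the Sapphire slide, modelled together as an added Python example that is not part of the deck. The group table is an assumption built from the slides' lists: the four static instructions, the group sizes from the "Groups of EIs" slide, and a 45-member branch group in which only the members the sample needs are named. The sample sequence is constructed from the mnemonics of the Sapphire list that the table classifies (cmp and shl are left out).

```python
"""Model of the instruction-subset diversity scheme from these slides.

Constructed example (not the deck's own code). The group table is an
assumption built from the slides' lists: the four "static" instructions,
the group sizes given on the "Groups of EIs" slide, and a 45-member branch
group in which only the members the sample needs are named.
"""
from fractions import Fraction
from math import prod
import random

# Unique instructions (UI): present in every generated version.
UNIQUE = {"push", "call", "lea", "ret", "int", "nop"}

# "Static" instructions: each is independently kept with probability 1/2.
STATIC = ("inc", "dec", "mov", "jmp")

# Equivalent-instruction groups (EI): a version keeps exactly ONE member.
# Value is (group size, {mnemonic: index of that member within the group}).
EI_GROUPS = {
    "load":   (3,  {"lds": 0, "lodsb": 1, "lodsw": 2}),
    "store":  (2,  {"stosb": 0, "stosw": 1}),
    "branch": (45, {"loop": 0, "jz": 1, "je": 2}),  # 45 per the slide; members illustrative
    "move":   (3,  {"movs": 0, "movsx": 1, "movzx": 2}),
    "addsub": (2,  {"add": 0, "sub": 1}),
    "muldiv": (4,  {"imul": 0, "mul": 1, "idiv": 2, "div": 3}),
    "logic":  (4,  {"and": 0, "or": 1, "xor": 2, "not": 3}),
}


def version_count():
    """Number of distinct subsets: 2^(#static) times the product of group sizes."""
    return 2 ** len(STATIC) * prod(size for size, _ in EI_GROUPS.values())


def classify(mnemonic):
    """Return ("ui", None), ("static", None) or ("ei", group) for a mnemonic."""
    if mnemonic in UNIQUE:
        return ("ui", None)
    if mnemonic in STATIC:
        return ("static", None)
    for group, (_, members) in EI_GROUPS.items():
        if mnemonic in members:
            return ("ei", group)
    raise ValueError(f"{mnemonic!r} is not classified in the table")


def independent_estimate(code):
    """Per-instruction survival odds multiplied as if independent: the
    style of the slide's P(all insts pass) product."""
    p = Fraction(1)
    for m in set(code):
        kind, group = classify(m)
        if kind == "static":
            p *= Fraction(1, 2)
        elif kind == "ei":
            p *= Fraction(1, EI_GROUPS[group][0])
    return p


def exact_probability(code):
    """Probability that one generated subset contains every instruction in
    `code` under the stated rule. Because a version keeps only one member
    per EI group, needing two different members of one group gives zero."""
    needed = {}
    p = Fraction(1)
    for m in set(code):
        kind, group = classify(m)
        if kind == "static":
            p *= Fraction(1, 2)
        elif kind == "ei":
            needed.setdefault(group, set()).add(m)
    for group, members in needed.items():
        if len(members) > 1:
            return Fraction(0)
        p *= Fraction(1, EI_GROUPS[group][0])
    return p


def draw_subset(rng):
    """Generate one instruction-set version the way the slides describe."""
    kept = set(UNIQUE)
    kept.update(m for m in STATIC if rng.random() < 0.5)
    for size, members in EI_GROUPS.values():
        choice = rng.randrange(size)
        kept.update(m for m, idx in members.items() if idx == choice)
    return kept


def simulate(code, trials=100_000, seed=1):
    """Monte Carlo cross-check of exact_probability: the fraction of
    generated versions in which every instruction of `code` survives."""
    rng = random.Random(seed)
    need = set(code)
    hits = sum(need <= draw_subset(rng) for _ in range(trials))
    return hits / trials


# Constructed sample: the mnemonics of the slide's Sapphire list that the
# table above classifies (cmp and shl are left out).
SAMPLE = ["push", "mov", "xor", "loop", "lea", "call", "jz", "jmp"]
SAMPLE_ONE_BRANCH = [m for m in SAMPLE if m != "jz"]

if __name__ == "__main__":
    print("versions:", version_count())                                # 414720
    print("independent estimate:", independent_estimate(SAMPLE))       # 1/32400
    print("exact:", exact_probability(SAMPLE))                          # 0
    print("exact, one branch:", exact_probability(SAMPLE_ONE_BRANCH))  # 1/720
    print("simulated, one branch:", simulate(SAMPLE_ONE_BRANCH))
```

`independent_estimate` reproduces the multiplication style of the slide, while `exact_probability` applies the rule the deck actually states (one survivor per EI group). The two diverge as soon as a sequence needs two members of the same group: the independent product still gives a small positive number, the exact chance is zero, and `simulate` confirms it. When evaluating how much protection such a scheme gives, that difference, together with the version count from Question 2, is the quantity to check rather than the per-instruction factors alone.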
How to enhance Diversity?
• Determine how many instructions are needed to complete a worm
• Enhance diversity of UI by adding addressing mode/operand mode
• Complicated? Yes
• How to reduce costs: apply only to “important instructions”
High Level Hypothesis about worms
• Every worm needs to use a call
• Every worm needs to use a push
• Every worm needs communication instructions?
• Every worm needs a load or a store
• Every worm needs at least one of the arithmetic instructions
What do we need?
Push and Call
• Push: 6 Operand Modes
• Call: 30 Operand Modes
  • 6 near
  • 8 far
  • 4 task
  • 12 gate
Example: Sapphire (II)
• Call: call eax; call dword ptr [esi]
• Push: push 42B0C9DCh; push eax; call esi
PERFORMANCE: P(all call/push pass) = (1/6) × (1/8) × (1/6) × (1/6) × (1/6)
Issues?
• Instruction Guessing?
  • Worms may not be fast enough
  • People can try to guess from simple to complicated instructions
• Hypothesis proof
  • Disassembled code
  • Static Analysis
Conclusions
• Nothing is perfect
• More diversity solutions, better diversity