DACODA [Crandall et al.; CCS 2005]
• DAvis malCODe Analyzer
• Discover invariants in the exploit vector (ε)
• Symbolic execution on the system trace during attacks that Minos catches
• Used for an empirical analysis of polymorphism and metamorphism
• Quantify and understand the limits
Worm Polymorphism and Metamorphism
• Viruses: Defender has time to pick apart the attacker’s techniques
  • e.g. Algorithmic scanners, emulation
• Worms: Attacker has time to pick apart the deployed network defense techniques
• What can defenders do to evaluate the robustness of defenses against attacks that don’t exist yet?
Measuring Poly/metamorphism
• [Ma et al.; IMC 2006]
  • Found relatively little polymorphism “in the wild”
• Worm defense designers don’t have samples of the poly/metamorphic techniques attackers will use on their defenses
  • (Have to build the defense first)
How DACODA Works
• “Information only has meaning in that it is subject to interpretation.” [Cohen, 1984]
• Gives each byte of network data a unique label
• Tracks these through the entire system
• Discovers predicates about how the host under attack interprets the network bytes
    mov al,[AddressWithLabel1832]   ; AL.expr <= (LABEL 1832)
    add al,4                        ; AL.expr <= (ADD AL.expr 4)
                                    ; /* AL.expr == (ADD (LABEL 1832) 4) */
    cmp al,10                       ; ZFLAG.left <= AL.expr
                                    ; /* ZFLAG.left == (ADD (LABEL 1832) 4) */
                                    ; ZFLAG.right <= 10
    je JumpTargetIfEqualToTen       ; P <= new Predicate(EQUAL ZFLAG.left ZFLAG.right)
                                    ; /* P == (EQUAL (ADD (LABEL 1832) 4) 10) */
                                    ; AddToSetOfKnownPredicates(P)
Single Contiguous Signatures
• Autograph [Kim and Karp; USENIX Security 2004] and EarlyBird [Singh et al.; OSDI 2004] both demonstrated good results at about 40 bytes for the signature length
• [Newsome et al.; IEEE S&P 2005] came to the same conclusion as we did and proposed sets of smaller byte strings called tokens
Tokens
    GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Where do These Tokens Come From?
• Scalper: “Transfer-Encoding: chunked”
• Same applies to most of these vulnerabilities
• “The Horns of a Dilemma”
  • Use protocol framing as a signature
  • Be very precise
Conclusions from DACODA
• Whole system analysis is important
• New focus on more semantic signatures
  • How to understand the semantics of the vulnerability?
• We can learn a lot about emerging malware threats by studying existing malware samples and their interactions with the systems they run on
Temporal Search [Crandall et al.; ASPLOS 2006]
• Automated discovery of timebomb attacks
• Analysis in the π stage
• Prototype of behavior-based analysis
• Proposed a framework for a problem space nobody has looked at before
  • Implemented parts of it
  • Identified the remaining challenges
  • By testing real worms with timebombs on our prototype
You as an antivirus professional catch a new worm…
• Unpack it
• Polymorphism/metamorphism?
• Anti-debugger tricks?
• Any behaviors predicated on time?
  • How does it get the time?
  • UTC/Local?
  • Conversions between formats?
With Temporal Search…
• Infect a VM
• Automated, behavior-based Temporal Search
• Respond
How to respond?
• Sober.X – 6 and 7 January 2006
  • URLs blocked
• Kama Sutra – 3rd of the month
  • Users removed infections
• Code Red – 20th of the month
  • White House IP address changed
What if we have just hours or even minutes, not days?
Behavior-based Analysis
• [Cohen, 1984] defined behavior-based detection as a question of “defining what is and is not a legitimate use of a service, and finding a means of detecting the difference.”
• Behavior-based analysis is similar
  • Assume the system is infected with malware
  • Analyze its use of a service such as the PIT
Why not just speed up the clock?
• Dramatic time perturbation would be easy to detect
• Also not easy to do for a busy system (effectively lowers perceived performance)
• May miss some behaviors
  • Kama Sutra
• Will not be able to explain behaviors it does elicit
Basic Idea
• Find timers
  • Run the PIT at different rates of perceived time
  • System performance stays the same
  • Correlate between PIT and memory writes
• Symbolic execution
  • e.g. with DACODA
• Weakest precondition calculation
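An added example (not DACODA's or Temporal Search's own code) of the bookkeeping the "How DACODA Works" slides and the symbolic-execution step above describe: a toy tracker that gives each input word a label, carries expressions through registers, and records a predicate at every conditional branch. The first program is the slide's `mov/add/cmp/je` snippet; the second, constructed here, is a Temporal-Search-style check in which a labelled timer word is converted to an hour of day before the comparison, so the predicate shows the conversion chain.

```python
# Added example, not DACODA's code: a toy DACODA/Temporal-Search style symbolic
# tracker. Input words carry labels, registers carry expressions, and each
# conditional branch records a predicate over those labels.
def sym_exec(program, labeled_mem):
    """Run a tiny register-machine program; return predicates discovered at
    conditional branches. labeled_mem maps a memory address -> its label."""
    regs, flags, preds = {}, {}, []

    def val(operand):
        if isinstance(operand, int):
            return operand
        if operand.startswith('['):               # memory operand -> labelled input
            return ('LABEL', labeled_mem[operand[1:-1]])
        return regs[operand]

    def fold(op, a, b):
        # concrete arithmetic stays concrete; anything touching a label stays symbolic
        if isinstance(a, int) and isinstance(b, int):
            return {'ADD': a + b, 'DIV': a // b, 'MOD': a % b}[op]
        return (op, a, b)

    for op, *args in program:
        if op == 'mov':
            regs[args[0]] = val(args[1])
        elif op in ('add', 'div', 'mod'):
            regs[args[0]] = fold(op.upper(), regs[args[0]], val(args[1]))
        elif op == 'cmp':
            flags = {'left': val(args[0]), 'right': val(args[1])}
        elif op in ('je', 'jne'):                  # how the host interprets the input
            p = ('EQUAL', flags['left'], flags['right'])
            preds.append(p if op == 'je' else ('NOT', p))
    return preds

def labels_in(expr):
    """Input labels a predicate depends on (the bytes a signature must cover)."""
    if isinstance(expr, tuple):
        if expr[0] == 'LABEL':
            return {expr[1]}
        return set().union(*(labels_in(e) for e in expr[1:]))
    return set()
# The slide's snippet: network byte labelled 1832 (program constructed here)
dacoda_prog = [('mov', 'al', '[1832]'), ('add', 'al', 4), ('cmp', 'al', 10), ('je', 'target')]
# Temporal-Search-style check (constructed): timer word 'secs' -> hour of day, compared to 6
time_prog = [('mov', 'eax', '[secs]'), ('div', 'eax', 3600), ('mod', 'eax', 24),
             ('cmp', 'eax', 6), ('je', 'payload')]
if __name__ == '__main__':
    print(sym_exec(dacoda_prog, {'1832': 1832}))   # (EQUAL (ADD (LABEL 1832) 4) 10)
    print(sym_exec(time_prog, {'secs': 'secs'}))   # (EQUAL (MOD (DIV (LABEL secs) 3600) 24) 6)
```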
Manual Analysis
• Many different library calls, APIs for date and time
  • GetSystemTime(), GetLocalTime(), GetTimeZoneInformation(), DiffDate(), GetDateFormat(), etc.
  • System call not really necessary
• Conversions back and forth between various representations (e.g. MyParty.A, Blaster.E)
  • UTC vs. Local
  • 1600 vs. 1900 vs. 1970
  • 32- vs. 64-bit
  • integers for day, month, year, etc.
  • strings
  • Not always done with standard library functions
• Have to unpack it first, anti-debugging tricks
• All of this is simply dataflow from the SystemTime timer
Setup (diagram): Bochs VM w/ DACODA and Timer Discovery running Windows XP @ 192.168.33.2, connected over a tuntap interface to Host @ 192.168.33.1 w/ DNS, NTP, HTTP, TIME, etc.; ARP cache poisoning, DNS spoofing, etc. redirect the guest’s traffic to the host
Temporal Search
• Symbolic Execution (DACODA)
  • Code Red, Blaster.E, MyParty.A, Klez.A
  • Discovers predicates on day, hour, minute, etc. on a real time trace
• Control-flow sensitivity within loops
  • Code Red, Blaster.E, MyParty.A, Klez.A, Sober.X, Kama Sutra
  • Month and year
Adversarial Analysis
• For any technique, being applicable to every possible virus or worm is not a requirement
• AV companies collect intelligence
• More details in the paper on this
Conclusions from Temporal Search
• Manual analysis is tricky and time-consuming
• Temporal Search can dramatically improve response time
• Behavior-based analysis is all about the environment
• Malware does not follow a linear timetable
• Gregorian calendar poses its own challenges
Why Behavior-Based Analysis?
“An ant, viewed as a behaving system, is quite simple. The apparent complexity of its behavior over time is largely a reflection of the complexity of the environment in which it finds itself.” – Herbert Simon