Exploit Hijacking: Side Effects of Smart Defenses
Costin Raiciu, Mark Handley, David S. Rosenblum
University College London
LSAD 2006

What is this about?
(diagram: Hijacking, Worms, Defenses, Research)

Does this matter?
(figure: infected hosts over time for a worm, a defense, and hijacking)
• Defenses not deployed yet!
• Competitive pressure

Story
• Smart Defenses
• Hijacking
• Impact
• Defenses

Self Certifying Alerts
(figure: population of hosts: detectors, susceptible hosts, protected hosts, infected hosts)
• Detectors
  • Detect break-ins
  • Create Self Certifying Alerts
• SCAs propagated P2P, checked at every hop
What do SCAs contain?
Example SCA
Service: Microsoft SQL Server 8.00.194
Alert type: Arbitrary Code Execution
Verification Information: Address offset 101 of message 0
Number messages: 1
Message: 0 to endpoint UDP:1434
Message data: 04, 41, 41, 41, 41, 42, 42, 42, 42, 43, 43, 43, 43, 44, 44, 44, 44, 45, 45, 45, 45, 46, 46, 46, 46, 47, 47, 47, 47, 48, 48, 48, 48, 49, 49, 49, 49, 4A, 4A, 4A, 4A, 4B, ...
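The record above, parsed and sanity-checked the way a verifying host would before replaying it. This is an added example, not the paper's code: the record text follows the slide's layout, the message bytes beyond the slide's excerpt are constructed filler, and a 4-byte address width is an assumption.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Message:
    endpoint: str          # e.g. "UDP:1434"
    data: bytes            # raw bytes that the verifier replays against the service
@dataclass
class SCA:
    service: str
    alert_type: str
    verification: str      # e.g. "Address offset 101 of message 0"
    messages: list = field(default_factory=list)

MSG_RE = re.compile(r"Message:\s*(\d+)\s+to endpoint\s+(\S+)")
VERIFY_RE = re.compile(r"Address offset (\d+) of message (\d+)")

def parse_sca(text):
    """Parse the line-oriented SCA record into an SCA object."""
    header, msgs, cur = {}, {}, None
    for line in text.strip().splitlines():
        m = MSG_RE.match(line.strip())
        key, _, value = line.partition(":")
        if m:                                   # "Message: N to endpoint PROTO:PORT"
            cur = int(m.group(1))
            msgs[cur] = Message(m.group(2), b"")
        elif key.strip() == "Message data":     # comma-separated hex bytes of message `cur`
            msgs[cur].data = bytes(int(t, 16) for t in value.split(",") if t.strip())
        else:
            header[key.strip()] = value.strip()
    if sorted(msgs) != list(range(int(header["Number messages"]))):
        raise ValueError("message count does not match 'Number messages'")
    return SCA(header["Service"], header["Alert type"], header["Verification Information"],
               [msgs[i] for i in sorted(msgs)])

def verification_point(sca, addr_size=4):
    """(message index, byte offset) from the verification info, checked to fit an addr_size-byte address."""
    off, idx = (int(g) for g in VERIFY_RE.match(sca.verification).groups())
    if idx >= len(sca.messages) or off + addr_size > len(sca.messages[idx].data):
        raise ValueError("verification offset lies outside the message; reject the SCA")
    return idx, off
# Constructed record in the slide's layout: 0x04 followed by 4-byte runs 41, 42, ... as filler.
FILLER = ", ".join(f"{0x41 + i // 4:02X}" for i in range(108))
EXAMPLE = f"""Service: Microsoft SQL Server 8.00.194
Alert type: Arbitrary Code Execution
Verification Information: Address offset 101 of message 0
Number messages: 1
Message: 0 to endpoint UDP:1434
Message data: 04, {FILLER}"""
```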
SCA Hijacking
(figure: population of hosts: detectors, susceptible hosts, protected hosts, infected hosts, hijacker)
• Hijacker
  • Waits for exploit to appear
  • Uses SCA to create worm
Hijacking
• Can we steal an existing exploit and use it to create malware that works to our benefit?
• Motivation
  • Creating exploits is generally hard
  • Using other people’s exploits is easy
• Can hijacking be automated?
  • Using detectors: yes, Castaneda et al. [2004]
  • Using Self-Certifying Alerts
  • Using network level techniques: see paper
Hijacking using SCAs
(figure: example SCA with Service: Microsoft SQL Server …, Alert type: Arbitrary Code Execution, Verify: … offset 101 …, Message: …; the shellcode is pasted into the message at that offset)
• The hijacker uses generic exploit code
• Pastes it in the message at the specified offset
• Sends the message to vulnerable hosts
• Tested using
  • Portable shellcode (332 bytes)
  • Slammer and Blaster attack messages

In reality, more complicated
• Two additional types of SCAs
  • Arbitrary Execution Control: make the program jump to a user specified address
  • Arbitrary Function Argument: supply parameters to sensitive functions

Arbitrary Execution Control SCAs
(figure: stack layout with the SCA offset, the return address replaced by a “jmp esp” address, and the shellcode following it at ESP)
• If overflow is stack based
  • Use as jump address a “jmp esp”; found one in kernel32.dll
  • Build database of kernel32.dll offsets in applications
  • Paste exploit after return address

Arbitrary Execution Control SCAs (2)
• Other vulnerabilities, use two-phase exploit:
  • Use application functionality to map code at predictable address
  • Paste address in message using SCA data
• Mapping code at predictable addresses:
  • Database of mappings, per application
  • Tested: Microsoft IIS 5.1:
    • Memory mapped logging
    • Predictable heap addresses
    • Stack
(figure: IIS 5.1 memory layout after requests GET /resource1 …, GET /resource2 …)

Arbitrary Function Argument SCAs
• Cannot hijack in the general case: depends on function!
• Simple to hijack for:
  • exec syscall
  • SQL interpreter
Scenario 1: Auto-Worms
Start with Bot-Net + Use Hijacking → Larger or more valuable Bot-Net
• Hijacker:
  • Runs detectors and registers for SCAs
  • Creates hit-lists for different software products
  • Spreads as fast as possible

Speed Matters!
(figure: auto-worm propagation with a 10% hit-list, 1% detectors, 0.1% bots)

Hit-List Size Matters!
(figure: auto-worm speed 4x; 1% detectors, 0.1% bots)

Auto-Worms Impact
• Competitive pressure
  • On exploits: turn them into worms
  • On worms: be fast or have little impact
  • On SCAs: be simultaneous or be harmful
Scenario 2: Targeted Attacks
Start with few hosts + Use SCA Hijacking → Infect hosts in a given company, country or your ex-girlfriend’s machine
• Targeted attacker
  • Maps software on target machines slowly
  • Registers for SCAs
  • When it receives an SCA, attacks only the target machines
Targeted Attacks Impact
(figure: 10 bots (0.01%); targets: 1000 random hosts)

Targeted Attacks Impact
• Hijacker does not need many bots; uses SCAs instead
• Assume SCAs are deployed and target machine does not use them => hijacker always wins
• Everybody must use SCAs, otherwise things are worse
What now?
• SCAs can be hijacked. Are they doomed?
  • Hijacking is possible even without SCAs
  • All exploits are pushed to become flash worms
  • SCAs are needed!
• Can they be fixed?
  • SCAs are disseminated in a peer to peer fashion:
    • Tradeoff between timeliness and risk of DoS
    • Mainly due to complete lack of trust

Proposal 1: ISP level SCA
• Disseminate SCAs to ISP nodes
• Install filters based on SCAs at ISP nodes
• End hosts do not receive SCAs
• Pros
  • Smaller group means faster propagation; less opportunity for hijacking
• Cons
  • Can we protect end-hosts using filters in the network?
Proposal 2: Two Phase Dissemination
• Mimic simultaneous delivery of SCAs using 2 phases:
  • Deliver a warning to all hosts
  • Deliver the SCA after all hosts have received the warning
  • If the SCA is fake, take punitive action
• Two types of warnings, none perfect
  • Crash SCAs: inspired by ZKP protocols
  • Commitments: signatures of SCA sensitive information
• This can be used in tandem with ISP solutions
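Proposal 2 with commitment-style warnings, as an added example that is not the paper's code: a hash commitment stands in for the signature named on the slide, Host, disseminate and the punitive bookkeeping are assumed names, and the SCA values are constructed from the slide's example.

```python
import hashlib
import json
import os

SENSITIVE = ("service", "alert_type", "verification", "endpoint", "message_hex")  # committed to in phase 1, revealed in phase 2

def commit(sca, nonce):
    """Hash commitment to the SCA's sensitive fields (simplification: the slide says signatures)."""
    canon = json.dumps({k: sca[k] for k in SENSITIVE}, sort_keys=True).encode()
    return hashlib.sha256(nonce + canon).hexdigest()

class Host:
    def __init__(self, name):
        self.name, self.pending, self.applied, self.punished = name, {}, [], []
    def receive_warning(self, warning):
        """Phase 1: record who committed to what; no exploit details arrive here."""
        self.pending[warning["commitment"]] = warning["sender"]
    def receive_sca(self, sca, nonce, sender):
        """Phase 2: apply only an SCA that opens a commitment held from phase 1."""
        c = commit(sca, nonce)
        if c in self.pending:
            del self.pending[c]
            self.applied.append(sca["service"])
            return True
        self.punished.append(sender)        # unannounced or tampered SCA: punitive action
        return False
    def expire_warnings(self):
        """A warning never followed by its SCA is the fake case: punish its sender."""
        self.punished.extend(self.pending.values())
        self.pending.clear()

def disseminate(hosts, sca, sender="detector", nonce=None):
    """Warning to every host first, SCA only afterwards; returns how many hosts applied it."""
    nonce = nonce or os.urandom(16)
    warning = {"sender": sender, "service": sca["service"], "commitment": commit(sca, nonce)}
    for h in hosts:
        h.receive_warning(warning)
    return sum(h.receive_sca(sca, nonce, sender) for h in hosts)

# Constructed SCA modelled on the slide's example; the payload bytes are filler.
SCA = {"service": "Microsoft SQL Server 8.00.194", "alert_type": "Arbitrary Code Execution",
       "verification": "Address offset 101 of message 0", "endpoint": "UDP:1434",
       "message_hex": "04" + "41" * 4 + "42" * 4}

def demo():
    hosts = [Host(f"h{i}") for i in range(3)]
    applied = disseminate(hosts, SCA)                                               # honest two-phase run
    early = sum(not h.receive_sca(SCA, os.urandom(16), "rogue") for h in hosts)     # SCA with no warning phase
    hosts[0].receive_warning({"sender": "spammer", "service": "?", "commitment": "00" * 32})
    hosts[0].expire_warnings()                                                      # warning never opened
    return applied, early, hosts[0].punished
```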
Conclusions
(figure: SCAs, host-based detectors, attacks, hijacking)
• Advances in defenses make hijacking feasible today
• Competitive pressure makes attackers create flash worms
• SCAs are highly needed but need fixing
• Fixing SCAs to cope with hijacking
  • Initial steps look promising
  • Creating a full solution is challenging

Q&A
Costin Raiciu
c.raiciu@cs.ucl.ac.uk
Thank You