Malware resistance

1. Malware resistance

2. Outline • Preliminaries • Virtual Address Layout • Stack Layout • Verification Problem • Remote Attestation • Methods • Code Injection • Interrupts • Identification

3. Virtual Address Space (Linux) 0 • 1 Gb is given for Kernel mapping • 3 GB for User app • Code, data segment, BSS • Stack and Heap • Which is where? • “Stack grows down” • “Heap grows up” Stack and Heap 4GB

4. VAS 4 GB Kernel • DS • Static int q =5; • BSS • Block Started by Symbol • Static int q; 3 GB Stack Grows Down Stack and Heap Heap Grows Up BSS Static uninitialized variables Data Segment Static initialized variables Text Segment ELF image 0

5. Sample Program int main(){ char *ptr; ptr = (char *) malloc((sizeof(char)*10)); printf("ptr on stack = %x", &ptr); printf("ptr on heap = %x", ptr); free(ptr); return 0;}

6. Results [rsriniv8@calypso4:~]$ ./stack_heap_t.o ptr on stack = bffaf194 ptr on heap = 9f2d008 Stack – bffaf194 = 3220499860 = 2.99 GB Heap – 9f2d008 = 166907912 = .15 GB

7. Stack layout High Address • Function call • Push context address on Stack • Jump to function • Subtract Stack pointer to accommodate Local variables Arguments Return Add Local variables Low Address

8. Program (Buffer Overflow) intfoo() { int a[4]; for (inti=0;i<=7;i++) scanf(“%d”, &a[i]); return 0; } int main() { …. foo(); printf(“something”); return 0; } • Program most likely crashes and never executes the printf in main • Or may jump to a new address and execute

9. Output address of main 8048368, address of function 80483ba a[0] = ffffffff a[1] = ffffffff a[2] = ffffffff a[3] = 80484f8 a[4] = bfe74b6c a[5] = 91aff4 a[6] = bfe74b88 a[7] = 80483b0 (Return address) a[8] = 4(argument) a[9] = 8048368 a[10] = 80483ba int i; int function(int); int main() { int a= 4; printf("\n address of main %x, address of function %x",main, function); function(a); return 0; } int function(int x) { int a[3]= {-1, -1,-1}; for (i=0;i<=10;i++) printf("\n a[%d] = %x", i, a[i]); return 0; } 80483a5: 83 ec 0c sub $0xc,%esp 80483a8: ff 75 fc pushl 0xfffffffc(%ebp) 80483ab: e8 0a 00 00 00 call 80483ba <function> 80483b0: 83 c4 10 add $0x10,%esp Excerpt from the objdump of main

10. Prevention and Detection • Prevention • Create genetic diversity among binaries • Memory randomization • Stack Randomization • Heap Randomization • Code Randomization • How? • Detection • Is It done?

11. Verified Code Execution • Assume Viruses have unlimited potential • Can patch on detectors • Why? • Same image • Difficult to find if any code actually executed • Results may be pre computed • Verification can be bounced

12. Remote Attestation (hardware) • Make an external entity check the system • Typically through TPM • Computes checksums • Plenty of literature on pros and cons Programs Trusted External Server Client OS Client HW TPM Network

13. Remote Attestation (Software) • No hardware support • Opens issues • Did the code actually execute • Is the attestation program patched • Was it bounced to another machine • Was it bounced to another process

14. Bounce to another machine Clean Program Patched Program Trusted External Server Program Client OS Client OS Network Relay Client HW Client HW Machine 2 Machine 1 • Send data to compute checksum • Send code to compute checksum

15. Bounce to another Process Clean Program Patched Program Trusted External Server Network Client OS Client HW Machine 1

16. Attestation Process op-code Patched Program Trusted External Server Network Client OS Client HW Results Machine 1

17. Characteristics • Inject code in the running process • Make the process inject code on itself • Use schemes to identify machine • Connection details should suffice • IP, port, etc • Use schemes to identify process • Identify all open ports to see if more than one process is communicating to server

18. ASM code • Injected code • No library calls • Required calls have to be written • Either C code, or ASM code if it is a system call • socket() • ioctl • send() • receive() • helper functions like write(), read(), exit(), getpid(), etc

19. Example: socket() http://www.digilife.be/quickreferences/QRC/LINUX%20System%20Call%20Quick%20Reference.pdf 102 socketcall socket system calls net/socket.c int sock_d(int sock){ sock = socket(PF_INET, SOCK_STREAM, 0); return sock;} linux/include/net.h intsock_d(int sock){ __asm__("sub $12,%%esp\n" "movl $2,(%%esp)\n" "movl $1,4(%%esp)\n" "movl $0,8(%%esp)\n" "movl $102,%%eax\n" "movl $1,%%ebx\n" "movl %%esp,%%ecx\n" "int $0x80\n" "add $12,%%esp\n" : "=a" (s) ); return sock;} 30 #define SYS_SOCKET 1 /* sys_socket(2) */ 31 #define SYS_BIND 2 /* sys_bind(2) */ 32 #define SYS_CONNECT 3 /* sys_connect(2) */ 33 #define SYS_LISTEN 4 /* sys_listen(2) */ 34 #define SYS_ACCEPT 5 /* sys_accept(2) */ 35 #define SYS_GETSOCKNAME 6 /* sys_getsockname(2) */ 36 #define SYS_GETPEERNAME 7 /* sys_getpeername(2) */ 37 #define SYS_SOCKETPAIR 8 /* sys_socketpair(2) */ 38 #define SYS_SEND 9 /* sys_send(2) */ 39 #define SYS_RECV 10 /* sys_recv(2) */ 40 #define SYS_SENDTO 11 /* sys_sendto(2) */ 41 #define SYS_RECVFROM 12 /* sys_recvfrom(2) */ 42 #define SYS_SHUTDOWN 13 /* sys_shutdown(2) */ 43 #define SYS_SETSOCKOPT 14 /* sys_setsockopt(2) */ 44 #define SYS_GETSOCKOPT 15 /* sys_getsockopt(2) */ 45 #define SYS_SENDMSG 16 /* sys_sendmsg(2) */ 46 #define SYS_RECVMSG 17 /* sys_recvmsg(2) */

20. Attestation Process • Identify the Machine • IP add works if there is no NAT • Take random checksums • Must differ each time • Why? • How? • Check open ports • How? • /proc/net/tcp, compare with open /proc/<pid>/fd which has symbolic links. • Identify Process ID • How? • Return results

21. Questions?