1 / 13

On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits

On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits. 1. Introduction. A vulnerability gives the attacker an important primitive . the attacker can build different exploits using this primitive Need to generate vulnerability-specific signatures from exploits.

vnowak
Download Presentation

On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits

  2. 1. Introduction • A vulnerability gives the attacker an important primitive. • the attacker can build different exploits using this primitive • Need to generate vulnerability-specific signatures from exploits. • Add more precision to the signature and use heuristics, such as look at the length of fields. • Relax the requirement that no portion of a valid protocol be dropped.

  3. 1.2 The DAvisMalCODe Analyzer • Many exploits can involve more than one network connection, multiple processes, multithreading. • Two different models in order to be more perspicuous in discussing polymorphism and metamorphism • The Epsilon-Gamma-Pi model • Control flow hijacking attacks • PD-Requires-Provides model • exploits

  4. 2. The Epsilon-Gamma-Pi Model

  5. 2. The Epsilon-Gamma-Pi Model • ε maps the exploit vector from the attacker’s network packets onto the trace of the machine being attacked before control flow hijacking occurs. • A vulnerability can be thought of as a set of projections for ε that will lead to control flow hijacking • γ maps the bogus control data used for hijacking control flow. • π maps the payload executed after control flow has been hijacked.

  6. 2. The Epsilon-Gamma-Pi Model • Worm signature generation with any particular technique can bee seen as a characterization of one or more of the three mappings possibly combined with information about the attack trace on the infected host. • Polymorphism change bytes in the row spaces of the three projections without changing the mappings. π and γ permit too much polymorphism • Metamorphism uses different mappings each time.

  7. 3. How DACODA works • Using symbolic execution, DACODA is able to discover strong, explicit equality predicates about ε. • strong, explicit equality predicate is an equality predicate that is exposed because of an explicit check for equality. • These predicates can be used for signature generation.

  8. 3. How DACODA works • Currently is being emulated in a full-system Pentium environment based on the Bochs emulator. • Needs an oracle to raise an alert when bogus control flow transfer has occurred. • Tracks the data through all kernel- and user-space processes and discovers equality predicates every time the labeled data or a symbolic expression is explicitly used in a conditional control flow transfer.

  9. 4. Exploits analyzed by DACODA • Processing of Network Data in the Kernel • Multiple Processes Involved • Multithreading and Multiple Ports • Side Channels • Encodings and Encryption • Undesirable Predicates • Lack of Good Signature for Some Exploits

  10. 5. Poly/Metamorphism • Polymorphism of ε • Change some bytes mapped by εwithout changing the mapping. • Metamorphism of ε • Take an equivalent path • Add paths that are unnecessary • Changing the order • What about multithreading ?

  11. 5.3 The PD-Requires-Provides Model Metamorphic techniques that use arbitrary memory corruption primitives in multithreaded applications to build complex exploits require a model that views the system “from-the-architecture-up”. • Requirements and What They Provide • Should Focus on Primitives, not Vulnerabilities

  12. 7. Conclusions • Single contiguous byte string signatures are not effective for content filtering. • Token-based byte string signatures composed from smaller strings are only semantically rich enough to be effective for content filtering if the vulnerability lies in a part of a protocol that is not commonly used. • Whole-system analysis is critical in understanding exploits.

  13. 3. How DACODA Works: An Example

More Related