A Framework for Diversifying Windows Native APIs to Tolerate Code Injection Attacks Lynette Qu Nguyen, Tufan Demir, Jeff Rowe, Francis Hsu and Karl Levitt Monday, February 09, 2009 Cho, Ho-Gi
Abstract
• Code injection attacks
  • take advantage of software memory errors to gain complete control of a victim machine by injecting malicious instructions into the victim's process memory
• Problem
  • The kernel serves both malicious injected instructions and legitimate user processes without distinction
• Solution
  • First tier: permute the Native API dispatch ID numbers to diversify the Windows Native APIs
  • Second tier: provide an authentication process in case an attacker guesses the first-tier permutation order
[WePu07]
Code Injection Attacks
[Figure: the attacker injects code into the victim process memory; the injected code and a legitimate Native API call issue exactly the same instruction sequence]
Native API call stub (NtClose, dispatch ID 0x19), identical whether executed by the injected code or by the legitimate program:
    mov eax, 0x19
    mov edx, 0x7ffe0300
    call dword ptr [edx]
    ret 0x4
    ...
    mov edx, esp
    sysenter
    ret
The kernel serves both malicious injected instructions and legitimate user processes without distinction. [WePu07]
Native API Calls in Windows
[Figure: User Application -> kernel32.dll -> ntdll.dll (user level) -> fastcall/interrupt -> KiSystemService (kernel level) -> System Service Dispatch Table]
Fast call stub for NtClose in Windows XP:
    B8 19 00 00 00    mov eax, 0x19
    BA 00 03 FE 7F    mov edx, 0x7ffe0300
    FF 12             call dword ptr [edx]
    C2 04 00          ret 0x4
    8B D4             mov edx, esp
    0F 34             sysenter
    C3                ret
System Service Dispatch Table: 0x19 NtClose, 0x10 NtXXX, ... (dispatch IDs 0 ~ 283)
[WePu07]
Design and Implementation
• Overview
[Figure: Native API calls are permuted in the user process and de-permuted in the kernel]
    User-Process          Permute        De-permute / Kernel
    call NtCreateFile     NtCreateFile   NtCreateFile
    call NtClose          NtClose        NtClose
    ...                   ...            ...
    call NtClose          NtReadFile     NtReadFile
    ...                   ...            ...
    Malicious Code: call NtCreateFile
[WePu07]
Design
[Figure: two-tier architecture, user mode above, kernel mode below]
• First tier (user mode): binary static analysis of ntdll.dll; the Native API calls of the original protected application are permuted to produce the permuted protected application; malcode injected into that application still issues the original dispatch IDs
• Second tier (kernel mode): the monitoring program hooks the SSDT to intercept Native API calls, filters by PID, de-permutes the dispatch ID, and authenticates the caller with a back-trace of the function call stack
[WePu07]
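The following Python model of the two tiers is an added example; it is not code from the slides or from the paper they summarize. The service table, PIDs and permutation are constructed, and the way the second tier is modeled (a flag saying whether the call-stack back-trace ends in a rewritten ntdll stub) is an assumption about what the authentication step checks. It shows why a legitimate call still reaches the right service after permute/de-permute, why injected code that hardcodes the original ID is routed elsewhere by the first tier alone, and how the second tier rejects it.

```python
"""Toy model of the two-tier Native API diversification (added example)."""
import random
from dataclasses import dataclass, field

# Constructed toy service table: the list index is the original dispatch ID.
# (The real Windows XP table has 284 entries, IDs 0..283; NtClose is 0x19.)
SERVICES = ["NtCreateFile", "NtClose", "NtReadFile",
            "NtWriteFile", "NtOpenProcess", "NtTerminateProcess"]


def random_permutation(n, seed=None):
    """First tier: draw a random bijection original_id -> permuted_id.
    Note that a random permutation may leave a few IDs unchanged."""
    perm = list(range(n))
    random.Random(seed).shuffle(perm)
    return perm


def invert(perm):
    """Inverse mapping permuted_id -> original_id, used by the kernel hook."""
    inv = [0] * len(perm)
    for orig, new in enumerate(perm):
        inv[new] = orig
    return inv


def rewrite_stubs(perm):
    """Static rewrite of the ntdll stubs: 'mov eax, <orig>' becomes 'mov eax, <perm[orig]>'."""
    return {name: perm[orig] for orig, name in enumerate(SERVICES)}


@dataclass
class Syscall:
    pid: int
    eax: int          # dispatch ID as it arrives at KiSystemService
    from_stub: bool   # assumption: back-trace ends in a rewritten ntdll stub


@dataclass
class Monitor:
    """Kernel-side SSDT hook: PID filter, de-permutation, authentication."""
    inverse: list
    protected_pids: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def de_permute(self, eax):
        """Service a dispatch ID resolves to once the permutation is undone."""
        return SERVICES[self.inverse[eax]]

    def dispatch(self, call):
        # Filter PID: unprotected processes keep using the original table.
        if call.pid not in self.protected_pids:
            return SERVICES[call.eax]
        target = self.de_permute(call.eax)
        # Second tier: authenticate the caller before serving the request.
        if not call.from_stub:
            self.log.append(f"pid {call.pid}: eax={call.eax:#x} would reach {target}; "
                            "caller not in an ntdll stub, rejected")
            return None
        return target


def run_scenario(perm):
    """Legitimate protected process versus injected code that hardcodes original IDs."""
    monitor = Monitor(inverse=invert(perm), protected_pids={1234})
    stubs = rewrite_stubs(perm)   # what the permuted protected application executes

    # Legitimate call: the rewritten stub loads the permuted ID; back-trace ends in ntdll.
    legit = monitor.dispatch(Syscall(pid=1234, eax=stubs["NtClose"], from_stub=True))

    # Injected code: 'mov eax, <original NtClose ID>' issued from outside ntdll.
    injected_eax = SERVICES.index("NtClose")
    misrouted_to = monitor.de_permute(injected_eax)      # first-tier effect alone
    injected = monitor.dispatch(Syscall(pid=1234, eax=injected_eax, from_stub=False))
    return legit, misrouted_to, injected, monitor.log


if __name__ == "__main__":
    legit, misrouted_to, injected, log = run_scenario(
        random_permutation(len(SERVICES), seed=7))
    print("legitimate NtClose served as:", legit)
    print("injected call with the original ID would reach:", misrouted_to)
    print("injected call served as:", injected)
    print(*log, sep="\n")
```

The PID filter is what lets unmodified processes keep running: only processes registered as protected go through de-permutation, so the hook never misroutes a call from a process whose stubs were not rewritten.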
Evaluation
• Probabilistic: the chance that an attacker blindly guesses the permuted IDs of n Native API calls correctly is
  P(n calls) = 1/284 * 1/283 * ... * 1/(284 - n + 1) = (284 - n)!/284!
[WePu07]
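As an added example (not from the slides or the paper), the following Python computes the slide's probability exactly in both its product and factorial forms, and checks the closed form against exhaustive enumeration of all permutations of a small table, which is the only part where the table size and call count are constructed rather than taken from the slide.

```python
"""Probability of guessing the permuted dispatch IDs (added example)."""
from fractions import Fraction
from itertools import permutations
from math import factorial

TABLE_SIZE = 284   # Windows XP dispatch IDs 0..283


def guess_probability(n_calls, table_size=TABLE_SIZE):
    """Closed form from the slide: (table_size - n)! / table_size!, exact."""
    if not 0 <= n_calls <= table_size:
        raise ValueError("n_calls must lie between 0 and the table size")
    return Fraction(factorial(table_size - n_calls), factorial(table_size))


def guess_probability_product(n_calls, table_size=TABLE_SIZE):
    """Same quantity as the product 1/T * 1/(T-1) * ... * 1/(T-n+1)."""
    p = Fraction(1)
    for i in range(n_calls):
        p *= Fraction(1, table_size - i)
    return p


def brute_force(n_calls, table_size):
    """Exhaustive check on a small (constructed) table: count the permutations
    under which the attacker's fixed guesses for n_calls distinct services are
    all correct. By symmetry the guesses can be taken as ID i for service i."""
    guesses = list(range(n_calls))
    hits = 0
    for perm in permutations(range(table_size)):
        if all(perm[service] == guess for service, guess in enumerate(guesses)):
            hits += 1
    return Fraction(hits, factorial(table_size))


def expected_attempts(n_calls, table_size=TABLE_SIZE):
    """Mean number of blind attempts until one succeeds (geometric distribution)."""
    return 1 / guess_probability(n_calls, table_size)


if __name__ == "__main__":
    for n in (1, 2, 8):
        p = guess_probability(n)
        print(f"n={n}: P = {p} ~ {float(p):.3e}, expected attempts {expected_attempts(n)}")
    print("brute force, T=5, n=2:", brute_force(2, 5),
          "closed form:", guess_probability(2, 5))
```

Because each wrong guess in a real deployment would be a misrouted Native API call that the second tier logs, the expected-attempt count also bounds how many rejected calls a monitor would see before a blind guesser could succeed.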
Evaluation
• Performance
  • Test machine: 1.6GHz Pentium M processor, 128MB RAM, Windows XP with Service Pack 0
  • Intercepting 8 Native API calls: overhead 3% ~ 9%
[WePu07]
Conclusions
• An attacker cannot easily bypass this monitor by guessing
• Does not require access to source code
• Can be easily deployed without major changes to the system
• Experiments indicate minor run-time overhead
[WePu07]