A Framework for Diversifying Windows Native APIs to Tolerate Code Injection Attacks


Presentation Transcript


  1. A Framework for Diversifying Windows Native APIs to Tolerate Code Injection Attacks
     Lynette Qu Nguyen, Tufan Demir, Jeff Rowe, Francis Hsu and Karl Levitt
     Monday, February 09, 2009
     Cho, Ho-Gi

  2. Abstract
     • Code injection attacks
       • take advantage of software memory errors to gain complete control of a victim machine by injecting malicious instructions into the victim's process memory
     • Problem
       • The kernel serves requests from malicious injected instructions and from legitimate user processes without distinction
     • Solution
       • First tier: permute the Native API dispatch ID numbers, diversifying the Windows Native APIs
       • Second tier: provide an authentication process in case an attacker guesses the first-tier permutation order
     [WePu07]

  3. Code Injection Attacks
     Figure: Attacker → (Injection) → Victim Process Memory, which holds the Malicious Code or Program next to the process's own Native API call sequences. All three code fragments in the figure are the same NtClose stub:
         mov  eax, 0x19
         mov  edx, 0x7ffe0300
         call dword ptr [edx]
         ret  0x4
     and the code reached through the pointer at 0x7ffe0300:
         mov  edx, esp
         sysenter
         ret
     The kernel serves requests from malicious injected instructions and from legitimate user processes without distinction. [WePu07]

  4. Native API Calls in Windows
     Figure: User Application → kernel32.dll → ntdll.dll (User-level) → fastcall/interrupt → KiSystemService (Kernel-level) → System Service Dispatch Table, indexed by dispatch ID: 0x19 NtClose, … NtXXX (IDs 0~283).
     Fast call stub in Windows XP (NtClose Native API call):
         B8 19 00 00 00    mov  eax, 0x19          ; dispatch ID of NtClose
         BA 00 03 FE 7F    mov  edx, 0x7ffe0300
         FF 12             call dword ptr [edx]
         C2 04 00          ret  0x4
         8B D4             mov  edx, esp
         0F 34             sysenter
         C3                ret
     [WePu07]

  5. Design and Implementation
     • Overview (figure): User-Process → Permute → De-permute → Kernel
         User-Process        Permute        De-permute     Kernel
         call NtCreateFile   NtCreateFile   NtCreateFile
         call NtClose        NtClose        NtClose
         …                   …              …
         call NtClose        NtReadFile     NtReadFile
         Malicious Code:     call NtCreateFile
     [WePu07]

  6. Design (figure)
     • Binary static analysis of ntdll.dll: Original Protected Application → Permute → Permuted Protected Application
     • Monitoring Program; malcode
     • First tier: Native API Calls, User Mode → Kernel Mode
     • Second tier: Filter PID → De-Perm → Authentication (Intercept; Back-trace of the function call stack)
     • Native API Call: hook the SSDT
     [WePu07]

  7. Evaluation
     • Probabilistic: the chance that an attacker guesses the permuted dispatch IDs of n distinct Native API calls, out of 284 services, is
         P(n) = 1/284 · 1/283 · … · 1/(284 − n + 1) = (284 − n)!/284!
     [WePu07]
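The following Python model is an added example, not code from the paper or the slides. It illustrates the first tier of slides 5 and 6 (a per-process permutation of the 284 dispatch IDs, a statically rewritten `mov eax, <id>` stub, and a kernel-side filter that de-permutes only for protected PIDs) together with the guessing probability of slide 7. The 284 services, the NtClose ID 0x19 and the `B8 19 00 00 00` stub bytes come from slide 4; the function and class names, the seed, the PID and the way the kernel hook is modelled are assumptions made for this example.

```python
"""Toy model of permuted Native API dispatch IDs (added example, not the paper's code)."""
import random
from fractions import Fraction
from math import factorial

NUM_SERVICES = 284   # NtXXX dispatch IDs 0..283 on Windows XP (slide 4)
NT_CLOSE = 0x19      # original dispatch ID of NtClose (slide 4)


def make_permutation(seed):
    """Return (permute, depermute) tables with permute[original] == diversified ID.

    The seed is a constructed parameter so the example is reproducible; a real
    deployment would draw the permutation from a secret source per process."""
    rng = random.Random(seed)
    permute = list(range(NUM_SERVICES))
    rng.shuffle(permute)
    depermute = [0] * NUM_SERVICES
    for original, diversified in enumerate(permute):
        depermute[diversified] = original
    return permute, depermute


def rewrite_stub(original_id, permute):
    """Model the binary rewrite of an ntdll stub's 'mov eax, <id>' (B8 imm32)."""
    return bytes([0xB8]) + permute[original_id].to_bytes(4, "little")


class KernelFilter:
    """Models the SSDT hook: de-permute the ID in eax, but only for protected PIDs."""

    def __init__(self):
        self.tables = {}   # pid -> depermute table

    def protect(self, pid, depermute):
        self.tables[pid] = depermute

    def dispatch(self, pid, eax):
        """Return the original dispatch ID the kernel would actually serve."""
        table = self.tables.get(pid)
        if table is None:
            return eax        # unprotected process: IDs pass through unchanged
        return table[eax]


def guess_probability(n, services=NUM_SERVICES):
    """Slide 7: P(n) = (services - n)! / services!, the chance of guessing
    the permuted IDs of n distinct calls in one attempt."""
    if not 0 <= n <= services:
        raise ValueError("n must be between 0 and the number of services")
    return Fraction(factorial(services - n), factorial(services))


def demo(seed=2009, pid=1234):
    """Legitimate rewritten stub vs. injected code that still uses the original ID."""
    permute, depermute = make_permutation(seed)
    kf = KernelFilter()
    kf.protect(pid, depermute)
    stub = rewrite_stub(NT_CLOSE, permute)          # what the protected ntdll now contains
    loaded_eax = int.from_bytes(stub[1:5], "little")
    served_legit = kf.dispatch(pid, loaded_eax)      # de-permuted back to NtClose
    served_injected = kf.dispatch(pid, NT_CLOSE)     # injected code used the raw 0x19
    return served_legit, served_injected


if __name__ == "__main__":
    legit, injected = demo()
    print(f"legitimate stub -> service {legit:#x}, injected 0x19 -> service {injected:#x}")
    for n in (1, 2, 8):
        print(f"P({n}) = {guess_probability(n)} ~ {float(guess_probability(n)):.3e}")
```

Running the script shows the rewritten stub still reaching service 0x19 (NtClose) after de-permutation, while the injected code's raw `mov eax, 0x19` is mapped to whatever original service the permutation happens to place at 0x19; the printed P(n) values make concrete how fast the slide-7 probability shrinks as more calls have to be guessed.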

  8. Evaluation
     • Performance
       • Test machine: 1.6GHz Pentium M processor, 128MB RAM, Windows XP with Service Pack 0
       • Intercepting 8 Native API calls: overhead 3% ~ 9%
     [WePu07]

  9. Conclusions
     • The monitor cannot easily be bypassed by guessing
     • Does not require access to source code
     • Can be easily deployed without major changes to the system
     • Measurements indicate minor run-time overhead
     [WePu07]
