
Network Embedded Device Insecurity: Next Gen Exploitation and Defense ONR BotNet Project Review Feb 9, 2010 Ang Cui Columbia IDS Lab




1 Network Embedded Device Insecurity: Next Gen Exploitation and Defense
ONR BotNet Project Review, Feb 9, 2010
Ang Cui, Columbia IDS Lab
Salvatore J. Stolfo, Columbia IDS Lab

2 The Main Message
Embedded devices are insecure, and available as a source for new, stealthy botnets:
– A global scan indicates there are a large number of trivially vulnerable devices in the wild: default passwords requiring no effort
– Traditional anti-virus does not work on embedded devices
– Advanced router exploitation techniques and router botnets exist today
– We should expect to see massive stealthy botnets composed of embedded devices
Parasitic Embedded Machines: a solution to embed defenses into legacy embedded devices in situ

3 Our Current Status
Parasitic Embedded Machines can protect legacy devices against exploitation
– A PEM that protects standard Cisco IOS against rootkit installation exists today in our lab

4 Network Embedded Insecurity: Global Vulnerability Scan
Embedded devices can be compromised using out-of-the-box default passwords and used in botnets. How many trivially vulnerable embedded devices are there?

5 Global Vulnerability Scan Procedure
1. Scan the world: the largest residential ISPs, commercial ISPs, EDU, GOV etc., in the United States, Asia and Europe (easy as pie)
2. Identify embedded devices by matching a fingerprint string to a device profile:
    cisco-IOS                        | web_cisco-web
    level_15_access                  | web_cisco-web
    Linksys SPA Configuration        | web_linksys-spa
    Linksys PAP2 Configuration       | web_linksys-pap2
    SpeedStream Router Configurator  | web_speedstream
    DD-WRT Control Panel             | web_ddwrt
3. Automatically try the default password, verifying it with profiles like this:
    root:
      username_prompt: ['sername:']
      username: ['cisco']
      askuser: true
      passstr: ['assword:']
      incorrect: [sername, assword]
      success: ['\$', '\#', '>']
      passwords: ['cisco']
      deviceType: cisco
      linesep: ''

6 Global Vulnerability Scan Results
3 weeks, 5 machines, 1 billion IPs scanned, 102,896 devices owned (as of Jan 2010)
Vendors: Cisco, Juniper, Polycom, Tandberg, Linksys, Huawei, Ubiquiti, Lantronix, Axis, ZTE, SpeedStream
Major vulnerable device types: home routers, DVRs, corporate IPsec gateways, VoIP gateways, edge routers, teleconferencing units, VoIP adapters, print servers, firewalls, web camera servers, wireless access points, switches, IPTV
Devices found over a 4-day period (by fingerprint):
    MW-2010R          4025
    SI314T            2555
    BCM               1203
    speedstream        923
    ipserver_dvrdvs    560
    zte                484
    cisco              423
    h3c                322
    linksys-wrt        305
    linksys-spa        205
    webbox             194
    huawei-ma
    netscreen          101
    polycom
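The default-password check on slide 5 is an expect-style state machine driven by the profile: match the username prompt, send the candidate username, match the password prompt, send the candidate password, then decide from what comes back. Below is an added example of that logic (it is not the Columbia IDS Lab scanner). The profile fields follow the slide's YAML; the telnet endpoint is replaced by a constructed in-memory fake device so the example runs offline, and the banner text, the `fake_device_t` type and the function names are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Profile shape mirrors slide 5. Prompt fragments are matched as substrings, so
 * "sername:" catches both "Username:" and "username:". */
typedef struct {
    const char *username_prompt;   /* fragment that marks the username prompt */
    const char *passstr;           /* fragment that marks the password prompt */
    const char *incorrect[2];      /* a re-prompt after sending credentials means rejection */
    const char *success[3];        /* shell prompt characters */
    const char *username;
    const char *password;
    int askuser;                   /* some devices ask for a password only */
} profile_t;

static const profile_t cisco_profile = {
    "sername:", "assword:", { "sername", "assword" }, { "$", "#", ">" }, "cisco", "cisco", 1
};

/* Constructed stand-in for a telnet endpoint; a real scanner reads and writes a socket.
 * The device's true credentials are set per run so both outcomes can be exercised. */
typedef struct {
    const char *real_user, *real_pass;
    int stage;             /* 0 banner, 1 want user, 2 want pass, 3 logged in, 4 rejected */
    char user_seen[32];
} fake_device_t;

static const char *device_read(fake_device_t *d) {
    switch (d->stage) {
    case 0: d->stage = 1; return "\r\nUser Access Verification\r\n\r\nUsername: ";
    case 1: return "Username: ";
    case 2: return "Password: ";
    case 3: return "\r\nRouter>";
    default: d->stage = 1; return "\r\n% Login invalid\r\n\r\nUsername: ";
    }
}

static void device_write(fake_device_t *d, const char *line) {
    if (d->stage == 1) {
        snprintf(d->user_seen, sizeof d->user_seen, "%s", line);
        d->stage = 2;
    } else if (d->stage == 2) {
        d->stage = (strcmp(d->user_seen, d->real_user) == 0 &&
                    strcmp(line, d->real_pass) == 0) ? 3 : 4;
    }
}

static int contains_any(const char *buf, const char *const *needles, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (needles[i] && strstr(buf, needles[i])) return 1;
    return 0;
}

/* Drive one login attempt with the profile's default credentials.
 * Returns 1 if they were accepted, 0 if rejected, -1 if the device did not
 * follow the prompt sequence the profile expects (wrong profile, or not a login). */
int verify_default_password(const profile_t *p, fake_device_t *dev) {
    const char *rx = device_read(dev);
    if (p->askuser) {
        if (!strstr(rx, p->username_prompt)) return -1;
        device_write(dev, p->username);
        rx = device_read(dev);
    }
    if (!strstr(rx, p->passstr)) return -1;
    device_write(dev, p->password);
    rx = device_read(dev);
    /* Check the rejection markers first: a failed login re-prompts, and banner or
     * prompt text in that reply could contain one of the success characters. */
    if (contains_any(rx, p->incorrect, 2)) return 0;
    if (contains_any(rx, p->success, 3)) return 1;
    return -1;
}

int main(void) {
    fake_device_t open_dev = { "cisco", "cisco", 0, "" };
    fake_device_t changed_dev = { "cisco", "S3cret!", 0, "" };
    printf("default creds on open device:    %d\n", verify_default_password(&cisco_profile, &open_dev));
    printf("default creds on changed device: %d\n", verify_default_password(&cisco_profile, &changed_dev));
    return 0;
}
```

The three-way result matters for a scan at this scale: only a 1 counts as "owned", a 0 is a device with changed credentials, and a -1 means the fingerprint picked the wrong profile and the attempt should not be recorded either way.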

7 [www.hacktory.cs.columbia.edu]

8 What we should expect next…
Router exploitation
– DIK (Da IOS Rootkit, Sebastian Muniz): http://eusecwest.com/esw08/esw08-muniz.pdf
– Router transit vulnerabilities (Felix Lindner): http://www.blackhat.com/presentations/bh-usa-09/LINDNER/BHUSA09-Lindner-RouterExploit-SLIDES.pdf
– Reliable Cisco IOS exploit (Felix Lindner): http://www.phenoelit-us.org/stuff/FX_Phenoelit_25c3_Cisco_IOS.pdf
Router botnets
– Network Bluepill: http://dronebl.org/blog
– Kaiten bot, Helel Mod 1.0 (EzbaElohim), runs on D-Link routers: http://packetstormsecurity.nl/irc/kaiten.c
Defense today
– Host-based embedded device defense does not yet exist (Norton for IOS?)
– Detection of compromise is very difficult (Tripwire for IOS?)
– Polymorphism has made signature-based protection obsolete (white-listing?)
Parasitic Embedded Machines are the solution.

9 Parasitic Embedded Machines (Next Gen Embedded Defense)
The embedded device population is diverse
– 270,000+ unique IOS images (Cisco)
– Many vendors, many devices, many revisions of the same device
Traditional host-based software cannot be ported to embedded devices
– Computational resource constraints
– Too many types of devices to protect; cannot leverage economies of scale
Parasitic Embedded Machines are a solution
– Operating-system-agnostic code injection
– Invisible to the original device firmware
– Protect embedded devices with white-list based technology
– Retrofit legacy devices with low-overhead protection

10 Cross Platform Operating System Agnostic Code Injection

11 Standard Function Interception

12 Improved Function Hooking
PEMM (PEM Manager)
– Manages an isolated execution context for the PEM payload
– Gives the PEM payload cross-device/platform portability
PEM payload executes in parallel to the native OS
– Payload is invisible to the native OS
– Payload has full access to native OS internals
– Payload controls CPU allocation between the native OS and itself

13 Choose arbitrary functions to hook
– PEMM and payload are injected into the native OS
– Many native OS functions are arbitrarily intercepted by PEMM
– PEM continuously regains control of the CPU as intercepted functions are invoked
– PEM function hooks can be modified at runtime
– PEM can be obfuscated to evade adversarial attack

14 PEM Injection (Demonstrated for Cisco IOS)
The injection can be done at runtime (via an exploit) or at boot time (by patching the IOS image).

15 Usable Gap Memory In IOS
[Figures: "Available Gaps in 24MB of IOS 12.2 Code" and "A Typical Usable Gap"]
Approximately 100KB of usable space was automatically detected using the gap method alone. Several other, slightly more sophisticated methods can be used to automatically detect more usable space.
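The gap method on this slide, worked through as an added example (this is not the Columbia IDS Lab tool): scan a firmware image once for runs of padding bytes, keep the runs long enough to hold code, report the usable total, and pick a word-aligned spot for a payload of a given size. The padding values (0x00 and 0xFF), the 4-byte alignment, the minimum run length and the 4 KiB constructed stand-in for an image are assumptions; a real IOS image and the 100KB figure are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A run of padding inside the image: candidate space for a PEM payload. */
typedef struct { size_t offset; size_t length; } gap_t;

static int is_padding(uint8_t b) { return b == 0x00 || b == 0xFF; }

/* The gap method: walk the image once and record every run of identical padding
 * bytes at least min_len long. Returns the number of gaps written to out. */
size_t find_gaps(const uint8_t *img, size_t len, size_t min_len, gap_t *out, size_t max_out) {
    size_t n = 0, run_start = 0;
    int in_run = 0;
    for (size_t i = 0; i <= len; i++) {
        /* a run continues only while the same padding value repeats */
        int continues = i < len && in_run && is_padding(img[i]) && img[i] == img[run_start];
        if (continues) continue;
        if (in_run) {                      /* run ended: end of image, code byte, or pad value changed */
            size_t run_len = i - run_start;
            if (run_len >= min_len && n < max_out) {
                out[n].offset = run_start;
                out[n].length = run_len;
                n++;
            }
            in_run = 0;
        }
        if (i < len && is_padding(img[i])) { in_run = 1; run_start = i; }
    }
    return n;
}

/* Total bytes available across the detected gaps. */
size_t usable_bytes(const gap_t *gaps, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += gaps[i].length;
    return total;
}

/* Pick the first gap that holds payload_len bytes at 4-byte alignment (instruction
 * words must be aligned). Returns the placement offset, or (size_t)-1 if none fits. */
size_t place_payload(const gap_t *gaps, size_t n, size_t payload_len) {
    for (size_t i = 0; i < n; i++) {
        size_t start = (gaps[i].offset + 3) & ~(size_t)3;
        size_t slack = start - gaps[i].offset;
        if (gaps[i].length >= slack + payload_len) return start;
    }
    return (size_t)-1;
}

/* Constructed 4 KiB stand-in for a firmware image (not a real IOS image): code-like
 * bytes, an 8-byte zero run too small to use, a 600-byte zero gap and a 0xFF tail. */
#define SAMPLE_LEN 4096
size_t build_sample_image(uint8_t *buf) {
    for (size_t i = 0; i < SAMPLE_LEN; i++) buf[i] = (uint8_t)(0x21 + i % 200);  /* never 0x00/0xFF */
    memset(buf + 500, 0x00, 8);
    memset(buf + 1000, 0x00, 600);
    memset(buf + 2100, 0xFF, SAMPLE_LEN - 2100);
    return SAMPLE_LEN;
}

/* Run the whole procedure on the sample image: returns the number of gaps found at
 * min_len and fills *usable and *placement (for a payload of payload_len bytes). */
size_t gap_demo(size_t min_len, size_t payload_len, size_t *usable, size_t *placement) {
    uint8_t img[SAMPLE_LEN];
    gap_t gaps[16];
    size_t n = find_gaps(img, build_sample_image(img), min_len, gaps, 16);
    *usable = usable_bytes(gaps, n);
    *placement = place_payload(gaps, n, payload_len);
    return n;
}
```

Raising min_len is what separates usable gaps from the short inter-function padding a linker leaves everywhere; the 8-byte run in the sample is found with min_len 4 and ignored with min_len 256.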

16 A Trivial PEM Payload

    void dummyPEMPayload(register unsigned int *saveLocation,
                         register unsigned int *checkMemStart,
                         register unsigned int *checkMemStop,
                         register unsigned int *statusRegister)
    {
        unsigned int *x;
        while (1) {
            for (x = checkMemStart; x < checkMemStop; x += 1) {
                // do something useful (calculate checksum)
                if ((int) x % 0x7FF == 0) {
                    asm("jalr $t9");   /* MIPS: periodically yield the CPU back to native IOS */
                }
                *statusRegister = *x;
            }
        }
    }

This can be compiled by GCC (for the router's MIPS target) and injected directly into IOS as a PEM payload. In pseudocode:

    void dummyPEMPayload(PEM args) {
        while (true) {
            scan through memory segment
            perform computation on memory segment
            periodically yield control of CPU to native OS
        }
    }

17 Parasitic Embedded Machine Rootkit Defense: Cisco IOS Case Study
1. Inject code verification payload into Cisco IOS
   – PEM payload injected into IOS image
   – Can be done at runtime or boot time
2. Continuously monitor changes to IOS code
   – PEM payload calculates a checksum over protected OS memory regions: code section, static data sections, empty gap regions
3. Catch IOS rootkits in real time
   – PEM prevents function interception
   – Attacker cannot modify the device OS
   – Persistent rootkits not possible under PEM protection
[Figure: IOS memory layout]
Defense strategy does not rely on attack signatures
– Continuous checksum validates IOS integrity
– White-list strategy will detect any OS modification attempts
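Slides 12, 13, 16 and 17 together describe one mechanism: PEMM hooks native functions so the payload regains the CPU whenever they are called, and the payload spends each turn checksumming part of protected memory against a white-list baseline. The code below is an added example of that design (not the lab's PEM), modelled in user space so it runs anywhere: the "native OS" is a function-pointer table, the hook is a trampoline that runs the payload and then yields to the original function, and the protected region is a constructed buffer of fake instruction words. The slice size, the Fletcher-32 checksum, the patch value and all names are assumptions the slides do not specify.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define REGION_WORDS 4096            /* protected "IOS code" region, in 32-bit words (constructed) */
#define SLICE_WORDS  512             /* words verified each time the PEM regains the CPU (assumed) */
#define NSLICES      (REGION_WORDS / SLICE_WORDS)

static uint32_t protected_region[REGION_WORDS];   /* stands in for the IOS text section */

/* --- native OS model: functions the OS calls during normal operation --- */
typedef void (*os_fn)(void);
static unsigned packets_sent, ticks;
static void os_send_packet(void) { packets_sent++; }
static void os_timer_tick(void)  { ticks++; }
static os_fn os_table[2];            /* dispatch table that PEMM patches */

/* --- PEM payload: incremental white-list checksum of the protected region --- */
static uint32_t baseline[NSLICES];   /* per-slice checksums recorded at injection time */
static size_t   cursor;              /* next slice to verify */
static int      violations;          /* slices whose checksum no longer matches */
static long     first_bad_word;      /* word index of the first slice found modified, -1 if none */

/* Fletcher-32 over the 16-bit halves of each word. Assumption: the slide does not name the checksum. */
static uint32_t checksum_words(const uint32_t *start, const uint32_t *stop) {
    uint32_t a = 0, b = 0;
    for (const uint32_t *p = start; p < stop; p++) {
        a = (a + (*p & 0xFFFFu) + (*p >> 16)) % 65535u;
        b = (b + a) % 65535u;
    }
    return (b << 16) | a;
}

static void pem_payload_init(void) {
    for (size_t s = 0; s < NSLICES; s++) {
        const uint32_t *start = protected_region + s * SLICE_WORDS;
        baseline[s] = checksum_words(start, start + SLICE_WORDS);
    }
    cursor = 0; violations = 0; first_bad_word = -1;
}

/* One unit of PEM work: verify a single slice against the white-list, then advance.
 * Any mismatch is a modification of protected code; no attack signature is involved. */
static void pem_payload_step(void) {
    const uint32_t *start = protected_region + cursor * SLICE_WORDS;
    if (checksum_words(start, start + SLICE_WORDS) != baseline[cursor]) {
        violations++;
        if (first_bad_word < 0) first_bad_word = (long)(cursor * SLICE_WORDS);
    }
    cursor = (cursor + 1) % NSLICES;
}

/* --- PEMM: hook a native function so the payload regains the CPU on every call --- */
static os_fn saved_fn;
static void pem_trampoline(void) {
    pem_payload_step();   /* PEM work first ... */
    saved_fn();           /* ... then yield to the intercepted native function (the jalr $t9 of slide 16) */
}
static void pemm_hook(size_t idx) { saved_fn = os_table[idx]; os_table[idx] = pem_trampoline; }

long pem_first_bad_word(void) { return first_bad_word; }

/* Scenario: inject, run the OS cleanly, let an attacker overwrite one word of protected
 * code (an inline hook), then count hooked native calls until the PEM notices.
 * Returns that count, -1 if undetected after a full pass, -2 on a false positive. */
int pem_demo(size_t patch_word) {
    for (size_t i = 0; i < REGION_WORDS; i++)
        protected_region[i] = (uint32_t)(i * 2654435761u);   /* deterministic fake code words */
    os_table[0] = os_send_packet;
    os_table[1] = os_timer_tick;
    pem_payload_init();
    pemm_hook(0);                                   /* intercept os_send_packet */

    for (int i = 0; i < 3; i++) os_table[0]();      /* clean traffic: three slices verified */
    if (violations != 0) return -2;

    /* attacker: replace an instruction with a jump to rootkit code (constructed encoding) */
    protected_region[patch_word] = 0x08000000u | ((uint32_t)(patch_word + 16) & 0x03FFFFFFu);

    for (int calls = 1; calls <= NSLICES; calls++) {
        os_table[0]();
        if (violations > 0) return calls;
    }
    return -1;
}

int main(void) {
    int calls = pem_demo(3000);
    printf("modification at word %ld detected after %d hooked calls\n", pem_first_bad_word(), calls);
    return 0;
}
```

The detection latency is the number of hooked calls needed for the cursor to reach the modified slice, which is the trade-off slides 19 and 20 measure: more slices per turn (or more hooked functions) means more CPU taken from IOS and faster detection.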

18 Implementation Stats

19 PEM Rootkit Detection Overhead
PEMM regulates CPU allocation between the native OS and itself.
[Figure: CPU utilization on a Cisco 7121 router with the PEM set to different CPU usage levels]

20 IOS Modification Detection Latency
There is a direct relationship between the CPU share given to the PEM and the speed at which IOS modifications are detected.

21 Next Steps
– Expand the range of devices in the scan (including .MIL via NPS.edu)
– Expand the range of devices with PEM injection
– Improve the PEM injection method (hooking returns) to broaden the range of attack detection
– End-to-end demo of attack and defense against a router in the lab
– Develop an embedded device attack sensor
– Deploy sensors to detect attacks against routers in a network with outside collaborators (possibly FI infrastructure)

22 Columbia IDS Lab

