Tools and techniques for understanding and defending real systems. Jedidiah R. Crandall (presentation transcript)


Slide 1: Tools and techniques for understanding and defending real systems. Jedidiah R. Crandall, crandall@cs.ucdavis.edu

Slide 2: Overview
- Security is not a problem to be solved, but a battle to be waged by…
  - Antivirus professionals
  - Law enforcement
  - Next-generation security technology developers
  - …
- Give them the tools they need
  - Implementations of useful techniques
  - Theory planted firmly in practice

Slide 3: Vision
- How can we address emerging threats (poly/metamorphic worms/botnets, cryptovirology, advanced rootkits, etc.)?
  - Problem: We don’t have very many real-world samples of these to look at
  - Solution: Look at the way the samples we have interact with the systems we’re trying to defend

Slide 4: Outline
- Code Red II example
  - Define some basic terms and concepts
- Minos
  - Catches worms
- DACODA
  - Used to understand polymorphism and metamorphism
- Temporal Search
  - Analyzes the payload for timebomb attacks
- Looking ahead…

Slide 5: Outline (repeat of slide 4, introducing the Code Red II example section)

Slide 6: Code Red/Code Red II
- Code Red
  - 359,000 hosts infected
  - $2.6 billion in cleanup [Computer Economics]
  - Attempted DoS on White House; averted after being discovered hours before the attack was to occur
- Code Red II
  - Exploit is basically the same

Slide 7: Exploit-based Worms (figure: a request GET /bla?x=A1B28CD30EE17C arriving in the web server’s memory)

Slide 8: The Code Red II Exploit

    GET /default.ida?XXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXX
    X…XXXX%u9090%u6858%ucbd3%u7801%u
    9090%u6858%ucbd3%u7801%u9090%u6
    858%ucbd3%u7801%u9090%u9090%u81
    90%u00c3%u0003%u8b00%u531b%u53f
    f%u0078%u0000%u00=a HTTP/1.0

Slide 9: Three stages of an attack (figure)

Slide 10: ε = Exploit Vector (the Code Red II request from slide 8)

Slide 11: γ = Bogus Control Data (the Code Red II request from slide 8)

Slide 12: π = Payload (the Code Red II request from slide 8)

Slide 13: Motivation for ε-γ-π
- Different polymorphic/metamorphic techniques for ε, γ, and π
- Data can be represented differently on the network and where it is used in the attack trace
  - “25 75 62 63 64 33 25 75 37 38 30 31” vs. “d3 cb 01 78” for 0x7801cbd3
- “Information only has meaning in that it is subject to interpretation.” [Cohen, 1984]

Slide 14: Network Signatures? (the Code Red II request from slide 8)

Slide 15: Polymorphism and metamorphism
- Change successive instances of the worm so signature-based network defenses fail
  - Polymorphic: think syntax
  - Metamorphic: think semantics
- Note: Some researchers call both polymorphism

Slide 16: ε = Exploit Vector (the Code Red II request from slide 8)

Slide 17: γ = Bogus Control Data (the Code Red II request from slide 8)

Slide 18: π = Payload (the Code Red II request from slide 8)

Slide 19: Poly/metamorphism in γ and π
- Poly/metamorphic possibilities of π are endless (self-modifying code)
- γ: Buttercup [Pasupulati et al.; NOMS 2004]
  - “Register springs” – more details in [Crandall et al.; DIMVA 2005]
  - 11,009 possibilities for Blaster
  - 353 for Slammer

Slide 20: Polymorphism of ε (the Code Red II request from slide 8)

Slide 21: Polymorphism of ε

    GET /yutiodr.ida?CEOIUXJASKMDIDD
    EOXIJOEIJXDXNMDKJXNSKJNXIDOIW
    R…ATUD%u8743%ubc65%ua999%uffff%u
    873f%ue875%u4568%u99cc%u8333%u7
    621%ubb66%u9876%u1000%u8732%u98
    54%u76cd%udddd%u5555%u5234%uff4
    3%u7632%u5632%ucc=i HTTP/1.0

Slide 22: Metamorphism of ε (the Code Red II request from slide 8)

Slide 23: Metamorphism of ε

    GET /default.ida?X%u61XXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXX\xd3\xcb\x01\x78XXXXXXXXXX
    XXXXXXXX=a HTTP/1.0

Slide 24: Metamorphism of ε (figure)
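A worked illustration of the point made on slides 13, 14 and 23, added here and not part of the talk: a toy decoder reinterprets the .ida query the way the host does (each %uXXXX becomes one little-endian 16-bit unit, %XX one byte, everything else passes through; the real IIS UTF-16 path is simplified away), so the control word 0x7801cbd3 is found whether it arrived as %ucbd3%u7801 or as raw bytes, while a byte-string signature written against the wire form matches only one of the two. The request fragments are constructed, shortened versions of the slides’ requests.

```python
import re

# Simplified model of the host's reinterpretation of a query string:
# %uXXXX -> one 16-bit unit stored little-endian, %XX -> one byte,
# any other byte -> itself. (Toy model; IIS's real UTF-16 handling is omitted.)
U_ESCAPE = re.compile(rb"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def decode_query(query: bytes) -> bytes:
    out, pos = bytearray(), 0
    for m in U_ESCAPE.finditer(query):
        out += query[pos:m.start()]
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += query[pos:]
    return bytes(out)

def control_word_offsets(decoded: bytes, word: int) -> list:
    """Offsets at which the 32-bit little-endian control word (gamma data) appears."""
    needle = word.to_bytes(4, "little")
    return [i for i in range(len(decoded) - 3) if decoded[i:i + 4] == needle]

# Constructed fragments: two wire encodings of the same control word 0x7801cbd3,
# in the style of slides 22 and 23 (not the full requests).
WIRE_PERCENT_U = b"GET /default.ida?XXXX%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0"
WIRE_RAW_BYTES = b"GET /default.ida?XXXX\x90\x90\x58\x68\xd3\xcb\x01\x78\x90\x90=a HTTP/1.0"

def network_signature_hits(wire: bytes) -> bool:
    """Byte-string signature written against the first form as seen on the wire."""
    return b"%ucbd3%u7801" in wire

def interpreted_signature_hits(wire: bytes) -> bool:
    """The same check applied to the host's interpretation of the bytes instead."""
    return bool(control_word_offsets(decode_query(wire), 0x7801CBD3))
```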

Slide 25: Outline (repeat of slide 4, introducing the Minos section)

Slide 26: Minos [Crandall and Chong; MICRO 2004]
- Tagged architecture that tracks the integrity of every memory word
  - Network data is tainted
  - Control data (return pointers, function pointers, jump targets, etc.) should not be
- Taint tracking with every instruction
- Great for catching worms
  - Uses the γ mapping

Slide 27: Gratuitous Dante Quote
- “Minos the dreadful snarls at the gate, … and wraps himself in his tail with as many turns as levels down that shade will have to dwell”

Slide 28: Minos Implementation
- Implemented a full-system tagging scheme in a virtual machine
  - Linux (modified kernel): tracks integrity in the file system; virtual memory swapping [used by Raksha project]
  - Windows (unmodified): works great as a honeypot for catching worms

Slide 29: How to catch worms… (figure)

Slide 30: Only one false positive… (figure)

Slide 31: Actually a “non-target pest” (figure)

Slide 32: Minos Full-System Evaluation
- General Minos concept used in related works (DIFT [Suh et al.; ASPLOS 2004], TaintCheck [Newsome and Song; NDSS 2005]), follow-on works, and at least one commercial product
- Important to get things right
  - e.g. Code Red II – must taint table lookups
- Able to build DACODA on top of Minos

Slide 33: Outline (repeat of slide 4, introducing the DACODA section)

Slide 34: DACODA [Crandall et al.; CCS 2005]
- DAvis malCODe Analyzer
- Discover invariants in the exploit vector (ε)
  - Symbolic execution on the system trace during attacks that Minos catches
- Used for an empirical analysis of polymorphism and metamorphism
  - Quantify and understand the limits

Slide 35: Worm Polymorphism and Metamorphism
- Viruses: Defender has time to pick apart the attacker’s techniques
  - e.g. Algorithmic scanners, emulation
- Worms: Attacker has time to pick apart the deployed network defense techniques
  - What can defenders do to evaluate the robustness of defenses against attacks that don’t exist yet?

Slide 36: Measuring Poly/metamorphism
- [Ma et al.; IMC 2006]
  - Found relatively little polymorphism “in the wild”
- Worm defense designers don’t have samples of the poly/metamorphic techniques attackers will use on their defenses
  - (Have to build the defense first)

Slide 37: The Epsilon-Gamma-Pi Model (figure)

Slide 38: How DACODA Works
- “Information only has meaning in that it is subject to interpretation.” [Cohen, 1984]
- Gives each byte of network data a unique label
- Tracks these through the entire system
- Discovers predicates about how the host under attack interprets the network bytes

Slide 39: DACODA symbolic execution on a four-instruction example

    mov al,[AddressWithLabel1832]   ; AL.expr <= (Label 1832)
    add al,4                        ; AL.expr <= (ADD AL.Expr 4)
                                    ; /* AL.expr == (ADD (LABEL 1832) 4) */
    cmp al,10                       ; ZFLAG.left <= AL.expr
                                    ; /* ZFLAG.left == (ADD (Label 1832) 4) */
                                    ; ZFLAG.right <= 10
    je JumpTargetIfEqualToTen       ; P <= new Predicate(EQUAL ZFLAG.Left ZFLAG.Right)
                                    ; /* P == (EQUAL (ADD (Label 1832) 4) 10) */
                                    ; AddToSetOfKnownPredicates(P)
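An added toy model, not Minos or DACODA code, of the mechanism slides 26, 32, 38 and 39 describe: every memory word carries a concrete value plus an optional DACODA expression, the presence of an expression is the Minos taint tag, a compare on labelled data records a predicate exactly as on slide 39, and an indirect jump through labelled data raises the Minos alert. The second demo shows why a table lookup must inherit its index’s taint (slide 32). Addresses, labels and values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Word:
    v: int              # concrete byte value
    expr: object = None # DACODA expression; None doubles as the Minos "trusted" tag

class Tracker:
    # Toy Minos/DACODA core: network bytes carry a unique LABEL; the expression
    # and the integrity tag follow the data through loads, adds and compares.
    def __init__(self, mem):
        self.mem, self.regs = mem, {}          # mem: address -> Word (constructed)
        self.zf_left = self.zf_right = None    # operands of the last cmp (ZFLAG.left/right)
        self.predicates, self.alerts = [], []  # DACODA output, Minos output

    def mov_load(self, reg, addr):
        # addr: immediate address, or the name of a register holding the address.
        # A lookup through a tainted index inherits that index's taint even when
        # the table entry itself is trusted (slide 32: "must taint table lookups").
        idx = self.regs[addr] if isinstance(addr, str) else Word(addr)
        w = self.mem[idx.v]
        expr = w.expr if w.expr is not None else (("LOOKUP", idx.expr) if idx.expr is not None else None)
        self.regs[reg] = Word(w.v, expr)
    def add_imm(self, reg, imm):
        r = self.regs[reg]
        expr = ("ADD", r.expr, imm) if r.expr is not None else None
        self.regs[reg] = Word((r.v + imm) & 0xFF, expr)
    def cmp_imm(self, reg, imm):
        self.zf_left, self.zf_right = self.regs[reg], Word(imm)
    def je(self):
        left, right = self.zf_left, self.zf_right
        if left.expr is not None:  # only compares on network-derived data become predicates
            self.predicates.append(("EQUAL", left.expr, right.v, left.v == right.v))
        return left.v == right.v
    def jmp_reg(self, reg):
        target = self.regs[reg]
        if target.expr is not None:  # Minos: control data must never be network-derived
            self.alerts.append(("TAINTED_JUMP", target.v, target.expr))
        return target.v

def slide39_demo():
    """Slide 39's four instructions, with the byte at 1832 labelled as network data."""
    m = Tracker({1832: Word(6, ("LABEL", 1832))})
    m.mov_load("al", 1832); m.add_imm("al", 4); m.cmp_imm("al", 10); m.je()
    return m.predicates

def table_lookup_demo():
    """Trusted jump table indexed by a network byte: the fetched target must be tainted."""
    mem = {0x10: Word(0xA0), 0x11: Word(0xB0), 0x12: Word(0xC0), 0x200: Word(0x11, ("LABEL", 7))}
    m = Tracker(mem)
    m.mov_load("eax", 0x200)  # index byte comes straight from the network
    m.mov_load("ebx", "eax")  # table[index]: the entry is trusted, the index is not
    m.jmp_reg("ebx")
    return m.alerts
```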

Slide 40: Why Full-System Analysis?
- Kernel
  - “Remote Windows Kernel Exploitation – Step Into the Ring 0” by Barnaby Jack
  - MS05-027 (SMB)
- Multiple processes
  - Base64 in IIS + ASN.1 in lsass.exe
- Multithreading
  - And listening on multiple ports
  - Even for Slammer, the simplest buffer overflow ever

Slide 41: Actual Worms/Attacks Caught by Minos and Analyzed by DACODA

    Name                OS      Port       Class
    Sasser              WinXP   445 TCP    Buff.Over.
    Blaster             WinXP   135 TCP    Buff.Over.
    Workstation Serv.   WinXP   445 TCP    Buff.Over.
    RPCSS               WinXP   135 TCP    Buff.Over.
    Slammer             Whist.  1434 UDP   Buff.Over.
    Code Red II         Whist.  80 TCP     Buff.Over.
    Zotob               Win2K   445 TCP    Buff.Over.

Slide 42: Other Attacks Caught by Minos and Analyzed by DACODA

    Name        OS      Port            Class
    SQL Auth.   Whist.  1434 TCP        Buff.Over.
    rpc.statd   Linux   111 & 918 TCP   Form.Str.
    innd        Linux   119 TCP         Buff.Over.
    Scalper     OBSD    80 TCP          Int.Over.
    ntpd        FBSD    123 TCP         Buff.Over.
    Turkey      FBSD    21 TCP          OffByOne

Slide 43: Single Contiguous Byte Strings

    Name      Longest String      Name        Longest String
    Sasser    36                  SQL Auth.   4
    Blaster   92                  rpc.statd   16
    Work.     23                  innd        27
    RPCSS     18                  Scalper     32
    Slammer   1                   ntpd        8
    CRII      17                  Turkey      21
    Zotob     36

Slide 44: Single Contiguous Signatures
- Autograph [Kim and Karp; USENIX Security 2004] and EarlyBird [Singh et al.; OSDI 2004] both demonstrated good results at about 40 bytes for the signature length
- [Newsome et al.; IEEE S&P 2005] came to the same conclusion as we did and proposed sets of smaller byte strings called tokens

Slide 45: Tokens (the Code Red II request from slide 8)

Slide 46: Where do These Tokens Come From?
- Scalper
  - “Transfer-Encoding: chunked”
  - Same applies to most of these vulnerabilities
- “The Horns of a Dilemma”
  - Use protocol framing as a signature
  - Be very precise

Slide 47: Precision: ASN.1 Dangling Pointer
- Heap corruption
- (0x23 [SIZE]… ”AAAAAAAA” (0x23 [SIZE] 0x77665544 “BBBB”) …)

Slide 48: Conclusions from DACODA
- Whole system analysis is important
- New focus on more semantic signatures
  - How to understand the semantics of the vulnerability?
- We can learn a lot about emerging malware threats by studying existing malware samples and their interactions with the systems they run on

Slide 49: Outline (repeat of slide 4, introducing the Temporal Search section)

Slide 50: Temporal Search [Crandall et al.; ASPLOS 2006]
- Automated discovery of timebomb attacks
  - Analysis in the π stage
- Prototype of behavior-based analysis
  - Proposed a framework for a problem space nobody has looked at before
  - Implemented parts of it
  - Identified the remaining challenges by testing real worms with timebombs on our prototype

Slide 51: You as an antivirus professional catch a new worm…
- Unpack it
- Polymorphism/metamorphism?
- Anti-debugger tricks?
- Any behaviors predicated on time?
  - How it gets the time?
  - UTC/Local?
  - Conversions between formats?

Slide 52: With Temporal Search… (figure: Infect a VM → Automated, behavior-based Temporal Search → Respond)

Slide 53: How to respond?
- Sober.X – 6 and 7 January 2006
  - URLs blocked
- Kama Sutra – 3rd of the month
  - Users removed infections
- Code Red – 20th of the month
  - White House IP address changed
- What if we have just hours or even minutes, not days?

Slide 54: Behavior-based Analysis
- [Cohen, 1984] defined behavior-based detection as a question of “defining what is and is not a legitimate use of a service, and finding a means of detecting the difference.”
- Behavior-based analysis is similar
  - Assume the system is infected with malware
  - Analyze its use of a service such as the PIT

Slide 55: Why not just speed up the clock?
- Dramatic time perturbation would be easy to detect
  - Also not easy to do for a busy system (effectively lowers perceived performance)
- May miss some behaviors
  - Kama Sutra
- Will not be able to explain behaviors it does elicit

Slide 56: Basic Idea
- Find timers
  - Run the PIT at different rates of perceived time; system performance stays the same
  - Correlate between PIT and memory writes
- Symbolic execution
  - e.g. with DACODA
- Weakest precondition calculation
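The “find timers” step of slide 56 as an added, simplified simulation (not the paper’s implementation): two constructed runs of the same toy program under different perceived PIT rates, and a check that keeps only the memory locations whose written value is determined by the PIT reading rather than by the amount of work done. Location names and the write traces are constructed.

```python
def simulate(rate, steps=24):
    """Constructed toy trace of one run: (step, pit, addr, value) memory writes.
    'rate' is how many perceived PIT ticks (hours here) elapse per unit of work."""
    writes = []
    for step in range(1, steps + 1):
        pit = step * rate
        writes.append((step, pit, "tick_count", pit))               # raw copy of the timer
        writes.append((step, pit, "day_of_month", 13 + pit // 24))  # derived from time
        writes.append((step, pit, "loop_counter", step))            # depends on work only
        writes.append((step, pit, "checksum", (step * 37) % 11))    # depends on work only
    return writes

def find_timers(runs):
    """runs: {rate: writes}. Keep addresses whose value is fixed by the perceived PIT
    (same PIT reading -> same value in every run) and that actually move with the
    PIT rate (same amount of work -> different value across runs). A monotone work
    counter correlates with the PIT inside one run but fails the second test."""
    rates = sorted(runs)
    addrs = {w[2] for w in runs[rates[0]]}
    timers = []
    for addr in sorted(addrs):
        by_pit, by_step = {}, {}
        for rate in rates:
            for step, pit, a, v in runs[rate]:
                if a == addr:
                    by_pit.setdefault(pit, set()).add(v)
                    by_step.setdefault(step, set()).add(v)
        pit_determined = all(len(s) == 1 for s in by_pit.values())
        rate_sensitive = any(len(s) > 1 for s in by_step.values())
        if pit_determined and rate_sensitive:
            timers.append(addr)
    return timers

if __name__ == "__main__":
    print(find_timers({1: simulate(1), 4: simulate(4)}))
```

With a single run there is nothing to compare against, so no location is reported: the rate variation is what separates timers from work counters.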

Slides 57–59: Filling in the Timetable (built up one row per slide)

    SystemTime                      Predicate   Behavior
    126,396,288e12 (13 July 2001)   ? >= 20     Spread
    126,402,336e12 (20 July 2001)   ? >= 28     DoS White House
    126,409,248e12 (28 July 2001)   None        Go to sleep

Slide 60: Windows (figure)

Slide 61: Manual Analysis
- Many different library calls, APIs for date and time
  - GetSystemTime(), GetLocalTime(), GetTimeZoneInformation(), DiffDate(), GetDateFormat(), etc.
  - System call not really necessary
- Conversions back and forth between various representations (e.g. MyParty.A, Blaster.E)
  - UTC vs. Local
  - 1600 vs. 1900 vs. 1970
  - 32- vs 64-bit
  - integers for day, month, year, etc.
  - strings
- Not always done with standard library functions
- Have to unpack it first, anti-debugging tricks
- All of this is simply dataflow from the SystemTime timer

Slide 62: Setup
- Bochs VM w/ DACODA and Timer Discovery
- Host @ 192.168.33.1 w/ DNS, NTP, HTTP, TIME, etc.
- Windows XP @ 192.168.33.2
- tuntap interface
- ARP cache poisoning, DNS spoofing, etc.

Slide 63: Temporal Search
- Symbolic Execution (DACODA)
  - Code Red, Blaster.E, MyParty.A, Klez.A
  - Discovers predicates on day, hour, minute, etc. on a real time trace
- Control-flow sensitivity within loops
  - Code Red, Blaster.E, MyParty.A, Klez.A, Sober.X
- Kama Sutra
  - Month and year

Slide 64: Adversarial Analysis
- For any technique, being applicable to every possible virus or worm is not a requirement
  - AV companies collect intelligence
- More details in the paper on this

Slide 65: Conclusions from Temporal Search
- Manual analysis is tricky and time-consuming
  - Temporal Search can dramatically improve response time
- Behavior-based analysis is all about the environment
- Malware does not follow a linear timetable
- Gregorian calendar poses its own challenges

Slide 66: Why Behavior-Based Analysis?
- “An ant, viewed as a behaving system, is quite simple. The apparent complexity of its behavior over time is largely a reflection of the complexity of the environment in which it finds itself.” – Herbert Simon

Slide 67: Other recent projects… (Stuff I’m currently working on)

Slide 68: Replay-Based Entropy Measurement [Crandall et al.; work in progress]

Slide 69: Great Firewall of China [Zinn et al.; work in progress]
- My contribution: Model keyword-based censorship using Latent Semantic Analysis
  - Relate keywords to concepts
  - Efficient probing to discover unknown words that are filtered

Slide 70: Recovery [Oliveira et al.; work in progress]
- Virtual Time

Slide 71: Outline (repeat of slide 4, introducing the Looking ahead section)

Slide 72: Looking ahead…
- Worms, botnets, rootkits, ???
  - Not problems with purely technical solutions
  - Should give defenders the tools they need
- How to develop defenses for emerging threats…
  - Study real malware
  - Understand the systems that the battle takes place on
  - Use the interactions between the two to develop a theory of what is possible

Slide 73: Examples
- Behavior-based analysis
  - Fully-automated implementation of temporal search
- Different approaches [Reps et al.; ESEC/FSE ’97]?
  - Cryptovirology [Yung and Young; 2004]
- Vulnerability semantics
  - Vector semantics (such as LSA)?
- Testing for unknown vulnerabilities
- Policies for commodity systems
  - Biba’s low-water-mark integrity, Chinese Wall Policy [Fraser; IEEE S&P 2000]

Slide 74: Questions? Thank you for inviting me.

Slide 75: Related Work: Vigilante [Costa et al.; SOSP 2005]
- Introduces the idea of Self Certifying Alerts
  - Goal is automatic patching, not network filtering
  - No distinction between what data looks like on the network and what it looks like when processed
- Filter generation is similar to DACODA’s symbolic execution
- DACODA is a whole system approach
- Shield [Wang et al.; SIGCOMM 2004]

Slide 76: Temporal Search Lessons Learned…
- Some interesting times are relative
  - Need to track TickCount
- Behavior-based analysis is all about the environment
  - Code Red and TCP RSTs

Slide 77: Minos Evaluation
- Attacks designed to subvert Minos
  - [Crandall and Chong; MICRO 2004]
  - [Crandall and Chong; WASSA 2004]
  - [Chen et al.; USENIX Security 2005]
  - [Dalton et al.; WDDD 2006]
  - [Piromsopa and Enbody; WDDD 2006]

Slide 78: Adversarial Analysis of Temporal Search
- For any technique, being applicable to every possible virus or worm is not a requirement
  - AV companies collect intelligence
- Challenges
  - What is and is not a malicious use of the PIT?
  - Cryptocounters, covert channels, etc.
  - VM detection [King et al.]: SubVirt… at IEEE S&P 2006; Pioneer project and related work at CMU
- All analysis can be done on a trace
  - [Oliveira et al.; ASID 2006]

