Presentation is loading. Please wait.

Presentation is loading. Please wait.

Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.

Published byJason Glenn Modified over 9 years ago

Similar presentations

Presentation on theme: "Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS."— Presentation transcript:

1 Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS

2  Introduction  On the arms race  Related work  Our approach  Automatic generation  Implementation  Evaluation 2Advaced Defense Lab

3  Code-injection attack  Source code for script-language  Byte-code  Machine code  The common component  The injected code or …  shellcode Advaced Defense Lab3

4  Shellcode is delivered in tandem with the exploitation.  Store shellcode in memory, then exploit  Shellcode takes the form of directly executable machine code.  polymorphism Advaced Defense Lab4

5  Even polymorphic shellcode is constrained by an essential component: the decoder.  Shellcode is fundamentally different in structure than non-executable payload data.  This paper!!! Advaced Defense Lab5 Decoder Encoded data

6  Automatically producing English Shellcode  Although it is not indistinguishable form authentic English prose.  Do you want to analyze? Advaced Defense Lab6

7  Shellcode developers are often faced with constraints that limit the range of byte-values aceepted.  e.g. printable, alphanumeric, MIME  Encoding  Self-modification Advaced Defense Lab7

8  Much literature describing code injection attacks assumes a standard attack template.  A NOP sled, shellcode, and one or more pointer  While emulation and static analysis have bean successful in identifying some failings of advanced shellcode.  But…overhead Advaced Defense Lab8

9  It has been suggested that malicious polymorphic behavior cannot be modeled effectively.  On the infeasibility of Modeling Polymorphic Shellcode.  By Y. Song et al. Advaced Defense Lab9

10  Limit the spoils of exploitation and to prevent developers from writing vulnerable code  Preventing the execution of injected code  Content-based input-validation  Polymorphic ▪ To identify self-decrypting shellcode ▪ But … non-self-contained polymorphic shellcode Advaced Defense Lab10

11  Shellcode is simply an ordered list of machine instructions.  “Shake Shake Shake!”  push %ebx; push “ake ”; push %ebx; push “ake ”; push %ebx; push “ake!”;  But add, mov, call  To develop an automated approach  Arbitrary shellcode  English representation Advaced Defense Lab11

12  English shellcode is completely self- contained. Advaced Defense Lab12

13  The decoder must be English-cpmpatible  Cannot use many instruction ▪ E.g. loop instructions  Our decoder has the form:  Initialization  Decoder  Encoded payload Advaced Defense Lab13

14  Only English-compatible instructions  English-compatible instructions that can produce useful instructions  Favor instructions that have less-constrained ASCII equivalents  push %eax (“P”) > push %ecx (“Q”) Advaced Defense Lab14

15  Overwriting registers and patching some instructions  Using inc instruction and manipulatiing the alignment of the stack Advaced Defense Lab15

16 Advaced Defense Lab16

17  “and r/m8, r8”(0x20, ASCII space character)   add ▪  lods (load string from esi) Advaced Defense Lab17

18  Two pointer: %esi, %edi Advaced Defense Lab18  ”,” and “ ”  ”u” and “decode”  ”G”

19 Advaced Defense Lab19

20  Using popa instruction (ASCII character “a”) Advaced Defense Lab20

21  Taken as-is, the custom decoder will have common English characters, but will not appearance of English text.  Add some instructions between decoder instructions  Augmenting a statistical language generation algorithm. Advaced Defense Lab21

22  n-gram model length is 5   the i th instruction in decoder have a level i  A sentence have score i when it complete level i Advaced Defense Lab22

23 Advaced Defense Lab23

24  Using beam search algorithm  Keep the best m(=20,000) candidates during the process  For encoded payload, observe how many target byte are encoded Advaced Defense Lab24

25  The training data  Over 15,000 Wikipedia articles  27,000 books from the Project GutenbergProject Gutenberg  Language engine was constructed in the Java language using the LingPipe APILingPipe API  Scoring engine  using ptrace API  Executor  Watcher  Taking 12 hours Advaced Defense Lab25

26 Advaced Defense Lab26

27  Emulation  Expand 1 instruction into tens of instructions  Monitored direct execution  Maintain 2 machine state  Use 3 separate stacks  Pause 2 conditions ▪ Encounter a jump ▪ Change memory  Roughly in less than 1 hour Advaced Defense Lab27

28  Exit(0)  2054 bytes Advaced Defense Lab28

29  Windows Bind DLL Inject Advaced Defense Lab29

Download ppt "Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS."

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Boxuan Gu, Xiaole Bai, Zhimin Yang,Xiaole BaiZhimin Yang Adam C. ChampionAdam C. Champion, Dong XuanDong Xuan Dept. of Computer Science and Engineering.

Boxuan Gu, Xiaole Bai, Zhimin Yang,Xiaole BaiZhimin Yang Adam C. ChampionAdam C. Champion, Dong XuanDong Xuan Dept. of Computer Science and Engineering.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.

English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.
Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.

Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
CS2422 Assembly Language & System Programming October 3, 2006.

CS2422 Assembly Language & System Programming October 3, 2006.
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.

Practical Session 3. The Stack The stack is an area in memory that its purpose is to provide a space for temporary storage of addresses and data items.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.

A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Similar presentations

Ads by Google