Presentation is loading. Please wait.

Presentation is loading. Please wait.

Argos Emulator Georgios Portokalidis Asia Slowinska Herbert Bos Vrije Universiteit Amsterdam.

Published byCharlotte Golden Modified over 8 years ago

Similar presentations

Presentation on theme: "Argos Emulator Georgios Portokalidis Asia Slowinska Herbert Bos Vrije Universiteit Amsterdam."— Presentation transcript:

1 Argos Emulator Georgios Portokalidis Asia Slowinska Herbert Bos Vrije Universiteit Amsterdam

2 Georgios Portokalidis VU Amsterdam2 CERT/CC Reported Vulnerabilities Why? Too many vulnerabilities New worm attacks Human intervention too slow Current solutions are problematic –Time consuming –Inaccurate

3 Georgios Portokalidis VU Amsterdam3 Goals Platform for next generation honeypots Protect entire OS Detect most common attack vectors Accuracy

4 Georgios Portokalidis VU Amsterdam4 It Works! Apache chunked encoding overflow IIS ISAPI.printer host header overflow WebDav ntdll.dll overflow FrontPage Server Extensions Debug Overflow War-FTP overflow ASN.1 Library Bitstring Heap Overflow Windows Message Queueing Remote Overflow RPC DCOM Interface overflow LSASS Overflow Windows PnP Service Remote Overflow nbSMTP remote format string exploit WMF exploit

5 Georgios Portokalidis VU Amsterdam5 Argos Overview Argos Emulator Guest OS Host OS Applications Log Forensics Snitch Signature Post-Processing Sub-system

6 Georgios Portokalidis VU Amsterdam6 Network Data Tracking Register = network_readRegisters Reg. A = Reg. A + Reg. B Registers Memory Memory(A) = Reg. A Reg.B = Reg.A / 156.345 Registers

7 Georgios Portokalidis VU Amsterdam7 Capturing Attacks Diverting control flow Executing arbitrary instructions Overwriting system call arguments JMP CALL RET Tagged Register Operands Tagged Memory SYSCALL

8 Georgios Portokalidis VU Amsterdam8 Forensics Registers RAM Argos Emulator Guest OS Applications Virtual Address Space Virtual Address Space Process name Linked Libraries Open Ports

9 Georgios Portokalidis VU Amsterdam9 Logged Network Flows Signature Generation Argos Memory LogCritical Exploit Bytes (e.g. value loaded on EIP) New Signature Similar Signatures Generalised Signature

10 Georgios Portokalidis VU Amsterdam10 Emulator Performance Overhead (y times slower)

11 Georgios Portokalidis VU Amsterdam11 Signature Generation Performance Tcpdump trace size(MB) Time to generate signature(sec)

12 Georgios Portokalidis VU Amsterdam12 Future Work Replaying attacks Integration with nepenthes honeypot Increase data tracking precision Protocol aware signature generation Generate self certifying alerts

13 Georgios Portokalidis VU Amsterdam13 On The Web http://www.few.vu.nl/argos

14 Georgios Portokalidis VU Amsterdam14 Network Data Tracking Tag network data as “tainted” EAXEBXECXEDX RAM Port I/O EBX

15 Georgios Portokalidis VU Amsterdam15 EBX Network Data Tracking Tag network data as “tainted” Track “tainted” data propagation –Arithmetic, logical operations –Memory operations EAXECXEDX RAM EAX A

16 Georgios Portokalidis VU Amsterdam16 EAXEBX Network Data Tracking Tag network data as “tainted” Track “tainted” data propagation –Arithmetic, logical operations –Memory operations Sanitise data –Floating point, SSE ECXEDX RAM A EAXEBX

17 Georgios Portokalidis VU Amsterdam17 Identifying Attacks Jumps Function calls Function returns System calls EAXEBXECXEDX RAM EBX JMP EAX CALL EAX RET JMP A INT 0x80

18 Georgios Portokalidis VU Amsterdam18 SweetBait Design

19 Georgios Portokalidis VU Amsterdam19 Logs Format TypeRIDFormatTimestamp Register values Register tags EIP value EIP origin EFLAGS FormatTainted FlagV. AddressP. AddressSize Memory Block Contents

20 Georgios Portokalidis VU Amsterdam20 Forensics Shellcode Injection Lookup process’s read-only pages Inject code at last text segment page Point EIP to shellcode.text Process Address Space (Windows PE, ELF, etc)

21 Georgios Portokalidis VU Amsterdam21 Forensics – The Snitch Pid = getpid() Rid [injected by Argos] Connect(localhost) Send(pid & rid) Listen() Accept() Read(pid & rid) Exec(Netstat or OpenPorts) Connect(argos host) Send(info)

Download ppt "Argos Emulator Georgios Portokalidis Asia Slowinska Herbert Bos Vrije Universiteit Amsterdam."

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Countermeasures 0x610~0x650 2014. 12. 4 Seokmyung Hong.

Countermeasures 0x610~0x Seokmyung Hong.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.

Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.
Framing Signals— A Return to Portable Shellcode

Framing Signals— A Return to Portable Shellcode
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.

Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.

On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,

Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,

Similar presentations

Ads by Google