1 tools and techniques for understanding and defending real systems jedidiah r. crandall...

1

Tools and techniques for understanding and

defending real systems

Jedidiah R. Crandall

crandall@cs.ucdavis.edu

2

Overview

Security is not a problem to be solved, but a battle to be waged by… Antivirus professionals Law enforcement Next-generation security technology developers …

Give them the tools they need Implementations of useful techniques Theory planted firmly in practice

3

Vision

How can we address emerging threats (poly/metamorphic worms/botnets, cryptovirology, advanced rootkits, etc.)?Problem: We don’t have very many real-world

samples of these to look atSolution: Look at the way the samples we

have interact with the systems we’re trying to defend

4

Outline

Code Red II example Define some basic terms and concepts

Minos Catches worms

DACODA Used to understand polymorphism and metamorphism

Temporal Search Analyzes the payload for timebomb attacks

Looking ahead…

5

Outline

Code Red II example Define some basic terms and concepts

Minos Catches worms

DACODA Used to understand polymorphism and metamorphism

Temporal Search Analyzes the payload for timebomb attacks

Looking ahead…

6

Code Red/Code Red II

Code Red359,000 hosts infected$2.6 billion in cleanup [Computer Economics]Attempted DoS on White House

Averted after being discovered hours before the attack was to occur

Code Red IIExploit is basically the same

7

Exploit-based Worms

Web Server’s Memory

Next

GET /bla?x=A1B28CD30EE17C

8

The Code Red II Exploit

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

9

Three stages of an attack

10

ε = Exploit Vector

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

11

γ = Bogus Control Data

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

12

π = Payload

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

13

Motivation for ε-γ-π

Different polymorphic/metamorphic techniques for ε, γ, and π

Data can be represented differently on the network and where it used in the attack trace “25 75 62 63 64 33 25 75 37 38 30 31” vs.

“d3 cb 01 78” for 0x7801cbd3 “Information only has meaning in that it is

subject to interpretation.” [Cohen, 1984]

14

Network Signatures?

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

15

Polymorphism and metamorphism

Change successive instances of the worm so signature-based network defenses failPolymorphic: think syntaxMetamorphic: think semantics

Note: Some researchers call both polymorphism

16

ε = Exploit Vector

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

17

γ = Bogus Control Data

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

18

π = Payload

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

19

Poly/metamorphism in γ and π

Poly/metamorphic possibilities of π are endless (self-modifying code)

γ: Buttercup [Pasupulati et al. NOMS 2004]“Register springs” – more details in [Crandall et

al.; DIMVA 2005] 11,009 possibilities for Blaster 353 for Slammer

20

Polymorphism of ε

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

21

Polymorphism of ε

GET /yutiodr.ida?CEOIUXJASKMDIDD

EOXIJOEIJXDXNMDKJXNSKJNXIDOIW

R…ATUD%u8743%ubc65%ua999%uffff%u873f%ue875%u4568%u99cc%u8333%u7621%ubb66%u9876%u1000%u8732%u9854%u76cd%udddd%u5555%u5234%uff43%u7632%u5632%ucc=i HTTP/1.0

22

Metamorphism of ε

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

23

Metamorphism of ε

GET /default.ida?X%u61XXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\xd3\xcb\x01\x78XXXXXXXXXXXXXXXXXX=a HTTP/1.0

24

Metamorphism of ε

25

Outline

Code Red II example Define some basic terms and concepts

Minos Catches worms

DACODA Used to understand polymorphism and metamorphism

Temporal Search Analyzes the payload for timebomb attacks

Looking ahead…

26

Minos [Crandall and Chong; MICRO 2004]

Tagged architecture that tracks the integrity of every memory wordNetwork data is taintedControl data (return pointers, function

pointers, jump targets, etc.) should not be Taint tracking with every instruction Great for catching worms

Uses the γ mapping

27

Gratuitous Dante Quote

Minos the dreadful snarls at the gate, … and wraps himself in his tail with as many turns as levels down that shade will have to dwell

28

Minos Implementation

Implemented a full-system tagging scheme in a virtual machineLinux (modified kernel)

Tracks integrity in the file system Virtual memory swapping [used by Raksha project]

Windows (unmodified) Works great as a honeypot for cacthing worms

29

How to catch worms…

30

Only one false positive…

31

Actually a “non-target pest”

32

Minos Full-System Evaluation

General Minos concept used in related works (DIFT [Suh et al.; ASPLOS 2004], TaintCheck [Newsome and Song; NDSS 2005]), follow-on works, and at least one commercial product Important to get things right

e.g. Code Red II – must taint table lookups

Able to build DACODA on top of Minos

33

Outline

Code Red II example Define some basic terms and concepts

Minos Catches worms

DACODA Used to understand polymorphism and metamorphism

Temporal Search Analyzes the payload for timebomb attacks

Looking ahead…

34

DACODA [Crandall et al.; CCS 2005]

DAvis malCODe Analyzer Discover invariants in the exploit vector (ε)

Symbolic execution on the system trace during attacks that Minos catches

Used for an empirical analysis of polymorphism and metamorphismQuantify and understand the limits

35

Worm Polymorphism and Metamorphism Viruses: Defender has time to pick apart

the attacker’s techniques e.g. Algorithmic scanners, emulation

Worms: Attacker has time to pick apart the deployed network defense techniquesWhat can defenders do to evaluate the

robustness of defenses against attacks that don’t exist yet?

36

Measuring Poly/metamorphism

[Ma et al.; IMC 2006]Found relatively little polymorphism “in the

wild” Worm defense designers don’t have

samples of the poly/metamorphic techniques attackers will use on their defenses(Have to build the defense first)

37

The Epsilon-Gamma-Pi Model

38

How DACODA Works

“Information only has meaning in that it is subject to interpretation.” [Cohen, 1984]

Gives each byte of network data a unique label

Tracks these through the entire system Discovers predicates about how the host

under attack interprets the network bytes

39

mov al,[AddressWithLabel1832]

add al,4

cmp al,10

je JumpTargetIfEqualToTen

; AL.expr <= (Label 1832)

; AL.expr <= (ADD AL.Expr 4)

; /* AL.expr == (ADD (LABEL 1832) 4) */

; ZFLAG.left <= AL.expr

; /* ZFLAG.left == (ADD (Label 1832) 4) */

; ZFLAG.right <= 10

; P <= new Predicate(EQUAL ZFLAG.Left ZFLAG.Right)

; /* P == (EQUAL (ADD (Label 1832) 4) 10) */

; AddToSetOfKnownPredicates(P)

40

Why Full-System Analysis?

• Kernel– “Remote Windows Kernel Exploitation – Step Into the

Ring 0” by Barnaby Jack– MS05-027 (SMB)

• Multiple processes– Base64 in IIS + ASN.1 in lsass.exe

• Multithreading– And listening on multiple ports– Even for Slammer, the simplest buffer overflow ever

41

Actual Worms/Attacks Caught by Minos and Analyzed by DACODAName OS Port Class

Sasser WinXP 445TCP Buff.Over.

Blaster WinXP 135TCP Buff.Over.Workstation Serv. WinXP 445TCP Buff.Over.

RPCSS WinXP 135TCP Buff.Over.

Slammer Whist. 1434UDP Buff.Over.

Code Red II Whist. 80TCP Buff.Over.

Zotob Win2K 445TCP Buff.Over.

42

Other Attacks Caught by Minos and Analyzed by DACODA

Name OS Port Class

SQL Auth. Whist. 1434TCP Buff.Over.

rpc.statd Linux 111 & 918TCP

Form.Str.

innd Linux 119TCP Buff.Over.

Scalper OBSD 80TCP Int.Over.

ntpd FBSD 123TCP Buff.Over.

Turkey FBSD 21TCP OffByOne

43

Single Contiguous Byte Strings

Name Longest String

Sasser 36

Blaster 92

Work. 23

RPCSS 18Slammer 1

CRII 17

Zotob 36

Name Longest String

SQLAuth 4

rpc.statd 16

innd 27

Scalper 32

ntpd 8

Turkey 21

44

Single Contiguous Signatures

Autograph [Kim and Karp; USENIX Security 2004] and EarlyBird [Singh et al.; OSDI 2004] both demonstrated good results at about 40 bytes for the signature length

[Newsome et al.; IEEE S&P 2005] came to the same conclusion as we did and proposed sets of smaller byte strings called tokens

45

Tokens

GET /default.ida?XXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX

X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

46

Where do These Tokens Come From? Scalper “Transfer-Encoding: chunked” Same applies to most of these vulnerabilities

“The Horns of a Dilemma” Use protocol framing as a signature Be very precise

47

Precision: ASN.1 Dangling Pointer Heap corruption

(0x23 [SIZE]… ”AAAAAAAA” (0x23 [SIZE]

0x77665544 “BBBB”)

…)

48

Conclusions from DACODA

Whole system analysis is important New focus on more semantic signatures

How to understand the semantics of the vulnerability?

We can learn a lot about emerging malware threats by studying existing malware samples and their interactions with the systems they run on

49

Outline

Code Red II example Define some basic terms and concepts

Minos Catches worms

DACODA Used to understand polymorphism and metamorphism

Temporal Search Analyzes the payload for timebomb attacks

Looking ahead…

50

Temporal Search[Crandall et al.; ASPLOS 2006]

Automated discovery of timebomb attacks Analysis in the π stage

Prototype of behavior-based analysis Proposed a framework for a problem space nobody

has looked at before Implemented parts of it Identified the remaining challenges

By testing real worms with timebombs on our prototype

51

You as an antivirus professionalcatch a new worm…

Unpack it Polymorphism/

metamorphism? Anti-debugger tricks? Any behaviors predicated on

time? How it gets the time? UTC/Local? Conversions between

formats?

52

With Temporal Search… Infect a VM Automated, behavior-based

Temporal Search Respond

53

How to respond?

Sober.X – 6 and 7 January 2006 URLs blocked

Kama Sutra – 3rd of the month Users removed infections

Code Red – 20th of the month White House IP address changed

What if we have just hours or even minutes, not days?

54

Behavior-based Analysis

[Cohen, 1984] defined behavior-based detection as a question of “defining what is and is not a legitimate use of a service, and finding a means of detecting the difference.”

Behavior-based analysis is similarAssume the system is infected with malwareAnalyze its use of a service such as the PIT

55

Why not just speed up the clock?

Dramatic time perturbation would be easy to detectAlso not easy to do for a busy system

(effectively lowers perceived performance) May miss some behaviors

Kama Sutra Will not be able to explain behaviors it does

elicit

56

Basic Idea

Find timersRun the PIT at different rates of perceived

time System performance stays the same Correlate between PIT and memory writes

Symbolic execution e.g. with DACODA

Weakest precondition calculation

57

Filling in the Timetable

SystemTime Predicate Behavior

126,396,288e12

(13 July 2001)? >= 20 Spread

time

58

Filling in the Timetable

SystemTime Predicate Behavior

126,396,288e12

(13 July 2001)? >= 20 Spread

126,402,336e12

(20 July 2001)? >= 28 DoS White

House

time

59

Filling in the Timetable

SystemTime Predicate Behavior

126,396,288e12

(13 July 2001)? >= 20 Spread

126,402,336e12

(20 July 2001)? >= 28 DoS White

House

126,409,248e12

(28 July 2001)None Go to sleep

time

60

Windows

0

100

200

300

400

500

600

700

0 60 120 180 240 300 360 420 480

Real Time (seconds)

# P

red

icat

es C

hec

ked

per

Sec

on

d

Windows TickCount

Windows SystemTime

61

Manual Analysis

Many different library calls, APIs for date and time GetSystemTime(), GetLocalTime(), GetTimeZoneInformation(), DiffDate(),

GetDateFormat(), etc. System call not really necessary

Conversions back and forth between various represenations (e.g. MyParty.A, Blaster.E) UTC vs. Local 1600 vs. 1900 vs. 1970 32- vs 64-bit integers for day, month, year, etc. strings

Not always done with standard library functions Have to unpack it first, anti-debugging tricks All of this is simply dataflow from SystemTime timer

62

Setup

Bochs VM

w/ DACODA and Timer Discovery

Host @ 192.168.33.1

w/ DNS, NTP, HTTP, TIME, etc.

Windows XP @ 192.168.33.2

tuntap interface

ARP cache poisoning, DNS spoofing, etc.

ARP cache poisoning, DNS spoofing, etc.

63

Temporal Search

Symbolic Execution (DACODA)Cod Red, Blaster.E, MyParty.A, Klez.A

Discovers predicates on day, hour, minute, etc. on a real time trace

Control-flow sensitivity within loopsCod Red, Blaster.E, MyParty.A, Klez.A,

Sober.X Kama Sutra Month and year

64

Adversarial Analysis

For any technique, being applicable to every possible virus or worm is not a requirementAV companies collect intelligence

More details in the paper on this

65

Conclusions from Temporal Search

Manual analysis is tricky and time-consuming Temporal Search can dramatically improve response

time

Behavior-based analysis is all about the environment

Malware does not follow a linear timetable Gregorian calendar poses its own challenges

66

Why Behavior-Based Analysis?

“An ant, viewed as a behaving system, is quite simple. The apparent complexity of its behavior over time is largely a reflection of the complexity of the environment in which it finds itself.” –Herbert Simon

67

Other recent projects…

(Stuff I’m currently working on)

68

Replay-Based Entropy Measurement[Crandall et al.; work in progess]

69

Great Firewall of China[Zinn et al.; work in progress]

My contribution: Model keyword-based censorship using Latent Semantic Analysis Relate keywords to concepts Efficient probing to discover unknown words that

are filtered

70

Recovery[Oliveira et al.; work in progress]

Virtu

al T

ime

71

Outline

Code Red II example Define some basic terms and concepts

Minos Catches worms

DACODA Used to understand polymorphism and metamorphism

Temporal Search Analyzes the payload for timebomb attacks

Looking ahead…

72

Looking ahead…

Worms, botnets, rootkits, ??? Not problems with purely technical solutions Should give defenders the tools they need

How to develop defenses for emerging threats… Study real malware Understand the systems that the battle takes place on Use the interactions between the two to develop a

theory of what is possible

73

Examples

Behavior-based analysis Fully-automated implementation of temporal search

Different approaches [Reps et al; ESEC/FSE ‘97]? Cryptovirology [Yung and Young; 2004]

Vulnerability semantics Vector semantics (such as LSA)?

Testing for unknown vulnerabilities Policies for commodity systems

Biba’s low-water-mark integrity, Chinese Wall Policy [Fraser; IEEE S&P 2000]

74

Questions?

Thank you for inviting me.

75

Related Work: Vigilante [Costa et al., SOSP 2005]

Introduces the idea of Self Certifying Alerts Goal is automatic patching, not network filtering No distinction between what data looks like on the

network and what it looks like when processed

Filter generation is similar to DACODA’s symbolic execution

DACODA is a whole system approach Shield [Wang et al.; SIGCOMM 2004]

76

Temporal Search Lessons Learned… Some interesting times are relative

Need to track TickCount Behavior-based analysis is all about the

environmentCode Red and TCP RSTs

77

Minos Evaluation

Attacks designed to subvert Minos [Crandall and Chong; MICRO 2004] [Crandall and Chong; WASSA 2004] [Chen et al.; USENIX Security 2005] [Dalton et al.; WDDD 2006] [Piromsopa and Enbody; WDDD 2006]

78

Adversarial Analysis of Temporal Search For any technique, being applicable to every

possible virus or worm is not a requirement AV companies collect intelligence

Challenges What is and is not a malicious use of the PIT? Cryptocounters, covert channels, etc. VM detection

[King et al.] Subvirt… at IEEE S&P 2006 Pioneer project and related work at CMU

All analysis can be done on a trace [Oliveira et al.; ASID 2006]