SHELLOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks
Kevin Z. Snow, Srinivas Krishnan, Fabian Monrose (University of North Carolina at Chapel Hill)
Niels Provos (Google)
20th USENIX Security (August, 2011)
A Seminar at Advanced Defense Lab
Outline
Introduction
Related Work
Challenges for Software-based CPU Emulation Detection Approaches
Our Approach
Evaluation
Limitations
Introduction
In recent years, code-injection attacks have become a widely popular modus operandi for performing malicious actions on network services and client-based programs.
Exploitation toolkits: Phoenix
Malicious PDF Files
Today, malicious PDFs are distributed via mass mailing, targeted email, and drive-by downloads.
The “stream objects” in PDF allow many types of encodings to be used, including multi-level compression, obfuscation, and even encryption.
Dynamic Analysis
The key to detecting these attacks lies in accurately discovering the presence of the shellcode in network payloads or process buffers.
In this paper, we argue that a promising technique for detecting shellcode is to examine the input and efficiently execute its content to find what lurks within.
Related Work
Finding the presence of malicious code by searching for tell-tale signs of executable code
Toth and Kruegel, “Accurate Buffer Overflow Detection via Abstract Payload Execution”, 2002
Network-level Emulation
Polychronakis et al., “Network-level Polymorphic Shellcode Detection using Emulation”, 2006
Challenges for Software-based CPU Emulation Detection Approaches
The instruction set for modern CISC architectures is very complex, and so it is unlikely that software emulators will ever be bug free.
FPU-based GetPC instructions
Special purpose CPU emulators (Nemu, libemu): large subsets of instructions rarely used by injected code are skipped.
Emulation Performance
The vast majority of network streams will contain benign data, some of which might be significant in size.
A separate execution chain must be attempted for each offset in a network stream because the starting location of injected code is unknown.
Our Approach
We allow instruction sequences to execute directly on the CPU using hardware virtualization, and only trace specific memory reads, writes, and executions through hardware-supported paging mechanisms.
Our design for hardware-supported detection of code injection attacks is built upon the Kernel-based Virtual Machine (KVM).
Architecture
The SHELLOS Kernel
The kernel supports loading arbitrary snapshots created using the minidump format.
Instructions are executed directly on the CPU in user mode until execution is interrupted by a fault, trap, or timeout.
Detection
We force a trap to occur on access to an arbitrary virtual address by clearing the present bit of its page table entry.
Any heuristic based on memory reads, writes, or executions can be supported with coarse-grained tracing.
Porting others' solutions
We chose to implement the PEB heuristic proposed by Polychronakis et al.
This heuristic detects injected code that parses the process-level TEB and PEB data structures.
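The present-bit trap from the Detection slide and the PEB heuristic above, as an added user-space model written for this page (not ShellOS code, which does this inside a KVM guest kernel): a trap is armed by clearing bit 0 of a page table entry, and because the fault only names the page, the handler has to refine it to the watched structure. The TEB/PEB addresses and sizes are constructed assumptions.

```c
/* Added example, not ShellOS code: a user-space model of its trap mechanism. A trap
 * is armed by clearing the Present bit (bit 0) of an x86 page table entry; the
 * page fault that follows is refined to an exact address by the handler. */
#include <stdint.h>
#define PAGE_SHIFT  12
#define PTE_PRESENT 1ull            /* bit 0 of an x86 PTE */
#define NPAGES      16              /* toy 64 KiB address space */
enum { W_TEB = 0, W_PEB = 1, MAXWATCH = 4 };
static uint64_t pte[NPAGES];        /* constructed page table: PTE i maps page i */
static struct { uint32_t start, len; } watches[MAXWATCH];
static int nwatch;

/* Arm a trap on every page that overlaps a watched structure. */
static int watch_range(uint32_t start, uint32_t len) {
    watches[nwatch].start = start; watches[nwatch].len = len;
    for (uint32_t p = start >> PAGE_SHIFT; p <= (start + len - 1) >> PAGE_SHIFT; p++)
        pte[p] &= ~PTE_PRESENT;
    return nwatch++;
}

/* Constructed layout: TEB at 0x7000 (256 B), PEB at 0x8000 (512 B). ShellOS
 * resolves the real addresses from the loaded process snapshot. */
static void setup_demo(void) {
    nwatch = 0;
    for (int i = 0; i < NPAGES; i++) pte[i] = ((uint64_t)i << PAGE_SHIFT) | PTE_PRESENT;
    watch_range(0x7000, 0x100);     /* index W_TEB */
    watch_range(0x8000, 0x200);     /* index W_PEB */
}

/* One trap cycle: the CPU faults only if P is clear and reports the page, not
 * the byte; the handler re-presents the page, single-steps the faulting
 * instruction, then clears P again. Returns the watch hit, -1 for an armed page
 * accessed outside any watched range (the cost of page granularity), -2 if no trap. */
static int trace_access(uint32_t addr) {
    uint32_t page = addr >> PAGE_SHIFT;
    if (page >= NPAGES || (pte[page] & PTE_PRESENT)) return -2;
    pte[page] |= PTE_PRESENT;       /* let the instruction complete... */
    pte[page] &= ~PTE_PRESENT;      /* ...then re-arm after the single step */
    for (int i = 0; i < nwatch; i++)
        if (addr >= watches[i].start && addr - watches[i].start < watches[i].len)
            return i;
    return -1;
}

/* PEB heuristic as modelled here: a TEB read followed later by a PEB read. */
static int peb_heuristic(const uint32_t *accesses, int n) {
    int seen_teb = 0;
    for (int i = 0; i < n; i++) {
        int w = trace_access(accesses[i]);
        if (w == W_TEB) seen_teb = 1;
        else if (w == W_PEB && seen_teb) return 1;
    }
    return 0;
}
```

The -1 result is the coarse-grained cost the slide refers to: any unrelated data sharing a page with the TEB or PEB also faults and must be filtered by the handler.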
Diagnostics
We place traps on the addresses of specific functions, and when one is triggered, a handler for the corresponding call is invoked.
Extensibility
We built two platforms that rely on ShellOS to scan buffers for injected code.
For client-based programs: we implemented a lightweight memory monitoring facility that allows ShellOS to scan buffers created when documents are loaded.
Extensibility (cont.)
For network services: we built a platform to detect code injection attacks on network services by reassembling observed network streams and executing each of these streams.
Evaluation Environment
Intel Xeon Quad Processor machine with 32 GB of memory.
The host OS was Ubuntu with kernel version 2.6.35.
Attack samples: Metasploit
For each encoder, we generated hundreds of attack instances by randomly selecting 1 of 7 exploits and 1 of 9 self-contained payloads.
As the attacks launched, we captured the network traffic for later network-level buffer analysis.
Detection Results
Performance
Throughput
We built a testbed consisting of 32 machines running FreeBSD 6.0 and generated traffic using a state-of-the-art traffic generator, Tmix.
We supply Tmix with a network trace of HTTP connections captured on the border links of UNC-Chapel Hill in October, 2009.
Testbed
Result
Multi-core for ShellOS
Case Study: PDF Code Injection
The malicious PDFs were randomly selected from suspicious files flagged by a large-scale web malware detection system.
We also use a collection of 179 benign PDFs from various USENIX conferences.
CVE Distribution
All attacks use ROP
Sizes of the extracted buffers (chart; annotated value: 512KB)
Elapsed time for extracting heap objects (chart; annotated values: 5 secs, 26 secs)
Average time of analysis
Forensic Analysis
85% of the injected code exhibited an identical API call sequence.
Another Example
Instruction-level trace
Although the code copy is not apparent in the API call sequence alone, ShellOS may also provide an instruction-level trace by single-stepping each instruction via the TRAP bit in the flags register.
Analysis-resistant Shellcode
We note, however, that this particular challenge is not unique to ShellOS.
Limitations
Shellcode designed to execute under very specific conditions may not operate as expected.
Software-based emulators are able to quickly detect and exit an infinite loop.
It may still be possible to detect a virtualized environment through the small set of instructions.
Limitations (cont.)
ShellOS provides a framework for fast detection and analysis of a buffer, but an analyst or automated data pre-processor must provide these buffers.
Thank You. Any Questions?