Tools and techniques for understanding and defending real systems
Jedidiah R. Crandall (crandall@cs.ucdavis.edu)
Overview
• Security is not a problem to be solved, but a battle to be waged by…
  – Antivirus professionals
  – Law enforcement
  – Next-generation security technology developers
  – …
• Give them the tools they need
  – Implementations of useful techniques
  – Theory planted firmly in practice
Vision
• How can we address emerging threats (poly/metamorphic worms/botnets, cryptovirology, advanced rootkits, etc.)?
• Problem: We don’t have very many real-world samples of these to look at
• Solution: Look at the way the samples we have interact with the systems we’re trying to defend
Outline
• Code Red II example – Define some basic terms and concepts
• Minos – Catches worms
• DACODA – Used to understand polymorphism and metamorphism
• Temporal Search – Analyzes the payload for timebomb attacks
• Looking ahead…
Code Red/Code Red II
• Code Red
  – 359,000 hosts infected
  – $2.6 billion in cleanup [Computer Economics]
  – Attempted DoS on White House; averted after being discovered hours before the attack was to occur
• Code Red II
  – Exploit is basically the same
Exploit-based Worms
[Figure: Web Server’s Memory, with the request GET /bla?x=A1B28CD30EE17C; label “Next”]
The Code Red II Exploit
GET /default.ida?XXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Three stages of an attack
ε = Exploit Vector
γ = Bogus Control Data
π = Payload
Motivation for ε-γ-π
• Different polymorphic/metamorphic techniques for ε, γ, and π
• Data can be represented differently on the network and where it is used in the attack trace
  – “25 75 62 63 64 33 25 75 37 38 30 31” vs. “d3 cb 01 78” for 0x7801cbd3
• “Information only has meaning in that it is subject to interpretation.” [Cohen, 1984]
Network Signatures?
Polymorphism and metamorphism
• Change successive instances of the worm so signature-based network defenses fail
  – Polymorphic: think syntax
  – Metamorphic: think semantics
• Note: Some researchers call both polymorphism
Poly/metamorphism in γ and π
• Poly/metamorphic possibilities of π are endless (self-modifying code)
• γ: Buttercup [Pasupulati et al. NOMS 2004]
  – “Register springs” – more details in [Crandall et al.; DIMVA 2005]
  – 11,009 possibilities for Blaster, 353 for Slammer
Polymorphism of ε
Original Code Red II request:
GET /default.ida?XXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Polymorphic variant:
GET /yutiodr.ida?CEOIUXJASKMDIDD
EOXIJOEIJXDXNMDKJXNSKJNXIDOIW
R…ATUD%u8743%ubc65%ua999%uffff%u873f%ue875%u4568%u99cc%u8333%u7621%ubb66%u9876%u1000%u8732%u9854%u76cd%udddd%u5555%u5234%uff43%u7632%u5632%ucc=i HTTP/1.0
Metamorphism of ε
Original Code Red II request:
GET /default.ida?XXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Metamorphic variant (raw bytes instead of %u escapes):
GET /default.ida?X%u61XXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\xd3\xcb\x01\x78XXXXXXXXXXXXXXXXXX=a HTTP/1.0
Outline
• Code Red II example – Define some basic terms and concepts
• Minos – Catches worms
• DACODA – Used to understand polymorphism and metamorphism
• Temporal Search – Analyzes the payload for timebomb attacks
• Looking ahead…
Minos [Crandall and Chong; MICRO 2004]
• Tagged architecture that tracks the integrity of every memory word
  – Network data is tainted
  – Control data (return pointers, function pointers, jump targets, etc.) should not be
• Taint tracking with every instruction
• Great for catching worms
• Uses the γ mapping
Gratuitous Dante Quote
Minos the dreadful snarls at the gate, … and wraps himself in his tail with as many turns as levels down that shade will have to dwell
Minos Implementation
• Implemented a full-system tagging scheme in a virtual machine
• Linux (modified kernel)
  – Tracks integrity in the file system
  – Virtual memory swapping [used by Raksha project]
• Windows (unmodified)
  – Works great as a honeypot for catching worms
How to catch worms…
Only one false positive…
Actually a “non-target pest”
Minos Full-System Evaluation
• General Minos concept used in related works (DIFT [Suh et al.; ASPLOS 2004], TaintCheck [Newsome and Song; NDSS 2005]), follow-on works, and at least one commercial product
• Important to get things right
  – e.g. Code Red II – must taint table lookups
• Able to build DACODA on top of Minos
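An added illustration (not the talk’s or Minos’s own code) of the “must taint table lookups” point and of the ε-γ-π motivation slide: the %u-encoded bytes of the Code Red II request look different on the wire than after the server decodes them, and a Minos-style integrity tag only survives that decoding if the policy taints values fetched through a tainted table index. The tiny decoder, the alert class and the check at the control transfer are assumptions made for this example.

```python
from typing import List, NamedTuple


class Word(NamedTuple):
    value: int      # the byte value as stored in memory
    tainted: bool   # Minos integrity tag: True = derived from network data


# The server's hex-digit table is trusted, program-constant data.
HEX_TABLE = {c: Word(int(c, 16), False) for c in "0123456789abcdef"}


class MinosAlert(Exception):
    """Raised when tainted data is about to be used as a control-transfer target."""


def wire_hex(request: bytes) -> str:
    """How the bytes look on the network (to compare with their in-memory form)."""
    return " ".join(f"{b:02x}" for b in request)


def decode_unicode_escape(request: bytes, taint_table_lookups: bool) -> List[Word]:
    """Decode %uXXXX escapes the way the attacked server interprets them: each
    escape becomes a 16-bit value stored little-endian (low byte first).
    Every resulting byte carries a Minos taint bit."""
    out: List[Word] = []
    i = 0
    while i < len(request):
        if request[i:i + 2] == b"%u" and i + 6 <= len(request):
            digits = request[i + 2:i + 6].decode("ascii").lower()
            nibbles: List[Word] = []
            for ch in digits:
                entry = HEX_TABLE[ch]
                # The *index* ch is tainted. A correct policy taints the value
                # fetched through it; a naive one copies the table entry's own
                # (trusted) tag, and the taint is laundered away.
                nibbles.append(Word(entry.value, True if taint_table_lookups else entry.tainted))
            hi = Word((nibbles[0].value << 4) | nibbles[1].value,
                      nibbles[0].tainted or nibbles[1].tainted)
            lo = Word((nibbles[2].value << 4) | nibbles[3].value,
                      nibbles[2].tainted or nibbles[3].tainted)
            out.extend([lo, hi])       # little-endian: low byte first
            i += 6
        else:
            out.append(Word(request[i], True))   # raw network byte: tainted
            i += 1
    return out


def control_transfer(target: List[Word]) -> int:
    """Minos check at a return / indirect jump: the 32-bit target must be untainted."""
    value = int.from_bytes(bytes(w.value for w in target), "little")
    if any(w.tainted for w in target):
        raise MinosAlert(f"tainted control transfer to {value:#010x}")
    return value


def memory_hex(words: List[Word]) -> str:
    return " ".join(f"{w.value:02x}" for w in words)


def simulate(request: bytes, taint_table_lookups: bool):
    """Returns (in-memory bytes as hex, caught-by-Minos flag, transfer target or None)."""
    words = decode_unicode_escape(request, taint_table_lookups)
    try:
        return memory_hex(words), False, control_transfer(words[:4])
    except MinosAlert:
        return memory_hex(words), True, None
```

With the correct policy the decoded return address 0x7801cbd3 is still tainted and the transfer is caught; with the naive policy the same bytes reach the control transfer untagged and the attack is missed.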
Outline
• Code Red II example – Define some basic terms and concepts
• Minos – Catches worms
• DACODA – Used to understand polymorphism and metamorphism
• Temporal Search – Analyzes the payload for timebomb attacks
• Looking ahead…
DACODA [Crandall et al.; CCS 2005]
• DAvis malCODe Analyzer
• Discover invariants in the exploit vector (ε)
• Symbolic execution on the system trace during attacks that Minos catches
• Used for an empirical analysis of polymorphism and metamorphism
  – Quantify and understand the limits
Worm Polymorphism and Metamorphism
• Viruses: Defender has time to pick apart the attacker’s techniques
  – e.g. Algorithmic scanners, emulation
• Worms: Attacker has time to pick apart the deployed network defense techniques
• What can defenders do to evaluate the robustness of defenses against attacks that don’t exist yet?
Measuring Poly/metamorphism
• [Ma et al.; IMC 2006] found relatively little polymorphism “in the wild”
• Worm defense designers don’t have samples of the poly/metamorphic techniques attackers will use on their defenses (have to build the defense first)
The Epsilon-Gamma-Pi Model
How DACODA Works
• “Information only has meaning in that it is subject to interpretation.” [Cohen, 1984]
• Gives each byte of network data a unique label
• Tracks these through the entire system
• Discovers predicates about how the host under attack interprets the network bytes
```asm
mov al,[AddressWithLabel1832]   ; AL.expr <= (Label 1832)
add al,4                        ; AL.expr <= (ADD AL.expr 4)
                                ; /* AL.expr == (ADD (Label 1832) 4) */
cmp al,10                       ; ZFLAG.left <= AL.expr
                                ; /* ZFLAG.left == (ADD (Label 1832) 4) */
                                ; ZFLAG.right <= 10
je JumpTargetIfEqualToTen       ; P <= new Predicate(EQUAL ZFLAG.left ZFLAG.right)
                                ; /* P == (EQUAL (ADD (Label 1832) 4) 10) */
                                ; AddToSetOfKnownPredicates(P)
```
Why Full-System Analysis?
• Kernel
  – “Remote Windows Kernel Exploitation – Step Into the Ring 0” by Barnaby Jack
  – MS05-027 (SMB)
• Multiple processes
  – Base64 in IIS + ASN.1 in lsass.exe
• Multithreading
  – And listening on multiple ports
  – Even for Slammer, the simplest buffer overflow ever
Actual Worms/Attacks Caught by Minos and Analyzed by DACODA

| Name | OS | Port | Class |
|---|---|---|---|
| Sasser | WinXP | 445 TCP | Buff.Over. |
| Blaster | WinXP | 135 TCP | Buff.Over. |
| Workstation Serv. | WinXP | 445 TCP | Buff.Over. |
| RPCSS | WinXP | 135 TCP | Buff.Over. |
| Slammer | Whist. | 1434 UDP | Buff.Over. |
| Code Red II | Whist. | 80 TCP | Buff.Over. |
| Zotob | Win2K | 445 TCP | Buff.Over. |
Other Attacks Caught by Minos and Analyzed by DACODA

| Name | OS | Port | Class |
|---|---|---|---|
| SQL Auth. | Whist. | 1434 TCP | Buff.Over. |
| rpc.statd | Linux | 111 & 918 TCP | Form.Str. |
| innd | Linux | 119 TCP | Buff.Over. |
| Scalper | OBSD | 80 TCP | Int.Over. |
| ntpd | FBSD | 123 TCP | Buff.Over. |
| Turkey | FBSD | 21 TCP | OffByOne |
Single Contiguous Byte Strings

| Name | Longest String |
|---|---|
| Sasser | 36 |
| Blaster | 92 |
| Work. | 23 |
| RPCSS | 18 |
| Slammer | 1 |
| CRII | 17 |
| Zotob | 36 |
| SQLAuth | 4 |
| rpc.statd | 16 |
| innd | 27 |
| Scalper | 32 |
| ntpd | 8 |
| Turkey | 21 |
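An added example (not DACODA’s own code) that runs the four-instruction trace from the “How DACODA Works” slide through a miniature symbolic executor, solves the recorded predicate for the network byte it pins, and computes the “Longest String” metric of the table above as the longest run of consecutively labelled pinned bytes. The instruction subset, the addresses, and the second trace (a server checking for “GET /”) are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

# Expression language (a deliberately tiny subset of DACODA's):
#   ("LABEL", n)    the network byte that DACODA labelled n
#   ("ADD", e, k)   e + k for an immediate k
Expr = Tuple


class Dacoda:
    """Tracks a symbolic expression per register and records a predicate
    whenever a conditional jump depends on labelled (network-derived) data."""

    def __init__(self, labelled_mem: Dict[int, int]):
        self.labelled_mem = labelled_mem              # address -> label of the byte stored there
        self.regs: Dict[str, Optional[Expr]] = {}     # register -> expression (None = concrete)
        self.zflag: Tuple[Optional[Expr], Optional[int]] = (None, None)
        self.predicates: List[Tuple] = []

    def step(self, insn: str, taken: bool = True) -> None:
        op, _, rest = insn.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        if op == "mov" and args[1].startswith("["):
            label = self.labelled_mem.get(int(args[1].strip("[]"), 0))
            self.regs[args[0]] = ("LABEL", label) if label is not None else None
        elif op == "add":
            e = self.regs.get(args[0])
            self.regs[args[0]] = ("ADD", e, int(args[1], 0)) if e is not None else None
        elif op == "cmp":
            self.zflag = (self.regs.get(args[0]), int(args[1], 0))
        elif op in ("je", "jne"):
            left, right = self.zflag
            if left is None:
                return                         # branch does not depend on network data
            relation = "EQUAL" if (op == "je") == taken else "NOT_EQUAL"
            self.predicates.append((relation, left, right))
        else:
            raise ValueError("unsupported instruction: " + insn)


def pinned_bytes(predicates: List[Tuple]) -> Dict[int, int]:
    """Solve each EQUAL predicate for the single network byte it constrains."""
    pinned: Dict[int, int] = {}
    for relation, left, right in predicates:
        if relation != "EQUAL":
            continue                           # an inequality leaves the byte free
        value, e = right, left
        while e[0] == "ADD":                   # undo each ADD layer
            value -= e[2]
            e = e[1]
        pinned[e[1]] = value % 256
    return pinned


def longest_contiguous_invariant(pinned: Dict[int, int]) -> int:
    """Length of the longest run of consecutively labelled pinned bytes
    (the 'Longest String' a single contiguous signature could use)."""
    best = run = 0
    prev = None
    for label in sorted(pinned):
        run = run + 1 if prev is not None and label == prev + 1 else 1
        best = max(best, run)
        prev = label
    return best


def slide_trace() -> Tuple[List[Tuple], Dict[int, int]]:
    """The four instructions from the slide; the byte with label 1832 sits at 0x1000."""
    d = Dacoda({0x1000: 1832})
    d.step("mov al,[0x1000]")
    d.step("add al,4")
    d.step("cmp al,10")
    d.step("je JumpTargetIfEqualToTen", taken=True)
    return d.predicates, pinned_bytes(d.predicates)


def framing_trace() -> Dict[int, int]:
    """A server that checks the request starts with 'GET /' pins labels 0..4;
    a byte that is only compared for inequality is not pinned."""
    base = 0x2000
    d = Dacoda({base + i: i for i in range(6)})
    for i, ch in enumerate(b"GET /"):
        d.step(f"mov al,[{base + i}]")
        d.step(f"cmp al,{ch}")
        d.step("je next_byte", taken=True)
    d.step(f"mov al,[{base + 5}]")
    d.step("cmp al,0")
    d.step("jne not_end", taken=True)
    return pinned_bytes(d.predicates)
```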
Single Contiguous Signatures
Autograph [Kim and Karp; USENIX Security 2004] and EarlyBird [Singh et al.; OSDI 2004] both demonstrated good results at about 40 bytes for the signature length
[Newsome et al.; IEEE S&P 2005] came to the same conclusion as we did and proposed sets of smaller byte strings called tokens
Tokens
Where do These Tokens Come From?
• Scalper: “Transfer-Encoding: chunked”
• Same applies to most of these vulnerabilities
• “The Horns of a Dilemma”
  – Use protocol framing as a signature
  – Be very precise
Precision: ASN.1
• Dangling Pointer
• Heap corruption
(0x23 [SIZE] … ”AAAAAAAA” (0x23 [SIZE] 0x77665544 “BBBB”) …)
Conclusions from DACODA
• Whole system analysis is important
• New focus on more semantic signatures
  – How to understand the semantics of the vulnerability?
• We can learn a lot about emerging malware threats by studying existing malware samples and their interactions with the systems they run on
Outline
• Code Red II example – Define some basic terms and concepts
• Minos – Catches worms
• DACODA – Used to understand polymorphism and metamorphism
• Temporal Search – Analyzes the payload for timebomb attacks
• Looking ahead…
Temporal Search [Crandall et al.; ASPLOS 2006]
• Automated discovery of timebomb attacks
  – Analysis in the π stage
• Prototype of behavior-based analysis
• Proposed a framework for a problem space nobody has looked at before
  – Implemented parts of it
  – Identified the remaining challenges by testing real worms with timebombs on our prototype
You as an antivirus professional catch a new worm…
• Unpack it
• Polymorphism/metamorphism?
• Anti-debugger tricks?
• Any behaviors predicated on time?
  – How it gets the time?
  – UTC/Local?
  – Conversions between formats?
With Temporal Search…
• Infect a VM
• Automated, behavior-based Temporal Search
• Respond
How to respond?
• Sober.X – 6 and 7 January 2006 – URLs blocked
• Kama Sutra – 3rd of the month – Users removed infections
• Code Red – 20th of the month – White House IP address changed
• What if we have just hours or even minutes, not days?
Behavior-based Analysis
• [Cohen, 1984] defined behavior-based detection as a question of “defining what is and is not a legitimate use of a service, and finding a means of detecting the difference.”
• Behavior-based analysis is similar
  – Assume the system is infected with malware
  – Analyze its use of a service such as the PIT (programmable interval timer)
Why not just speed up the clock?
• Dramatic time perturbation would be easy to detect
• Also not easy to do for a busy system (effectively lowers perceived performance)
• May miss some behaviors
  – Kama Sutra
• Will not be able to explain behaviors it does elicit
Basic Idea
• Find timers
  – Run the PIT at different rates of perceived time
  – System performance stays the same
  – Correlate between PIT and memory writes
• Symbolic execution, e.g. with DACODA
• Weakest precondition calculation
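An added simulation (not the Temporal Search prototype) of the “find timers” step above: the same guest is run with the PIT delivering 1×, 2× and 4× as many ticks per real second while the real workload stays constant, and the addresses whose write counts scale with the PIT rate are reported as timers. The guest, its addresses and its write rates are constructed for this example.

```python
import random
from collections import Counter
from typing import Dict, List

# Constructed guest layout (assumptions, not real Windows addresses).
TICK_COUNT_ADDR = 0x1000    # written by the timer interrupt handler once per PIT tick
SYSTEM_TIME_ADDR = 0x1008   # also advanced once per PIT tick
POLL_FLAG_ADDR = 0x2000     # written by a busy loop at a fixed *real-time* rate
WORKLOAD_ADDRS = list(range(0x3000, 0x3040, 8))  # ordinary data the workload touches

TICK_HZ = 64            # PIT interrupts per second of perceived time
WORK_PER_SECOND = 400   # workload writes per real second (unchanged across runs)


def run_guest(rate: float, real_seconds: int) -> Counter:
    """Simulate one run with the PIT delivering `rate` times as many ticks per real
    second while the amount of real work stays the same. Returns the number of
    writes per address, i.e. what a VM-level memory-write tracer would count."""
    rng = random.Random(int(rate * 1000))   # different seed per run: workload noise varies
    writes: Counter = Counter()
    for _ in range(int(rate * TICK_HZ * real_seconds)):
        writes[TICK_COUNT_ADDR] += 1
        writes[SYSTEM_TIME_ADDR] += 1
    for _ in range(WORK_PER_SECOND * real_seconds):
        writes[rng.choice(WORKLOAD_ADDRS)] += 1
    writes[POLL_FLAG_ADDR] += TICK_HZ * real_seconds   # bound to real time, not to the PIT
    return writes


def workload_writes(rate: float, real_seconds: int) -> int:
    """Sanity check that perceived-time changes leave real performance untouched."""
    counts = run_guest(rate, real_seconds)
    return sum(counts[a] for a in WORKLOAD_ADDRS)


def find_timers(rates: List[float], real_seconds: int, tolerance: float = 0.15) -> List[int]:
    """Addresses whose write count grows in proportion to the PIT rate are timers;
    addresses written at a constant real-time rate (workload, polling) are not."""
    runs: Dict[float, Counter] = {r: run_guest(r, real_seconds) for r in rates}
    base_rate = rates[0]
    candidates = set()
    for counts in runs.values():
        candidates.update(counts)
    timers = []
    for addr in candidates:
        base = runs[base_rate][addr]
        if base == 0:
            continue
        scales_with_pit = all(
            abs(runs[r][addr] / base - r / base_rate) <= tolerance * (r / base_rate)
            for r in rates[1:]
        )
        if scales_with_pit:
            timers.append(addr)
    return sorted(timers)
```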
Filling in the Timetable

| SystemTime | Predicate | Behavior |
|---|---|---|
| 126,396,288e12 (13 July 2001) | ? >= 20 | Spread |
| 126,402,336e12 (20 July 2001) | ? >= 28 | DoS White House |
| 126,409,248e12 (28 July 2001) | None | Go to sleep |
[Figure: Windows – number of predicates checked per second vs. real time (seconds), for Windows TickCount and Windows SystemTime]
Manual Analysis
• Many different library calls, APIs for date and time
  – GetSystemTime(), GetLocalTime(), GetTimeZoneInformation(), DiffDate(), GetDateFormat(), etc.
  – System call not really necessary
• Conversions back and forth between various representations (e.g. MyParty.A, Blaster.E)
  – UTC vs. Local
  – 1600 vs. 1900 vs. 1970
  – 32- vs 64-bit integers for day, month, year, etc.; strings
  – Not always done with standard library functions
• Have to unpack it first, anti-debugging tricks
• All of this is simply dataflow from the SystemTime timer
Setup
• Bochs VM w/ DACODA and Timer Discovery
  – Windows XP @ 192.168.33.2
• Host @ 192.168.33.1 w/ DNS, NTP, HTTP, TIME, etc.
• Connected through a tuntap interface
• ARP cache poisoning, DNS spoofing, etc.
Temporal Search
• Symbolic Execution (DACODA)
  – Code Red, Blaster.E, MyParty.A, Klez.A
  – Discovers predicates on day, hour, minute, etc. on a real time trace
• Control-flow sensitivity within loops
  – Code Red, Blaster.E, MyParty.A, Klez.A, Sober.X, Kama Sutra
  – Month and year
Adversarial Analysis
• For any technique, being applicable to every possible virus or worm is not a requirement
  – AV companies collect intelligence
• More details in the paper on this
Conclusions from Temporal Search
• Manual analysis is tricky and time-consuming
  – Temporal Search can dramatically improve response time
• Behavior-based analysis is all about the environment
  – Malware does not follow a linear timetable
  – Gregorian calendar poses its own challenges
Why Behavior-Based Analysis?
“An ant, viewed as a behaving system, is quite simple. The apparent complexity of its behavior over time is largely a reflection of the complexity of the environment in which it finds itself.” –Herbert Simon
Other recent projects…
(Stuff I’m currently working on)
Replay-Based Entropy Measurement [Crandall et al.; work in progress]
Great Firewall of China [Zinn et al.; work in progress]
• My contribution: Model keyword-based censorship using Latent Semantic Analysis
  – Relate keywords to concepts
  – Efficient probing to discover unknown words that are filtered
Recovery [Oliveira et al.; work in progress]
[Figure: Virtual Time]
Outline
• Code Red II example – Define some basic terms and concepts
• Minos – Catches worms
• DACODA – Used to understand polymorphism and metamorphism
• Temporal Search – Analyzes the payload for timebomb attacks
• Looking ahead…
Looking ahead…
• Worms, botnets, rootkits, ???
  – Not problems with purely technical solutions
  – Should give defenders the tools they need
• How to develop defenses for emerging threats…
  – Study real malware
  – Understand the systems that the battle takes place on
  – Use the interactions between the two to develop a theory of what is possible
Examples
• Behavior-based analysis
  – Fully-automated implementation of temporal search
  – Different approaches [Reps et al; ESEC/FSE ‘97]?
  – Cryptovirology [Yung and Young; 2004]
• Vulnerability semantics
  – Vector semantics (such as LSA)?
  – Testing for unknown vulnerabilities
• Policies for commodity systems
  – Biba’s low-water-mark integrity, Chinese Wall Policy [Fraser; IEEE S&P 2000]
Questions?
Thank you for inviting me.
Related Work: Vigilante [Costa et al., SOSP 2005]
• Introduces the idea of Self Certifying Alerts
• Goal is automatic patching, not network filtering
• No distinction between what data looks like on the network and what it looks like when processed
• Filter generation is similar to DACODA’s symbolic execution
  – DACODA is a whole system approach
• Shield [Wang et al.; SIGCOMM 2004]
Temporal Search Lessons Learned…
• Some interesting times are relative
  – Need to track TickCount
• Behavior-based analysis is all about the environment
  – Code Red and TCP RSTs
Minos Evaluation
• Attacks designed to subvert Minos
  – [Crandall and Chong; MICRO 2004]
  – [Crandall and Chong; WASSA 2004]
  – [Chen et al.; USENIX Security 2005]
  – [Dalton et al.; WDDD 2006]
  – [Piromsopa and Enbody; WDDD 2006]
Adversarial Analysis of Temporal Search
• For any technique, being applicable to every possible virus or worm is not a requirement
  – AV companies collect intelligence
• Challenges
  – What is and is not a malicious use of the PIT?
  – Cryptocounters, covert channels, etc.
  – VM detection: [King et al.] SubVirt at IEEE S&P 2006; Pioneer project and related work at CMU
• All analysis can be done on a trace [Oliveira et al.; ASID 2006]