Escolar Documentos
Profissional Documentos
Cultura Documentos
Saman Amarasinghe
Associate Professor, MIT EECS/CSAIL CTO, Determina Inc.
Outline
Worm Basics Program Shepherding Intrusion Prevention Systems Anatomy of an Attack The Determina Story
Outline
Worm Basics Program Shepherding Intrusion Prevention Systems Anatomy of an Attack The Determina Story
What is a worm?
Worm - a program which replicates itself and causes execution of the new copy.
Self-replication Self-contained; does not require a host Activated by hijacking or creating a process
Types of Worms
Self propagate The payload arrive as packets on an open port Takes advantage of a program vulnerability Hijacks the program Self propagate
History of Worms
1982
1987
1988
Code Red Worm Slammer Worm Blaster Worm Sasser Worm Witty Worm
One of the biggest threats to the modern information infrastructure Characteristics of Modern Worm Threat
700,000 machines infected $2-2.9 billion in damage (Computer Economics) $200 million in damage per day during attacks
Outline
Worm Basics Program Shepherding Intrusion Prevention Systems Anatomy of an Attack The Determina Story
Memory based attacks Motivating Example: A buffer overflow attack Dissecting the lifecycle in the penetration phase Overview of Program Shepherding DynamoRIO basics Technique 1: Restricted Code Origins Technique 2: Restricted Control Transfer Technique 3: Uncircumventable Sandboxing Self Protection
Attack that that directly enters an application, corrupts the applications memory and hijack the application Types of memory based attacks
Buffer Overflow Heap Manipulation Format String Vulnerabilities Shatter Attacks Return to Libc Attacks Once the application is hijacked, the attack can do anything that the application can do
Network
Operating System
Application
Instructions
Operating System
Stack
Arguments: Return Address Local Variables: Argument: h Return Address Local Variables: tmp
URL:
http://cag.lcs.mit.edu/~saman/tmp/doitnow.pl?helper=foobar myid=123453;junk=23#42@$@FFNLQ!_@##*RFNL!~@#+
Stack
Arguments: Return Address Local Variables: Argument: h Return Address Local Variables: tmp
URL:
http://cag.lcs.mit.edu/~saman/tmp/doitnow.pl?helper=foobar myid=123453;junk=23#42@$@FFNLQ!_@##*RFNL!~@#+
Application
Data
Instructions
Operating System
Stack
lea %ecx%eax sub 0x1c(%edi) %eax movzx 0x8(%edi) %ecx shl $0x07 %ecx cmp %eax %ecx
Arguments:
Return Address
Local Variables: Malicious code segment Argument: h Return Address 0x12FA2 Local Variables: tmp
URL:
http://0011101101101110110100010101101011010101101101 10110110110110101011010101010110101011010101010110...
Application
Data Hijack
Instructions
Attack Operating System
Enter
Monitoring is simple
Port monitoring or system call monitoring only known criminals can be identified
ABI
Processor Execution Environment
encrypted channels
Catch in the act of criminal behavior Systematically catch an entire class of attacks All programs follow strict conventions
No false positives ABI (Application Binary Interface) Catch them before they do ANY bad activity no attack code is ever run The Calling Convention
All attacks violate some of these conventions Need to be inside the application
Attack
Need to monitor activity at a very fine-grain each instruction at a time Overhead will can be overwhelming Monitoring be done Able to amortize the cost of enforcement, eliminating the overhead Leads to false positives
Hard to distinguish between actions of a normal program vs. a compromised program
Run-time System
jmp
br
ret
A Basic Interpreter
next VPC
decode
execute
Validate
Instruction Interpreter
PC is in the interpreter
Slowdown factor
26.03 2.97
basic block cache with direct linking
1.20
1.08
basic block cache basic block+trace with linking caches with linking (direct+indirect)
context switch
Slowdown factor
26.03
Performance Problem: basic block cache basic block cache basic block+trace High cost of frequent with direct linking with linking caches with linking (direct+indirect) context switches
2.97
1.20
1.08
context switch
Slowdown factor
26.03 2.97
basic block cache with direct linking
Performance Problem: basic High block cache cost basic of block+trace with linking caches with linking mispredicted indirect (direct+indirect) branches
1.20
1.08
miss
Slowdown factor
26.03 2.97
basic block cache with direct linking
1.20
basic block cache basic block+trace with linking caches with linking (direct+indirect)
dispatch
26.03 2.97
basic block cache with direct linking
1.20
1.08
basic block cache basic block+trace with linking caches with linking (direct+indirect)
Exceptions Call backs in Windows Asynchronous procedure calls Setjmp/longjmp Set thread context Application
ntdll.dll / *32.dll Code Cache
Kernel
Windows
Application behavior cannot change! No assumptions beyond the ISA and the OS interface Actions of DynamoRIO is transparent to the application Data Transparency I/O Transparency Transparent Exception Handling Program Address Transparency
Code Cache
A D E
Modified pages
As code is copied to the code cache, check where its coming from Check the security policy only once
What
Stack
Arguments: Fake arguments Return Address Local Variables: Fake arguments Argument: h Return Address 0x7F8B0 Local Variables: tmp
0x8A234
Libraries
0x7F8B0setuid() 0x8A234 unlink()
URL:
http://001110110110111011010001010110101101010110 10110110110110101011010101010110101011010101...
Only to known function entry points Only if the function is exported by the destination segment Only if the function is imported by the source segment
Only within a known function or to a known function entry point
Intra-Segment Jumps
Returns
Only to after a call instruction If a direct call, called function should be the same as the function returning from
DynamoRIO runs in the applications address space Must not allow application to manipulate DynamoRIO data or code cache How?
Protect Dynamo data structures and the code cache Sandbox system calls that can change protection and thread behavior
Memory protection
Application Privileges DynamoRIO Privileges
Page type
Application code
Application data DynamoRIO code DynamoRIO data
R
RW R R
R
RW R RW
Code cache
RW
Memory protection
Application Privileges DynamoRIO Privileges
Page type
Application code
Application data DynamoRIO code DynamoRIO data
R
RW R R
R
RW RE RW
Code cache
RE
RW
Outline
Worm Basics Program Shepherding Intrusion Prevention Systems Anatomy of an Attack The Determina Story
2.
3. 4. 5. 6.
7.
1. Accuracy
2. Maintainability
3. Scalability
4. Coverage
Is there a map anywhere? I have N products, what do they stop and where are the holes?
5. Proactivity
Attack Released
Lsass (MS04-011)
Internet Explorer
4/04
11/04
2 weeks (Sasser)
-1day no patch (Mydoom.ag)
6. Uncirumventability
Phrack Article Smashing Stack for Fun and Profit Any fool-proof systems?
Complex systems are never fool-proof Should we just give up? Is crypto fool-proof? How do you evaluate crypto? 10/90 rule of thumb Nothing is perfect, make it hard...
7. Containment
Did malicious code got executed? Any machine got infected? Other machines got compromised?
Network Firewalls Signature Based Deep Packet Inspection Vulnerability-Based Deep Packet Inspection
Compile-Time Solutions
1. 2. 3. 4. 5. 6. 7.
Hardware-Based Solutions
NX Bit
1. 2. 3. 4. 5. 6. 7.
Host-Based Solutions
Anti-Virus File scanning Personal Firewalls File Change Detection Patch Management Signature-Based System Call Interception Policy-Based System Call Interception Learning-Based System Call Interception Program Shepherding
1. 2. 3. 4. 5. 6. 7.
Outline
Worm Basics Program Shepherding Intrusion Prevention Systems Anatomy of an Attack The Determina Story
Anatomy of an Attack
1. Probing Techniques
E-mail Based
Get the address book Scan the disk Generate random Spam generator algorithms
Random IP Weighted Random IP Mine the ARP table Sniff existing connections
Network Based
2. Penetration Techniques
Social Engineering
Ambiguous text Generated messages with familiar or privilege information Compressed attachments Compressed and encrypted attachments Buffer Overflow Heap Manipulation Format String Vulnerabilities Shatter Attacks Return to Libc Attacks
Program Vulnerabilities
Privilege Escalation Cross-Site Scripting / SQL Injection Weak Passwords / Open Network Shares Known Backdoors
3. Persisting Techniques
Create new files Infect the boot sector Modify files (DLLs or executables) Install new services Modify Registry
4. Propagation Techniques
Use the e-mail client Find an open e-mail relay Bring your own SMTP server
Bring your own http server
Web connection
5. Paralyzation Techniques
Example: The Witty worm Sloppy use of excessive resources Spyware Not seen in mass worms For fun and fame vs. profit Zombie farms for DDOS attacks
Denial of Service
Information leaks
Directed Attacks
1999 Dec 2001 Dec 2002 Jan 2003 Feb 2003 April 2003 May 2003 Jan 2004 April 2004 May 2004 June 2004 Nov 2004
DynamoRIO Project Started Optimize Programs The Idea of Program Shepherding Provisional Patent Filed The Slammer worm Program Shepherding published at USENIX Security Started talking to VCs Araksha founded with $ 3M Series A funding Preview version released, 1st customers Series B funding of $ 16M Sasser worm stopped at customer sites Company unveiled, name changed to Determina Enterprise-ready product released