DACODA [Crandall et al.; CCS 2005]: DAvis malCODe Analyzer (slide transcript)
Slide 1
DACODA [Crandall et al.; CCS 2005]
DAvis malCODe Analyzer
- Discover invariants in the exploit vector (ε)
- Symbolic execution on the system trace during attacks that Minos catches
- Used for an empirical analysis of polymorphism and metamorphism
- Quantify and understand the limits
Slide 2
Worm Polymorphism and Metamorphism
- Viruses: Defender has time to pick apart the attacker's techniques, e.g. algorithmic scanners, emulation
- Worms: Attacker has time to pick apart the deployed network defense techniques
- What can defenders do to evaluate the robustness of defenses against attacks that don't exist yet?
Slide 3
Measuring Poly/metamorphism
- [Ma et al.; IMC 2006] found relatively little polymorphism "in the wild"
- Worm defense designers don't have samples of the poly/metamorphic techniques attackers will use on their defenses (they have to build the defense first)
Slide 4
How DACODA Works
"Information only has meaning in that it is subject to interpretation." [Cohen, 1984]
- Gives each byte of network data a unique label
- Tracks these labels through the entire system
- Discovers predicates about how the host under attack interprets the network bytes
Slide 5
mov al,[AddressWithLabel1832]
add al,4
cmp al,10
je JumpTargetIfEqualToTen

; AL.expr <= (LABEL 1832)
; AL.expr <= (ADD AL.expr 4)
; /* AL.expr == (ADD (LABEL 1832) 4) */
; ZFLAG.left <= AL.expr
; /* ZFLAG.left == (ADD (LABEL 1832) 4) */
; ZFLAG.right <= 10
; P <= new Predicate(EQUAL ZFLAG.left ZFLAG.right)
; /* P == (EQUAL (ADD (LABEL 1832) 4) 10) */
; AddToSetOfKnownPredicates(P)
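The four-instruction walk-through on this slide can be replayed with a small symbolic tracker. The Python below is an added example, not DACODA's code: it labels every network byte with its offset, propagates (LABEL n) and (ADD ...) expressions through a handful of x86-like instructions, records a predicate at each conditional branch whose flag operands depend on labelled data, and also computes the "longest contiguous byte string" measure used later in the deck. The instruction tuples, the 0x1000 load address and the 2000-byte payload with byte 1832 set to 6 are all constructed for the demo.

```python
"""Toy DACODA-style symbolic tracker (added example, not the DACODA code).

Every byte that arrives from the network gets a unique integer label.  Data
movement and arithmetic propagate expressions over those labels; a compare
followed by a conditional branch turns the flag operands into a predicate
about how the host interprets the network bytes.
"""

LABEL, ADD, EQUAL, NOTEQUAL = "LABEL", "ADD", "EQUAL", "NOTEQUAL"


def render(expr):
    """Print an expression in the LISP-like form used on the slide."""
    if isinstance(expr, int):
        return str(expr)
    op, *args = expr
    return "(" + " ".join([op] + [render(a) for a in args]) + ")"


def labels_in(expr, acc=None):
    """Collect the network-byte labels an expression depends on."""
    acc = set() if acc is None else acc
    if isinstance(expr, tuple):
        if expr[0] == LABEL:
            acc.add(expr[1])
        else:
            for a in expr[1:]:
                labels_in(a, acc)
    return acc


class SymbolicCPU:
    """8-bit toy CPU: each register and memory cell holds (concrete, expr)."""

    def __init__(self, network_bytes, base):
        # Constructed input: the payload is mapped at `base`; label = offset.
        self.mem = {base + i: (b, (LABEL, i)) for i, b in enumerate(network_bytes)}
        self.regs = {}
        self.zflag = None            # (left_val, left_expr, right_val, right_expr)
        self.predicates = []

    def _read(self, operand):
        if isinstance(operand, int):          # immediate: concrete, unlabelled
            return operand, operand
        if isinstance(operand, tuple):        # ("mem", address)
            return self.mem[operand[1]]
        return self.regs[operand]             # register name

    def step(self, instr):
        op = instr[0]
        if op == "mov":
            self.regs[instr[1]] = self._read(instr[2])
        elif op == "add":
            dv, de = self.regs[instr[1]]
            sv, se = self._read(instr[2])
            total = (dv + sv) & 0xFF
            # Concrete + concrete stays concrete; anything labelled stays symbolic.
            expr = total if isinstance(de, int) and isinstance(se, int) else (ADD, de, se)
            self.regs[instr[1]] = (total, expr)
        elif op == "cmp":
            lv, le = self._read(instr[1])
            rv, re_ = self._read(instr[2])
            self.zflag = (lv, le, rv, re_)
        elif op == "je":
            lv, le, rv, re_ = self.zflag
            if isinstance(le, int) and isinstance(re_, int):
                return                        # no network data involved
            # Record the predicate as the branch actually resolved it on this run
            # (the slide shows the taken/EQUAL case; NOTEQUAL is our extension).
            self.predicates.append((EQUAL if lv == rv else NOTEQUAL, le, re_))
        else:
            raise ValueError(f"unsupported instruction {op}")

    def run(self, program):
        for instr in program:
            self.step(instr)
        return self.predicates


def longest_contiguous(labels):
    """Longest run of consecutive constrained byte offsets, i.e. the
    'single contiguous byte string' length reported later in the deck."""
    best = run = 0
    prev = None
    for n in sorted(labels):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def slide_example():
    """Replay the slide's fragment on a constructed payload (byte 1832 == 6)."""
    payload = bytearray(2000)
    payload[1832] = 6
    cpu = SymbolicCPU(payload, base=0x1000)
    program = [
        ("mov", "al", ("mem", 0x1000 + 1832)),   # mov al,[AddressWithLabel1832]
        ("add", "al", 4),                        # add al,4
        ("cmp", "al", 10),                       # cmp al,10
        ("je", "JumpTargetIfEqualToTen"),        # je JumpTargetIfEqualToTen
    ]
    return [render(p) for p in cpu.run(program)]


if __name__ == "__main__":
    for pred in slide_example():
        print(pred)          # (EQUAL (ADD (LABEL 1832) 4) 10)
```

Because the branch outcome comes from the concrete run, the predicate records what the victim actually tested on that trace; the label set under each predicate is what a signature generator would later group into contiguous strings or tokens.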
Slide 6
Actual Worms/Attacks Caught by Minos and Analyzed by DACODA
Name               OS      Port       Class
Sasser             WinXP   445/TCP    Buff.Over.
Blaster            WinXP   135/TCP    Buff.Over.
Workstation Serv.  WinXP   445/TCP    Buff.Over.
RPCSS              WinXP   135/TCP    Buff.Over.
Slammer            Whist.  1434/UDP   Buff.Over.
Code Red II        Whist.  80/TCP     Buff.Over.
Zotob              Win2K   445/TCP    Buff.Over.
Slide 7
Other Attacks Caught by Minos and Analyzed by DACODA
Name        OS      Port            Class
SQL Auth.   Whist.  1434/TCP        Buff.Over.
rpc.statd   Linux   111 & 918/TCP   Form.Str.
innd        Linux   119/TCP         Buff.Over.
Scalper     OBSD    80/TCP          Int.Over.
ntpd        FBSD    123/TCP         Buff.Over.
Turkey      FBSD    21/TCP          OffByOne
Slide 8
Single Contiguous Byte Strings
Name        Longest String
Sasser      36
Blaster     92
Work.       23
RPCSS       18
Slammer     1
CRII        17
Zotob       36

Name        Longest String
SQLAuth     4
rpc.statd   16
innd        27
Scalper     32
ntpd        8
Turkey      21
Slide 9
Single Contiguous Signatures
- Autograph [Kim and Karp; USENIX Security 2004] and EarlyBird [Singh et al.; OSDI 2004] both demonstrated good results at about 40 bytes for the signature length
- [Newsome et al.; IEEE S&P 2005] came to the same conclusion as we did and proposed sets of smaller byte strings called tokens
Slide 10
Tokens
GET /default.ida?XXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Slide 11
Where do These Tokens Come From?
- Scalper: "Transfer-Encoding: chunked"
- The same applies to most of these vulnerabilities
- "The Horns of a Dilemma": use protocol framing as a signature, or be very precise
Slide 12
Conclusions from DACODA
- Whole system analysis is important
- New focus on more semantic signatures: how to understand the semantics of the vulnerability?
- We can learn a lot about emerging malware threats by studying existing malware samples and their interactions with the systems they run on
Slide 13
Temporal Search [Crandall et al.; ASPLOS 2006]
- Automated discovery of timebomb attacks
- Analysis in the π stage
- Prototype of behavior-based analysis
- Proposed a framework for a problem space nobody has looked at before
- Implemented parts of it
- Identified the remaining challenges by testing real worms with timebombs on our prototype
Slide 14
You as an antivirus professional catch a new worm...
- Unpack it
- Polymorphism/metamorphism?
- Anti-debugger tricks?
- Any behaviors predicated on time?
- How does it get the time? UTC/Local? Conversions between formats?
Slide 15
With Temporal Search...
Infect a VM -> Automated, behavior-based Temporal Search -> Respond
Slide 16
How to respond?
- Sober.X (6 and 7 January 2006): URLs blocked
- Kama Sutra (3rd of the month): Users removed infections
- Code Red (20th of the month): White House IP address changed
- What if we have just hours or even minutes, not days?
Slide 17
Behavior-based Analysis
- [Cohen, 1984] defined behavior-based detection as a question of "defining what is and is not a legitimate use of a service, and finding a means of detecting the difference."
- Behavior-based analysis is similar: assume the system is infected with malware and analyze its use of a service such as the PIT
Slide 18
Why not just speed up the clock?
- Dramatic time perturbation would be easy to detect
- Also not easy to do for a busy system (effectively lowers perceived performance)
- May miss some behaviors (Kama Sutra)
- Will not be able to explain the behaviors it does elicit
Slide 19
Basic Idea
- Find timers: run the PIT at different rates of perceived time while system performance stays the same, and correlate between PIT and memory writes
- Symbolic execution, e.g. with DACODA
- Weakest precondition calculation
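The "find timers" step above is a correlation problem: run the same guest several times with the PIT firing at different perceived rates, keep the real workload the same, and look for memory locations whose write counts scale with the PIT rate. The following Python is an added example, not the Temporal Search prototype's code; it models a guest with a handful of hypothetical addresses (a tick counter, a coarser system-time field, a one-off deadline, and two workload-driven cells) and flags the ones that correlate with the PIT rate. Addresses, rates and work units are all constructed for the demo.

```python
"""Timer discovery by PIT-rate perturbation (added example, not the Temporal
Search prototype's code).

Run the modelled guest several times, each with the programmable interval
timer (PIT) firing at a different *perceived* rate while the amount of real
work stays the same.  Memory locations whose write counts scale with the PIT
rate are timers (or data derived from timers); workload-driven locations do
not scale with it and so do not correlate.
"""

# Constructed guest memory map (hypothetical addresses chosen for the demo).
TICK_COUNT   = 0x8000   # incremented on every PIT interrupt
SYSTEM_TIME  = 0x8010   # updated on every 10th PIT interrupt (coarser timer)
WAKE_AT      = 0x8020   # written once at boot: a deadline, not a timer
NET_BUFFER   = 0x9000   # written per unit of real (network) work
WORK_COUNTER = 0x9100   # written per unit of real work

NAMES = {TICK_COUNT: "TickCount", SYSTEM_TIME: "SystemTime", WAKE_AT: "WakeAt",
         NET_BUFFER: "NetBuffer", WORK_COUNTER: "WorkCounter"}


def run_guest(pit_rate, work_units, seconds=10):
    """Return {address: write_count} for one run of the modelled guest.

    pit_rate   -- PIT interrupts per second of real time for this run
    work_units -- units of real work the workload performs per second
    """
    writes = {addr: 0 for addr in NAMES}
    writes[WAKE_AT] = 1                      # one-off write at "boot"
    for _ in range(seconds):
        for tick in range(pit_rate):
            writes[TICK_COUNT] += 1
            if tick % 10 == 0:
                writes[SYSTEM_TIME] += 1
        for _ in range(work_units):
            writes[WORK_COUNTER] += 1
            writes[NET_BUFFER] += 2          # two writes per unit of work
    return writes


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def find_timers(pit_rates, work_per_run, threshold=0.99):
    """Correlate PIT rate with per-address write counts across several runs.

    work_per_run varies a little between runs, as real workloads do, but is
    independent of the PIT rate, so workload-driven addresses do not correlate.
    Returns (sorted timer addresses, {address: correlation}).
    """
    runs = [run_guest(r, w) for r, w in zip(pit_rates, work_per_run)]
    scores = {}
    for addr in NAMES:
        counts = [run[addr] for run in runs]
        scores[addr] = pearson(pit_rates, counts)
    timers = sorted(a for a, s in scores.items() if s >= threshold)
    return timers, scores


if __name__ == "__main__":
    rates = [50, 100, 200, 400, 800]         # constructed perceived-time rates
    work = [480, 520, 500, 470, 530]         # constructed, PIT-independent
    timers, scores = find_timers(rates, work)
    for addr in NAMES:
        print(f"{NAMES[addr]:12s} r={scores[addr]:+.3f}")
    print("timer candidates:", [NAMES[a] for a in timers])
```

The point of varying the PIT rate rather than jumping the clock is visible in the scores: TickCount and SystemTime track the rate perfectly even though SystemTime is written ten times less often, while the once-written deadline and the workload cells stay uncorrelated, so nothing about the guest's performance had to change to separate them.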
Slides 20-22
Filling in the Timetable (built up row by row over three slides)
SystemTime                        Predicate   Behavior
126,396,288e12 (13 July 2001)     ? >= 20     Spread
126,402,336e12 (20 July 2001)     ? >= 28     DoS White House
126,409,248e12 (28 July 2001)     None        Go to sleep
(time increases down the table)
Slide 23
[Figure: Windows. Number of predicates checked per second (y axis, 0 to 700) against real time in seconds (x axis, 0 to 480). Two series: Windows TickCount and Windows SystemTime.]
Slide 24
Manual Analysis
- Many different library calls and APIs for date and time: GetSystemTime(), GetLocalTime(), GetTimeZoneInformation(), DiffDate(), GetDateFormat(), etc.; a system call is not really necessary
- Conversions back and forth between various representations (e.g. MyParty.A, Blaster.E): UTC vs. local; 1600 vs. 1900 vs. 1970 epochs; 32- vs. 64-bit integers for day, month, year, etc.; strings
- Not always done with standard library functions
- Have to unpack it first; anti-debugging tricks
- All of this is simply dataflow from the SystemTime timer
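The representation juggling listed above, and the timetable from slides 20-22, can be made concrete in a few lines. The Python below is an added example, not code from the Temporal Search paper: it converts between the Windows FILETIME epoch (1601-01-01, the "1600" on this slide), the NTP epoch (1900) and the Unix epoch (1970), then evaluates the Code Red timetable as predicates on the day field, once on UTC (GetSystemTime) and once on a local clock (GetLocalTime). One assumption is made here: the predicate variable the table shows as "?" is the day of the month, which is what its three dates suggest. The two-hour local offset in the usage is constructed.

```python
"""Time-representation conversions and a timebomb timetable (added example,
not code from the Temporal Search paper).

The slide lists what a manual analyst untangles: UTC vs. local time, the
1601 (Windows FILETIME), 1900 (NTP) and 1970 (Unix) epochs, and integer
day/month/year fields.  These helpers convert between them and then evaluate
the Code Red timetable from slides 20-22 on the resulting day field.
Assumption: the table's "?" is the day of the month.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NTP_EPOCH_OFFSET = 2208988800                # seconds from 1900-01-01 to 1970-01-01
UNIX_EPOCH_AS_FILETIME = 116444736000000000  # 1970-01-01 in 100 ns units since 1601


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns intervals since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME (64-bit integer, 100 ns units)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def utc_filetime(year, month, day, hour=0):
    """Convenience: build a FILETIME from UTC calendar fields."""
    return datetime_to_filetime(datetime(year, month, day, hour, tzinfo=timezone.utc))


def unix_to_filetime(unix_seconds):
    """1970-based seconds -> 1601-based 100 ns ticks."""
    return unix_seconds * 10_000_000 + UNIX_EPOCH_AS_FILETIME


def filetime_to_unix(ft):
    return (ft - UNIX_EPOCH_AS_FILETIME) // 10_000_000


def ntp_to_unix(ntp_seconds):
    """NTP timestamps count from 1900; Unix time counts from 1970."""
    return ntp_seconds - NTP_EPOCH_OFFSET


def code_red_behavior(day_of_month):
    """Timetable from slides 20-22 as predicates on the (assumed) day field:
    '? >= 20' false -> Spread, '? >= 28' false -> DoS, otherwise sleep."""
    if not day_of_month >= 20:
        return "Spread"
    if not day_of_month >= 28:
        return "DoS White House"
    return "Go to sleep"


def behavior_at(ft, local_offset_hours=0):
    """Evaluate the timetable at a FILETIME.  With an offset, the day field
    comes from the guest's local clock (GetLocalTime) instead of UTC
    (GetSystemTime), which is where UTC/local mix-ups bite an analyst."""
    utc = filetime_to_datetime(ft)
    local = utc + timedelta(hours=local_offset_hours)
    return code_red_behavior(local.day)


if __name__ == "__main__":
    for y, m, d in [(2001, 7, 13), (2001, 7, 20), (2001, 7, 28)]:
        ft = utc_filetime(y, m, d)
        print(f"{ft:>20d}  unix={filetime_to_unix(ft)}  {y}-{m:02d}-{d:02d}  {behavior_at(ft)}")
    # 23:00 UTC on 19 July is already 20 July on a UTC+2 local clock (constructed).
    late = utc_filetime(2001, 7, 19, 23)
    print("UTC:", behavior_at(late), "| local UTC+2:", behavior_at(late, 2))
```

The last two lines show why the slide cares about UTC versus local: the same SystemTime value sits on different sides of the "? >= 20" boundary depending on which clock the sample consulted, so a timetable recovered from predicates on SystemTime has to carry the conversion the malware applied along with it.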
Slide 25
Setup
- Bochs VM with DACODA and Timer Discovery
- Host @ 192.168.33.1 with DNS, NTP, HTTP, TIME, etc.
- Windows XP @ 192.168.33.2
- tuntap interface
- ARP cache poisoning, DNS spoofing, etc.
Slide 26
Temporal Search
- Symbolic Execution (DACODA): Code Red, Blaster.E, MyParty.A, Klez.A
  - Discovers predicates on day, hour, minute, etc. on a real time trace
- Control-flow sensitivity within loops: Code Red, Blaster.E, MyParty.A, Klez.A, Sober.X, Kama Sutra
  - Month and year
Slide 27
Adversarial Analysis
- For any technique, being applicable to every possible virus or worm is not a requirement
- AV companies collect intelligence
- More details on this in the paper
Slide 28
Conclusions from Temporal Search
- Manual analysis is tricky and time-consuming; Temporal Search can dramatically improve response time
- Behavior-based analysis is all about the environment
- Malware does not follow a linear timetable; the Gregorian calendar poses its own challenges
Slide 29
Why Behavior-Based Analysis?
“An ant, viewed as a behaving system, is quite simple. The apparent complexity of its behavior over time is largely a reflection of the complexity of the environment in which it finds itself.” –Herbert Simon