770 likes | 790 Vues
This overview discusses the importance of addressing emerging threats such as poly/metamorphic worms, botnets, cryptovirology, and advanced rootkits. It explores various techniques and tools for capturing and analyzing these threats in order to develop next-generation security technologies.
E N D
Capturing and Analyzing Internet Worms Jedidiah R. Crandall crandall@cs.ucdavis.edu
Overview • Security is not a problem to be solved, but a battle to be waged by… • Antivirus professionals • Law enforcement • Next-generation security technology developers • … • Give them the tools they need • Implementations of useful techniques • Theory planted firmly in practice
Focus • How can we address emerging threats (poly/metamorphic worms/botnets, cryptovirology, advanced rootkits, etc.)? • Problem: We don’t have very many real-world samples of these to look at • Solution: Look at the way the samples we have interact with the systems we’re trying to defend
Overview of my work Symbolic Execution Catch Worms Temporal Search ASPLOS 2006 Timebomb Attacks Minos MICRO 2004 Architectural Support for Security DACODA CCS 2005 Empirical Study
Outline • Code Red II example • Define some basic terms and concepts • Minos • Catches worms • DACODA • Used to understand polymorphism and metamorphism • Temporal Search • Analyzes the payload for timebomb attacks • Looking ahead…
Outline • Code Red II example • Define some basic terms and concepts • Minos • Catches worms • DACODA • Used to understand polymorphism and metamorphism • Temporal Search • Analyzes the payload for timebomb attacks • Looking ahead…
Code Red/Code Red II • Code Red • 359,000 hosts infected • $2.6 billion in cleanup [Computer Economics] • Attempted DoS on White House • Averted after being discovered hours before the attack was to occur • Code Red II • Exploit is basically the same
Exploit-based Worms Web Server’s Memory Next GET /bla?x=A1B28CD30EE17C
The Code Red II Exploit GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
ε = Exploit Vector GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
γ = Bogus Control Data GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
π = Payload GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Motivation for ε-γ-π • Different polymorphic/metamorphic techniques for ε, γ, and π • Data can be represented differently on the network and where it used in the attack trace • “25 75 62 63 64 33 25 75 37 38 30 31” vs. “d3 cb 01 78” for 0x7801cbd3 • “Information only has meaning in that it is subject to interpretation.” [Cohen, 1984]
Network Signatures? GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Polymorphism and metamorphism • Change successive instances of the worm so signature-based network defenses fail • Polymorphic: think syntax • Metamorphic: think semantics • Note: Some researchers call both polymorphism
ε = Exploit Vector GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
γ = Bogus Control Data GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
π = Payload GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Poly/metamorphism in γ and π • Poly/metamorphic possibilities of π are endless (self-modifying code) • γ: Buttercup [Pasupulati et al. NOMS 2004] • “Register springs” – more details in [Crandall et al.; DIMVA 2005] • 11,009 possibilities for Blaster • 353 for Slammer
Polymorphism of ε GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Polymorphism of ε GET /yutiodr.ida?CEOIUXJASKMDIDD EOXIJOEIJXDXNMDKJXNSKJNXIDOIW R…ATUD%u8743%ubc65%ua999%uffff%u873f%ue875%u4568%u99cc%u8333%u7621%ubb66%u9876%u1000%u8732%u9854%u76cd%udddd%u5555%u5234%uff43%u7632%u5632%ucc=i HTTP/1.0
Metamorphism of ε GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Metamorphism of ε GET /default.ida?X%u61XXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\xd3\xcb\x01\x78XXXXXXXXXXXXXXXXXX=a HTTP/1.0
Outline • Code Red II example • Define some basic terms and concepts • Minos • Catches worms • DACODA • Used to understand polymorphism and metamorphism • Temporal Search • Analyzes the payload for timebomb attacks • Looking ahead…
Minos [Crandall and Chong; MICRO 2004] • Tagged architecture that tracks the integrity of every memory word • Network data is tainted • Control data (return pointers, function pointers, jump targets, etc.) should not be • Taint tracking with every instruction • Great for catching worms • Uses the γ mapping
Minos Implementation • Implemented a full-system tagging scheme in a virtual machine • Linux (modified kernel) • Tracks integrity in the file system • Virtual memory swapping [used by Raksha project] • Windows (unmodified) • Works great as a honeypot for cacthing worms
Actually a “non-target pest” http://www.peta.org/about/c-report_cruelty.asp
Minos Full-System Evaluation • General Minos concept used in related works (DIFT [Suh et al.; ASPLOS 2004], TaintCheck [Newsome and Song; NDSS 2005], Vigilante [Costa et al.; SOSP 2005]), follow-on works, and at least one commercial product • Important to get things right • e.g. Code Red II – must taint table lookups • Able to build DACODA on top of Minos
Outline • Code Red II example • Define some basic terms and concepts • Minos • Catches worms • DACODA • Used to understand polymorphism and metamorphism • Temporal Search • Analyzes the payload for timebomb attacks • Looking ahead…
DACODA [Crandall et al.; CCS 2005] • DAvis malCODe Analyzer • Discover invariants in the exploit vector (ε) • Symbolic execution on the system trace during attacks that Minos catches • Used for an empirical analysis of polymorphism and metamorphism • Quantify and understand the limits
Worm Polymorphism and Metamorphism • Viruses: Defender has time to pick apart the attacker’s techniques • e.g. Algorithmic scanners, emulation • Worms: Attacker has time to pick apart the deployed network defense techniques • What can defenders do to evaluate the robustness of defenses against attacks that don’t exist yet?
Measuring Poly/metamorphism • [Ma et al.; IMC 2006] • Found relatively little polymorphism “in the wild” • Worm defense designers don’t have samples of the poly/metamorphic techniques attackers will use on their defenses • (Have to build the defense first)
How DACODA Works • “Information only has meaning in that it is subject to interpretation.” [Cohen, 1984] • Gives each byte of network data a unique label • Tracks these through the entire system • Discovers predicates about how the host under attack interprets the network bytes
mov al,[AddressWithLabel1832] add al,4 cmp al,10 je JumpTargetIfEqualToTen ; AL.expr <= (Label 1832) ; AL.expr <= (ADD AL.Expr 4) ; /* AL.expr == (ADD (LABEL 1832) 4) */ ; ZFLAG.left <= AL.expr ; /* ZFLAG.left == (ADD (Label 1832) 4) */ ; ZFLAG.right <= 10 ; P <= new Predicate(EQUAL ZFLAG.Left ZFLAG.Right) ; /* P == (EQUAL (ADD (Label 1832) 4) 10) */ ; AddToSetOfKnownPredicates(P)
Why Full-System Analysis? • Kernel • “Remote Windows Kernel Exploitation – Step Into the Ring 0” by Barnaby Jack • MS05-027 (SMB) • Multiple processes • Base64 in IIS + ASN.1 in lsass.exe • Multithreading • And listening on multiple ports
Single Contiguous Signatures • Autograph [Kim and Karp; USENIX Security 2004] and EarlyBird [Singh et al.; OSDI 2004] both demonstrated good results at about 40 bytes for the signature length • [Newsome et al.; IEEE S&P 2005] came to the same conclusion as we did and proposed sets of smaller byte strings called tokens
Tokens GET /default.ida?XXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX X…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Where do These Tokens Come From? • Scalper “Transfer-Encoding: chunked” • Same applies to most of these vulnerabilities • “The Horns of a Dilemma” • Use protocol framing as a signature • Be very precise
Precision: ASN.1 Dangling Pointer • Heap corruption (0x23 [SIZE]… ”AAAAAAAA” (0x23 [SIZE] 0x77665544 “BBBB”) …)
Conclusions from DACODA • Whole system analysis is important • New focus on more semantic signatures • How to understand the semantics of the vulnerability? • We can learn a lot about emerging malware threats by studying existing malware samples and their interactions with the systems they run on
Outline • Code Red II example • Define some basic terms and concepts • Minos • Catches worms • DACODA • Used to understand polymorphism and metamorphism • Temporal Search • Analyzes the payload for timebomb attacks • Looking ahead…
Temporal Search[Crandall et al.; ASPLOS 2006] • Automated discovery of timebomb attacks • Analysis in the πstage • Prototype of behavior-based analysis • Proposed a framework for a problem space nobody has looked at before • Implemented parts of it • Identified the remaining challenges • By testing real worms with timebombs on our prototype