1 / 38

Part I PS 3 discussion of SPINS paper

This discussion covers the scenario of a high-power base station communicating with thousands of small, low-powered devices wirelessly. It focuses on message authentication codes, cryptographic hash chains, and the challenges of securing the network.

sarab
Télécharger la présentation

Part I PS 3 discussion of SPINS paper

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Part IPS 3 discussion of SPINS paper CS 588 February 22, 2005 nate@cs.virginia.edu

  2. Scenario High-power base station Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly

  3. Message Authentication Code (MAC) • Essentially a one-way hash function with a key, k • Used for message integrity and authentication • If m is altered to m’ then MAC(m) ≠ MAC(m’) • Only those that know k can create correct MAC

  4. time Initially store: K0 = f4(x) K1 = f3(x) verify f (K1) = f(f3(x)) = K0 K2 = f2(x) verify f2(K2) = f2(f2(x)) = K0 Cryptographic Hash Chains f is a one-way function: easy to calculate f(x), but difficult to invert f. Kj = f (Kj+1) f f f x K3 = f (x) K1 = f (f (f (x))) K2 = f (f (x))

  5. µTesla [Perrig, et. al., 2002] • Initially: sensor nodes know K0 = fn(x) base station knows x • Base station messages encrypted using K1 = fn-1(x) • Nodes store and time stamp messages, but cannot decrypt them (yet) • At time t1, base station broadcasts K1 • Nodes verify f (K1) = K0 • Nodes use K1 to decrypt earlier messages • Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed

  6. Part IIViruses and CryptographyPrinciples and Practise of X-RAYINGF. Perriot, P. FerrieVirus Bulletin, Sept. 2004

  7. Lessons to Learn • Simple methods of encryption are prevalent • Viruses provide good applications of things you have seen in this class so far • Another security trade-off • Resources in sensornets • Speed in virus scanning

  8. virus Introduction • Cohen’s definition of a virus • A program that is able to infect other programs by modifying them to include a possibly evolved copy of itself Win32 PE file (.exe)

  9. Historical Glimpse of Malware • “Elk Cloner” • 1982: First PC virus • Displayed poem after 50th reset • Morris Worm • 1988: A network program that attacked many different vulnerabilities to compromise machine • Blaster Worm • 2004: Typical unpatched UVa CS machine compromised ~1 to 2 minutes

  10. Virus Infection (PE files) • Easiest way is to prepend while overwriting host application beginning • Original application will not work • Can append into last section of PE file • Change entry point to beginning of the virus • Insert jmp at entry point to jump to the virus • Virus writers need something more to fight detection

  11. Armored Viruses • Encryption • Thwarts disassembly • Can hide virus code ; From W95/Mad.2736 Virus ; mov src, dest mov ecx, LENGTH_OF_VIRUS Decrypt: xor [edi], al ; key is in al inc edi loop Decrypt ; decrement ecx

  12. Detecting Encrypted Viruses • Polymorphic viruses mutate decryptors • Static decryptors are easier to detect • Advanced polymorphic virus decryptors can still be statically detected • MtE has a constant, conditional backwards jump • Use wildcards in matching algorithm (e.g., 0x75 ?? 0xBF)

  13. Decryptor More complicated Decryption Decryptor Decryptor Decryptor n Decryptor

  14. Other complicating methods of Decryption • Virus can use brute force to decrypt (no key needed) • Multiple layers of encryption • Key can slide, shift • Non-linear decryption (substitution) • Debuggers can modify decryption code (e.g., when decryption code is used as key) • Emulators may optimize decryption code

  15. P e8 00 00 5d C 71 99 99 c4 X-RAY detection • X-RAY • Attacking the encryption of the virus code • Virus encryption is usually weak • Only have a few seconds (make it fast) If XOR is only encryption used, how can we quickly determine key?

  16. Why X-RAY • Can be cheaper (faster) than emulation • Emulator may not be able to emulate virus • Decryptors can be buggy • Works on ~50% of recent Win32 viruses

  17. X-RAY Overview • Known-plaintext attack • Assume we know virus body (or variant) • Just need to know if the virus is really present • Sliding x-ray C 71 99 99 c4 25 C 71 99 99 c4 25 C 71 99 99 c4 25 …

  18. X-RAY Approaches • Key Recovery • Guess key, then match ciphertext to some part of plaintext • Key validation • Recover several keys or pieces of keys • Do the keys match with respect to given encryption method? P e8 00 00 5d ^ ^ ^ ^ C 71 99 99 c4 99 99 99 99

  19. X-RAY Approaches • Invariant scanning • Can reduce ciphertext and then compare against reduced plaintext • Very fast • Check Rc == Rp C 71 99 99 c4 P e8 00 00 5d C >> 1 71 99 99 c4 P >> 1 e8 00 00 5d Rc =C ^ (C>>1) e8 00 5d Rp =P ^ (P>>1) e8 00 5d

  20. p0 p1 p2 p3 P e8 00 00 5d C E8^99 00^99 00^99 5d^99 E8^99 00^99 00^99 5d^99 C >> 1 Rc =C ^ (C>>1) p0^p1 p1^p2 p2^p3 P p0 p1 p2 p3 P >> 1 p0 p1 p2 p3 Rp =P ^ (P>>1) p0^p1 p1^p2 p2^p3 Invariant Example Label each plaintext character Reduce Ciphertext Reduce Plaintext

  21. How to apply X-RAYing • Want to filter out files for X-RAYing • Use file geometry, positions and sizes of segments that characterize infected objects (e.g., virus decryptor, virus body, min/max size of decryptor, min infected file size, …) • Use frequency analysis • Encrypted bytes will have fairly random distribution • Look at ratio of zero bytes to non-zero bytes

  22. How to apply X-RAYing • Choice of signatures • Look at segments from begin, middle, and end of last section • Length of signatures • Related to unicity distance • If a virus has a max key length of n bits, add n bits to plaintext signature • Want to avoid false positives • Misalignment (e.g., sub on 4 bytes instead of single bytes)

  23. W95/PerenastXOR cipher • To encrypt: • XOR dword (32 bits) of virus with a key • Add encrypted value to key to produce next key • Rotate key i times (later variants did this) • 1011 rotated 1 time to right: 1101 • Jump to step 1 if virus not encrypted • To X-RAY: • XOR first 2 dwords of ciphertext with first 2 dwords of plaintext • Compute the difference (may need to rotate second dword value if key was rotated)

  24. W32/Efish.ASubstitution Cipher • Uses a 256 byte substitution table • Key size of XOR: 256 bits • Key size of 16x16 byte substitution table: 256! possible tables • Use geometry of file • If a duplicate byte value occurs within 256 bytes of its duplicate, then the 256 bytes cannot be the key • Have to do this fast!

  25. X-RAY Problems • Multiple layers of encryption with a changing key are too expensive to X-RAY • If each layer of encryption uses a fixed key with simple operations (e.g., XOR, ROR, etc.), then X-RAYing can be done • Unaligned layers cause too much diffusion

  26. W32/MagistrMore Advanced X-RAY techniques • Many operations such as XOR, ADD, shifts, etc. are often used to modify the key each round (“running keys”) • Can X-RAY by trying each possible operation, but it needs more data For i = 0 to VIRUS_SIZE p[i] = c[i] ^ k1 k1 = k1 + k2 (these 2 lines can k1 = k1 rol k3 can be swapped) end for

  27. W32/Magistr // encrypting virus code For i = 0 to VIRUS_SIZE p[i] = c[i] ^ k1 k1 = k1 + k2 (these 2 lines can k1 = k1 rol k3 can be swapped) end for • Assume order is ADD then ROL • XOR 2nd encrypted dword (try all 31 ROL arguments) • For some i in the 31 ROL results, result - k1 yields ADD value (k2) • Check by encrypting 3rd dword of plaintext

  28. Homophonic Cipher • NOON could encrypt to ERTY • Notice N and O encrypt to 2 different ciphertext letters • Will work as long as each ciphertext symbol maps to a unique plaintext symbol • Hides frequency distribution

  29. W32/Efish.CHomophonic Cipher • Build decryption keys • For each ci and pi,record decryption key • If 2 distinct plaintext values map to the same decryption key, cipher is not substitution or homophonic • If there are multiple encrypted values for a given plaintext element, it’s homophonic • Brute force for this is SLOW

  30. W32/Efish.CAttacking PRNG • Using timestamps, C rand() function is bad • Take care to seed PRNG well • Efish.C uses a PRNG named the Mersenne Twister • With 94% chance, a random substitution table is used, or • 6% of the time, it searches for an unused plaintext byte

  31. W32/Efish.CAttacking PRNG • After ~350 bytes, the chance of an unused byte is less than 10-9 • So after the 350th byte, it’s just a substitution cipher • Use frequency analysis, determine if a virus uses a simple substitution cipher • If frequencies are not preserved, we know it’s not a substitution cipher

  32. Questions? (Make sure you got leaked document on midterm and copy of X-RAY paper)

  33. W32/Efish.AScanning for duplicate bytes • Naïve solution • Consider first 5 bytes, if duplicate found, slide 5-byte window one position down • It takes 4 bytes to stop the scan on first scan • It takes 3 bytes to stop for the next scan, and it’s the first 2 bytes • End up looking at same bytes multiple times 0 1 2 3 4 … 52 f2 ce f2 09 …

  34. W32/Efish.AMore Efficient Scanning • Better solution • Start from end • If duplicate seen, slide window down 256 – examined bytes • If positions 442 and 431 are the first duplicates, we can start scanning at position 432 • On average, it takes ~20 bytes to find duplicate 0 1 2 … 431 … 442 … 52 f2 ce … 08 … 08 …

  35. Other X-RAY Options • For W95/Perenast, the encryption is encrypt: c = p ^ k k = k – c loop encrypt • If p == 0, then k becomes 0 • If any bits in p are 0, then those bits become 0 in k

  36. W32/Bagif • Used 2 layers of encryption • First layer is a polymorphic decryptor that builds a second layer decryptor that decrypts virus body • For 2nd layer, to encrypt: • Initialize counter to VIRUS_SIZE • XOR byte with last 8 bits of 32-bit key • Rotate key right by one bit • Subract counter from key, decrement counter • Jump to step 2 if counter not 0

  37. X-RAYing W32/Bagif • To X-RAY, do reverse: • We can quickly get last 8 bits of key, k, from last byte of virus body • last encrypted virus byte XOR last plaintext virus byte (set c = 2) • Set k = c + k, then increment c • Rotate k left by one bit • XOR ciphertext byte with known 7 bits of key plus 1 unknown bit • Jump to step 2 if counter not VIRUS_SIZE

  38. Multiple Layers of Encryption • Recover code and data keys from decryptor • Recover code key to X-RAY data key (check for often-used opcodes in decryptor) • Data key usually spread through many instructions • May need emulator

More Related