380 likes | 393 Vues
This discussion covers the scenario of a high-power base station communicating with thousands of small, low-powered devices wirelessly. It focuses on message authentication codes, cryptographic hash chains, and the challenges of securing the network.
E N D
Part IPS 3 discussion of SPINS paper CS 588 February 22, 2005 nate@cs.virginia.edu
Scenario High-power base station Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly
Message Authentication Code (MAC) • Essentially a one-way hash function with a key, k • Used for message integrity and authentication • If m is altered to m’ then MAC(m) ≠ MAC(m’) • Only those that know k can create correct MAC
time Initially store: K0 = f4(x) K1 = f3(x) verify f (K1) = f(f3(x)) = K0 K2 = f2(x) verify f2(K2) = f2(f2(x)) = K0 Cryptographic Hash Chains f is a one-way function: easy to calculate f(x), but difficult to invert f. Kj = f (Kj+1) f f f x K3 = f (x) K1 = f (f (f (x))) K2 = f (f (x))
µTesla [Perrig, et. al., 2002] • Initially: sensor nodes know K0 = fn(x) base station knows x • Base station messages encrypted using K1 = fn-1(x) • Nodes store and time stamp messages, but cannot decrypt them (yet) • At time t1, base station broadcasts K1 • Nodes verify f (K1) = K0 • Nodes use K1 to decrypt earlier messages • Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed
Part IIViruses and CryptographyPrinciples and Practise of X-RAYINGF. Perriot, P. FerrieVirus Bulletin, Sept. 2004
Lessons to Learn • Simple methods of encryption are prevalent • Viruses provide good applications of things you have seen in this class so far • Another security trade-off • Resources in sensornets • Speed in virus scanning
virus Introduction • Cohen’s definition of a virus • A program that is able to infect other programs by modifying them to include a possibly evolved copy of itself Win32 PE file (.exe)
Historical Glimpse of Malware • “Elk Cloner” • 1982: First PC virus • Displayed poem after 50th reset • Morris Worm • 1988: A network program that attacked many different vulnerabilities to compromise machine • Blaster Worm • 2004: Typical unpatched UVa CS machine compromised ~1 to 2 minutes
Virus Infection (PE files) • Easiest way is to prepend while overwriting host application beginning • Original application will not work • Can append into last section of PE file • Change entry point to beginning of the virus • Insert jmp at entry point to jump to the virus • Virus writers need something more to fight detection
Armored Viruses • Encryption • Thwarts disassembly • Can hide virus code ; From W95/Mad.2736 Virus ; mov src, dest mov ecx, LENGTH_OF_VIRUS Decrypt: xor [edi], al ; key is in al inc edi loop Decrypt ; decrement ecx
Detecting Encrypted Viruses • Polymorphic viruses mutate decryptors • Static decryptors are easier to detect • Advanced polymorphic virus decryptors can still be statically detected • MtE has a constant, conditional backwards jump • Use wildcards in matching algorithm (e.g., 0x75 ?? 0xBF)
Decryptor More complicated Decryption Decryptor Decryptor Decryptor n Decryptor
Other complicating methods of Decryption • Virus can use brute force to decrypt (no key needed) • Multiple layers of encryption • Key can slide, shift • Non-linear decryption (substitution) • Debuggers can modify decryption code (e.g., when decryption code is used as key) • Emulators may optimize decryption code
P e8 00 00 5d C 71 99 99 c4 X-RAY detection • X-RAY • Attacking the encryption of the virus code • Virus encryption is usually weak • Only have a few seconds (make it fast) If XOR is only encryption used, how can we quickly determine key?
Why X-RAY • Can be cheaper (faster) than emulation • Emulator may not be able to emulate virus • Decryptors can be buggy • Works on ~50% of recent Win32 viruses
X-RAY Overview • Known-plaintext attack • Assume we know virus body (or variant) • Just need to know if the virus is really present • Sliding x-ray C 71 99 99 c4 25 C 71 99 99 c4 25 C 71 99 99 c4 25 …
X-RAY Approaches • Key Recovery • Guess key, then match ciphertext to some part of plaintext • Key validation • Recover several keys or pieces of keys • Do the keys match with respect to given encryption method? P e8 00 00 5d ^ ^ ^ ^ C 71 99 99 c4 99 99 99 99
X-RAY Approaches • Invariant scanning • Can reduce ciphertext and then compare against reduced plaintext • Very fast • Check Rc == Rp C 71 99 99 c4 P e8 00 00 5d C >> 1 71 99 99 c4 P >> 1 e8 00 00 5d Rc =C ^ (C>>1) e8 00 5d Rp =P ^ (P>>1) e8 00 5d
p0 p1 p2 p3 P e8 00 00 5d C E8^99 00^99 00^99 5d^99 E8^99 00^99 00^99 5d^99 C >> 1 Rc =C ^ (C>>1) p0^p1 p1^p2 p2^p3 P p0 p1 p2 p3 P >> 1 p0 p1 p2 p3 Rp =P ^ (P>>1) p0^p1 p1^p2 p2^p3 Invariant Example Label each plaintext character Reduce Ciphertext Reduce Plaintext
How to apply X-RAYing • Want to filter out files for X-RAYing • Use file geometry, positions and sizes of segments that characterize infected objects (e.g., virus decryptor, virus body, min/max size of decryptor, min infected file size, …) • Use frequency analysis • Encrypted bytes will have fairly random distribution • Look at ratio of zero bytes to non-zero bytes
How to apply X-RAYing • Choice of signatures • Look at segments from begin, middle, and end of last section • Length of signatures • Related to unicity distance • If a virus has a max key length of n bits, add n bits to plaintext signature • Want to avoid false positives • Misalignment (e.g., sub on 4 bytes instead of single bytes)
W95/PerenastXOR cipher • To encrypt: • XOR dword (32 bits) of virus with a key • Add encrypted value to key to produce next key • Rotate key i times (later variants did this) • 1011 rotated 1 time to right: 1101 • Jump to step 1 if virus not encrypted • To X-RAY: • XOR first 2 dwords of ciphertext with first 2 dwords of plaintext • Compute the difference (may need to rotate second dword value if key was rotated)
W32/Efish.ASubstitution Cipher • Uses a 256 byte substitution table • Key size of XOR: 256 bits • Key size of 16x16 byte substitution table: 256! possible tables • Use geometry of file • If a duplicate byte value occurs within 256 bytes of its duplicate, then the 256 bytes cannot be the key • Have to do this fast!
X-RAY Problems • Multiple layers of encryption with a changing key are too expensive to X-RAY • If each layer of encryption uses a fixed key with simple operations (e.g., XOR, ROR, etc.), then X-RAYing can be done • Unaligned layers cause too much diffusion
W32/MagistrMore Advanced X-RAY techniques • Many operations such as XOR, ADD, shifts, etc. are often used to modify the key each round (“running keys”) • Can X-RAY by trying each possible operation, but it needs more data For i = 0 to VIRUS_SIZE p[i] = c[i] ^ k1 k1 = k1 + k2 (these 2 lines can k1 = k1 rol k3 can be swapped) end for
W32/Magistr // encrypting virus code For i = 0 to VIRUS_SIZE p[i] = c[i] ^ k1 k1 = k1 + k2 (these 2 lines can k1 = k1 rol k3 can be swapped) end for • Assume order is ADD then ROL • XOR 2nd encrypted dword (try all 31 ROL arguments) • For some i in the 31 ROL results, result - k1 yields ADD value (k2) • Check by encrypting 3rd dword of plaintext
Homophonic Cipher • NOON could encrypt to ERTY • Notice N and O encrypt to 2 different ciphertext letters • Will work as long as each ciphertext symbol maps to a unique plaintext symbol • Hides frequency distribution
W32/Efish.CHomophonic Cipher • Build decryption keys • For each ci and pi,record decryption key • If 2 distinct plaintext values map to the same decryption key, cipher is not substitution or homophonic • If there are multiple encrypted values for a given plaintext element, it’s homophonic • Brute force for this is SLOW
W32/Efish.CAttacking PRNG • Using timestamps, C rand() function is bad • Take care to seed PRNG well • Efish.C uses a PRNG named the Mersenne Twister • With 94% chance, a random substitution table is used, or • 6% of the time, it searches for an unused plaintext byte
W32/Efish.CAttacking PRNG • After ~350 bytes, the chance of an unused byte is less than 10-9 • So after the 350th byte, it’s just a substitution cipher • Use frequency analysis, determine if a virus uses a simple substitution cipher • If frequencies are not preserved, we know it’s not a substitution cipher
Questions? (Make sure you got leaked document on midterm and copy of X-RAY paper)
W32/Efish.AScanning for duplicate bytes • Naïve solution • Consider first 5 bytes, if duplicate found, slide 5-byte window one position down • It takes 4 bytes to stop the scan on first scan • It takes 3 bytes to stop for the next scan, and it’s the first 2 bytes • End up looking at same bytes multiple times 0 1 2 3 4 … 52 f2 ce f2 09 …
W32/Efish.AMore Efficient Scanning • Better solution • Start from end • If duplicate seen, slide window down 256 – examined bytes • If positions 442 and 431 are the first duplicates, we can start scanning at position 432 • On average, it takes ~20 bytes to find duplicate 0 1 2 … 431 … 442 … 52 f2 ce … 08 … 08 …
Other X-RAY Options • For W95/Perenast, the encryption is encrypt: c = p ^ k k = k – c loop encrypt • If p == 0, then k becomes 0 • If any bits in p are 0, then those bits become 0 in k
W32/Bagif • Used 2 layers of encryption • First layer is a polymorphic decryptor that builds a second layer decryptor that decrypts virus body • For 2nd layer, to encrypt: • Initialize counter to VIRUS_SIZE • XOR byte with last 8 bits of 32-bit key • Rotate key right by one bit • Subract counter from key, decrement counter • Jump to step 2 if counter not 0
X-RAYing W32/Bagif • To X-RAY, do reverse: • We can quickly get last 8 bits of key, k, from last byte of virus body • last encrypted virus byte XOR last plaintext virus byte (set c = 2) • Set k = c + k, then increment c • Rotate k left by one bit • XOR ciphertext byte with known 7 bits of key plus 1 unknown bit • Jump to step 2 if counter not VIRUS_SIZE
Multiple Layers of Encryption • Recover code and data keys from decryptor • Recover code key to X-RAY data key (check for often-used opcodes in decryptor) • Data key usually spread through many instructions • May need emulator