The 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Reuse-Oriented Camouflaging Trojan: Vulnerability Detection and Attack.

Slides:



Advertisements
Similar presentations
Introduction to C Programming
Advertisements

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Chapter 7: User-Defined Functions II
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
COMP3221: Microprocessors and Embedded Systems Lecture 12: Functions I Lecturer: Hui Wu Session 2, 2005.
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
1 Programming for Engineers in Python Autumn Lecture 5: Object Oriented Programming.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
Chapter 11-14, Appendix D C Programs Higher Level languages Compilers C programming Converting C to Machine Code C Compiler for LC-3 Please return breadboards.
Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.
CS 201 Functions Debzani Deb.
Compiler Summary Mooly Sagiv html://
C++ fundamentals.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CMPE13Cyrus Bazeghi Chapter 14 Functions in C. CMPE13 2 Functions Smaller, simpler, subcomponents of programs Provide abstraction –hide low-level details.
© Copyright 1992–2005 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Tutorial 10 – Enhancing the Wage Calculator Application:
Chapter 06 (Part I) Functions and an Introduction to Recursion.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.
Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution Zhiqiang Lin 1 Xuxian Jiang 2, Dongyan Xu 1, Xiangyu Zhang 1 1.
Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.
Deriving Input Syntactic Structure From Execution Zhiqiang Lin Xiangyu Zhang Purdue University November 11 th, 2008 The 16th ACM SIGSOFT International.
Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution Zhiqiang Lin 1 Xuxian Jiang 2, Dongyan Xu 1, Xiangyu Zhang 1 1.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University IWPSE 2003 Program.
Chapter 3 Top-Down Design with Functions Part II J. H. Wang ( 王正豪 ), Ph. D. Assistant Professor Dept. Computer Science and Information Engineering National.
A Generic Approach to Automatic Deobfuscation of Executable Code Paper by Babak Yadegari, Brian Johannesmeyer, Benjamin Whitely, Saumya Debray.
1 Chapter 6 Methods. 2 Motivation Find the sum of integers from 1 to 10, from 20 to 30, and from 35 to 45, respectively.
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
Buffer overflow and stack smashing attacks Principles of application software security.
Functions Illustration of: Pass by value, reference Scope Allocation Reference: See your CS115/215 textbook.
Functions Math library functions Function definition Function invocation Argument passing Scope of an variable Programming 1 DCT 1033.
Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Purdue University.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Programming Fundamentals Enumerations and Functions.
1 Compiler Construction Run-time Environments,. 2 Run-Time Environments (Chapter 7) Continued: Access to No-local Names.
RealTimeSystems Lab Jong-Koo, Lim
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
1 Sections 6.4 – 6.5 Methods and Variables Fundamentals of Java: AP Computer Science Essentials, 4th Edition Lambert / Osborne.
Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach.
Run-Time Environments Presented By: Seema Gupta 09MCA102.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham.
Chapter 14 Functions.
Compilers Principles, Techniques, & Tools Taught by Jing Zhang
ENERGY 211 / CME 211 Lecture 25 November 17, 2008.
Chapter 14 Functions.
©2016 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Stack Lesson xx   This module shows you the basic elements of a type of linked list called a stack.
Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
Chapter 9 :: Subroutines and Control Abstraction
Functions Inputs Output
Chap. 8 :: Subroutines and Control Abstraction
Chap. 8 :: Subroutines and Control Abstraction
Chapter 5 Function Basics
Chapter 6 Methods: A Deeper Look
Procedural Programming
Topic 3-a Calling Convention 1/10/2019.
Machine Level Representation of Programs (IV)
Discovering Data Structures
Symbol Table 薛智文 (textbook ch#2.7 and 6.5) 薛智文 96 Spring.
IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue.
Chapter 14 Functions.
Topic 2b ISA Support for High-Level Languages
Return-to-libc Attacks
Abstract Data Types and Stacks
Chapter 14 Functions.
Implementing Functions: Overview
Introduction to Classes and Objects
Presentation transcript:

The 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Reuse-Oriented Camouflaging Trojan: Vulnerability Detection and Attack Construction Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Purdue University July 1st, 2010

Background: reuse-oriented attack Return-into-libc attack Library call Return-oriented-programming [Shacham, CCS’07] Gadget (Short instruction sequences) Coarse-grained reuse from legal binary Legal Functions system("/bin/sh") Gadget (in libc): pop eax pop ebx ret

Feasibility Binary is everywhere Legal binaries contain the functional features for malicious purposes.

Feasibility (cont.) Incentive motivation to launch such attack No environment setup No stand-alone code to implement the malicious semantics Reuse Oriented Camouflaging (ROC) Trojan

Feasibility (cont.) vxheaven.org (260K malware pieces)

How the top 100 malware in 2008 infects computers Feasibility (cont.) Distribute? How the top 100 malware in 2008 infects computers

How to launch the ROC attack Step-I: attacker has a goal and gets a victim binary Step-II: attacker wishes to reuse some function f(x) to achieve his malicious goal Where is f Does f have side effect Where is x, how to access x Step-III: attacker patches f(x)  ROC Trojan Step-IV: attacker distributes ROC trojans Reuse of F(x): Patching argument x: { F(x) }  { F(y) } Duplication: { F(x) }  { F(x), F(y) } Feature extraction send(“alice”) send(“alice,bob”) Side effect analysis Argument reverse engineering send(“alice”, ”normal email”)  send(“alice”, ”normal email”), send(“alice”, ”spam email”)

A driving example Victim binary Attack goal Cheating sheet 1 struct Email_ADDRESS { 2 char *name; 3 char *domain; 4 Email_ADDRESS * next; 5 }; 6 Email_ADDRESS sender_addr; 7 8 void main () { 9 struct { 10 Email_ADDRESS * to; 11 Email_ADDRESS * from; 12 } header; 13 char body[BODY_SIZE]; 14 15 readconfig(&sender_addr); 16 if (use_default) header.from=&sender_addr 18 19 editor (&header, body); 20 send_mail (&header, body); 21 } Victim binary Attack goal Get an email copy whenever people uses it send email Cheating sheet Patching the next field in Email_ADDRESS of field to in argument header In the following of my talk, I will use a simplified email client software, to illustrate how we analyze the binary and launch our attack. At a high level, this email client has the following code. First of all, it declares a ADDRESS type, which is a link list. Then it has a main function, which first declares a header type data structure, and message body char array. Then it invokes readconfig function to fill the global variable myaddr, Invokes function editor, and finally send email. Our analysis will show there could be an email redirection attack, if we patch function send_mail. So how we reach this analysis. Actually, we have three key techniques. They are Feature extraction Side effect analysis Argument reverse engineering

I. Feature extraction Goal Dynamic analysis Track Get reusable functions f Dynamic analysis Track Call graph (CG) Data usage Data-Definition Data-Use Data-Propagation Input & Output Annotate CG with data used in the function 1 struct Email_ADDRESS { 2 char *name; 3 char *domain; 4 Email_ADDRESS * next; 5 }; 6 Email_ADDRESS sender_addr; 7 8 void main () { 9 struct { 10 Email_ADDRESS * to; 11 Email_ADDRESS * from; 12 } header; 13 char body[BODY_SIZE]; 14 15 readconfig(&sender_addr); 16 if (use_default) header.from=&sender_addr 18 19 editor (&header, body); 20 send_mail (&header, body); 21 }

I. Feature extraction a c d b e f g i h j k main editor read_config 1 struct Email_ADDRESS { 2 char *name; 3 char *domain; 4 Email_ADDRESS * next; 5 }; 6 Email_ADDRESS sender_addr; 7 8 void main () { 9 struct { 10 Email_ADDRESS * to; 11 Email_ADDRESS * from; 12 } header; 13 char body[BODY_SIZE]; 14 15 readconfig(&sender_addr); 16 if (use_default) header.from=&sender_addr 18 19 editor (&header, body); 20 send_mail (&header, body); 21 } editor read_config send_mail alice@bob.com c bob@bob.com Hello\r\n d b smtp_ehlo smtp_mail EHLO [10.0.0.4]\r\n e f g smtp_open i alice@bob.com h X-X-Sender: alice@bob.com\r\n To: bob@bob.com\r\n Hello\r\n MAIL FROM:<alice@bob.com>\r\n RCPT TO:<bob@bob.com>\r\n bob@bob.com Hello\r\n j EHLO [10.0.0.4]\r\n MAIL FROM:<alice@bob.com>\r\n RCPT TO:<bob@bob.com>\r\n X-X-Sender: alice@bob.com\r\n To: bob@alice.com\r\n Hello\r\n smtp_send k sys_write

I. Feature extraction – candidate function main A function instance f is candidate function f it is the common ancestor of all the function instances which use/define the observed data. editor read_config send_mail alice@bob.com c c bob@bob.com Hello\r\n d b smtp_ehlo smtp_mail EHLO [10.0.0.4]\r\n e f g smtp_open i h X-X-Sender: alice@bob.com\r\n To: bob@bob.com\r\n Hello\r\n MAIL FROM:<alice@bob.com>\r\n RCPT TO:< bob@bob.com >\r\n j EHLO [10.0.0.4]\r\n MAIL FROM:<alice@bob.com>\r\n RCPT TO:< bob@bob.com >\r\n X-X-Sender: alice@bob.com\r\n To: bob@alice.com\r\n Hello\r\n smtp_send k sys_write

II. Side effect analysis What A memory write in a function instance that is used after the function returns Why Only performed if we want to duplicate a function call, f(x), f(y) How Tracking memory write Heap variables Global variables Stack variables a a main editor read_config send_mail alice@bob.com c c bob@bob.com Hello\r\n d b smtp_ehlo smtp_mail EHLO [10.0.0.4]\r\n e f g smtp_open i h X-X-Sender: alice@bob.com\r\n To: bob@bob.com \r\n Hello\r\n MAIL FROM:<alice@bob.com>\r\n RCPT TO:< bob@bob.com >\r\n j EHLO [10.0.0.4]\r\n MAIL FROM:<alice@bob.com>\r\n RCPT TO:< bob@bob.com >\r\n X-X-Sender: alice@bob.com\r\n To: bob@alice.com\r\n Hello\r\n smtp_send k sys_write

III. Argument reverse engineering Now we have identified the candidate function f to patch, but How to pass the malicious arguments to f “Which argument x should be patched" “How to access x, without symbolic information “ Reference Graph A reference graph is a graph with nodes being the set of memory regions, and edges being the set of points-to relations Memory regions Points-to edges

III. Argument reverse engineering Mem snapshot send_mail Reference Graph Memory Differencing 0:arg0 bfff9960 (ESP) 4:arg1 bfffcf48 bfffcf12 4 From: <alice@bob.com> To: bob@bob.com Hello Hello 851bec0 8505c90 8 8 4 4 85075d8 851bf00 84c4d08 84c4d18 alice bob.com bob bob.com

III. Argument reverse engineering Mem snapshot bfff9960 (ESP) bfffcf48 bfffcf12 Hello 851bec0 8 85075d8 851bf00 4 alice bob.com 8505c90 84c4d08 84c4d18 bob send_mail Reference Graph Memory Differencing 0:arg0 4:arg1 Reference Path From: <alice@bob.com> To: bob@bob.com Hello Mem snapshot2 (*(*(ESP+0)+0)+8) bfff9970 (ESP) bfffcf58 bfffcf22 4 Hello 8521ec0 8 85075e8 851bf40 alice bob.com 8521c90 84c5c12 84c5d10 bob send_mail 8505b80 84c4500 84c4512 bob1 bob1.com From: <alice@bob.com> To: bob@bob.com, bob1@bob1.com Hello Patching the next field (+8) in Email_ADDRESS of field to (+0) in argument header (+0)

Put it all together Binary Patching Dynamic Analysis Candidate Functions f Side Effect Analysis Vulnerable Functions f Binary Patching ③ ② ② ① ① 0101010000 (app. binary) ③ ④ Attack Goal Feature Extraction ROC Attack Composer 1101010010 The final trojan Dynamic Analysis ② ② ③ Candidate Functions f Argument Reverse Eng. Reference Path x ROC: Reuse-Oriented Camouflaging

Implementation Dynamic analysis Binary patching Dynamic binary instrumentation Track memory reads (use), writes (definition), and data dependency, input/output, heap allocations, de-allocations, and call stack contexts, caller-callee relations (call graph)  Trace file Take snapshots of memory Offline analysis on the traces file Binary patching Binary rewriting/patching Leveraged widely used virus embedding technique

Implementation (cont.) Binary rewriting Helper Function Method Description BEFORE(int func) {code} insert the code block before func AFTER(int func) {code} insert the code block after func ENTRY(int func) {code} insert right inside func void get(int* field) retrieve the argument field void set(int* field, void* val) set the argument with val void duplicate(int func) duplicate the invocation of func BEFORE(send_mail){ set(&next_receipt, “ghost@somewhere.com"); } Safe Reference Path: (*(*(ESP+0)+0)+8)

Evaluation Benchmark Binary Size Attack Pine-4.63 6.3M Email Stealing/Spamming Mailx-12.4 712K Mutella-0.4.5 843K Introducing Covert C&C channel Peercast-0.1217 58K Gift-0.11.81 (libGnutella.so.0.11) 321K 657K File transferring

Discussion Achilles' heel of ROC Break the software modularity Binary integrity check Tripwire [Kim and Spafford, CCS’94] Up-to-date, globally consistent hash values Frequent, automatic software patching, decentralized distribution Break the software modularity Violate “software development principle” Seemingly Easy defense: killer heeling

Related work F(x) F(y) F(x) F(x) Binary reuse in malware analysis BCR [Caballero et al, NDSS’10] Inspector gadget [Kolbitsch et al, Oakland’10] Difference F(x) F(y) \ F(x) F(x)

Summary ROC trojan An analysis framework Dynamic binary analysis Feature extraction Side effect analysis Argument reverse engineering Binary patching Such attack is real, and can be constructed in a systematic way. However, defender can similarly detect ROC vulnerabilities in binaries

{zlin, xyzhang, dxu}@cs.purdue.edu Q & A Thank you For more information: {zlin, xyzhang, dxu}@cs.purdue.edu

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.