English Shellcode. Joshua Mason, Sam Small (Johns Hopkins University); Fabian Monrose (University of North Carolina); Greg MacManus (iSIGHT Partners). 16th ACM CCS.

- Introduction
- On the arms race
- Related work
- Our approach
- Automatic generation
- Implementation
- Evaluation
Advanced Defense Lab

- Code-injection attack
  - Source code for a scripting language
  - Byte-code
  - Machine code
- The common component
  - The injected code, or … shellcode

- Shellcode is delivered in tandem with the exploitation.
  - Store shellcode in memory, then exploit
- Shellcode takes the form of directly executable machine code.
- Polymorphism

- Even polymorphic shellcode is constrained by an essential component: the decoder.
- Shellcode is fundamentally different in structure from non-executable payload data.
- This paper!!!
[Figure: Decoder | Encoded data]

- Automatically producing English shellcode
- Although it is not indistinguishable from authentic English prose.
- Do you want to analyze?

- Shellcode developers are often faced with constraints that limit the range of byte values accepted.
  - e.g. printable, alphanumeric, MIME
- Encoding
- Self-modification

- Much of the literature describing code-injection attacks assumes a standard attack template.
  - A NOP sled, shellcode, and one or more pointers
- While emulation and static analysis have been successful in identifying some failings of advanced shellcode…
  - But… overhead

- It has been suggested that malicious polymorphic behavior cannot be modeled effectively.
  - "On the Infeasibility of Modeling Polymorphic Shellcode", by Y. Song et al.

- Limit the spoils of exploitation and prevent developers from writing vulnerable code
- Preventing the execution of injected code
- Content-based input validation
  - Polymorphic
    - To identify self-decrypting shellcode
    - But … non-self-contained polymorphic shellcode

- Shellcode is simply an ordered list of machine instructions.
  - "Shake Shake Shake!"
  - push %ebx; push "ake "; push %ebx; push "ake "; push %ebx; push "ake!"
  - But add, mov, call
- To develop an automated approach
  - Arbitrary shellcode
  - English representation

- English shellcode is completely self-contained.

- The decoder must be English-compatible
  - Cannot use many instructions
    - E.g. loop instructions
- Our decoder has the form:
  - Initialization
  - Decoder
  - Encoded payload

- Only English-compatible instructions
- English-compatible instructions that can produce useful instructions
- Favor instructions that have less-constrained ASCII equivalents
  - push %eax ("P") > push %ecx ("Q")

- Overwriting registers and patching some instructions
- Using the inc instruction and manipulating the alignment of the stack


- "and r/m8, r8" (0x20, the ASCII space character)
  - add
    - lods (load string from esi)

- Two pointers: %esi, %edi
  - "," and " "
  - "u" and "decode"
  - "G"


- Using the popa instruction (ASCII character "a")
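The byte-to-instruction correspondence the preceding slides rely on ("Shake Shake Shake!" decoding to push instructions, "P" and "Q" as push %eax and push %ecx, 0x20 as and r/m8, r8, "a" as popa) can be checked with a minimal decoder for just that single-byte x86 subset. This is an added illustration, not the paper's or the presenter's code; it shows why a byte-range filter cannot tell English text from executable code, which is the detection problem the talk is about.

```python
"""Decoder for the single-byte x86 (32-bit) subset the slides rely on.
Added example; not the paper's or the presenter's code."""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

def _modrm(data, i):
    """Decode ModRM (+ SIB/displacement) at data[i]; return (reg, operand, next_i).
    The SIB 'no index' (index=4) and 'no base' (base=5, mod=0) cases are not handled."""
    mod, reg, rm = data[i] >> 6, (data[i] >> 3) & 7, data[i] & 7
    i += 1
    if mod == 3:                                  # register operand
        return reg, "%" + REGS8[rm], i
    if rm == 4:                                   # SIB byte follows
        sib = data[i]; i += 1
        mem = "(%%%s,%%%s,%d)" % (REGS[sib & 7], REGS[(sib >> 3) & 7], 1 << (sib >> 6))
    else:
        mem = "(%%%s)" % REGS[rm]
    if mod == 1:                                  # 8-bit signed displacement
        mem = "%d%s" % (struct.unpack_from("<b", data, i)[0], mem); i += 1
    elif mod == 2 or (mod == 0 and rm == 5):      # disp32 (mod=0, rm=5: absolute address)
        mem = "%d%s" % (struct.unpack_from("<i", data, i)[0], mem if mod == 2 else ""); i += 4
    return reg, mem, i

def decode(data):
    """Return AT&T-style instructions for a byte string, or raise ValueError
    at the first byte outside the English-compatible subset."""
    out, i = [], 0
    while i < len(data):
        op = data[i]; i += 1
        if 0x40 <= op <= 0x47:   out.append("inc %%%s" % REGS[op - 0x40])     # '@'..'G'
        elif 0x48 <= op <= 0x4F: out.append("dec %%%s" % REGS[op - 0x48])     # 'H'..'O'
        elif 0x50 <= op <= 0x57: out.append("push %%%s" % REGS[op - 0x50])    # 'P'..'W'
        elif 0x58 <= op <= 0x5F: out.append("pop %%%s" % REGS[op - 0x58])     # 'X'..'_'
        elif op == 0x60: out.append("pusha")                                  # '`'
        elif op == 0x61: out.append("popa")                                   # 'a'
        elif op == 0x68:                                                      # 'h': push imm32
            if i + 4 > len(data): raise ValueError("truncated push imm32")
            out.append('push "%s"' % data[i:i + 4].decode("latin-1")); i += 4
        elif op == 0x6A:                                                      # 'j': push imm8
            out.append("push $0x%02x" % data[i]); i += 1
        elif op == 0x20:                                                      # ' ': and r/m8, r8
            reg, rm, i = _modrm(data, i)
            out.append("and %%%s, %s" % (REGS8[reg], rm))
        else:
            raise ValueError("byte 0x%02x at offset %d is outside the subset" % (op, i - 1))
    return out
```

Running decode(b"Shake Shake Shake!") reproduces the instruction sequence on the slide; a letter such as "z" stops the decoder because it lies outside this subset.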

- Taken as-is, the custom decoder will have common English characters, but will not have the appearance of English text.
- Add some instructions between decoder instructions
- Augmenting a statistical language generation algorithm.

- n-gram model length is 5
- The i-th instruction in the decoder has level i
- A sentence has score i when it completes level i


- Using a beam search algorithm
- Keep the best m (= 20,000) candidates during the process
- For the encoded payload, observe how many target bytes are encoded

- The training data
  - Over 15,000 Wikipedia articles
  - 27,000 books from Project Gutenberg
- The language engine was constructed in Java using the LingPipe API
- Scoring engine
  - using the ptrace API
  - Executor
  - Watcher
- Taking 12 hours


- Emulation
  - Expands 1 instruction into tens of instructions
- Monitored direct execution
  - Maintain 2 machine states
  - Use 3 separate stacks
  - Pause on 2 conditions
    - Encounter a jump
    - Change memory
  - Roughly in less than 1 hour

- exit(0)
  - 2054 bytes

- Windows Bind DLL Inject