
Impeding Malware Analysis Using Conditional Code Obfuscation
Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee
Conference: Network and Distributed System Security Symposium (NDSS), 2008
Presented by: LIU Limin

Outline
Introduction
Conditional Code Obfuscation
Implications
Implementation and Evaluation
Discussion

Introduction
Hundreds of new malware samples appear every day.
– Trojans, rootkits, worms, viruses, backdoors …
Automated malware analysis becomes increasingly important.
– Static analysis
– Dynamic analysis
– State-of-the-art analyzers

Malware Analysis
Offense
– Polymorphism, metamorphism and opaque predicates.
– Trigger-based behavior (time bombs, logic bombs, bot commands, etc.)
Defense
– Static analysis
– Dynamic analysis
– Input-oblivious analyzers (dynamic multiple-path exploration, forced execution)

Obfuscation
Obfuscations that are easy to apply to existing code can be a threat.
Conditional Code Obfuscation: a simple, automated and transparent obfuscation against powerful input-oblivious analyzers.


Conditional Code Snippets
E.g. 1:
    cmd = get_command(sock);
    if (strcmp(cmd, "startkeylogger") == 0) {
        log_keys();
    }
E.g. 2:
    n = get_day_of_month();
    if ((n > 10) && (n < 20)) {
        attack();
    }

Obfuscated Example Snippet
Original code:
    cmd = get_command(sock);
    if (strcmp(cmd, "startkeylogger") == 0) {
        log_keys();
    }
Obfuscated code (the hash is one-way):
    cmd = get_command(sock);
    if (hash(cmd) == H) {  /* here, H = hash("startkeylogger") */
        decrypt_function(encr_log_keys, cmd);
        encr_log_keys();   /* encrypted log_keys */
    }

General Obfuscation Mechanism
Hash properties
– Pre-image resistance: infeasible to find c given H_c.
– Second pre-image resistance: hard to find another c' for which Hash(c') = H_c.
Candidate conditions
– Equality operators: '==', strcmp, strncmp, memcmp …
– Unsupported operators: '>', '<' …
Conditional code
– Code that gets executed when a condition is satisfied.

Automation Using Static Analysis
Finding Conditional Code
– Identify candidate conditions
  Construct a CFG for each function
  Identify basic blocks having conditional branches
  Select the candidate conditions that contain equality operators
– Find the corresponding conditional code
  Intra-procedural: basic blocks that are control dependent on the condition's true outcome
  Inter-procedural: the set of functions reachable only when the condition is satisfied

Automation Using Static Analysis
Handling Common Conditional Code
– Duplicate the code and encrypt it separately for each candidate condition.

Simplifying Compound Constructs
Operators (&&, || …) combine more than one simple condition.
Break compound conditions into semantically equivalent but simplified conditions.


Consequences to Existing Analyzers
Path exploration and input discovery
– Construct constraints for each path (e.g. X == c).
Input discovery (EXE)
– Discover inputs from constraints by using symbolic execution.
– The obfuscated constraint is "Hash(X) == H_c"; it is infeasible to reverse the hash function.

Consequences to Existing Analyzers
Forcing execution
– Force execution along a specific path without solving the constraints.
– Without the key, the program crashes.
Static analysis
– The behavior is concealed in the encrypted block.

Attacks
Brute Force and Dictionary Attacks
– Constraint: Hash(X) = H_c. Find a possible X that satisfies the above equation.
– Domain(X): the set of all possible values that X may take during execution.
– t: the time taken to test a single value of X, i.e. the hash computation time.
– Brute force attempt: time = |Domain(X)| * t. If X is n bits in length, the attack requires 2^n * t time.


Implementation
Platform: Linux
Input: C/C++ source; Output: ELF binary
Four phases:
– Front-end code parsing phase
– Analysis/transformation phase
– Code generation phase
– Encryption phase
Two levels:
– Binary level: decrypted code is executable
– Intermediate code level: data type information

Analysis Phase
Candidate condition replacement
– Identify candidate conditions and their conditional code
– Hash function: SHA-256
Decipher routine
– Encryption algorithm: AES with 256-bit keys
Decryption key and markers
– Key(X) = Hash(X|N), where N is a nonce.
– Marker: foresees the exact location of the corresponding code in the resulting binary file.

Encryption Phase
Identify code blocks needing encryption.
Extract the encryption key K_c.
Replace K_c and End_marker() with NOP instructions.
Calculate the size of the block to be encrypted.
Place the size as an argument to the call to Decipher.
Encrypt the block with the key K_c.

Experimental Evaluation
Evaluate the system by determining how many manually identified trigger-based malicious behaviors were automatically and completely obfuscated.
Three levels of obfuscation strength:
– Strong: strings
– Medium: integers
– Weak: boolean flags


Strengths
Malware authors can modify their programs to improve the strength.
– Introducing more candidate conditions: query for resources and compare with the names; replace operators such as or != by ==.
– Increasing the size of the concealed code: incorporate triggers that encapsulate more execution behavior.
– Increasing the input domains: use variables with larger domains (e.g., strings) or integers of larger size.

Weaknesses
Limited types of conditions
– Equality checks only.
The input domain may be very small in some cases.
– 32-bit or 64-bit integers.

Possible Ways to Defeat
Equip analyzers with decryptors that reduce the key search space by taking the input domain into account.
– e.g. the result of, or an argument receiving data from, a system call such as gettimeofday.
Input-aware analysis.
– Collection mechanisms capture the interaction of the binary with its environment.
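Added example (not the paper's implementation or the presenter's code): it builds the obfuscated form of a trigger condition as described on the General Obfuscation Mechanism and Analysis Phase slides, with H_c = SHA-256(c) and key = Hash(X|N), and then shows the analyst-side domain enumeration from the Attacks and Possible Ways to Defeat slides. AES-256 is replaced by a SHA-256 XOR keystream so the block runs on the standard library alone; the nonce, trigger values, dictionary and code string are constructed sample values.

```python
import hashlib

# Added example, not the paper's implementation. The slides use SHA-256 for
# H_c and AES-256 with key = Hash(X|N); this stand-in keeps that key
# derivation but replaces AES with a SHA-256 XOR keystream (an assumption
# made so the example runs on the standard library alone).
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256: XOR data with SHA-256(key || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = H(key + (i // 32).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def obfuscate(c: bytes, code: bytes, nonce: bytes):
    """Obfuscator output for 'if (X == c) { code }': (H_c, N, E_Kc(code))."""
    return H(c), nonce, xor_stream(H(c + nonce), code)

def run_obfuscated(x: bytes, h_c: bytes, nonce: bytes, encr: bytes):
    """Transformed program: 'if (Hash(X) == H_c)' then decrypt with Hash(X|N)."""
    if H(x) != h_c:
        return None                      # condition not met; key unavailable
    return xor_stream(H(x + nonce), encr)

def recover_trigger(h_c: bytes, domain):
    """Analyst side: enumerate a bounded input domain or a dictionary instead
    of inverting SHA-256; returns the trigger value c or None."""
    return next((x for x in domain if H(x) == h_c), None)

# Constructed sample data (not from the paper).
NONCE = bytes(range(16))
CODE = b"log_keys(); /* the concealed conditional code */"
DAY_TRIGGER = (15).to_bytes(4, "little")        # if (day == 15)
CMD_TRIGGER = b"startkeylogger"                 # if (strcmp(cmd, ...) == 0)
DAY_OBF = obfuscate(DAY_TRIGGER, CODE, NONCE)
CMD_OBF = obfuscate(CMD_TRIGGER, CODE, NONCE)
# Weak: get_day_of_month() yields only 1..31, so 31 hashes recover the trigger.
DAY_DOMAIN = [n.to_bytes(4, "little") for n in range(1, 32)]
# Strong: a 14-byte string has a 2^112 domain; only a good dictionary helps.
CMD_DICTIONARY = [b"ping", b"update", b"ddos", b"startkeylogger"]

if __name__ == "__main__":
    day = recover_trigger(DAY_OBF[0], DAY_DOMAIN)
    print(int.from_bytes(day, "little"), run_obfuscated(day, *DAY_OBF))
    print(recover_trigger(CMD_OBF[0], CMD_DICTIONARY))
```

The integer trigger falls to 31 hash computations, while the string trigger is found only because the constructed dictionary happens to contain it; that gap is the strong/medium/weak split of the evaluation slide.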

Conclusion
An obfuscation scheme that can be automatically applied to malware programs.
The obfuscation conceals trigger-based malicious behavior from state-of-the-art malware analyzers.
Experiments show that the obfuscation scheme is capable of concealing a large fraction of malicious triggers.