1 Part I PS 3 discussion of SPINS paper CS 588 February 22, 2005

Slides:



Advertisements
Similar presentations
Using Cryptography to Secure Information. Overview Introduction to Cryptography Using Symmetric Encryption Using Hash Functions Using Public Key Encryption.
Advertisements

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
Smita Thaker 1 Polymorphic & Metamorphic Viruses Presented By : Smita Thaker Dated : Nov 18, 2003.
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Sri Lanka Institute of Information Technology
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 5
Dr. Richard Ford  Szor 7  Another way viruses try to evade scanners.
Creating Secret Messages. 2 Why do we need to keep things secret? Historically, secret messages were used in wars and battles For example, the Enigma.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Wired Equivalent Privacy (WEP)
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
CS Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.
Lecture 23 Symmetric Encryption
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Security 2 Distributed Systems Lecture# 15. Overview Cryptography Symmetric Assymeteric Digital Signature Secure Digest Functions Authentication.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
History and Background Part 1: Basic Concepts and Monoalphabetic Substitution CSCI 5857: Encoding and Encryption.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Secure Aggregation for Wireless Networks Lingxuan Hu David Evans [lingxuan, Department of Computer.
Modes of Operation. Topics  Overview of Modes of Operation  EBC, CBC, CFB, OFB, CTR  Notes and Remarks on each modes.
Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
Chapter 20 Symmetric Encryption and Message Confidentiality.
Chapter 20 Symmetric Encryption and Message Confidentiality.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Module 3 – Cryptography Cryptography basics Ciphers Symmetric Key Algorithms Public Key Algorithms Message Digests Digital Signatures.
Cracking DES Cryptosystem A cryptosystem is made of these parts: Two parties who want to communicate over an insecure channel An encryption algorithm that.
Cryptography Team Presentation 2
Telecommunications Networking II Lecture 41f Viruses and Worms.
Lecture 3 Page 1 Advanced Network Security Review of Cryptography Advanced Network Security Peter Reiher August, 2014.
Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.
1 University of Palestine Information Security Principles ITGD 2202 Ms. Eman Alajrami 2 nd Semester
Description of a New Variable-Length Key, 64-Bit Block Cipher (BLOWFISH) Bruce Schneier BY Sunitha Thodupunuri.
2004 Symantec Corporation, All Rights Reserved Principles and Practice of X-raying Frédéric Perriot Peter Ferrie Symantec Security Response.
Encryption No. 1  Seattle Pacific University Encryption: Protecting Your Data While in Transit Kevin Bolding Electrical Engineering Seattle Pacific University.
Computer Science 1 TinySeRSync: Secure and Resilient Time Synchronization in Wireless Sensor Networks Speaker: Sangwon Hyun Acknowledgement: Slides were.
Lecture 23 Symmetric Encryption
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Advanced Encryption Standard Dr. Shengli Liu Tel: (O) Cryptography and Information Security Lab. Dept. of Computer.
Cryptography and Network Security (CS435) Part Nine (Message Authentication)
Intro to Cryptography Lesson Introduction
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Invitation to Computer Science 5 th Edition Chapter 8 Information Security.
CSCE 201 Identification and Authentication Fall 2015.
Keyword search on encrypted data. Keyword search problem  Linux utility: grep  Information retrieval Basic operation Advanced operations – relevance.
Lecture 3 Page 1 CS 236 Online Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 5 Page 1 CS 236 Online More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Cryptographic Hash Function
Outline Desirable characteristics of ciphers Stream and block ciphers
Lecture 3: Symmetric Key Encryption
Chap 10 Malicious Software.
Outline Using cryptography in networks IPSec SSL and TLS.
Chap 10 Malicious Software.
Block Ciphers (Crypto 2)
CRYPTOGRAPHY & NETWORK SECURITY
Presentation transcript:

1 Part I PS 3 discussion of SPINS paper CS 588 February 22, 2005

2 Scenario Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly High-power base station

3 Message Authentication Code (MAC) Essentially a one-way hash function with a key, k Used for message integrity and authentication –If m is altered to m’ then MAC(m) ≠ MAC(m’) –Only those that know k can create correct MAC

4 Cryptographic Hash Chains fff x K 3 = f (x) K 2 = f (f (x))K 1 = f (f (f (x))) Initially store:K 0 = f 4 (x) K 1 = f 3 (x) verify f (K 1 ) = f(f 3 (x)) = K 0 K 2 = f 2 (x) verify f 2 (K 2 ) = f 2 (f 2 (x)) = K 0 time f is a one-way function: easy to calculate f(x), but difficult to invert f. K j = f (K j+1 )

5 µTesla [Perrig, et. al., 2002] Initially: sensor nodes know K 0 = f n (x) base station knows x Base station messages encrypted using K 1 = f n-1 (x) Nodes store and time stamp messages, but cannot decrypt them (yet) At time t 1, base station broadcasts K 1 Nodes verify f (K 1 ) = K 0 Nodes use K 1 to decrypt earlier messages Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K 1 after K 1 was revealed

6 Part II Viruses and Cryptography Principles and Practise of X-RAYING F. Perriot, P. Ferrie Virus Bulletin, Sept. 2004

7 Lessons to Learn Simple methods of encryption are prevalent Viruses provide good applications of things you have seen in this class so far Another security trade-off –Resources in sensornets –Speed in virus scanning

8 Introduction Cohen’s definition of a virus –A program that is able to infect other programs by modifying them to include a possibly evolved copy of itself Win32 PE file (.exe) virus

9 Historical Glimpse of Malware “Elk Cloner” –1982: First PC virus –Displayed poem after 50 th reset Morris Worm –1988: A network program that attacked many different vulnerabilities to compromise machine Blaster Worm –2004: Typical unpatched UVa CS machine compromised ~1 to 2 minutes

10 Virus Infection (PE files) Easiest way is to prepend while overwriting host application beginning –Original application will not work Can append into last section of PE file –Change entry point to beginning of the virus –Insert jmp at entry point to jump to the virus Virus writers need something more to fight detection

11 Armored Viruses Encryption –Thwarts disassembly –Can hide virus code ; From W95/Mad.2736 Virus ; movsrc, dest movecx, LENGTH_OF_VIRUS Decrypt: xor[edi], al; key is in al incedi loopDecrypt; decrement ecx

12 Detecting Encrypted Viruses Polymorphic viruses mutate decryptors Static decryptors are easier to detect –Advanced polymorphic virus decryptors can still be statically detected MtE has a constant, conditional backwards jump –Use wildcards in matching algorithm (e.g., 0x75 ?? 0xBF)

13 More complicated Decryption Decryptor Decryptor n

14 Other complicating methods of Decryption Virus can use brute force to decrypt (no key needed) Multiple layers of encryption Key can slide, shift Non-linear decryption (substitution) Debuggers can modify decryption code (e.g., when decryption code is used as key) –Emulators may optimize decryption code

15 X-RAY detection X-RAY –Attacking the encryption of the virus code Virus encryption is usually weak Only have a few seconds (make it fast) 7199 c4 e800 5dP C If XOR is only encryption used, how can we quickly determine key?

16 Why X-RAY Can be cheaper (faster) than emulation Emulator may not be able to emulate virus Decryptors can be buggy Works on ~50% of recent Win32 viruses

17 X-RAY Overview Known-plaintext attack –Assume we know virus body (or variant) –Just need to know if the virus is really present Sliding x-ray C7199 c4 C7199 c425 C7199 c425 …

18 X-RAY Approaches Key Recovery –Guess key, then match ciphertext to some part of plaintext Key validation –Recover several keys or pieces of keys –Do the keys match with respect to given encryption method? 7199 c4 e800 5dP C ^^^^ 99

19 X-RAY Approaches Invariant scanning –Can reduce ciphertext and then compare against reduced plaintext –Very fast –Check R c == R p 7199 c4e800 5dPC 7199 c4C >> 1 e8005dR c = C ^ (C>>1) e800 5dP >> 1 e8005dR p = P ^ (P>>1)

20 P C >> 1 R c = C ^ (C>>1) C P P >> 1 R p = P ^ (P>>1) Reduce Ciphertext Reduce Plaintext Label each plaintext character e800 5d p0p1p2p3 Invariant Example E8^9900^99 5d^99 p0^p1 p1^p2p2^p3 p0p1p2p3 p0p1p2p3 p0^p1p1^p2p2^p3 E8^9900^99 5d^99

21 How to apply X-RAYing Want to filter out files for X-RAYing –Use file geometry, positions and sizes of segments that characterize infected objects (e.g., virus decryptor, virus body, min/max size of decryptor, min infected file size, …) –Use frequency analysis Encrypted bytes will have fairly random distribution Look at ratio of zero bytes to non-zero bytes

22 How to apply X-RAYing Choice of signatures –Look at segments from begin, middle, and end of last section Length of signatures –Related to unicity distance –If a virus has a max key length of n bits, add n bits to plaintext signature –Want to avoid false positives Misalignment (e.g., sub on 4 bytes instead of single bytes)

23 W95/Perenast XOR cipher To encrypt: 1.XOR dword (32 bits) of virus with a key 2.Add encrypted value to key to produce next key 3.Rotate key i times (later variants did this) 1011 rotated 1 time to right: Jump to step 1 if virus not encrypted To X-RAY: –XOR first 2 dwords of ciphertext with first 2 dwords of plaintext –Compute the difference (may need to rotate second dword value if key was rotated)

24 W32/Efish.A Substitution Cipher Uses a 256 byte substitution table –Key size of XOR: 256 bits –Key size of 16x16 byte substitution table: 256! possible tables Use geometry of file –If a duplicate byte value occurs within 256 bytes of its duplicate, then the 256 bytes cannot be the key –Have to do this fast!

25 X-RAY Problems Multiple layers of encryption with a changing key are too expensive to X-RAY If each layer of encryption uses a fixed key with simple operations (e.g., XOR, ROR, etc.), then X-RAYing can be done Unaligned layers cause too much diffusion

26 W32/Magistr More Advanced X-RAY techniques Many operations such as XOR, ADD, shifts, etc. are often used to modify the key each round (“running keys”) Can X-RAY by trying each possible operation, but it needs more data For i = 0 to VIRUS_SIZE p[i] = c[i] ^ k1 k1 = k1 + k2 (these 2 lines can k1 = k1 rol k3 can be swapped) end for

27 W32/Magistr Assume order is ADD then ROL XOR 2nd encrypted dword (try all 31 ROL arguments) For some i in the 31 ROL results, result - k1 yields ADD value (k2) Check by encrypting 3rd dword of plaintext // encrypting virus code For i = 0 to VIRUS_SIZE p[i] = c[i] ^ k1 k1 = k1 + k2 (these 2 lines can k1 = k1 rol k3 can be swapped) end for

28 Homophonic Cipher NOON could encrypt to ERTY Notice N and O encrypt to 2 different ciphertext letters Will work as long as each ciphertext symbol maps to a unique plaintext symbol Hides frequency distribution

29 W32/Efish.C Homophonic Cipher Build decryption keys –For each c i and p i, record decryption key –If 2 distinct plaintext values map to the same decryption key, cipher is not substitution or homophonic –If there are multiple encrypted values for a given plaintext element, it’s homophonic –Brute force for this is SLOW

30 W32/Efish.C Attacking PRNG Using timestamps, C rand() function is bad Take care to seed PRNG well Efish.C uses a PRNG named the Mersenne Twister –With 94% chance, a random substitution table is used, or –6% of the time, it searches for an unused plaintext byte

31 W32/Efish.C Attacking PRNG After ~350 bytes, the chance of an unused byte is less than –So after the 350th byte, it’s just a substitution cipher Use frequency analysis, determine if a virus uses a simple substitution cipher –If frequencies are not preserved, we know it’s not a substitution cipher

32 Questions? (Make sure you got leaked document on midterm and copy of X-RAY paper)

33 W32/Efish.A Scanning for duplicate bytes Naïve solution –Consider first 5 bytes, if duplicate found, slide 5- byte window one position down –It takes 4 bytes to stop the scan on first scan –It takes 3 bytes to stop for the next scan, and it’s the first 2 bytes –End up looking at same bytes multiple times 52f2cef209… 01234…

34 W32/Efish.A More Efficient Scanning Better solution –Start from end –If duplicate seen, slide window down 256 – examined bytes If positions 442 and 431 are the first duplicates, we can start scanning at position 432 On average, it takes ~20 bytes to find duplicate … 52f2ce…08… … … …

35 Other X-RAY Options For W95/Perenast, the encryption is encrypt:c = p ^ k k = k – c loop encrypt If p == 0, then k becomes 0 If any bits in p are 0, then those bits become 0 in k

36 W32/Bagif Used 2 layers of encryption –First layer is a polymorphic decryptor that builds a second layer decryptor that decrypts virus body For 2nd layer, to encrypt: 1.Initialize counter to VIRUS_SIZE 2.XOR byte with last 8 bits of 32-bit key 3.Rotate key right by one bit 4.Subract counter from key, decrement counter 5.Jump to step 2 if counter not 0

37 X-RAYing W32/Bagif To X-RAY, do reverse: 1.We can quickly get last 8 bits of key, k, from last byte of virus body last encrypted virus byte XOR last plaintext virus byte (set c = 2) 2.Set k = c + k, then increment c 3.Rotate k left by one bit 4.XOR ciphertext byte with known 7 bits of key plus 1 unknown bit 5.Jump to step 2 if counter not VIRUS_SIZE

38 Multiple Layers of Encryption Recover code and data keys from decryptor Recover code key to X-RAY data key (check for often-used opcodes in decryptor) Data key usually spread through many instructions –May need emulator