Quasi-Static Binary Analysis Hassen Saidi

Quasi-Static Analysis in VERNIER

Node level:
– Quasi-static analysis is a detector of malicious and bad behavior in Windows applications at the API level.
– In comparison to “syzygy”, it provides context (which libraries are invoking lower-level calls) for malicious and abnormal sequences of API calls.
– It allows the reduction of false positives, since it monitors the application based on an overapproximation of the API-level behavior.

Community level:
– Individual nodes provide information for improving the model: jump targets and arguments to API calls.
– Distribution of overhead: a few nodes run in full monitoring mode for the purpose of generating current attack signatures.
– Sharing of small signatures for detected attacks.
– Reduces monitoring overhead for members of the community while ensuring inoculation of members of the community.

Approach: Detection Through API Monitoring

Monitor API calls initiated by an application:
– Monitor user-level API calls: they provide context for kernel-level API calls.
– Deviations from a conservative model of API calls are bad behavior.

Model

For any Windows executable file:
– Capture DLL dependencies: static and dynamic.
– Capture the order of API calls (CFG).
– Capture statically determined arguments of API calls.

Example: snort.exe

[Dependency graph figure; node labels: snort, wsock32, sftptelnet, sf_dns, sf_dcerpc, sf_engine, wpcap, advapi32, libnetnt, odbc32, kernel32, pcre, ssh, smtp, ntdll]

Snort: 1298 dependencies (+ 22 dynamic dependencies) correspond to configuration file preferences.
Iexplorer: 1479 dependencies (+ 147 dynamic dependencies) correspond to initialization of IE.

Dependency Graph for snort.exe

Dependency Graph for Iexplorer.exe

Model (2)

DLL dependencies:
– Calls to APIs from different DLLs.
– Capture the CFG of .exe and .dll files.
– Capture statically determined arguments of API calls.

[CFG figure for advapi32; nodes: start, sub1, sub2, sub3, OpenFile, LoadLibraryExW(?,0,2). The call site is the instruction sequence Push 2 / Push 0 / Push ptr word [] / Call LoadLibraryExW: the two constant arguments (0, 2) are determined statically, the pointer argument (?) is not.]

Model building: 3 steps

1. Capture dependencies (.exe and .dlls): detect attacks that call APIs which should not occur given the dependencies.
2. Capture control- and data-flow properties of arbitrary Windows executables: detect attacks where API calls are out of order.
3. Capture arguments of API calls: detect attacks where API calls are invoked with unexpected arguments.

Monitoring and Detection: Use of StraceNt

Each API call is traced as API Name (arguments) and labelled as one of:
– API Name (): expected API call.
– API Name (): API call not allowed in this particular path.
– API Name (): API call allowed in this path but out of order.
– API Name (): API call allowed in this path and in the right order, but executed with unexpected arguments.

Snort vulnerability exploit

Discovered in February. Allows the execution of arbitrary commands with snort privileges and terminates snort. Does not require knowing the IP address of the machine that runs snort; any IP address within the network monitored by snort suffices.

[Figure: traced API calls of the exploit. DLL chains: apphelp, version, kernel32, ntdll / version, kernel32, ntdll / kernel32, ntdll. Calls: NtQuerryProcessInfo, NtSetProcessInfo, SetErrorMode(1), LoadLibraryExW(calc.exe,0,2), GetFileVersionInfoSizeW; SetErrorMode, LoadLibraryExW(libnameW,0,2), GetFileVersionInfoSizeW]

Monitoring Overhead

Running snort without monitoring: baseline (11s).
– Monitoring all API calls: 600%.

Monitoring targeted behavior:
– Monitoring only the API calls involved in the attack: 2%.
– Monitoring all registry API calls: 80%.
– Monitoring all file, process, and thread API calls: 70%.

Signature Generation and Distribution

The signature of the attack is the set of API calls that are either
– 1. unexpected,
– 2. invoked out of order,
– or invoked with the wrong arguments,
as well as the DLLs in the paths of the attack.

Nodes in the community are informed of the attack using the signature. Monitoring the applications requires just the signature and not the entire model (2% overhead in monitoring).
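The three model-building steps, the four trace labels and the signature extraction, as an added worked example (constructed here; not VERNIER's or StraceNt's code): a path model built from the expected chain on the exploit slide is checked against a constructed trace, and the deviating calls plus the DLL chain form the signature. PathModel, EXPECTED_PATH, ATTACK_TRACE and the label names are assumptions.

```python
# Constructed illustration of the slides' three-step model (DLL path, call
# order, static arguments) and four trace labels; not VERNIER/StraceNt code.
EXPECTED, NOT_ALLOWED, OUT_OF_ORDER, BAD_ARGS = (
    "expected", "not-allowed", "out-of-order", "unexpected-args")

class PathModel:
    """One execution path: DLL chain, ordered allowed calls, static args."""
    def __init__(self, dlls, calls):
        self.dlls = tuple(dlls)
        self.calls = list(calls)                       # [(api, args or None)]
        self.allowed = {api for api, _ in self.calls}  # step 1: whitelist

def args_match(expected, actual):
    """None: nothing known statically; "?" marks one unresolved argument."""
    return expected is None or (len(expected) == len(actual) and all(
        e in ("?", a) for e, a in zip(expected, actual)))

def classify_trace(model, trace):
    """Label each traced (api, args) against the model, in trace order."""
    cursor, labels = 0, []
    for api, args in trace:
        if api not in model.allowed:              # step 1 violation
            labels.append((api, NOT_ALLOWED))
            continue
        # step 2: the call must occur at or after the last matched position
        idx = next((i for i in range(cursor, len(model.calls))
                    if model.calls[i][0] == api), None)
        if idx is None:
            labels.append((api, OUT_OF_ORDER))
            continue
        cursor = idx + 1
        ok = args_match(model.calls[idx][1], args)   # step 3
        labels.append((api, EXPECTED if ok else BAD_ARGS))
    return labels

def signature(model, labels):
    """Attack signature: the deviating calls plus the DLLs on the path."""
    return {"dlls": model.dlls,
            "calls": sorted({api for api, lab in labels if lab != EXPECTED})}

# Expected path from the exploit slide; libnameW = statically resolved name.
EXPECTED_PATH = PathModel(("version", "kernel32", "ntdll"), [
    ("SetErrorMode", None),
    ("LoadLibraryExW", ("libnameW", "0", "2")),
    ("GetFileVersionInfoSizeW", ("?",))])

# Constructed trace mirroring the attack side of the same figure.
ATTACK_TRACE = [("NtQuerryProcessInfo", ()), ("NtSetProcessInfo", ()),
                ("SetErrorMode", ("1",)), ("LoadLibraryExW", ("calc.exe", "0", "2")),
                ("GetFileVersionInfoSizeW", ("libnameW",))]
```

Only the first call that cannot be placed after the previously matched position is flagged out of order, which is enough to show the labelling; a production monitor would track the CFG position rather than a linear cursor.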

Evaluation Plan

Agree on a set of applications, platforms, configurations…

Unit tests for bad behavior. Classes of attacks covered:
– Deviations from call-sequence behavior: unexpected call, out-of-order call, call with unexpected arguments.

Measure the benefits for the community: reduction of the number of nodes affected by a given attack.

Evaluation Plan

Measure the speed at which attack signatures are shared with the community: unlikely to detect flash worms in time, but we will measure the speed of knowledge sharing for interactive applications (office) and reactive applications (network services).

Performance measure: total overhead at the community level.

Measure how much information the dynamic analysis must provide to support static analysis: how many indirect calls have to be resolved, and how many arguments need to be determined dynamically.

Measure how many attacks are detected for known exploits and for known services.

Next Steps

Continue experimenting with attacks in the wild:
– All attacks that we experimented with are attacks in the wild.

Use policy-based monitoring based on inputs from the community and other VERNIER sensors:
– Monitor only network behavior, registry behavior, file-manipulation behavior, etc.
– Evaluate trade-offs between overhead and attack detection.

Define a set of APIs to monitor all the time, with an overall loss of performance in accordance with the VERNIER metrics.