 Introduction  Related Work  Challenges for Software-based CPU Emulation Detection Approaches  Our Approach  Evaluation  Limitations 2 A Seminar.

Slides:

Advertisements

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

Advertisements

Exceptional Control Flow Processes Today. Control Flow Processors do only one thing: From startup to shutdown, a CPU simply reads and executes (interprets)

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Boxuan Gu, Xiaole Bai, Zhimin Yang,Xiaole BaiZhimin Yang Adam C. ChampionAdam C. Champion, Dong XuanDong Xuan Dept. of Computer Science and Engineering.

Chapter 6 Limited Direct Execution

CS 345 Computer System Overview

Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.

CMPT 300: Operating Systems I Dr. Mohamed Hefeeda

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Memory Management (II)

Translation Buffers (TLB’s)

1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.

Worms By: Aaron Stahler. Difference Between a Worm and A Virus Viruses are computer programs that are designed to spread themselves from one file to another.

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

What is adaptive web technology?  There is an increasingly large demand for software systems which are able to operate effectively in dynamic environments.

CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

MIS Week 2 Site:

Chapter 6 Operating System Support. This chapter describes how middleware is supported by the operating system facilities at the nodes of a distributed.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Virtualization Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation is licensed.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Processes and OS basics. RHS – SOC 2 OS Basics An Operating System (OS) is essentially an abstraction of a computer As a user or programmer, I do not.

29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan.

Mitigation of Buffer Overflow Attacks

Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.

Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,

Presented by Spiros Antonatos Distributed Computing Systems Lab Institute of Computer Science FORTH.

Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.

MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.

1 OmniUmpack: Fast, Generic, and Safe Unpacking of Malware Authors: Lerenzo Martignoni, Mihai Christodorescu and Somesh Jha Computer Security Applications.

G53SEC 1 Reference Monitors Enforcement of Access Control.

Presented by: Akbar Saidov Authors: M. Polychronakis, K. G. Anagnostakis, E. P. Markatos.

Accessing I/O Devices Processor Memory BUS I/O Device 1 I/O Device 2.

Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.

1 CSE451 Architectural Supports for Operating Systems Autumn 2002 Gary Kimura Lecture #2 October 2, 2002.

Operating Systems 1 K. Salah Module 1.2: Fundamental Concepts Interrupts System Calls.

Homework tar file Download your course tarball from web page – Named using your PSU ID – Chapter labeled for each binary.

Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma

Operating Systems Engineering Based on MIT (2012, lec3) Recitation 2: OS Organization.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto Demand Paging.

Chapter 1 Basic Concepts of Operating Systems Introduction Software A program is a sequence of instructions that enables the computer to carry.

Role Of Network IDS in Network Perimeter Defense.

Virtual Machines Mr. Monil Adhikari. Agenda Introduction Classes of Virtual Machines System Virtual Machines Process Virtual Machines.

Evaluating the Fault Tolerance Capabilities of Embedded Systems via BDM M. Rebaudengo, M. Sonza Reorda Politecnico di Torino Dipartimento di Automatica.

Interrupts and Exception Handling. Execution We are quite aware of the Fetch, Execute process of the control unit of the CPU –Fetch and instruction as.

Malicious Programs (1) Viruses have the ability to replicate themselves Other Malicious programs may be installed by hand on a single machine. They may.

Chapter 6 Limited Direct Execution Chien-Chung Shen CIS/UD

1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.

Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Introduction to Operating Systems

Malware Reverse Engineering Process

Basic Processor Structure/design

Mechanism: Limited Direct Execution

Chapter 1: Introduction

Malware Reverse Engineering Process

Effective Data-Race Detection for the Kernel

Practical Rootkit Detection with RAI

Introduction to Operating Systems

Chap 10 Malicious Software.

Translation Buffers (TLB’s)

Chap 10 Malicious Software.

Translation Buffers (TLB’s)

Translation Buffers (TLBs)

Review What are the advantages/disadvantages of pages versus segments?

Presentation transcript:

 Introduction  Related Work  Challenges for Software-based CPU Emulation Detection Approaches  Our Approach  Evaluation  Limitations 2 A Seminar at Advaced Defense Lab

 In recent years, code-injection attacks have become a widely popular modus operandi for performing malicious actions on network services and client- based programs.[link]link  Exploitation toolkits › Phoenix [link]link 3 A Seminar at Advaced Defense Lab

 Today, malicious PDFs are distributed via mass mailing, targeted , and drive- by downloads.  The “stream objects” in PDF allow many types of encodings to be used, including multi-level compression, obfuscation, and even encryption. 4 A Seminar at Advaced Defense Lab

 The key to detecting these attacks lies in accurately discovering the presence of the shellcode in network payloads or process buffers.  In this paper, we argue that a promising technique for detecting shellcode is to examine the input and efficiently execute its content to find what lurks within. 5 A Seminar at Advaced Defense Lab

 Finding the presence of malicious code by searching for tell-tale signs of executable code  Toth and Kruegel, “Accurate Buffer Overflow Detection via Abstract Payload Execution”, A Seminar at Advaced Defense Lab

 Polychronakis et al., “Network-level Polymorphic Shellcode Detection using Emulation”, A Seminar at Advaced Defense Lab

 the instruction set for modern CISC architectures is very complex, and so it is unlikely that software emulators will ever be bug free. › FPU-based GetPC instructions [link]link  Special purpose CPU emulators › Nemu, libemu[link]link › large subsets of instructions rarely used by injected code are skipped 8 A Seminar at Advaced Defense Lab

 the vast majority of network streams will contain benign data, some of which might be significant in size.  A separate execution chain must be attempted for each offset in a network stream because the starting location of injected code is unknown. 9 A Seminar at Advaced Defense Lab

 We allow instruction sequences to execute directly on the CPU using hardware virtualization, and only trace specific memory reads, writes, and executions through hardware-supported paging mechanisms.  Our design for enabling hardware-support of code injection attacks is built upon Kernel-based Virtual Machine (KVM). 10 A Seminar at Advaced Defense Lab

11 A Seminar at Advaced Defense Lab

 The kernel supports loading arbitrary snapshots created using the minidump format[link].link  instructions are executed directly on the CPU in usermode until execution is interrupted by a fault, trap, or timeout. 12 A Seminar at Advaced Defense Lab

 We force a trap to occur on access to an arbitrary virtual address by clearing the present bit of the page entry.  Any heuristic based on memory reads, writes, or executions can be supported with coarse-grained tracing. 13 A Seminar at Advaced Defense Lab

 we chose to implement the PEB heuristic proposed by Polychronakis et al.  This heuristic detects injected code that parses the process-level TEB and PEB data structures. 14 A Seminar at Advaced Defense Lab

 We place traps on the addresses of the specific functions, and when triggered, a handler for the corresponding call is invoked. 15 A Seminar at Advaced Defense Lab

 We built two platforms that rely on ShellOS to scan buffers for injected code.  For client-based programs › We implemented a lightweight memory monitoring facility that allows ShellOS to scan buffers created by documents loaded. 16 A Seminar at Advaced Defense Lab

17 A Seminar at Advaced Defense Lab

 For network services › We build a platform to detect code injection attacks on network services by reassembling observed network streams and executing each of these streams. 18 A Seminar at Advaced Defense Lab

 Environment › Intel Xeon Quad Processor machine with 32 GB of memory. › The host OS was Ubuntu with kernel version A Seminar at Advaced Defense Lab

 Metasploit › For each encoder, we generated 100s of attack instances by randomly selecting 1 of 7 exploits, 1 of 9 self-contained payloads.  As the attacks launched, we captured the network traffic for later network-level buffer analysis. 20 A Seminar at Advaced Defense Lab

21 A Seminar at Advaced Defense Lab

22 A Seminar at Advaced Defense Lab

 We built a testbed consisting of 32 machines running FreeBSD 6.0 and generated traffic using a state-of-the-art traffic generator, Tmix [link].link  We supply Tmix with a network trace of HTTP connections captured on the border links of UNC-Chapel Hill in October, A Seminar at Advaced Defense Lab

24 A Seminar at Advaced Defense Lab

25

A Seminar at Advaced Defense Lab 26

 The malicious PDFs were randomly selected from suspicious files flagged by a large-scale web malware detection system.  We also use a collection of 179 benign PDFs from various USENIX conferences. A Seminar at Advaced Defense Lab 27

A Seminar at Advaced Defense Lab 28 All attacks use ROP

A Seminar at Advaced Defense Lab KB

A Seminar at Advaced Defense Lab 30 5 secs 26 secs

A Seminar at Advaced Defense Lab 31

 85% of the injected code exhibited an identical API call sequence. A Seminar at Advaced Defense Lab 32

A Seminar at Advaced Defense Lab 33

 Although the code copy is not apparent in the API call sequence alone, ShellOS may also provide an instruction-level trace by single-stepping each instruction via the TRAP bit in the flags register. A Seminar at Advaced Defense Lab 34

 We note, however, that this particular challenge is not unique to ShellOS. A Seminar at Advaced Defense Lab 35

 Shellcode designed to execute under very specific conditions may not operate as expected.  Software-based emulators are able to quickly detect and exit an infinite loop.  It may still be possible to detect a virtualized environment through the small set of instructions. A Seminar at Advaced Defense Lab 36

 ShellOS provides a framework for fast detection and analysis of a buffer, but an analyst or automated data pre- processor must provide these buffers. A Seminar at Advaced Defense Lab 37

A Seminar at Advaced Defense Lab 38