Presentation is loading. Please wait.

Presentation is loading. Please wait.

The 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Reuse-Oriented Camouflaging Trojan: Vulnerability Detection and Attack.

Published byPreston Hamilton Modified over 6 years ago

Similar presentations

Presentation on theme: "The 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Reuse-Oriented Camouflaging Trojan: Vulnerability Detection and Attack."— Presentation transcript:

1 The 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
Reuse-Oriented Camouflaging Trojan: Vulnerability Detection and Attack Construction Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Purdue University July 1st, 2010

2 Background: reuse-oriented attack
Return-into-libc attack Library call Return-oriented-programming [Shacham, CCS’07] Gadget (Short instruction sequences) Coarse-grained reuse from legal binary Legal Functions system("/bin/sh") Gadget (in libc): pop eax pop ebx ret

3 Feasibility Binary is everywhere
Legal binaries contain the functional features for malicious purposes.

4 Feasibility (cont.) Incentive motivation to launch such attack
No environment setup No stand-alone code to implement the malicious semantics Reuse Oriented Camouflaging (ROC) Trojan

5 Feasibility (cont.) vxheaven.org (260K malware pieces)

6 How the top 100 malware in 2008 infects computers
Feasibility (cont.) Distribute? How the top 100 malware in 2008 infects computers

7 How to launch the ROC attack
Step-I: attacker has a goal and gets a victim binary Step-II: attacker wishes to reuse some function f(x) to achieve his malicious goal Where is f Does f have side effect Where is x, how to access x Step-III: attacker patches f(x)  ROC Trojan Step-IV: attacker distributes ROC trojans Reuse of F(x): Patching argument x: { F(x) }  { F(y) } Duplication: { F(x) }  { F(x), F(y) } Feature extraction send(“alice”) send(“alice,bob”) Side effect analysis Argument reverse engineering send(“alice”, ”normal ”)  send(“alice”, ”normal ”), send(“alice”, ”spam ”)

8 A driving example Victim binary Attack goal Cheating sheet
1 struct _ADDRESS { 2 char *name; 3 char *domain; _ADDRESS * next; 5 }; 6 _ADDRESS sender_addr; 7 8 void main () { 9 struct { _ADDRESS * to; _ADDRESS * from; 12 } header; 13 char body[BODY_SIZE]; 14 15 readconfig(&sender_addr); 16 if (use_default) header.from=&sender_addr 18 19 editor (&header, body); 20 send_mail (&header, body); 21 } Victim binary Attack goal Get an copy whenever people uses it send Cheating sheet Patching the next field in _ADDRESS of field to in argument header In the following of my talk, I will use a simplified client software, to illustrate how we analyze the binary and launch our attack. At a high level, this client has the following code. First of all, it declares a ADDRESS type, which is a link list. Then it has a main function, which first declares a header type data structure, and message body char array. Then it invokes readconfig function to fill the global variable myaddr, Invokes function editor, and finally send . Our analysis will show there could be an redirection attack, if we patch function send_mail. So how we reach this analysis. Actually, we have three key techniques. They are Feature extraction Side effect analysis Argument reverse engineering

9 I. Feature extraction Goal Dynamic analysis Track
Get reusable functions f Dynamic analysis Track Call graph (CG) Data usage Data-Definition Data-Use Data-Propagation Input & Output Annotate CG with data used in the function 1 struct _ADDRESS { 2 char *name; 3 char *domain; _ADDRESS * next; 5 }; 6 _ADDRESS sender_addr; 7 8 void main () { 9 struct { _ADDRESS * to; _ADDRESS * from; 12 } header; 13 char body[BODY_SIZE]; 14 15 readconfig(&sender_addr); 16 if (use_default) header.from=&sender_addr 18 19 editor (&header, body); 20 send_mail (&header, body); 21 }

10 I. Feature extraction a c d b e f g i h j k main editor read_config
1 struct _ADDRESS { 2 char *name; 3 char *domain; _ADDRESS * next; 5 }; 6 _ADDRESS sender_addr; 7 8 void main () { 9 struct { _ADDRESS * to; _ADDRESS * from; 12 } header; 13 char body[BODY_SIZE]; 14 15 readconfig(&sender_addr); 16 if (use_default) header.from=&sender_addr 18 19 editor (&header, body); 20 send_mail (&header, body); 21 } editor read_config send_mail c Hello\r\n d b smtp_ehlo smtp_mail EHLO [ ]\r\n e f g smtp_open i h X-X-Sender: To: Hello\r\n MAIL RCPT Hello\r\n j EHLO [ ]\r\n MAIL RCPT X-X-Sender: To: Hello\r\n smtp_send k sys_write

11 I. Feature extraction – candidate function
main A function instance f is candidate function f it is the common ancestor of all the function instances which use/define the observed data. editor read_config send_mail c c Hello\r\n d b smtp_ehlo smtp_mail EHLO [ ]\r\n e f g smtp_open i h X-X-Sender: To: Hello\r\n MAIL RCPT TO:< >\r\n j EHLO [ ]\r\n MAIL RCPT TO:< >\r\n X-X-Sender: To: Hello\r\n smtp_send k sys_write

12 II. Side effect analysis
What A memory write in a function instance that is used after the function returns Why Only performed if we want to duplicate a function call, f(x), f(y) How Tracking memory write Heap variables Global variables Stack variables a a main editor read_config send_mail c c Hello\r\n d b smtp_ehlo smtp_mail EHLO [ ]\r\n e f g smtp_open i h X-X-Sender: To: \r\n Hello\r\n MAIL RCPT TO:< >\r\n j EHLO [ ]\r\n MAIL RCPT TO:< >\r\n X-X-Sender: To: Hello\r\n smtp_send k sys_write

13 III. Argument reverse engineering
Now we have identified the candidate function f to patch, but How to pass the malicious arguments to f “Which argument x should be patched" “How to access x, without symbolic information “ Reference Graph A reference graph is a graph with nodes being the set of memory regions, and edges being the set of points-to relations Memory regions Points-to edges

14 III. Argument reverse engineering
Mem snapshot send_mail Reference Graph Memory Differencing 0:arg0 bfff9960 (ESP) 4:arg1 bfffcf48 bfffcf12 4 From: To: Hello Hello 851bec0 8505c90 8 8 4 4 85075d8 851bf00 84c4d08 84c4d18 alice bob.com bob bob.com

15 III. Argument reverse engineering
Mem snapshot bfff9960 (ESP) bfffcf48 bfffcf12 Hello 851bec0 8 85075d8 851bf00 4 alice bob.com 8505c90 84c4d08 84c4d18 bob send_mail Reference Graph Memory Differencing 0:arg0 4:arg1 Reference Path From: To: Hello Mem snapshot2 (*(*(ESP+0)+0)+8) bfff9970 (ESP) bfffcf58 bfffcf22 4 Hello 8521ec0 8 85075e8 851bf40 alice bob.com 8521c90 84c5c12 84c5d10 bob send_mail 8505b80 84c4500 84c4512 bob1 bob1.com From: To: Hello Patching the next field (+8) in _ADDRESS of field to (+0) in argument header (+0)

16 Put it all together Binary Patching Dynamic Analysis
Candidate Functions f Side Effect Analysis Vulnerable Functions f Binary Patching (app. binary) Attack Goal Feature Extraction ROC Attack Composer The final trojan Dynamic Analysis Candidate Functions f Argument Reverse Eng. Reference Path x ROC: Reuse-Oriented Camouflaging

17 Implementation Dynamic analysis Binary patching
Dynamic binary instrumentation Track memory reads (use), writes (definition), and data dependency, input/output, heap allocations, de-allocations, and call stack contexts, caller-callee relations (call graph)  Trace file Take snapshots of memory Offline analysis on the traces file Binary patching Binary rewriting/patching Leveraged widely used virus embedding technique

18 Implementation (cont.)
Binary rewriting Helper Function Method Description BEFORE(int func) {code} insert the code block before func AFTER(int func) {code} insert the code block after func ENTRY(int func) {code} insert right inside func void get(int* field) retrieve the argument field void set(int* field, void* val) set the argument with val void duplicate(int func) duplicate the invocation of func BEFORE(send_mail){ set(&next_receipt, } Safe Reference Path: (*(*(ESP+0)+0)+8)

19 Evaluation Benchmark Binary Size Attack Pine-4.63 6.3M
Stealing/Spamming Mailx-12.4 712K Mutella-0.4.5 843K Introducing Covert C&C channel Peercast 58K Gift (libGnutella.so.0.11) 321K 657K File transferring

20 Discussion Achilles' heel of ROC Break the software modularity
Binary integrity check Tripwire [Kim and Spafford, CCS’94] Up-to-date, globally consistent hash values Frequent, automatic software patching, decentralized distribution Break the software modularity Violate “software development principle” Seemingly Easy defense: killer heeling

21 Related work F(x) F(y) F(x) F(x) Binary reuse in malware analysis
BCR [Caballero et al, NDSS’10] Inspector gadget [Kolbitsch et al, Oakland’10] Difference F(x) F(y) \ F(x) F(x)

22 Summary ROC trojan An analysis framework
Dynamic binary analysis Feature extraction Side effect analysis Argument reverse engineering Binary patching Such attack is real, and can be constructed in a systematic way. However, defender can similarly detect ROC vulnerabilities in binaries

23 {zlin, xyzhang, dxu}@cs.purdue.edu
Q & A Thank you For more information: {zlin, xyzhang,

Download ppt "The 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Reuse-Oriented Camouflaging Trojan: Vulnerability Detection and Attack."

Similar presentations

Introduction to C Programming

Introduction to C Programming
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Chapter 7: User-Defined Functions II

Chapter 7: User-Defined Functions II
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
COMP3221: Microprocessors and Embedded Systems Lecture 12: Functions I Lecturer: Hui Wu Session 2, 2005.

COMP3221: Microprocessors and Embedded Systems Lecture 12: Functions I Lecturer: Hui Wu Session 2, 2005.
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.

Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
1 Programming for Engineers in Python Autumn 2011-12 Lecture 5: Object Oriented Programming.

1 Programming for Engineers in Python Autumn Lecture 5: Object Oriented Programming.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
Chapter 11-14, Appendix D C Programs Higher Level languages Compilers C programming Converting C to Machine Code C Compiler for LC-3 Please return breadboards.

Chapter 11-14, Appendix D C Programs Higher Level languages Compilers C programming Converting C to Machine Code C Compiler for LC-3 Please return breadboards.
Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.

Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.
CS 201 Functions Debzani Deb.

CS 201 Functions Debzani Deb.
Compiler Summary Mooly Sagiv html://www.math.tau.ac.il/~msagiv/courses/wcc03.html.

Compiler Summary Mooly Sagiv html://
C++ fundamentals.

C++ fundamentals.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CMPE13Cyrus Bazeghi Chapter 14 Functions in C. CMPE13 2 Functions Smaller, simpler, subcomponents of programs Provide abstraction –hide low-level details.

CMPE13Cyrus Bazeghi Chapter 14 Functions in C. CMPE13 2 Functions Smaller, simpler, subcomponents of programs Provide abstraction –hide low-level details.
© Copyright 1992–2005 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Tutorial 10 – Enhancing the Wage Calculator Application:

© Copyright 1992–2005 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Tutorial 10 – Enhancing the Wage Calculator Application:
Chapter 06 (Part I) Functions and an Introduction to Recursion.

Chapter 06 (Part I) Functions and an Introduction to Recursion.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.

Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.

Similar presentations

Ads by Google