Presentation is loading. Please wait.

Presentation is loading. Please wait.

0wning Antivirus Alex Wheeler

Published byかずゆき やぶき Modified over 5 years ago

Similar presentations

Presentation on theme: "0wning Antivirus Alex Wheeler"— Presentation transcript:

1 0wning Antivirus Alex Wheeler (alexbling@gmail
0wning Antivirus Alex Wheeler Neel Mehta

2 Why AV? Attractive Attack Surface
Gateways, Servers, Clients, ISP’s, Third Party Vendor Products Heterogeneous and Layered Environments

3 Why AV? Un-trusted Data Processing
Must be reachable by external input to be useful

4 Why AV? Run on a variety of Platforms Windows, Linux, Solaris, Mac

5 How Does AV work? Signature vs. Behavior Pattern-matching / regex
File-format decomposition

6 How Does AV work? Enterprise vs. Consumer Architecture
$$$ & Manageability

7 How Does AV work? Common Core Components IO filters Format Engines

8 How Does AV work? Standard Features Updates Multi-Threat detection

9 How Does AV work? Common Configurations Scan level Scan sizes
Scan Method

10 Code Coverage - Signatures
Field Values Max Len (eg. ARJ header len 0xa28) Magic (eg. PECOFF – “MZ” & “PE”) Field Sizes PE Section Header 0x28 Tar Object 0x200 Strings PECOFF – section labels, common libraries Ida Examples LHA ARJ UPX

11 Code Coverage – Core Utilities
Read Easy to spot Closest audit point to un-trusted input Usually wrapped & buffered Some truncate length

12 Code Coverage – Core Utilities
Allocation Any calculations to length are interesting Usually wrapped Some check 4 zero Some add to length for internal headers Some wrappers will truncate length

13 Code Coverage –Constructs
Conversions String/Number Byte Ordering

14 Code Coverage –Constructs
Checksum, CRC, etc. Easy to spot (ror, xor, etc. in a loop) Gives un-trusted input context

15 Code Coverage –Constructs
Inherited File Structures & Commonly Grouped Processors Are annoying to trace, due to indirection Can reveal more subtle unchecked copies Ex: Is MZ -> Is PE -> Is UPX

16 Audit Points - Inefficiencies
Engine vs. Product differences Can be an issue when engine is stricter than the product Ex: Recent Multi-vendor zip issues

17 Audit Points - Inefficiencies
Default Scan Levels Can be an issue when product does not require multiple extractions Ex: Packed and SFX

18 Audit Points - Inefficiencies
File Size Limitations Small archives can contain large files

19 Audit Points - Inefficiencies
Format Collisions Files conforming to multiple formats may be used to trick state and evade detection

20 O-Day Detection Generally very minimal capabilities Evasion?
Measure virus propagation by number of infected customers. Evasion? Write a new virus.

21 Audit Points – Memory Corruption
Inconsistent Checks Length type mismatches can be abused to bypass checks, wrap allocations, and overflow copies Negative offsets can be abused to bypass checks and overflow copies

22 Audit Points – Memory Corruption
Wrappers Allocators that modify length Reads that truncate length (reduces chance of access violation on overflow on negative copies)

23 Audit Points – Memory Corruption
Error-Prone Formats: 32 bit fields Interesting to examine sign and any calculations Ex: PECOFF – Packed & SFX, Archives

24 Audit Points – Memory Corruption
String Based Formats These can be hard to implement correctly StringToNumber conversions are interesting Ex: TNEF, MIME, PDF

25 Common Error #1 MOV ECX, USERINPUTPTR PUSH ECX LEA ESI, [EBP-100h]
PUSH OFFSET _ss ; "%s" PUSH ESI CALL _sprintf ADD ESP, 0Ch

26 Common Error #2 MOV EAX, DWORD PTR [EBX] CMP EAX, 40h JG TOO_LARGE

27 Common Error #3 MOV ESI, DWORD PTR [EBX] LEA EAX, [ESI+18h] PUSH EAX
CALL malloc ADD ESP, 4 MOV EDI, EAX TEST EDI, EDI JZ ALLOCATION_FAILED PUSH ESI // Size to Read PUSH EDI // Destination Buffer PUSH EBP // File Descriptor CALL read_file_wrapper ADD ESP, 0Ch

28 Common Error #4 XOR EBX, EBX START_LOOP MOV AL, [ESI] INC ESI INC EBX
TEST AL, AL JNZ START_LOOP MOVZX ECX, BX LEA ESI, [ECX+1] PUSH ESI CALL malloc ADD ESP, 4

29 Another Error MOV EAX, DWORD PTR [ESI] MOV EBX, DWORD PTR [ESI+4]
ADD ESI, 8 XOR EDX, EDX DIV EBX

30 Audit Methodology Identify Utility Functions
Naming these will aid in tracing input later Ex: Wrappers, FileIO, Allocations

31 Audit Methodology Trace Un-trusted Input Examine data that influences:
Allocations Copies Structure members Initializations are easy to spot Use is less easy – binary search for offset

32 Audit Methodology Reverse File Format Processors
Track class member offsets and sizes Will reveal more subtle bugs

33 Audit Results Symantec Unchecked offset reconstructing UPX PE header
Can be triggered by providing a negative offset to prior heap chunk containing MZ header with crafted PE header Heap overflow with no character restrictions

34 Audit Results McAfee Improperly checked file name and path strlen in LHA level 1 header Signature in .dat to detect for malformed LHA file Can be triggered my supplying a malformed LHA file, that also conforms to the PECOFF format Stack overflow with ascii character restrictions

35 Audit Results TrendMicro
Improperly checked filename strlen in ARJ header Doesn’t overflow the next chunk’s header, but does corrupt various pointers, which results in the address of the filename being written to an arbitrary destination Kernel Heap overflow with ascii character restrictions

36 Audit Results FSecure Improperly checked filename strlen in ARJ header
Standard heap overflow with ascii character restrictions

37 Future Points of Interest
Large Files Signed Checks Type Truncation Integer Overflows/Wraps/Underflows Ida Examples

38 Future Points of Interest
New Formats Formats implemented due to bugs Formats implemented due to wide use Product Administration

39 Questions?

Download ppt "0wning Antivirus Alex Wheeler"

Similar presentations

COMP 2003: Assembly Language and Digital Logic

COMP 2003: Assembly Language and Digital Logic
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Department of Computer Science and Software Engineering

Department of Computer Science and Software Engineering
Computer Organization And Assembly Language

Computer Organization And Assembly Language
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Assembly Language for Intel-Based Computers, 4 th Edition Chapter 6: Conditional Processing (c) Pearson Education, 2002. All rights reserved. You may modify.

Assembly Language for Intel-Based Computers, 4 th Edition Chapter 6: Conditional Processing (c) Pearson Education, All rights reserved. You may modify.
© 2006 Pearson Education, Upper Saddle River, NJ 07458. All Rights Reserved.Brey: The Intel Microprocessors, 7e Chapter 2 The Microprocessor and its Architecture.

© 2006 Pearson Education, Upper Saddle River, NJ All Rights Reserved.Brey: The Intel Microprocessors, 7e Chapter 2 The Microprocessor and its Architecture.
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Assembly Language for Intel-Based Computers

Assembly Language for Intel-Based Computers
Microprocessors Introduction to ia32 Architecture Jan 31st, 2002.

Microprocessors Introduction to ia32 Architecture Jan 31st, 2002.
ICS312 Set 3 Pentium Registers. Intel 8086 Family of Microprocessors All of the Intel chips from the 8086 to the latest pentium, have similar architectures.

ICS312 Set 3 Pentium Registers. Intel 8086 Family of Microprocessors All of the Intel chips from the 8086 to the latest pentium, have similar architectures.
Web siteWeb site ExamplesExamples Irvine, Kip R. Assembly Language for Intel-Based Computers, 2003. 1 Stack Operations Runtime Stack PUSH Operation POP.

Web siteWeb site ExamplesExamples Irvine, Kip R. Assembly Language for Intel-Based Computers, Stack Operations Runtime Stack PUSH Operation POP.
© 2006 Pearson Education, Upper Saddle River, NJ 07458. All Rights Reserved.Brey: The Intel Microprocessors, 7e Chapter 2 The Microprocessor and its Architecture.

© 2006 Pearson Education, Upper Saddle River, NJ All Rights Reserved.Brey: The Intel Microprocessors, 7e Chapter 2 The Microprocessor and its Architecture.
The ISA Level The Instruction Set Architecture (ISA) is positioned between the microarchtecture level and the operating system level.  Historically, this.

The ISA Level The Instruction Set Architecture (ISA) is positioned between the microarchtecture level and the operating system level.  Historically, this.
0wning Antivirus Alex Wheeler Neel Mehta

0wning Antivirus Alex Wheeler Neel Mehta
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦

Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Faculty of Engineering, Electrical Department,

Faculty of Engineering, Electrical Department,
The ISA Level The Instruction Set Architecture (ISA) is positioned between the microarchtecture level and the operating system level.  Historically, this.

The ISA Level The Instruction Set Architecture (ISA) is positioned between the microarchtecture level and the operating system level.  Historically, this.

Similar presentations

Ads by Google