
Boxuan Gu, Xiaole Bai, Zhimin Yang, Adam C. Champion, Dong Xuan, Dept. of Computer Science and Engineering.

Presentation transcript:

1 Boxuan Gu, Xiaole Bai, Zhimin Yang, Adam C. Champion, Dong Xuan
Dept. of Computer Science and Engineering, The Ohio State University, Columbus, OH, USA
IEEE Infocom
A Presentation at Advanced Defense Lab

2 Outline: Introduction, Related Work, System Design, Implementation, Experiments, Conclusion

3 Introduction - Motivation
According to the US-CERT database, buffer overflows are one of the most critical and common software vulnerabilities.
Difference between DDC-Based and DBC-Based.
In this paper, we remove the limitation of DBC-Based approaches.

4 Introduction - Contributions
Take snapshots of the target process's virtual memory immediately before input data are consumed.
Use these snapshots to instantiate a runtime environment that emulates the target process's input data consumption.

5 Introduction - Contributions
Implement a prototype system in Debian Linux with kernel version 2.6.26.
Conduct extensive experiments based on real traces and thousands of malicious shellcode samples.

6 Outline: Introduction, Related Work, System Design, Implementation, Experiments, Conclusion

7 DBC-Based – Static Analysis (figure)

8 DBC-Based – Static Analysis
T. Toth and C. Kruegel, "Accurate Buffer Overflow Detection via Abstract Payload Execution" (NOP sled).
Focusing on code-level patterns has limitations regarding accuracy and completeness.
U. Bayer, A. Moser, C. Kruegel, and E. Kirda, "Dynamic Analysis of Malicious Code".

9 DBC-Based – Dynamic Analysis
M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos, "Network-level Polymorphic Shellcode Detection Using Emulation" and "Emulation-Based Detection of Non-Self-Contained Polymorphic Shellcode".
They're still prone to evasion due to insufficient context information about the target process.

10 DBC-Based – Dynamic Analysis
(Figure: bootstrap code launches the decryptors for block 1, block 2, …, block N, which produce generated blocks 1, 2, …, N; esp and eip are shown.)

11 Examples to bypass detection (figure)

12 DDC-Based
Detection is conducted while processes consume input data.
Address Space Randomization (ASR)
Data Space Randomization (DSR)
Troubleshooting is inefficient.

13 Outline: Introduction, Related Work, System Design, Implementation, Experiments, Conclusion

14 System Design - Rationale (figure)

15 System Design - Rationale
Instantiating a Virtual Execution Environment: snapshots are used to initialize this environment and provide two benefits.
For observing the input data's real behaviors: mimic the process's consumption of input data.
For constructing a lightweight virtual environment.

16 System Design - Rationale
Facilitating System Call-based Detection: no matter how well malicious shellcode disguises itself, it will eventually use system calls to launch attacks.
Existing DBC-Based approaches, including both static and dynamic analysis, cannot use system call invocations as detection criteria as they lack the necessary register information.

17 System Design - Architecture (figure)

18 System Design - Architecture (figure)

19 System Design - Workflow (figure)

20 System Design - Workflow (figure)

21 System Design - Detection
(Figure: the same decryptor sequence emulated with and without snapshots. Decryptor instructions shown: lidt eax; jz +3; cmp ebx,0x252d252d; mov ebx,0xa0ef(ebp); erase eax; pop esp; pop eax; calculate…; push eax; pop eax; calculate…; push eax; push esp, followed by the generated blocks.)
With snapshots: ebx=0x252d252d, context information provided; the comparison is resolved, the decryptor is bypassed and the generated blocks are reached.
Without snapshots: ebx=???, context information unavailable; emulation cannot get past the comparison.

22 Outline: Introduction, Related Work, System Design, Implementation, Experiments, Conclusion

23 Implementation
Debian Linux with kernel version 2.6.26.
Emulator can interpret all IA-32 instructions: general-purpose and FPU instructions, system instructions, system call instructions (int 0x80, sysenter).
When an unimplemented instruction is encountered in emulation: skip it if it's not a privileged instruction, stop otherwise.

24 Implementation
Suitable threshold: lower bound sets exe_depth to 14; upper bound sets exe_depth to 7000.
Use an open-source x86 disassembler library to construct the decoder (http://sourceforge.net/projects/bastard/files/libdisasm/).
Integrated into glibc, overriding the read and recv functions…
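The detection idea on slides 16, 21, 23 and 24 (emulate input bytes from every offset with register values taken from the snapshot, skip unimplemented unprivileged instructions, flag input that reaches a system call within the exe_depth bounds) as an added toy model; this is constructed example code, not the paper's emulator, and only handles a handful of IA-32 opcodes. Reading the lower exe_depth bound as a minimum instruction count before a reached system call counts, and the sample bytes and snapshot register values, are assumptions of the example.

```python
# Slide 24 bounds; reading the lower bound as a minimum instruction count before a reached
# system call counts as a detection is an assumption of this example.
EXE_DEPTH_MIN, EXE_DEPTH_MAX = 14, 7000

def decode(code, ip):
    """Decode a tiny IA-32 subset at code[ip] -> (mnemonic, operand, length)."""
    op, nxt = code[ip], (code[ip + 1] if ip + 1 < len(code) else None)
    imm32 = int.from_bytes(code[ip + 1:ip + 5], "little")
    rel8 = int.from_bytes(code[ip + 1:ip + 2], "little", signed=True)
    if op == 0x81 and nxt == 0xFB:  # cmp ebx, imm32
        return "cmp_ebx", int.from_bytes(code[ip + 2:ip + 6], "little"), 6
    if op == 0xCD and nxt == 0x80:  # int 0x80
        return "int80", None, 2
    table = {0x90: ("nop", None, 1), 0xB8: ("mov_eax", imm32, 5), 0x49: ("dec_ecx", None, 1),
             0x74: ("jz", rel8, 2), 0x75: ("jnz", rel8, 2), 0xEB: ("jmp", rel8, 2)}
    return table.get(op, ("unknown", None, 1))  # unknown: skipped like an unprivileged insn

def emulate(code, start, regs):
    """Emulate from `start` with snapshot registers (missing = unknown) -> (verdict, depth)."""
    ebx, ecx, zf, ip = regs.get("ebx"), regs.get("ecx"), None, start
    for depth in range(1, EXE_DEPTH_MAX + 1):
        if not 0 <= ip < len(code):
            return "left_buffer", depth - 1
        mn, arg, ln = decode(code, ip)
        ip += ln
        if mn == "cmp_ebx":
            zf = None if ebx is None else ebx == arg
        elif mn == "dec_ecx":
            ecx = None if ecx is None else (ecx - 1) & 0xFFFFFFFF
            zf = None if ecx is None else ecx == 0
        elif mn in ("jz", "jnz"):
            if zf is None:  # branch depends on a register the snapshot did not supply
                return "context_unavailable", depth
            ip += arg if zf == (mn == "jz") else 0
        elif mn == "jmp":
            ip += arg
        elif mn == "int80":
            return "syscall", depth  # system call reached: the slides' detection criterion
    return "depth_exceeded", EXE_DEPTH_MAX

def scan(data, snapshot_regs):
    """Try every offset as an entry point; return the first one flagged as shellcode."""
    for off in range(len(data)):
        verdict, depth = emulate(data, off, snapshot_regs)
        if verdict == "syscall" and depth >= EXE_DEPTH_MIN:
            return off
    return None
# Constructed bytes: cmp ebx,0x252d252d / jz +2 / jmp $ / L: dec ecx / jnz L / mov eax,1 / int 0x80
SAMPLE = bytes.fromhex("81fb2d252d25" "7402" "ebfe" "49" "75fd" "b801000000" "cd80")
SNAPSHOT = {"ebx": 0x252D252D, "ecx": 8}  # values a virtual memory snapshot would supply
```

With SNAPSHOT, scan(SAMPLE, SNAPSHOT) resolves the comparison, runs the loop and flags offset 0; with an empty register context the branch is unresolvable and no offset reaches a system call at a depth above the lower bound, so scan returns None.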

25 Outline: Introduction, Related Work, System Design, Implementation, Experiments, Conclusion

26 Experiments - Effectiveness
Collect 51 unencrypted malicious shellcodes from the Internet that target Linux systems.
Use encryption tools to generate 5000 encrypted malicious shellcodes:
ADMMutate: Polymorphic Shellcode Engine
Metasploit: http://www.metasploit.com/
TAPiON: http://pb.specialised.info/all/tapion/

27 Experiments - Effectiveness
Enlist 4 volunteers who collect HTTP messages for 6 weeks by using Fiddler (http://fiddler2.com/fiddler2).

28 Experiments - False Pos & Neg
False Negative is ZERO.

29 Experiments - Overhead
Dell Dimension 5150 with an Intel Pentium 4 2.8 GHz and 1 GB RAM.

30 Experiments - Overhead
Hardware
Server: Dell Dimension 5150 with an Intel Pentium 4 2.8 GHz and 1 GB RAM
Client: IBM ThinkPad T60 and 1 GB RAM
Connection: 100 Mbps Ethernet switch
Software
Server: thttpd (ACME Laboratories)
Client: Jef Poskanzer's HTTP Load Program

31 Experiments - Overhead (figure)

32 Outline: Introduction, Related Work, System Design, Implementation, Experiments, Conclusion

33 Conclusion
Drawback: return-into-libc without function calls may still evade this system.
Future work: designing a faster instruction decoder; using static analysis techniques to analyze input data before or during emulation.
The virtual memory snapshot is very useful for analysis.

