Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware resistance. Outline Preliminaries –Virtual Address Layout –Stack Layout –Verification Problem Remote Attestation –Methods –Code Injection Interrupts.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Malware resistance. Outline Preliminaries –Virtual Address Layout –Stack Layout –Verification Problem Remote Attestation –Methods –Code Injection Interrupts."— Presentation transcript:

1 Malware resistance

2 Outline Preliminaries –Virtual Address Layout –Stack Layout –Verification Problem Remote Attestation –Methods –Code Injection Interrupts Identification

3 Virtual Address Space (Linux) 1 Gb is given for Kernel mapping 3 GB for User app –Code, data segment, BSS –Stack and Heap Which is where? –“Stack grows down” –“Heap grows up” 0 4GB Stack and Heap

4 VAS DS –Static int q =5; BSS –Block Started by Symbol –Static int q; 4 GB 0 Stack and Heap Text Segment ELF image Data Segment Static initialized variables BSS Static uninitialized variables 3 GB Stack Grows Down Heap Grows Up Kernel

5 Sample Program int main(){ char *ptr; ptr = (char *) malloc((sizeof(char)*10)); printf("ptr on stack = %x", &ptr); printf("ptr on heap = %x", ptr); free(ptr); return 0;}

6 Results [rsriniv8@calypso4:~]$./stack_heap_t.o ptr on stack = bffaf194 ptr on heap = 9f2d008 Stack – bffaf194 = 3220499860 = 2.99 GB Heap – 9f2d008 = 166907912 =.15 GB

7 Stack layout Function call –Push context address on Stack –Jump to function –Subtract Stack pointer to accommodate Local variables Arguments Return Add Local variables High Address Low Address

8 Program (Buffer Overflow) int main() { …. foo(); printf(“something”); return 0; } int foo() { int a[4]; for (int i=0;i<=7;i++) scanf(“%d”, &a[i]); return 0; } Program most likely crashes and never executes the printf in main Or may jump to a new address and execute

9 int i; int function(int); int main() { int a= 4; printf("\n address of main %x, address of function %x",main, function); function(a); return 0; } int function(int x) { int a[3]= {-1, -1,-1}; for (i=0;i<=10;i++) printf("\n a[%d] = %x", i, a[i]); return 0; } address of main 8048368, address of function 80483ba a[0] = ffffffff a[1] = ffffffff a[2] = ffffffff a[3] = 80484f8 a[4] = bfe74b6c a[5] = 91aff4 a[6] = bfe74b88 a[7] = 80483b0 (Return address) a[8] = 4 (argument) a[9] = 8048368 a[10] = 80483ba 80483a5: 83 ec 0c sub $0xc,%esp 80483a8: ff 75 fc pushl 0xfffffffc(%ebp) 80483ab: e8 0a 00 00 00 call 80483ba 80483b0: 83 c4 10 add $0x10,%esp Excerpt from the objdump of main Output

10 Prevention and Detection Prevention –Create genetic diversity among binaries –Memory randomization Stack Randomization Heap Randomization –Code Randomization How? Detection –Is It done?

11 Verified Code Execution Assume Viruses have unlimited potential Can patch on detectors –Why? Same image Difficult to find if any code actually executed –Results may be pre computed –Verification can be bounced

12 Remote Attestation (hardware) Make an external entity check the system Typically through TPM –Computes checksums Plenty of literature on pros and cons Client OS Programs Client HW TPM Trusted External Server Network

13 Remote Attestation (Software) No hardware support –Opens issues Did the code actually execute Is the attestation program patched Was it bounced to another machine Was it bounced to another process

14 Bounce to another machine Client OS Patched Program Client HW Trusted External Server Network Machine 1 Client OS Clean Program Client HW Relay Machine 2 Program Send data to compute checksum Send code to compute checksum

15 Bounce to another Process Client OS Client HW Trusted External Server Network Machine 1 Patched Program Clean Program

16 Attestation Process Client OS Patched Program Client HW Trusted External Server Machine 1 op-code Network Results

17 Characteristics Inject code in the running process –Make the process inject code on itself Use schemes to identify machine –Connection details should suffice IP, port, etc Use schemes to identify process –Identify all open ports to see if more than one process is communicating to server

18 ASM code Injected code No library calls Required calls have to be written Either C code, or ASM code if it is a system call – socket() – ioctl – send() – receive() – helper functions like write(), read(), exit(), getpid(), etc

19 Example: socket() int sock_d(int sock){ sock = socket(PF_INET, SOCK_STREAM, 0); return sock;} int sock_d(int sock){ __asm__("sub $12,%esp\n" "movl $2,(%esp)\n" "movl $1,4(%esp)\n" "movl $0,8(%esp)\n" "movl $102,%eax\n" "movl $1,%ebx\n" "movl %esp,%ecx\n" "int $0x80\n" "add $12,%esp\n" : "=a" (s) ); return sock;} http://www.digilife.be/quickreference s/QRC/LINUX%20System%20Call %20Quick%20Reference.pdf 102 socketcall socket system calls net/socket.c linux/include/net.h 30 #define SYS_SOCKET 1 /* sys_socket(2) */ 31 #define SYS_BIND 2 /* sys_bind(2) */ 32 #define SYS_CONNECT 3 /* sys_connect(2) */ 33 #define SYS_LISTEN 4 /* sys_listen(2) */ 34 #define SYS_ACCEPT 5 /* sys_accept(2) */ 35 #define SYS_GETSOCKNAME 6 /* sys_getsockname(2) */ 36 #define SYS_GETPEERNAME 7 /* sys_getpeername(2) */ 37 #define SYS_SOCKETPAIR 8 /* sys_socketpair(2) */ 38 #define SYS_SEND 9 /* sys_send(2) */ 39 #define SYS_RECV 10 /* sys_recv(2) */ 40 #define SYS_SENDTO 11 /* sys_sendto(2) */ 41 #define SYS_RECVFROM 12 /* sys_recvfrom(2) */ 42 #define SYS_SHUTDOWN 13 /* sys_shutdown(2) */ 43 #define SYS_SETSOCKOPT 14 /* sys_setsockopt(2) */ 44 #define SYS_GETSOCKOPT 15 /* sys_getsockopt(2) */ 45 #define SYS_SENDMSG 16 /* sys_sendmsg(2) */ 46 #define SYS_RECVMSG 17 /* sys_recvmsg(2) */

20 Attestation Process Identify the Machine –IP add works if there is no NAT Take random checksums –Must differ each time Why? How? Check open ports –How? /proc/net/tcp, compare with open /proc/ /fd which has symbolic links. Identify Process ID –How? Return results

21 Questions?

Download ppt "Malware resistance. Outline Preliminaries –Virtual Address Layout –Stack Layout –Verification Problem Remote Attestation –Methods –Code Injection Interrupts."

Similar presentations

Dynamic Memory Allocation I Topics Simple explicit allocators Data structures Mechanisms Policies CS 105 Tour of the Black Holes of Computing.

Dynamic Memory Allocation I Topics Simple explicit allocators Data structures Mechanisms Policies CS 105 Tour of the Black Holes of Computing.
Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.

Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.
CS 4284 Systems Capstone Godmar Back Linking and Loading.

CS 4284 Systems Capstone Godmar Back Linking and Loading.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Day 11 Processes. Operating Systems Control Tables.

Day 11 Processes. Operating Systems Control Tables.
Jieun Song 2014.12.04 Port-Binding & Connect-Back Shellcode.

Jieun Song Port-Binding & Connect-Back Shellcode.
Processes CSCI 444/544 Operating Systems Fall 2008.

Processes CSCI 444/544 Operating Systems Fall 2008.
Embedded Systems Programming Introduction to cross development techniques.

Embedded Systems Programming Introduction to cross development techniques.
Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011.

Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011.
C and Data Structures Baojian Hua

C and Data Structures Baojian Hua
Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.

Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.
Memory Layout C and Data Structures Baojian Hua

Memory Layout C and Data Structures Baojian Hua
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Week 4 - Friday.  What did we talk about last time?  Some extra systems programming stuff  Scope.

Week 4 - Friday.  What did we talk about last time?  Some extra systems programming stuff  Scope.
CS252: Systems Programming Ninghui Li Final Exam Review.

CS252: Systems Programming Ninghui Li Final Exam Review.
Chapter 3 Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3 Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
CS 3204 Operating Systems Godmar Back Lecture 11.

CS 3204 Operating Systems Godmar Back Lecture 11.

Similar presentations

Ads by Google