1 Automatic Real-time Counterattack System against Remote Buffer Overflow Attack
許富皓 (Fu-Hau Hsu), Advanced Defense Lab, Department of Computer Science and Information Engineering, National Central University
2 Some Recent News Titles
– Downadup worm infects more than 3.5 million – Published: 2009-01-14
– Downadup virus exposes millions of PCs to hijack – CNN, 16 Jan. 2009
– Microsoft announces $250,000 Conficker worm bounty – Network World
3 Introduction of Arcs
Automatic real-time counterattack system
– Counterattacks worms spreading through remote buffer overflow attacks
– Targets unpatched, compromised attacking hosts
[Figure: an attacking host sends a buffer overflow attack to an Arcs host; the Arcs host performs modification & generation of the attack string and fights back]
4 Introduction of Arcs
Why do attackers use code injection-based remote buffer overflow attacks?
– Flexibility: target selection, malicious activities
– Simplicity: shellcode programming
– Portability: repeated deviation addresses, NOP sled
5 Explanation of BOAs (1)
Source code on the slide (H copies input into a 100-byte buffer with no bounds check):
    G(int a) {
        H(3);
    add_g:
    }
    H(int b) {
        char c[100];
        int i;
        while ((c[i++] = getch()) != EOF) { }
    }
[Stack diagram: G's stack frame above H's stack frame; H's frame holds b, the return address add_g, the address of G's frame pointer, then c[99] down to c[0]; sample addresses 0xabc, 0xabb, 0xaba; input string "xyz ZYXZYX" is written into c]
6 Explanation of BOAs (2)
Same source code as on the previous slide:
    G(int a) {
        H(3);
    add_g:
    }
    H(int b) {
        char c[100];
        int i;
        while ((c[i++] = getch()) != EOF) { }
    }
[Stack diagram after the overflow: the attack string "xx" + Injected Code + "xy" + 0xabc (length = 108 bytes) fills c[0]..c[99], overwrites the saved frame pointer, and replaces the return address add_g with 0xabc, the address of the injected code]
7 Injected Code
– The attacked programs usually have root privilege; therefore, the injected code is executed with root privilege.
– The injected code is already in machine instruction form; therefore, a CPU can directly execute it.
– However, this also means that the injected code must match the CPU type of the attacked host.
– Usually the injected code forks a shell; hence, after an attack, an attacker could have a root shell.
8 Injected Code of Remote BOAs
In order to interact with the newly forked root shell, the injected code usually needs to execute the following two steps:
– Open a socket.
– Redirect the standard input and output of the newly forked root shell to the socket.
9 Example of Injected Code for X86 Architecture: Shell Code
    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0"
        "\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8"
        "\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
10 Two Factors for a Successful Buffer Overflow-style Attack (1)
A successful buffer overflow-style attack must overflow the right place (e.g. the location holding a return address) with the correct value (e.g. the address of the injected code's entry point).
11 Two Factors for a Successful Buffer Overflow-style Attack (2)
[Figure: the buffer where the overflow starts, the injected code, and the return address]
– The offset between the beginning of the overflowed buffer and the overflow target.
– The address of the injected code's entry point.
The offset and the entry point address are non-predictable: they cannot be decided just by looking at the source code or the local binary code.
12 Non-predictable Offset
– For performance reasons, most compilers don't allocate memory for local variables in the order they appear in the source code, and sometimes space is inserted between them. (Source code doesn't help.)
– Different compilers/OSes use different allocation strategies. (Local binaries don't help.)
– Address obfuscation inserts a random amount of space between local variables and the return address. (Only very good luck may help.)
13 Non-predictable Entry Point Address
[Figure: layout of the top of the stack, starting at 0xbfffffff: system data, environment variables, argument strings, env pointers, argv pointers, argc, then function main()'s stack frame. The command line shown is `[fhsu@ecsl]# webserver –a –b security`; the command line arguments and environment variables occupy the space above main()'s stack frame.]
14 Strategies Used by Attackers to Increase Their Success Chance
– Repeat address patterns.
– Insert NOP (0x90) operations before the entry point of the injected code.
15 Buffer Overflow Attack String
[Figure: classic code injection buffer overflow attack string format]
16 Buffer Overflow Attack String
Characteristics
– Injected code (shellcode)
– NOP sled: 0x90 (NOP) or other one-byte non-privileged instructions
– Repeated deviation address: repeated every 4 bytes, pointing to the stack or heap (where the code is injected)
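The three characteristics above (NOP sled, injected code, deviation address repeated with a 4-byte period and pointing into the stack or heap) are exactly what a detector can look for. The following is an added example of such a heuristic detector, not Arcs' own detection code; the thresholds, the 32-bit stack address range and the sample strings are assumptions, and the placeholder bytes standing in for injected code are inert filler. The third sample uses non-repeated deviation addresses, which matches the detection limitation listed on the later "Limitations" slide and is therefore not flagged.

```python
"""Heuristic detector for the classic code-injection attack-string layout
described on the slides: a NOP sled (a run of 0x90 bytes), the injected code,
and a deviation address repeated every 4 bytes that points into the target's
stack or heap.  Added illustration, not Arcs' own detector.  Thresholds and
the address range are assumptions."""
import struct

NOP = 0x90
MIN_SLED = 32                              # assumption: shortest run of 0x90 worth flagging
MIN_REPEATS = 4                            # assumption: address must repeat this many times
STACK_RANGE = (0xBF000000, 0xC0000000)     # assumption: classic 32-bit Linux user stack


def longest_nop_sled(data: bytes):
    """Return (offset, length) of the longest run of 0x90 bytes in data.
    Real sleds may use other one-byte instructions; only 0x90 is counted here."""
    best = (0, 0)
    start = None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a run at the very end
        if b == NOP:
            if start is None:
                start = i
        elif start is not None:
            if i - start > best[1]:
                best = (start, i - start)
            start = None
    return best


def repeated_addresses(data: bytes, lo: int, hi: int):
    """For 4-byte little-endian words inside [lo, hi), return {word: longest run},
    where a run is the same word repeating with a 4-byte period.  All four byte
    alignments are tried because an attack string need not be word aligned."""
    runs = {}
    for align in range(4):
        prev, run = None, 0
        for off in range(align, len(data) - 3, 4):
            word = struct.unpack_from("<I", data, off)[0]
            run = run + 1 if word == prev else 1
            prev = word
            if lo <= word < hi:
                runs[word] = max(runs.get(word, 0), run)
    return runs


def classify(data: bytes, addr_range=STACK_RANGE):
    """Flag data only when both signals are present: a long NOP sled and a
    stack/heap address repeated with a 4-byte period."""
    sled_off, sled_len = longest_nop_sled(data)
    addrs = {a: n for a, n in repeated_addresses(data, *addr_range).items()
             if n >= MIN_REPEATS}
    findings = []
    if sled_len >= MIN_SLED:
        findings.append(f"NOP sled of {sled_len} bytes at offset {sled_off}")
    for a, n in sorted(addrs.items()):
        findings.append(f"address 0x{a:08x} repeated {n} times")
    return {"suspicious": sled_len >= MIN_SLED and bool(addrs),
            "sled": (sled_off, sled_len), "addresses": addrs, "findings": findings}


# Constructed samples.  PLACEHOLDER_CODE stands in for injected code; it is
# inert filler, not shellcode.
PLACEHOLDER_CODE = b"C" * 40
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
CLASSIC = (b"\x90" * 268 + PLACEHOLDER_CODE
           + struct.pack("<I", 0xBFFFF5A0) * 16)          # one address, repeated
EVASIVE = (b"\x90" * 268 + PLACEHOLDER_CODE
           + b"".join(struct.pack("<I", 0xBFFFF5A0 + 4 * k) for k in range(16)))  # distinct addresses

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("classic", CLASSIC), ("evasive", EVASIVE)]:
        verdict = classify(sample)
        print(name, "suspicious" if verdict["suspicious"] else "clean", verdict["findings"])
```

The benign request produces no findings; the classic string is flagged with a 268-byte sled and an address repeated 16 times; the evasive string still shows the sled but, because each deviation address is different, the repeated-address signal is missing and this heuristic alone does not flag it.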
17 Modification of Buffer Overflow Attack String
Modification
– Injected code replacement
– Effectiveness preserved: padding, deviation addresses and the rest of the attack string are kept
Fight-back string compared with the original attack string:
– Padding segment: same as the original attack string
– Deviation address values: same as the original attack string
– Injected code: replaced with the fight-back code
– Injected code length: the fight-back code must be shorter than the original injected code
– Total string length: same as the original attack string
[Figure: the attack string with its injected code replaced by the fight-back injected code, giving the fight-back string]
18 Implementation
Arcs design
– Arcs core
– Arcser
[Figure: the Arcs core adds a "detected" event; the Arcser polls and fetches the event from the network data stream and produces the fight-back string]
19 Demonstration
Effectiveness demonstration – Target: normal Linux host
– Vulnerable program: corehttpd [v0.5.3alpha]: httpd remote buffer overflow
– NOP sled: 268 bytes of consecutive 0x90
– Injected code: portbind shellcode at port 7979, placed after the NOP sled
[Figure: the normal Linux host runs the vulnerable Corehttpd service at port 8080; the attack is launched through the exploit and results in a portbind shell at port 7979]
20 Demonstration
Effectiveness demonstration – Target: Arcs host
– Vulnerable program: corehttpd [v0.5.3alpha]: httpd remote buffer overflow
– NOP sled: 268 bytes of consecutive 0x90
– Injected code: portbind shellcode at port 7979, placed after the NOP sled
[Figure: the attacking host and the Arcs host both run the vulnerable Corehttpd service at port 8080; the attack generated by the exploit hits the Arcs host, which fights back; the expected portbind shell at port 7979 on the Arcs host does not appear ("?"), while the attacking host ends up with a portbind shell at port 30000]
21 Discussion
Arcs against Internet worms
– Uniform random target selection worm model
– Arcs decreases the number of vulnerable hosts in the Internet
– Portable Arcs decreases the number of malicious hosts in the Internet
[Figure: two diagrams, one for Arcs and one for Portable Arcs, with legend: infected host, immune host, Arcs host, vulnerable host, Portable Arcs host]
22 Discussion
Arcs-based solution against Internet worms:
$I_t = N - (V_t \cup M_t \cup S_t)$
23 Discussion
Arcs against Internet worms – symbols
– $N$: number of total targets
– $V_t$: number of uninfected vulnerable hosts at the t-th time tick
– $P_s$: probability of a successful attack, for each attack
– (symbol not recovered from the slide): number of attacks generated by an infected host in a time tick
– $S_0$: initial number of Arcs hosts
– $I_t$: number of immune hosts at the t-th time tick
– $M_t$: number of infected malicious hosts at the t-th time tick
– $P_t$: probability of a host being attacked at least once at the t-th time tick
24 Discussion
Portable Arcs against Internet worms – symbols
– $N$: number of total targets
– $V_t$: number of uninfected vulnerable hosts at the t-th time tick
– $P_s$: probability of a successful attack, for each attack
– (symbol not recovered from the slide): number of attacks generated by an infected host in a time tick
– $S_t$: number of Arcs hosts at the t-th time tick
– $M_t$: number of infected malicious hosts at the t-th time tick
– $P_t$: probability of a host being attacked at least once at the t-th time tick
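The slides define the model's symbols and the identity $I_t = N - (V_t \cup M_t \cup S_t)$ but the transition rules and the plots that follow are not reproduced in the extracted text. The following is an added, expected-value simulation written for this page, not the presentation's own simulator: the per-tick rules (vulnerable hosts compromised with probability $P_t P_s$; infected hosts that aim an attack at an Arcs host counterattacked with the same $P_s$, becoming immune under Arcs or new Arcs hosts under Portable Arcs) and the parameter values are assumptions. It covers both the Arcs symbol table and the Portable Arcs table, the only difference being whether $S_t$ grows.

```python
"""Mean-field (expected-value) simulation of the uniform-random-target worm
model from the discussion slides, comparing Arcs (a fixed number S0 of Arcs
hosts) with Portable Arcs (S_t grows).  Added example: the transition rules
below are an assumed reading of the slides, not the presentation's own model.
Symbols follow the slides: N, V_t, M_t, S_t, I_t, P_s, P_t."""


def p_attacked(n_attacks: float, N: int) -> float:
    """P_t: probability that a given host is targeted at least once when
    n_attacks attacks each pick one of N hosts uniformly at random."""
    return 1.0 - (1.0 - 1.0 / N) ** n_attacks


def simulate(N=10000, V0=9000, M0=10, S0=100, Ps=0.5, attacks_per_tick=5,
             ticks=60, portable=False):
    """Return one dict per time tick with V_t, M_t, S_t and I_t.
    Assumed rules per tick:
      * each vulnerable host is attacked with probability P_t and, if attacked,
        compromised with probability P_s (it moves from V to M);
      * each infected host that aims at least one of its attacks at an Arcs host
        is counterattacked, with the same success probability P_s (assumption);
        it leaves M and becomes immune (Arcs) or an Arcs host itself (Portable Arcs).
    V, M and S are disjoint, so I_t = N - (V_t + M_t + S_t) as on slide 22."""
    V, M, S = float(V0), float(M0), float(S0)
    history = []
    for t in range(ticks + 1):
        I = N - (V + M + S)
        history.append({"t": t, "V": V, "M": M, "S": S, "I": I})
        Pt = p_attacked(M * attacks_per_tick, N)
        new_infected = V * Pt * Ps
        p_hits_arcs = 1.0 - (1.0 - S / N) ** attacks_per_tick
        cleaned = M * p_hits_arcs * Ps
        V -= new_infected
        M += new_infected - cleaned
        if portable:
            S += cleaned               # counterattacked hosts become Arcs hosts
    return history


def final_state(**kwargs):
    """State at the last tick; convenient for comparing the two deployments."""
    return simulate(**kwargs)[-1]


if __name__ == "__main__":
    for label, portable in (("Arcs", False), ("Portable Arcs", True)):
        end = final_state(portable=portable)
        print(f"{label:14s} t={end['t']} V={end['V']:.1f} M={end['M']:.1f} "
              f"S={end['S']:.1f} I={end['I']:.1f}")
```

Running it shows the qualitative behaviour the slides argue for: with no Arcs hosts the worm saturates the vulnerable population, with a fixed number of Arcs hosts the infected population decays slowly after saturation, and with Portable Arcs each counterattacked host raises $S_t$ so the decay accelerates.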
25 Discussion: Against Internet Worm
[Plots for Arcs and Portable Arcs: number of hosts against number of time ticks]
26 Discussion: Against Internet Worm
[Second set of plots for Arcs and Portable Arcs, same axes]
27 Discussion: Against Internet Worm
[Third set of plots for Arcs and Portable Arcs, same axes]
28 Discussion
Limitations
– Detection: non-repeated deviation address
– Modification: multiple NOP sleds; extremely small injected code
29 Discussion
Counterattack risk
– Legal or illegal
– Arcs attacks Arcs
30 Discussion
Deployment strategies
– As a honeypot
– As important server protection
– Both of the above
– Depending on managers' requirements
Future work
– Arcs-based worm auto-cleaning system
31 Related work
Worm
– White worm
– Watertight compartment
– Vaccination
– Detection and monitoring
32 Conclusion
Automatic buffer overflow attack string modification
– Injected code replacement
– Effectiveness preserved
Arcs
– Automatic real-time counterattack system
– Flexible deployment
– Remote buffer overflow attack deterrence
Arcs-based applications
– Cleaning worms
– Detecting and identifying botnets
33 Q&A