Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yet Another Heapspray Detector Danny Kovach Raytheon SI.

Published byCora Blake Modified over 9 years ago

Similar presentations

Presentation on theme: "Yet Another Heapspray Detector Danny Kovach Raytheon SI."— Presentation transcript:

1 Yet Another Heapspray Detector Danny Kovach Raytheon SI

2 Introduction Our main purpose is to detect malware.

3 Introduction Currently we monitor an application in a VM for such behavior as: –Loading drivers –Creating executable files –Network activity Heap sprays are very hard to detect.

4 What is a heapspray? Technique used to put executable code onto the heap. Consists of –NOP sled –Shellcode Goal: direct execution flow to the NOP sled; shellcode.

5 How to detect a heapspray? Nozzle [1] BuBBle [3] Entropy

6 Idea! Treat byte values on the heap as a random variable and do math!

7 Assumptions Bytes on a normal heap should be randomly distributed (white noise) Fourier transform of white noise has constant magnitude.

8 Visualizing the Heap (normal program operation)

9

10

11 Fourier Transforms of the Heap (normal program operation)

12

13

14 Visualizing the Heap (heap spray)

15

16

17 Fourier Transforms of the Heap (heap spray)

18

19

20 Problem:

21 Low hanging fruit?

22 More Analysis Used the open source tool RapidMiner Started by making a decision tree

23 Results

24 100% accurate for all our test cases. Rushed into production (without further testing). FAIL!

25 Next attempt: Statistics Assume that distribution of bytes is Gaussian

26 Statistics for normal heap About 40 counts > 1 standard deviation Actual measurement: 20 – 30

27 Statistics for Heapspray NOP slide altered distribution Typically 2 – 8 > 1 standard deviation

28 Advantages of a Statistical Approach Easy to code Friendly to system resources More general than hard coded approach Theoretically sound

29 Results Out of over 500 files tested, we had 100% success. 0 false positives 0 false negatives

30 How to defeat Write shellcode so as to minimally alter normal distribution. Most likely will leave some signature. Invites cat and mouse game.

31 References 1.http://research.microsoft.com/en-us/projects/nozzle/http://research.microsoft.com/en-us/projects/nozzle/ 2.http://en.wikipedia.org/wiki/Heap_sprayinghttp://en.wikipedia.org/wiki/Heap_spraying 3.https://lirias.kuleuven.be/bitstream/123456789/265421/ 1/fulltext.pdfhttps://lirias.kuleuven.be/bitstream/123456789/265421/ 1/fulltext.pdf 4.http://www.mathnstuff.com/math/spoken/here/2class/9 0/normal.htmhttp://www.mathnstuff.com/math/spoken/here/2class/9 0/normal.htm

Download ppt "Yet Another Heapspray Detector Danny Kovach Raytheon SI."

Similar presentations

Introduction to Hypothesis Testing

Introduction to Hypothesis Testing
Applications of one-class classification

Applications of one-class classification
Estimating Identification Risks for Microdata Jerome P. Reiter Institute of Statistics and Decision Sciences Duke University, Durham NC, USA.

Estimating Identification Risks for Microdata Jerome P. Reiter Institute of Statistics and Decision Sciences Duke University, Durham NC, USA.
Machine Learning Math Essentials Part 2

Machine Learning Math Essentials Part 2
Common Cause Variation

Common Cause Variation
Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.

Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.
Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.

Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.

Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Part V The Generalized Linear Model Chapter 16 Introduction.

Part V The Generalized Linear Model Chapter 16 Introduction.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Copyright (c) 2009 John Wiley & Sons, Inc.

Copyright (c) 2009 John Wiley & Sons, Inc.
Chapter 10 Quality Control McGraw-Hill/Irwin

Chapter 10 Quality Control McGraw-Hill/Irwin
Networks, Lie Monoids, & Generalized Entropy Metrics Networks, Lie Monoids, & Generalized Entropy Metrics St. Petersburg Russia September 25, 2005 Joseph.

Networks, Lie Monoids, & Generalized Entropy Metrics Networks, Lie Monoids, & Generalized Entropy Metrics St. Petersburg Russia September 25, 2005 Joseph.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Kevin and Kyra Moon EE 670 December 1, 2011.  Background ◦ Motivation ◦ Problem  Theoretical model for backscatter  Simulations  Estimators ◦ ML ◦

Kevin and Kyra Moon EE 670 December 1,  Background ◦ Motivation ◦ Problem  Theoretical model for backscatter  Simulations  Estimators ◦ ML ◦
1 Real Time Polymorphic Shellcode Detection Evgeny Pinchuk Radware SOC Team.

1 Real Time Polymorphic Shellcode Detection Evgeny Pinchuk Radware SOC Team.
Image Enhancement.

Image Enhancement.
Independent Sample T-test Classical design used in psychology/medicine N subjects are randomly assigned to two groups (Control * Treatment). After treatment,

Independent Sample T-test Classical design used in psychology/medicine N subjects are randomly assigned to two groups (Control * Treatment). After treatment,

Similar presentations

Ads by Google