Presentation is loading. Please wait.

Presentation is loading. Please wait.

MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.

Published byFranklin Lloyd Modified over 9 years ago

Similar presentations

Presentation on theme: "MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive."— Presentation transcript:

1 MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive Shellcode Detection using Runtime Heuristics

2 Introduction Architecture Runtime Heuristics Implementation Experimental Evaluation Conclusion Outline 2

3 The injected code, known as shellcode, carries out the first stage of the attack, which usually involves the download and execution of a malware binary on the compromised host. Introduction 3

4 Identify the presence of shellcode in network inputs using static code analysis - advanced obfuscation - self-modifications Dynamic code analysis using emulation - quite effective Introduction 4

5 But these are confined to the detection of a particular class of polymorphic shellcode that exhibits self-decrypting behavior Metamorphism Introduction 5

6 In this paper, present a comprehensive shellcode detection technique based on payload execution Detection method relies on several runtime heuristics tailored to the identification of different shellcode types Gene, a network level detector based on passive network monitoring Introduction 6

7 Architecture 7

8 Shellcode is meant to be injected into a running process and it usually accesses certain parts of the process' address space Gene is equipped with a fully blown virtual memory subsystem that handles all user-level memory accesses Architecture 8

9 Runtime Heuristics 9

10 Windows API is divided into several dynamic load libraries (DLLs) In order to call an API function, the shellcode must first find its absolute address in the address space of the process Searching for the Relative Virtual Addresses (RVAs) of the function in the Export Directory Table (EDT) of the DLL - LoadLibrary - GetProcAddress Runtime Heuristics - Resolving kernel32.dll 10

11 No matter which method is used, a common fundamental operation in all methods is that the shellcode has to first locate the base address of kernel32.dll Runtime Heuristics - Resolving kernel32.dll 11

12 Process Environment Block [PEB] - a user-level structure that holds extensive process specific informationPEB Runtime Heuristics - Process Environment Block 12

13 Condition P1. (i) the linear address of FS:[0x30]is read (ii) the current or any previous instruction involved the FS register, then this input may correspond to a shellcode that resolves kernel32.dll through the PEB Runtime Heuristics - Process Environment Block 13

14 Condition P2. PEB_LDR_DATA structure - holds the list of loaded modules PEB_LDR_DATA (P2): the linear address of PEB.LoaderDatais read. Runtime Heuristics - Process Environment Block 14

15 Condition P3. Walk through the loaded modules list and locate the second entry (kernel32.dll) (P3): the linear address of any of the Flink or Blink pointers in the one of the three list records of the PEB_LDR_DATA structure is read. Runtime Heuristics - Process Environment Block 15

16 Structured Exception Handling (SEH) - provides a unified way of handling hardware and software exceptionsSEH Runtime Heuristics - Backwards Searching 16

17 Runtime Heuristics - Backwards Searching 17

18 Condition B1. (i) any of the linear address between FS:[0]–FS:[0x8] is read (ii) the current or any previous instruction involved the FS register. Runtime Heuristics - Backwards Searching 18

19 Condition B2. (B2): the linear address of the Handlerfield of the default SEH handler is read. Runtime Heuristics - Backwards Searching 19

20 Condition B3. (B3): at least one memory read form the address space of kernel32.dll Runtime Heuristics - Backwards Searching 20

21 Egg-hunt shellcode Runtime Heuristics – Process Memory Scanning 21

22 Installing a custom exception handler that is invoked in case of a memory access violation Create a new SEH frame and adjust the current SEH frame pointer of the TIB to point to it Directly modify the Handler pointer of the current SEH frame to point to the attacker's handler routine Process Memory Scanning - SEH 22

23 Condition S1. (i) the linear address of FS:[0]is read or written (ii) the current or any previous instruction involved the FS register. Process Memory Scanning - SEH 23

24 Condition S2. (S2): the linear address of the Handler field in the custom SEH frame is or has been written Process Memory Scanning - SEH 24

25 Condition S3. (S3): starting from FS:[0], all SEH frames should reside on the stack, and the Handler field of the last frame should be set to 0xFFFFFFFF Process Memory Scanning - SEH 25

26 Another way to safely scanning the process address space is to check whether a page is mapped—before actually accessing it—using a system call Some Windows system calls accept as an argument a pointer to an input parameter. If the supplied pointer is invalid, the system call returns with a return value of STATUS_ACCESS_VIOLATION. Process Memory Scanning – System Call 26

27 Process Memory Scanning – System Call 27

28 Condition C1. (C1): the execution of an int 0x2e instruction with the eax register set to one of the following values: NtAccessCheckAndAuditAlarm(0x2), NtAddAtom (0x8), NtDisplayString(0x39 in Windows 2000, 0x43 in XP, 0x46 in 2003 Server, and 0x7F in Vista) Process Memory Scanning – System Call 28

29 Condition C2. (C2): (C{N}): C1 holds true N times Process Memory Scanning – System Call 29

30 The most widely used types of GetPC code for this purpose rely on some instruction from the call or fstenv instruction groupsGetPC The shellcode can register a custom exception handler, trigger an exception Runtime Heuristics – SHE-based GetPC Code 30

31 Gene, a network-level attack detector that uses a custom IA-32 emulator to identify the presence of shellcode in network streams Scan the client-initiated part of each TCP connection using the runtime heuristics The virtual memory of the emulator is initialized with an image of the complete address space of a typical Windows XP process taken from a real system Implementation 31

32 Experimental Evaluation – Detection Effectiveness 32

33 False Positives Evaluation - using a large and diverse set of benign inputs to test Heuristic Analysis Experimental Evaluation – Heuristic Robustness 33

34 Running on a system with a Xeon 1.86GHz processor and 2GB of RAM Experimental Evaluation – Runtime Performance 34

35 Deployed Gene in two University networks, where it has been operational since 25 November 2009. As of 17 April 2010, Gene has detected 116,513 code injection attacks against internal and external hosts in these two networks Experimental Evaluation – Real-world Deployment 35

36 Present a comprehensive shellcode detection method based on code emulation Expands the range of malicious code types that can be detected Detection of plain and metamorphic shellcode Without any false positives Conclusion 36

37 TIB and Thread Stack 37

Download ppt "MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive."

Similar presentations

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.

Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.

Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
OS Fall ’ 02 Introduction Operating Systems Fall 2002.

OS Fall ’ 02 Introduction Operating Systems Fall 2002.
Run-Time Storage Organization

Run-Time Storage Organization
OS Spring’03 Introduction Operating Systems Spring 2003.

OS Spring’03 Introduction Operating Systems Spring 2003.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>> www.softwaretestinggenius.com

Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>>
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.
A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.

A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Similar presentations

Ads by Google