Presentation is loading. Please wait.

Presentation is loading. Please wait.

 Introduction  Related Work  Challenges for Software-based CPU Emulation Detection Approaches  Our Approach  Evaluation  Limitations 2 A Seminar.

Published byCory Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: " Introduction  Related Work  Challenges for Software-based CPU Emulation Detection Approaches  Our Approach  Evaluation  Limitations 2 A Seminar."— Presentation transcript:

1

2  Introduction  Related Work  Challenges for Software-based CPU Emulation Detection Approaches  Our Approach  Evaluation  Limitations 2 A Seminar at Advaced Defense Lab

3  In recent years, code-injection attacks have become a widely popular modus operandi for performing malicious actions on network services and client- based programs.[link]link  Exploitation toolkits › Phoenix [link]link 3 A Seminar at Advaced Defense Lab

4  Today, malicious PDFs are distributed via mass mailing, targeted email, and drive- by downloads.  The “stream objects” in PDF allow many types of encodings to be used, including multi-level compression, obfuscation, and even encryption. 4 A Seminar at Advaced Defense Lab

5  The key to detecting these attacks lies in accurately discovering the presence of the shellcode in network payloads or process buffers.  In this paper, we argue that a promising technique for detecting shellcode is to examine the input and efficiently execute its content to find what lurks within. 5 A Seminar at Advaced Defense Lab

6  Finding the presence of malicious code by searching for tell-tale signs of executable code  Toth and Kruegel, “Accurate Buffer Overflow Detection via Abstract Payload Execution”, 2002 6 A Seminar at Advaced Defense Lab

7  Polychronakis et al., “Network-level Polymorphic Shellcode Detection using Emulation”, 2006 7 A Seminar at Advaced Defense Lab

8  the instruction set for modern CISC architectures is very complex, and so it is unlikely that software emulators will ever be bug free. › FPU-based GetPC instructions [link]link  Special purpose CPU emulators › Nemu, libemu[link]link › large subsets of instructions rarely used by injected code are skipped 8 A Seminar at Advaced Defense Lab

9  the vast majority of network streams will contain benign data, some of which might be significant in size.  A separate execution chain must be attempted for each offset in a network stream because the starting location of injected code is unknown. 9 A Seminar at Advaced Defense Lab

10  We allow instruction sequences to execute directly on the CPU using hardware virtualization, and only trace specific memory reads, writes, and executions through hardware-supported paging mechanisms.  Our design for enabling hardware-support of code injection attacks is built upon Kernel-based Virtual Machine (KVM). 10 A Seminar at Advaced Defense Lab

11 11 A Seminar at Advaced Defense Lab

12  The kernel supports loading arbitrary snapshots created using the minidump format[link].link  instructions are executed directly on the CPU in usermode until execution is interrupted by a fault, trap, or timeout. 12 A Seminar at Advaced Defense Lab

13  We force a trap to occur on access to an arbitrary virtual address by clearing the present bit of the page entry.  Any heuristic based on memory reads, writes, or executions can be supported with coarse-grained tracing. 13 A Seminar at Advaced Defense Lab

14  we chose to implement the PEB heuristic proposed by Polychronakis et al.  This heuristic detects injected code that parses the process-level TEB and PEB data structures. 14 A Seminar at Advaced Defense Lab

15  We place traps on the addresses of the specific functions, and when triggered, a handler for the corresponding call is invoked. 15 A Seminar at Advaced Defense Lab

16  We built two platforms that rely on ShellOS to scan buffers for injected code.  For client-based programs › We implemented a lightweight memory monitoring facility that allows ShellOS to scan buffers created by documents loaded. 16 A Seminar at Advaced Defense Lab

17 17 A Seminar at Advaced Defense Lab

18  For network services › We build a platform to detect code injection attacks on network services by reassembling observed network streams and executing each of these streams. 18 A Seminar at Advaced Defense Lab

19  Environment › Intel Xeon Quad Processor machine with 32 GB of memory. › The host OS was Ubuntu with kernel version 2.6.35. 19 A Seminar at Advaced Defense Lab

20  Metasploit › For each encoder, we generated 100s of attack instances by randomly selecting 1 of 7 exploits, 1 of 9 self-contained payloads.  As the attacks launched, we captured the network traffic for later network-level buffer analysis. 20 A Seminar at Advaced Defense Lab

21 21 A Seminar at Advaced Defense Lab

22 22 A Seminar at Advaced Defense Lab

23  We built a testbed consisting of 32 machines running FreeBSD 6.0 and generated traffic using a state-of-the-art traffic generator, Tmix [link].link  We supply Tmix with a network trace of HTTP connections captured on the border links of UNC-Chapel Hill in October, 2009. 23 A Seminar at Advaced Defense Lab

24 24 A Seminar at Advaced Defense Lab

25 25

26 A Seminar at Advaced Defense Lab 26

27  The malicious PDFs were randomly selected from suspicious files flagged by a large-scale web malware detection system.  We also use a collection of 179 benign PDFs from various USENIX conferences. A Seminar at Advaced Defense Lab 27

28 A Seminar at Advaced Defense Lab 28 All attacks use ROP

29 A Seminar at Advaced Defense Lab 29 512KB

30 A Seminar at Advaced Defense Lab 30 5 secs 26 secs

31 A Seminar at Advaced Defense Lab 31

32  85% of the injected code exhibited an identical API call sequence. A Seminar at Advaced Defense Lab 32

33 A Seminar at Advaced Defense Lab 33

34  Although the code copy is not apparent in the API call sequence alone, ShellOS may also provide an instruction-level trace by single-stepping each instruction via the TRAP bit in the flags register. A Seminar at Advaced Defense Lab 34

35  We note, however, that this particular challenge is not unique to ShellOS. A Seminar at Advaced Defense Lab 35

36  Shellcode designed to execute under very specific conditions may not operate as expected.  Software-based emulators are able to quickly detect and exit an infinite loop.  It may still be possible to detect a virtualized environment through the small set of instructions. A Seminar at Advaced Defense Lab 36

37  ShellOS provides a framework for fast detection and analysis of a buffer, but an analyst or automated data pre- processor must provide these buffers. A Seminar at Advaced Defense Lab 37

38 A Seminar at Advaced Defense Lab 38

Download ppt " Introduction  Related Work  Challenges for Software-based CPU Emulation Detection Approaches  Our Approach  Evaluation  Limitations 2 A Seminar."

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Exceptional Control Flow Processes Today. Control Flow Processors do only one thing: From startup to shutdown, a CPU simply reads and executes (interprets)

Exceptional Control Flow Processes Today. Control Flow Processors do only one thing: From startup to shutdown, a CPU simply reads and executes (interprets)
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Boxuan Gu, Xiaole Bai, Zhimin Yang,Xiaole BaiZhimin Yang Adam C. ChampionAdam C. Champion, Dong XuanDong Xuan Dept. of Computer Science and Engineering.

Boxuan Gu, Xiaole Bai, Zhimin Yang,Xiaole BaiZhimin Yang Adam C. ChampionAdam C. Champion, Dong XuanDong Xuan Dept. of Computer Science and Engineering.
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
CS 345 Computer System Overview

CS 345 Computer System Overview
Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.

Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.
CMPT 300: Operating Systems I Dr. Mohamed Hefeeda

CMPT 300: Operating Systems I Dr. Mohamed Hefeeda
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Memory Management (II)

Memory Management (II)
Translation Buffers (TLB’s)

Translation Buffers (TLB’s)
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.

1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
Worms By: Aaron Stahler. Difference Between a Worm and A Virus Viruses are computer programs that are designed to spread themselves from one file to another.

Worms By: Aaron Stahler. Difference Between a Worm and A Virus Viruses are computer programs that are designed to spread themselves from one file to another.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
What is adaptive web technology?  There is an increasingly large demand for software systems which are able to operate effectively in dynamic environments.

What is adaptive web technology?  There is an increasingly large demand for software systems which are able to operate effectively in dynamic environments.
CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.

CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

Similar presentations

Ads by Google