01/04/2006ecs236 winter 20061 Intrusion Detection ecs236 Winter 2006: Intrusion Detection #2:...

01/04/2006 ecs236 winter 2006 1

ecs236 Winter 2006:

Intrusion DetectionIntrusion Detection#2: Vulnerability Analysis

Dr. S. Felix Wu

Computer Science Department

University of California, Davishttp://www.cs.ucdavis.edu/~wu/

[email protected]

01/04/2006 ecs236 winter 2006 2

Intrusion DetectionIntrusion Detection

IntrusionDetection

Model

Input eventsequence Results

Pattern matching

01/04/2006 ecs236 winter 2006 3

SNORTSNORT

Rules

Input eventsequence Results

Pattern matching

01/04/2006 ecs236 winter 2006 4

WORMWORM Since November 2nd of 1988…

– Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…

inject infect spread

01/04/2006 ecs236 winter 2006 5



inject infect spread

WORM is causing Internet-wide instability.

01/04/2006 ecs236 winter 2006 6

2T

Slammer BGPInternet routing stability analysis on a Beijing prefix

09/01/2002 01/31/2003

01/04/2006 ecs236 winter 2006 7

Network meets SoftwareNetwork meets Software

An interesting interaction among the Internet, the software on the hosts, and the worms themselves.

The “short-term” Reality:– Estimated 40~50% of Internet hosts are still

vulnerable to CodeRed.

01/04/2006 ecs236 winter 2006 8



inject infect spread WORM is causing Internet-wide instability. WORM is a critical first step for the attacker

to quickly build the large-scale attacking infrastructure.

01/04/2006 ecs236 winter 2006 9

WORM + DDoSWORM + DDoS

Victim

ISP.com

01/04/2006 ecs236 winter 2006 10

They are getting better…They are getting better…

The rapid evolution of the “attacker’s community”

01/04/2006 ecs236 winter 2006 11

They are getting better…They are getting better…

The rapid evolution of the “attacker’s community”

And, many thanks to our rapid growing software industry in the past “N” years as well…

01/04/2006 ecs236 winter 2006 12

Software VulnerabilitySoftware Vulnerability Software vulnerabilities are weaknesses,

being introduced during the “software engineering” process, that can potentially be exploited by attackers.– OS kernels, device drivers, applications…

There are other types of vulnerabilities in our software systems that can be exploited.

01/04/2006 ecs236 winter 2006 13

Software VulnerabilitySoftware Vulnerability

Difficulties in security management– we don’t know how attackers are going to attack

us,– And, we don’t know which vulnerabilities

can/will be exploited, either.

01/04/2006 ecs236 winter 2006 14

Software VulnerabilitySoftware Vulnerability Focus on Software Vulnerabilities Two approaches

– better software engineering– better vulnerabilities understanding

01/04/2006 ecs236 winter 2006 15

Software VulnerabilitySoftware Vulnerability Focus on Software Vulnerabilities Two approaches

– better software engineering– better vulnerabilities understanding

Practically, around the Internet, we currently have and will still have a large number of legacy software systems around for “quite a while.”

01/04/2006 ecs236 winter 2006 16

Network-based SolutionsNetwork-based Solutions

“Intrusion Prevention Systems” or “Advanced Firewalls”

IntrusionPreventionSystem

Legacyvictims

packet packet

analyze & drop

01/04/2006 ecs236 winter 2006 17

Vulnerability vs. ExploitVulnerability vs. Exploit

Vulnerability– the “weak” points in the software– applications or even the kernel itself– “control flow hijack” based on buffer overflow.

Exploit– the attack code utilizing one or more

vulnerabilities

01/04/2006 ecs236 winter 2006 18

Buffer OverflowBuffer OverflowSome unsafe functions in C library:strcpy(char *dest, const char *src);strcat(char *dest, const char *src);getwd(char *buf);gets(char *s);fscanf(FILE *stream, const char *format, ...);scanf(const char *format, ...);realpath(char *path, char resolved_path[]);sprintf(char *str, const char *format);

NoVerification

……

01/04/2006 ecs236 winter 2006 19

01/04/2006 ecs236 winter 2006 20

High

LowStack Growth

String Growth

Arguments

Return address

Prev. frame pointer

Local variables

Stack Pointer

01/04/2006 ecs236 winter 2006 21

High

LowStack Growth

String Growth

Arguments

Return address

Prev. frame pointer

Local variables

Stack Pointer

bar( ){……}

foo( ){ …… call bar( ); ……}

foo

bar

01/04/2006 ecs236 winter 2006 22

int bar(int a, int b){ int i, j; char buf[9]; i = 5; j = 123; strcpy(buf, “securephdbcde”);}

b

a

high

low

ret address

SFP

05 00 00 00

65 00 00 00

64 62 63 64

72 65 70 68

73 65 63 75Buffer Overflow

5

e

d b c d

r e p h

s e c u

01/04/2006 ecs236 winter 2006 23

int bar(int a, int b){ int i, j; char buf[9]; i = 5; j = 123; strcpy(buf, “securephdaaabbbbcccceeeeffff”);}

b

a

high

low

ret address

SFP

5

123

63 63 63 63

62 62 62 62

64 61 61 61

72 65 70 68

73 65 63 75

65 65 65 65

64 64 64 64

Ret Overflow

Segmentation fault...

RetAddr = 0x65656565

01/04/2006 ecs236 winter 2006 24

High

LowStack Growth

String Growth

Arguments

Return address

Prev. frame pointer

Local variables

Stack Pointer

bar( ){……}

foo( ){ …… call bar( ); ……}

foo

bar

01/04/2006 ecs236 winter 2006 25

High

LowStack Growth

String Growth

Arguments

Return address

Prev. frame pointer

Local variables

Stack Pointer

bar( ){……}

foo( ){ …… call bar( ); ……}

foo

bar

01/04/2006 ecs236 winter 2006 26

Control Flow HijackControl Flow Hijack I want “my code” executed!

– Malicious code injection– Control flow redirection/hijacking

code code

codecode

VirusWorm

01/04/2006 ecs236 winter 2006 27

What is a “vulnerability”?What is a “vulnerability”?

???

01/04/2006 ecs236 winter 2006 28

A Single Packet ExploitA Single Packet Exploit

Attack CodeExploit

(ReturnAddr)

Return Address == 0x4739a304

01/04/2006 ecs236 winter 2006 29

0000000 9090 9090 9090 9090 9090 9090 9090 9090 *00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031 0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03 0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962 0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff 0000230 f822 bfff f822 bfff f822 bfff f822 bfff *00004a0 f822 bfff f822 bfff f822 bfff 9090 9090 00004b0 fa48 bfff

Example

01/04/2006 ecs236 winter 2006 30


Example: NOP-sled

Sometime we can not easily determine the “exact” memory address to jump into…

01/04/2006 ecs236 winter 2006 31

““NOP Sled” EngineeringNOP Sled” Engineering

Attack CodeExploit

(ReturnAddr)

Attack CodeExploit

(ReturnAddr)NOP NOPNOP NOP

code[] = “\xeb\x2a\x5f\xc6\x47\x07\x00\x89\x7f\x08\xc7\x47”;

strcpy(buf, code);

buf = “\xeb\x2a\x5f\xc6\x47\x07”

And, sometimes, we simply want to find a way to avoid “\x00”.

01/04/2006 ecs236 winter 2006 32

attack polymorphismattack polymorphism(many different ways)(many different ways)

Attack CodeExploit

(ReturnAddr)

Attack CodeExploit

(ReturnAddr)Decryption

Code

The Signature Explosion Problem!!

01/04/2006 ecs236 winter 2006 33

Vulnerability vs. ExploitVulnerability vs. Exploit

1 M or N M Polymorphic tools available

– A Naïve approach: M

Can we find the “invariants”?– We need to avoid “signature explosion”…

01/04/2006 ecs236 winter 2006 34

Attack CodeExploit


Code

Attack CodeExploit


CodeNOP NOPNOP NOP

01/04/2006 ecs236 winter 2006 35

Detecting “NOP Sleds”Detecting “NOP Sleds”

“Intrusion Prevention Systems” or “Advanced Firewalls”

IntrusionPreventionSystem

Legacyvictims

packet packet

analyze & drop

NOP SledSignatures

01/04/2006 ecs236 winter 2006 36


A WORM with a NOP-Sled

01/04/2006 ecs236 winter 2006 37

0000000 5247 5237 5759 9199 984e 602f 4b58 9555 0000010 3792 4997 6059 5a5d 979c 9199 9242 9349 0000020 495e 5b37 4740 5d4f 4f99 975f 4492 3797 0000030 4297 9e93 4598 404a 9696 4652 5150 5e4f 0000040 454d 99fc 5251 5042 9b37 4042 4a95 4459 0000050 4592 4998 935f 275f 985d f84e 4991 fc96 0000060 9796 4637 5b3f 9751 9754 9f5a 9543 4c9e 0000070 4740 9c96 499f 5652 934e 5355 479b 91f8 0000080 48fc 5d60 4742 9755 4450 4441 4697 5697 0000090 5b52 494f 434d 5899 f827 9957 4346 9796 00000a0 404c 4a45 6040 404c 4957 5798 99f9 569b 00000b0 4145 96fc 5140 4c56 f946 9348 4f4d f8f8 00000c0 2f59 4c46 9647 4747 9e48 5137 4142 5b4d 00000d0 545f 55f9 5e56 4191 9249 519e 559e 6099

A Polymorphic WORM

01/04/2006 ecs236 winter 2006 38

NOP sledsNOP sleds

“NOP sled” can/will NOT be a useful signature in detecting future WORMs…

80~90% of the WORMs today don’t really need “NOP sleds” but, historically, they are still “left” there.

01/04/2006 ecs236 winter 2006 39

BUTTERCUPBUTTERCUP

Ideas:– Given a software exploit, the hacker can

encrypt the malicious code but not the “hijacking” entry point (e.g., return address).

– The hacker can twist the “return address” but practically not infinitely a range of memory addresses.

01/04/2006 ecs236 winter 2006 40

Memory Address RangesMemory Address Ranges

Arguments

Return address

Prev. frame pointer

Local variables

Arguments

Return address

Prev. frame pointer

Local variables

One “Exploit”has one “return address” value, but another exploit based on the same vulnerability might be using a different return address.

01/04/2006 ecs236 winter 2006 41

size, offset and depthsize, offset and depth

Arguments

Return address

Prev. frame pointer

Local variables

Attack CodeExploit


CodeNOP NOPNOP NOP

0x42b0caa4

0x42b0c914

Is this packet a Slammer worm or a suspect “utilizing” the same vulnerability?

performance& false positive

01/04/2006 ecs236 winter 2006 42

BUTTERCUPdetection/prevention victim

packet packet

memoryrangetable

analyze & drop

19 known exploits/vulnerabilities

IPUPR. LYR. PAYLOAD TCP/UDP HDR

IPUPR. LYR. PAYLOAD TCP/UDP HDRAttack CodeExploit


CodeNOP NOPNOP NOP

False Positive??

IDS/IPSpreprocessing

01/04/2006 ecs236 winter 2006 43

01/04/2006 ecs236 winter 2006 44

about about 30~180 days30~180 days In July, 2002 Microsoft announced the vulnerabilities!

On January 25, 2003 05:30 UTC, slammer was out!

We had about 6 months back then!!

BUTTERCUP, a network based approach, might have been more practical and scaleable than Windows Update!!

01/04/2006 ecs236 winter 2006 45

LimitationLimitation

BUTTERCUP will only work for “known vulnerabilities”!

– But, it may work for Zero-day exploits based on known vulnerabilities.

01/04/2006 ecs236 winter 2006 46

BUTTERCUP MINOS

DACODA

packet packet

alertcorrelation ranges

Unknown-vulnerability Collaborative Defense

(UCD)

1

2

3

01/04/2006 ecs236 winter 2006 47

UCD-MINOS

MS-Host

MS-Host

MS-HostMS-Host

MS-Host

UCD-MINOS

UCD-BUTTERCUP

UCD-BUTTERCUP

Internet

UCD-DACODA

It is not perfect, but it is a reasonable & practical trade-off between large-scale system administration (manageability) and security!

01/04/2006 ecs236 winter 2006 48

MinosMinos Can we detect “vulnerabilities/exploits” with only

one signature/invariance at run-time?– We are not performing analysis on source code!

we might not have it, and, it might be too late.

– “Run-Time” system monitoring

– Anomaly detection False Positive/Negative

Detecting “Control Flow Hijacks”– from the CPU point of view

A surprisingly simple practical solution with “zero false positive”… at least empirically.

01/04/2006 ecs236 winter 2006 49

Arguments

Return address

Prev. frame pointer

Local variables

Control Flow HijackControl Flow Hijack

code code

High Integrity Low Integrity

01/04/2006 ecs236 winter 2006 50

Information Integrity LabelingInformation Integrity Labeling

“source identification” of information,– especially, when we are going to hand over the

“control flow” to a particular piece of data.– One extra integrity bit for every memory word.

Minos:– Low integrity: 0 - from the NIC– High integrity: 1 - other sources

01/04/2006 ecs236 winter 2006 51

Bochs-Emulated MinosBochs-Emulated MinosWinXP Linux

PentiumEmulationmodifiedBochs VM

Host OSs

Virtual MemoryTracing

NE2000

01/04/2006 ecs236 winter 2006 52

MinosMinos

MINOS

Bochs

TracingWithoutModifyingOS kernel orApplications(no source code or binary rewrite)

jmpcallret

Un-trusted low-integrity information is being propagated, combined, modified…

01/04/2006 ecs236 winter 2006 53

Biba’s Low-water-markBiba’s Low-water-mark Integrity Policy Integrity Policy

Tracks the “taintedness” of data Access controls are based on accesses a

subject has made in the past

01/04/2006 ecs236 winter 2006 54

When an attack is When an attack is caught…caught…

Control-flow related instructions low integrity data– Examples: call, jmp, ret

01/04/2006 ecs236 winter 2006 55

FP & FNFP & FN Against real attacks (30~50 per months) under 4

static IP addresses– We have changed/reconfigured to try different

software patches and versions.

– Many high-frequency attacks were patched.

Control Flow Hijack– Zero false positive (a proof?)

How about False Negative?– Information flow, and virtual memory

01/04/2006 ecs236 winter 2006 56

Full Virtualization with Security Enhancements(Minos/DaCodA)

Unmodified OS (XP, Linux, Solaris, or, FreeBSD)

Unmodified Applications

Hardware

security-enhanced virtualizationsecurity-enhanced virtualization

For Minos/DaCodA, we modified the Pentium architecture in Bochs, an open source VM, to prevent control flow hijack attacks with zero false positive

01/04/2006 ecs236 winter 2006 57

MINOS MINOS DACODA DACODA

exploit vulnerability invariant signature

01/04/2006 ecs236 winter 2006 58

MINOS MINOS DACODA DACODA Buttercup: NOMS’2004 Minos: Micro’2004 Minos Honeypot: DIMVA’2005

01/04/2006 ecs236 winter 2006 59

MINOS MINOS DACODA DACODA Buttercup: NOMS’2004 Minos: Micro’2004 Minos Honeypot: DIMVA’2005 DACODA: ACM CCS’2005

– UnderStand the amount of possible Polymorphisms– “negative results”

Why Buttercup, Taintcheck, Polygraph, Earlybird, and basically all existing network-based solutions won’t work!!

01/04/2006 ecs236 winter 2006 60

Understanding the Understanding the ExploitsExploits Attacks are much more complex than

our naïve belief, based on our analysis of 14+ recent exploits

01/04/2006 ecs236 winter 2006 61

01/04/2006 ecs236 winter 2006 62

Simple view of buffer Simple view of buffer overflowsoverflows

01/04/2006 ecs236 winter 2006 63



CodeNOP NOPNOP NOP System State Changes

How can each of the stages be polymorphic?

01/04/2006 ecs236 winter 2006 64

Register SpringRegister Spring

We in general don’t know which “thread stack” will be used?! 4 millions in memory differences.

01/04/2006 ecs236 winter 2006 65

Register SpringRegister SpringHigh

LowStack Growth

Arguments

Return address

Prev. frame pointer

Local variables

Stack Pointer

jmp ESP

foo

barret

11,000

01/04/2006 ecs236 winter 2006 66

SlammerSlammer

01/04/2006 ecs236 winter 2006 67

ESPESP

Register springs off of ESP utilize the compiler conventions for managing stack frames

01/04/2006 ecs236 winter 2006 68

Start:

CALL FunctionWithBufferOverflow

FunctionWithBufferOverflow:

PUSH EBP

MOV EBP,ESP

…

CALL OverflowMyBuffer

…

POP EBP

RET

ESP

01/04/2006 ecs236 winter 2006 69

Start:



PUSH EBP

MOV EBP,ESP

…


…

POP EBP

RET

Start+6

ESP

High

01/04/2006 ecs236 winter 2006 70

Start:



PUSH EBP

MOV EBP,ESP

…


…

POP EBP

RET

Start+6

Old EBP

ESP

High

01/04/2006 ecs236 winter 2006 71

Start:



PUSH EBP

MOV EBP,ESP

…


…

POP EBP

RET

Start+6

Old EBP

ESP/EBP

MyBuffer

High

01/04/2006 ecs236 winter 2006 72

Start:



PUSH EBP

MOV EBP,ESP

…


…

POP EBP

RET

Attack8

Attack7

Attack6

Attack5

Attack4

Attack3

Attack2

Attack1

Attack0

ESP/EBP

MyBuffer

Low

01/04/2006 ecs236 winter 2006 73

Start:



PUSH EBP

MOV EBP,ESP

…


…

POP EBP

RET

Attack8

Attack7

Attack6

Attack5

Attack4

Attack3

Attack2

Attack1

Attack0

ESP

MyBuffer

(EBP == Attack5)

code

jmp ESP

Low

01/04/2006 ecs236 winter 2006 74

Start:



PUSH EBP

MOV EBP,ESP

…


…

POP EBP

RET

Attack6:

JMP ESP

Attack8

Attack7

Attack6

Attack5

Attack4

Attack3

Attack2

Attack1

Attack0

ESP

MyBuffer

(EBP == Attack5)

01/04/2006 ecs236 winter 2006 75

NotesNotes

This is how Slammer worked, Sasser is very similar, as are a couple of others

Bogus return pointer is Attack6, payload starts at Attack7

01/04/2006 ecs236 winter 2006 76

Other registersOther registers

Register springs off of other registers utilize the compiler conventions for managing buffers (i.e. EBX is the “base” register for indexing the base of a buffer, ESI is the “source” register for string operations, EDI is the “destination”, …)

Blaster RPC DCOM used EBX, ASN.1 uses EDI, Code Red II used EBX

01/04/2006 ecs236 winter 2006 77

DCOM Exploits in svchostDCOM Exploits in svchost(Blaster)(Blaster)

0xff 0xd3 is CALL EBX which is the one Blaster used, but JMP EBX (0xff 0xe3) works just as well.

a little over 11,000 in svchost 0x0100139d is the only one that Blaster

used and is the one the publicly available DCOM exploit uses.

01/04/2006 ecs236 winter 2006 78

High

LowStack Growth

Arguments

Return address

Prev. frame pointer

Local variables

Stack Pointer

jmp ESP

foo

barret

11,000

…

…

01/04/2006 ecs236 winter 2006 79

BUTTERCUPdetection/prevention victim

packet packet

memoryrangetable dropknown

exploits

11,000 Signatures for ONE vulnerability!!

False Positive on BUTTERCUP???

01/04/2006 ecs236 winter 2006 80

Register Spring+PolymorphicRegister Spring+Polymorphic

Attack CodeExploit

(RegisterSpring)Decryption

CodeNOP NOPNOP NOP

????

“0x0100139d”

01/04/2006 ecs236 winter 2006 81

EBX-based ButtercupEBX-based Buttercup

Among all the memory address for call ebx (0xff 0xd3 -- 11000+ of them), only four of them are around 0x01001***, about another 600+ are from 0x719555a4 to 0x71c637b3. But, the rest of them (the majority 10000+) are all from 0x7585149f to 0x77fbc10b.

0x0100139d 0x010013a2 0x01001c83 0x01001cc7 0x719555a4 0x71c637b3 0x7585149f 0x77fbc10b

01/04/2006 ecs236 winter 2006 82

RemarksRemarks Software Vulnerability is a very difficult issue

to manage, especially on the wire.– Naïve payload analysis will be much less

meaningful– Minos is an excellent “host-based” solution– Not focus on the intention of the attacker– Focus on how their code can get in!

Minos + DACODA UnderStand– But, NO simple & yet powerful “signature”!

01/04/2006 ecs236 winter 2006 83

Vulnerability Vulnerability Primitive Primitive Primitive

– The capability for the attacker to put a value in a particular memory address.

– A memory system state change

NoVerification

……

And, we “might” have to perform such analysis on the wire!!

01/04/2006 ecs236 winter 2006 84



CodeNOP NOPNOP NOP System State Changes

Focus on “Primitives” being used in the “Epsilon” phase!

Application dependent analysis

01/04/2006 ecs236 winter 2006 85

IPS MINOS

DACODA

packet packet

alertcorrelation ranges

Unknown-vulnerability Collaborative Defense

1

2

3

NoVerification

……

01/04/2006 ecs236 winter 2006 86

Full Virtualization with Security Enhancements(Minos/DaCodA)

Unmodified OS (XP, Linux, Solaris, or, FreeBSD)

Unmodified Applications

Hardware

IPS IPS virtualization virtualization

NIDS/NIPS

Recovery in Memory

What types of roll-backs will make the most sense practically?OS versus Applications

01/04/2006 ecs236 winter 2006 87

RecoveryRecovery VM level: Files

– Virtual Hard Disk File Recovery

– OS kernel– #1: what will be the challenges in doing it in

the VM level?– #2: how exactly to recover the most from an

attack?

01/04/2006 ecs236 winter 2006 88

virusvirus

Clickme.exe MSword.exe

FS

easily

01/04/2006 ecs236 winter 2006 89

Tricky virusTricky virus

MSword.exe FS

MSword.exe FS

01/04/2006 ecs236 winter 2006 90

IPC virusIPC virus

SQL.exe

MSword.exe FS

01/04/2006 ecs236 winter 2006 91

Simple Solutions Simple Solutions I just remove the “bad effects” of the virus

“pessimistically”.– I assume that, eventually, you know that this executable

is a virus.– In the IPC case, if I know the relationship between the

virus and the MSword, then I can also kill the MSword – contaminated applications.

Simple solutions similar/existing solutions…– niche doing it at the VM level.– Even impossible for OS.

01/04/2006 ecs236 winter 2006 92

Hao Chen’s ideaHao Chen’s idea

Why VM? VM can not be touched. Implement “special things” in the OS

kernel, but your VM will protect such that your “special things” can not be modified.

01/04/2006 ecs236 winter 2006 93

Well… (Felix)Well… (Felix)

I don’t want to modify OS! I want to research on the limitations of what I can

do or I cannot do in the VM layer.– Whether it makes sense to “understand” or “interpret”

the semantic meaning of OS and applications?

– Obviously, we don’t want to interpret everything in VM we want to have an abstraction sufficient to do whatever we want to do.

01/04/2006 ecs236 winter 2006 94

For academic research..For academic research..

I am not going to solve ALL the virus or worm-types of problems.

But, maybe it is good to focus on ONE particular type of virus on a particular application…– E.g., php related virus on w32 and IIS+.

01/04/2006 ecs236 winter 2006 95

PHP VirusesPHP Viruses PHP/Caracula, 2001 PHP/Feast, polymorphic virus We should do a little bit google on PHP-

related viruses just to see whether it is a good target to start:– Whether this is a challenging/hot area– Whether there are many instances that we can

test

http://securityresponse.symantec.com/avcenter/venc/data/php.feast.html

01/04/2006 ecs236 winter 2006 96

LinksLinks

http://www.openantivirus.org/projects.php

01/04/2006 ecs236 winter 2006 97

Sober VirusSober Virus

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

01/04/2006 ecs236 winter 2006 98

FS versus MemoryFS versus Memory Minos memory, execution state

– Control flow hijack Virtual HD File recovery, transaction

01/04/2006 ecs236 winter 2006 99

The Optimistic ApproachThe Optimistic Approach

PE assuming this is bad so I remove it. OP assuming it is good but I will verify

later..

Optimistic Recovery– Some works being done 10 years on OR.

01/04/2006 ecs236 winter 2006 100

Cache Buffer versus DDCache Buffer versus DD

If we only look at VHDisk, we will miss the actions against the buffer cache…

01/04/2006 ecs236 winter 2006 101

File tagging for TracingFile tagging for Tracing

Clickme.exe MSword.exe

Tracing/Determining the virustagging and execution

How to build the “initial trust”?Tagging for the purpose of source trace backThe other: reduce the amount of file logging

“replay/regenerate the file access sequences”

01/04/2006 ecs236 winter 2006 102

PurposesPurposes

Recovery– Virtual HD VM level

Tracing– I am not completely sure about the goals…

Identification– Exciting??

01/04/2006 ecs236 winter 2006 103

AntiVirus does two thingsAntiVirus does two things

Signature and pattern matching– ClamAV has 100K+ signatures.

Virtual execution and interpretation– Some viruses won’t reveal their evilness unless

you decompress/interpret some parts of that.

01/04/2006 ecs236 winter 2006 104

Two definitions of VirusTwo definitions of Virus A virus is a program that is able to infect

other programs by modifying them to include a possibly evolved copy of itself.– Fred Cohen

A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself.– Peter Szor

01/04/2006 ecs236 winter 2006 105

In real applications…In real applications…

I suspect… for some features

MSword.exe

01/04/2006 ecs236 winter 2006 106

CEF & MSILCEF & MSIL

CEF (Common Executable File)– CEF might be the right way to do Virus…

MSIL (Microsoft Intermediate Language)

01/04/2006 ecs236 winter 2006 107

Minos RecoveryMinos Recovery Minos on detecting a problem will stop the

process. Minos recovers to a “most recent” “safe

state” and continuous to run.

01/04/2006ecs236 winter 20061 Intrusion Detection ecs236 Winter 2006: Intrusion Detection #2:...

Documents

Transcript of 01/04/2006ecs236 winter 20061 Intrusion Detection ecs236 Winter 2006: Intrusion Detection #2:...