01/04/2006ecs236 winter 20061 Intrusion Detection ecs236 Winter 2006: Intrusion Detection #2:...
-
date post
19-Dec-2015 -
Category
Documents
-
view
216 -
download
2
Transcript of 01/04/2006ecs236 winter 20061 Intrusion Detection ecs236 Winter 2006: Intrusion Detection #2:...
01/04/2006 ecs236 winter 2006 1
ecs236 Winter 2006:
Intrusion DetectionIntrusion Detection#2: Vulnerability Analysis
Dr. S. Felix Wu
Computer Science Department
University of California, Davishttp://www.cs.ucdavis.edu/~wu/
01/04/2006 ecs236 winter 2006 2
Intrusion DetectionIntrusion Detection
IntrusionDetection
Model
Input eventsequence Results
Pattern matching
01/04/2006 ecs236 winter 2006 3
SNORTSNORT
Rules
Input eventsequence Results
Pattern matching
01/04/2006 ecs236 winter 2006 4
WORMWORM Since November 2nd of 1988…
– Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…
inject infect spread
01/04/2006 ecs236 winter 2006 5
WORMWORM Since November 2nd of 1988…
– Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…
inject infect spread
WORM is causing Internet-wide instability.
01/04/2006 ecs236 winter 2006 6
2T
Slammer BGPInternet routing stability analysis on a Beijing prefix
09/01/2002 01/31/2003
01/04/2006 ecs236 winter 2006 7
Network meets SoftwareNetwork meets Software
An interesting interaction among the Internet, the software on the hosts, and the worms themselves.
The “short-term” Reality:– Estimated 40~50% of Internet hosts are still
vulnerable to CodeRed.
01/04/2006 ecs236 winter 2006 8
WORMWORM Since November 2nd of 1988…
– Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…
inject infect spread WORM is causing Internet-wide instability. WORM is a critical first step for the attacker
to quickly build the large-scale attacking infrastructure.
01/04/2006 ecs236 winter 2006 9
WORM + DDoSWORM + DDoS
Victim
ISP.com
01/04/2006 ecs236 winter 2006 10
They are getting better…They are getting better…
The rapid evolution of the “attacker’s community”
01/04/2006 ecs236 winter 2006 11
They are getting better…They are getting better…
The rapid evolution of the “attacker’s community”
And, many thanks to our rapid growing software industry in the past “N” years as well…
01/04/2006 ecs236 winter 2006 12
Software VulnerabilitySoftware Vulnerability Software vulnerabilities are weaknesses,
being introduced during the “software engineering” process, that can potentially be exploited by attackers.– OS kernels, device drivers, applications…
There are other types of vulnerabilities in our software systems that can be exploited.
01/04/2006 ecs236 winter 2006 13
Software VulnerabilitySoftware Vulnerability
Difficulties in security management– we don’t know how attackers are going to attack
us,– And, we don’t know which vulnerabilities
can/will be exploited, either.
01/04/2006 ecs236 winter 2006 14
Software VulnerabilitySoftware Vulnerability Focus on Software Vulnerabilities Two approaches
– better software engineering– better vulnerabilities understanding
01/04/2006 ecs236 winter 2006 15
Software VulnerabilitySoftware Vulnerability Focus on Software Vulnerabilities Two approaches
– better software engineering– better vulnerabilities understanding
Practically, around the Internet, we currently have and will still have a large number of legacy software systems around for “quite a while.”
01/04/2006 ecs236 winter 2006 16
Network-based SolutionsNetwork-based Solutions
“Intrusion Prevention Systems” or “Advanced Firewalls”
IntrusionPreventionSystem
Legacyvictims
packet packet
analyze & drop
01/04/2006 ecs236 winter 2006 17
Vulnerability vs. ExploitVulnerability vs. Exploit
Vulnerability– the “weak” points in the software– applications or even the kernel itself– “control flow hijack” based on buffer overflow.
Exploit– the attack code utilizing one or more
vulnerabilities
01/04/2006 ecs236 winter 2006 18
Buffer OverflowBuffer OverflowSome unsafe functions in C library:strcpy(char *dest, const char *src);strcat(char *dest, const char *src);getwd(char *buf);gets(char *s);fscanf(FILE *stream, const char *format, ...);scanf(const char *format, ...);realpath(char *path, char resolved_path[]);sprintf(char *str, const char *format);
NoVerification
……
01/04/2006 ecs236 winter 2006 19
01/04/2006 ecs236 winter 2006 20
High
LowStack Growth
String Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
01/04/2006 ecs236 winter 2006 21
High
LowStack Growth
String Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
bar( ){……}
foo( ){ …… call bar( ); ……}
foo
bar
01/04/2006 ecs236 winter 2006 22
int bar(int a, int b){ int i, j; char buf[9]; i = 5; j = 123; strcpy(buf, “securephdbcde”);}
b
a
high
low
ret address
SFP
05 00 00 00
65 00 00 00
64 62 63 64
72 65 70 68
73 65 63 75Buffer Overflow
5
e
d b c d
r e p h
s e c u
01/04/2006 ecs236 winter 2006 23
int bar(int a, int b){ int i, j; char buf[9]; i = 5; j = 123; strcpy(buf, “securephdaaabbbbcccceeeeffff”);}
b
a
high
low
ret address
SFP
5
123
63 63 63 63
62 62 62 62
64 61 61 61
72 65 70 68
73 65 63 75
65 65 65 65
64 64 64 64
Ret Overflow
Segmentation fault...
RetAddr = 0x65656565
01/04/2006 ecs236 winter 2006 24
High
LowStack Growth
String Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
bar( ){……}
foo( ){ …… call bar( ); ……}
foo
bar
01/04/2006 ecs236 winter 2006 25
High
LowStack Growth
String Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
bar( ){……}
foo( ){ …… call bar( ); ……}
foo
bar
01/04/2006 ecs236 winter 2006 26
Control Flow HijackControl Flow Hijack I want “my code” executed!
– Malicious code injection– Control flow redirection/hijacking
code code
codecode
VirusWorm
01/04/2006 ecs236 winter 2006 27
What is a “vulnerability”?What is a “vulnerability”?
???
01/04/2006 ecs236 winter 2006 28
A Single Packet ExploitA Single Packet Exploit
Attack CodeExploit
(ReturnAddr)
Return Address == 0x4739a304
01/04/2006 ecs236 winter 2006 29
0000000 9090 9090 9090 9090 9090 9090 9090 9090 *00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031 0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03 0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962 0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff 0000230 f822 bfff f822 bfff f822 bfff f822 bfff *00004a0 f822 bfff f822 bfff f822 bfff 9090 9090 00004b0 fa48 bfff
Example
01/04/2006 ecs236 winter 2006 30
0000000 9090 9090 9090 9090 9090 9090 9090 9090 *00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031 0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03 0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962 0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff 0000230 f822 bfff f822 bfff f822 bfff f822 bfff *00004a0 f822 bfff f822 bfff f822 bfff 9090 9090 00004b0 fa48 bfff
Example: NOP-sled
Sometime we can not easily determine the “exact” memory address to jump into…
01/04/2006 ecs236 winter 2006 31
““NOP Sled” EngineeringNOP Sled” Engineering
Attack CodeExploit
(ReturnAddr)
Attack CodeExploit
(ReturnAddr)NOP NOPNOP NOP
code[] = “\xeb\x2a\x5f\xc6\x47\x07\x00\x89\x7f\x08\xc7\x47”;
strcpy(buf, code);
buf = “\xeb\x2a\x5f\xc6\x47\x07”
And, sometimes, we simply want to find a way to avoid “\x00”.
01/04/2006 ecs236 winter 2006 32
attack polymorphismattack polymorphism(many different ways)(many different ways)
Attack CodeExploit
(ReturnAddr)
Attack CodeExploit
(ReturnAddr)Decryption
Code
The Signature Explosion Problem!!
01/04/2006 ecs236 winter 2006 33
Vulnerability vs. ExploitVulnerability vs. Exploit
1 M or N M Polymorphic tools available
– A Naïve approach: M
Can we find the “invariants”?– We need to avoid “signature explosion”…
01/04/2006 ecs236 winter 2006 34
Attack CodeExploit
(ReturnAddr)Decryption
Code
Attack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP
01/04/2006 ecs236 winter 2006 35
Detecting “NOP Sleds”Detecting “NOP Sleds”
“Intrusion Prevention Systems” or “Advanced Firewalls”
IntrusionPreventionSystem
Legacyvictims
packet packet
analyze & drop
NOP SledSignatures
01/04/2006 ecs236 winter 2006 36
0000000 9090 9090 9090 9090 9090 9090 9090 9090 *00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031 0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03 0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962 0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff 0000230 f822 bfff f822 bfff f822 bfff f822 bfff *00004a0 f822 bfff f822 bfff f822 bfff 9090 9090 00004b0 fa48 bfff
A WORM with a NOP-Sled
01/04/2006 ecs236 winter 2006 37
0000000 5247 5237 5759 9199 984e 602f 4b58 9555 0000010 3792 4997 6059 5a5d 979c 9199 9242 9349 0000020 495e 5b37 4740 5d4f 4f99 975f 4492 3797 0000030 4297 9e93 4598 404a 9696 4652 5150 5e4f 0000040 454d 99fc 5251 5042 9b37 4042 4a95 4459 0000050 4592 4998 935f 275f 985d f84e 4991 fc96 0000060 9796 4637 5b3f 9751 9754 9f5a 9543 4c9e 0000070 4740 9c96 499f 5652 934e 5355 479b 91f8 0000080 48fc 5d60 4742 9755 4450 4441 4697 5697 0000090 5b52 494f 434d 5899 f827 9957 4346 9796 00000a0 404c 4a45 6040 404c 4957 5798 99f9 569b 00000b0 4145 96fc 5140 4c56 f946 9348 4f4d f8f8 00000c0 2f59 4c46 9647 4747 9e48 5137 4142 5b4d 00000d0 545f 55f9 5e56 4191 9249 519e 559e 6099
A Polymorphic WORM
01/04/2006 ecs236 winter 2006 38
NOP sledsNOP sleds
“NOP sled” can/will NOT be a useful signature in detecting future WORMs…
80~90% of the WORMs today don’t really need “NOP sleds” but, historically, they are still “left” there.
01/04/2006 ecs236 winter 2006 39
BUTTERCUPBUTTERCUP
Ideas:– Given a software exploit, the hacker can
encrypt the malicious code but not the “hijacking” entry point (e.g., return address).
– The hacker can twist the “return address” but practically not infinitely a range of memory addresses.
01/04/2006 ecs236 winter 2006 40
Memory Address RangesMemory Address Ranges
Arguments
Return address
Prev. frame pointer
Local variables
Arguments
Return address
Prev. frame pointer
Local variables
One “Exploit”has one “return address” value, but another exploit based on the same vulnerability might be using a different return address.
01/04/2006 ecs236 winter 2006 41
size, offset and depthsize, offset and depth
Arguments
Return address
Prev. frame pointer
Local variables
Attack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP
0x42b0caa4
0x42b0c914
Is this packet a Slammer worm or a suspect “utilizing” the same vulnerability?
performance& false positive
01/04/2006 ecs236 winter 2006 42
BUTTERCUPdetection/prevention victim
packet packet
memoryrangetable
analyze & drop
19 known exploits/vulnerabilities
IPUPR. LYR. PAYLOAD TCP/UDP HDR
IPUPR. LYR. PAYLOAD TCP/UDP HDRAttack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP
False Positive??
IDS/IPSpreprocessing
01/04/2006 ecs236 winter 2006 43
01/04/2006 ecs236 winter 2006 44
about about 30~180 days30~180 days In July, 2002 Microsoft announced the vulnerabilities!
On January 25, 2003 05:30 UTC, slammer was out!
We had about 6 months back then!!
BUTTERCUP, a network based approach, might have been more practical and scaleable than Windows Update!!
01/04/2006 ecs236 winter 2006 45
LimitationLimitation
BUTTERCUP will only work for “known vulnerabilities”!
– But, it may work for Zero-day exploits based on known vulnerabilities.
01/04/2006 ecs236 winter 2006 46
BUTTERCUP MINOS
DACODA
packet packet
alertcorrelation ranges
Unknown-vulnerability Collaborative Defense
(UCD)
1
2
3
01/04/2006 ecs236 winter 2006 47
UCD-MINOS
MS-Host
MS-Host
MS-HostMS-Host
MS-Host
UCD-MINOS
UCD-BUTTERCUP
UCD-BUTTERCUP
Internet
UCD-DACODA
It is not perfect, but it is a reasonable & practical trade-off between large-scale system administration (manageability) and security!
01/04/2006 ecs236 winter 2006 48
MinosMinos Can we detect “vulnerabilities/exploits” with only
one signature/invariance at run-time?– We are not performing analysis on source code!
we might not have it, and, it might be too late.
– “Run-Time” system monitoring
– Anomaly detection False Positive/Negative
Detecting “Control Flow Hijacks”– from the CPU point of view
A surprisingly simple practical solution with “zero false positive”… at least empirically.
01/04/2006 ecs236 winter 2006 49
Arguments
Return address
Prev. frame pointer
Local variables
Control Flow HijackControl Flow Hijack
code code
High Integrity Low Integrity
01/04/2006 ecs236 winter 2006 50
Information Integrity LabelingInformation Integrity Labeling
“source identification” of information,– especially, when we are going to hand over the
“control flow” to a particular piece of data.– One extra integrity bit for every memory word.
Minos:– Low integrity: 0 - from the NIC– High integrity: 1 - other sources
01/04/2006 ecs236 winter 2006 51
Bochs-Emulated MinosBochs-Emulated MinosWinXP Linux
PentiumEmulationmodifiedBochs VM
Host OSs
Virtual MemoryTracing
NE2000
01/04/2006 ecs236 winter 2006 52
MinosMinos
MINOS
Bochs
TracingWithoutModifyingOS kernel orApplications(no source code or binary rewrite)
jmpcallret
Un-trusted low-integrity information is being propagated, combined, modified…
01/04/2006 ecs236 winter 2006 53
Biba’s Low-water-markBiba’s Low-water-mark Integrity Policy Integrity Policy
Tracks the “taintedness” of data Access controls are based on accesses a
subject has made in the past
01/04/2006 ecs236 winter 2006 54
When an attack is When an attack is caught…caught…
Control-flow related instructions low integrity data– Examples: call, jmp, ret
01/04/2006 ecs236 winter 2006 55
FP & FNFP & FN Against real attacks (30~50 per months) under 4
static IP addresses– We have changed/reconfigured to try different
software patches and versions.
– Many high-frequency attacks were patched.
Control Flow Hijack– Zero false positive (a proof?)
How about False Negative?– Information flow, and virtual memory
01/04/2006 ecs236 winter 2006 56
Full Virtualization with Security Enhancements(Minos/DaCodA)
Unmodified OS (XP, Linux, Solaris, or, FreeBSD)
Unmodified Applications
Hardware
security-enhanced virtualizationsecurity-enhanced virtualization
For Minos/DaCodA, we modified the Pentium architecture in Bochs, an open source VM, to prevent control flow hijack attacks with zero false positive
01/04/2006 ecs236 winter 2006 57
MINOS MINOS DACODA DACODA
exploit vulnerability invariant signature
01/04/2006 ecs236 winter 2006 58
MINOS MINOS DACODA DACODA Buttercup: NOMS’2004 Minos: Micro’2004 Minos Honeypot: DIMVA’2005
01/04/2006 ecs236 winter 2006 59
MINOS MINOS DACODA DACODA Buttercup: NOMS’2004 Minos: Micro’2004 Minos Honeypot: DIMVA’2005 DACODA: ACM CCS’2005
– UnderStand the amount of possible Polymorphisms– “negative results”
Why Buttercup, Taintcheck, Polygraph, Earlybird, and basically all existing network-based solutions won’t work!!
01/04/2006 ecs236 winter 2006 60
Understanding the Understanding the ExploitsExploits Attacks are much more complex than
our naïve belief, based on our analysis of 14+ recent exploits
01/04/2006 ecs236 winter 2006 61
01/04/2006 ecs236 winter 2006 62
Simple view of buffer Simple view of buffer overflowsoverflows
01/04/2006 ecs236 winter 2006 63
IPUPR. LYR. PAYLOAD TCP/UDP HDRAttack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP System State Changes
How can each of the stages be polymorphic?
01/04/2006 ecs236 winter 2006 64
Register SpringRegister Spring
We in general don’t know which “thread stack” will be used?! 4 millions in memory differences.
01/04/2006 ecs236 winter 2006 65
Register SpringRegister SpringHigh
LowStack Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
jmp ESP
foo
barret
11,000
01/04/2006 ecs236 winter 2006 66
SlammerSlammer
01/04/2006 ecs236 winter 2006 67
ESPESP
Register springs off of ESP utilize the compiler conventions for managing stack frames
01/04/2006 ecs236 winter 2006 68
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
ESP
01/04/2006 ecs236 winter 2006 69
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Start+6
ESP
High
01/04/2006 ecs236 winter 2006 70
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Start+6
Old EBP
ESP
High
01/04/2006 ecs236 winter 2006 71
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Start+6
Old EBP
ESP/EBP
MyBuffer
High
01/04/2006 ecs236 winter 2006 72
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Attack8
Attack7
Attack6
Attack5
Attack4
Attack3
Attack2
Attack1
Attack0
ESP/EBP
MyBuffer
Low
01/04/2006 ecs236 winter 2006 73
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Attack8
Attack7
Attack6
Attack5
Attack4
Attack3
Attack2
Attack1
Attack0
ESP
MyBuffer
(EBP == Attack5)
code
jmp ESP
Low
01/04/2006 ecs236 winter 2006 74
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
…
CALL OverflowMyBuffer
…
POP EBP
RET
Attack6:
JMP ESP
Attack8
Attack7
Attack6
Attack5
Attack4
Attack3
Attack2
Attack1
Attack0
ESP
MyBuffer
(EBP == Attack5)
01/04/2006 ecs236 winter 2006 75
NotesNotes
This is how Slammer worked, Sasser is very similar, as are a couple of others
Bogus return pointer is Attack6, payload starts at Attack7
01/04/2006 ecs236 winter 2006 76
Other registersOther registers
Register springs off of other registers utilize the compiler conventions for managing buffers (i.e. EBX is the “base” register for indexing the base of a buffer, ESI is the “source” register for string operations, EDI is the “destination”, …)
Blaster RPC DCOM used EBX, ASN.1 uses EDI, Code Red II used EBX
01/04/2006 ecs236 winter 2006 77
DCOM Exploits in svchostDCOM Exploits in svchost(Blaster)(Blaster)
0xff 0xd3 is CALL EBX which is the one Blaster used, but JMP EBX (0xff 0xe3) works just as well.
a little over 11,000 in svchost 0x0100139d is the only one that Blaster
used and is the one the publicly available DCOM exploit uses.
01/04/2006 ecs236 winter 2006 78
High
LowStack Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack Pointer
jmp ESP
foo
barret
11,000
…
…
01/04/2006 ecs236 winter 2006 79
BUTTERCUPdetection/prevention victim
packet packet
memoryrangetable dropknown
exploits
11,000 Signatures for ONE vulnerability!!
False Positive on BUTTERCUP???
01/04/2006 ecs236 winter 2006 80
Register Spring+PolymorphicRegister Spring+Polymorphic
Attack CodeExploit
(RegisterSpring)Decryption
CodeNOP NOPNOP NOP
????
“0x0100139d”
01/04/2006 ecs236 winter 2006 81
EBX-based ButtercupEBX-based Buttercup
Among all the memory address for call ebx (0xff 0xd3 -- 11000+ of them), only four of them are around 0x01001***, about another 600+ are from 0x719555a4 to 0x71c637b3. But, the rest of them (the majority 10000+) are all from 0x7585149f to 0x77fbc10b.
0x0100139d 0x010013a2 0x01001c83 0x01001cc7 0x719555a4 0x71c637b3 0x7585149f 0x77fbc10b
01/04/2006 ecs236 winter 2006 82
RemarksRemarks Software Vulnerability is a very difficult issue
to manage, especially on the wire.– Naïve payload analysis will be much less
meaningful– Minos is an excellent “host-based” solution– Not focus on the intention of the attacker– Focus on how their code can get in!
Minos + DACODA UnderStand– But, NO simple & yet powerful “signature”!
01/04/2006 ecs236 winter 2006 83
Vulnerability Vulnerability Primitive Primitive Primitive
– The capability for the attacker to put a value in a particular memory address.
– A memory system state change
NoVerification
……
And, we “might” have to perform such analysis on the wire!!
01/04/2006 ecs236 winter 2006 84
IPUPR. LYR. PAYLOAD TCP/UDP HDRAttack CodeExploit
(ReturnAddr)Decryption
CodeNOP NOPNOP NOP System State Changes
Focus on “Primitives” being used in the “Epsilon” phase!
Application dependent analysis
01/04/2006 ecs236 winter 2006 85
IPS MINOS
DACODA
packet packet
alertcorrelation ranges
Unknown-vulnerability Collaborative Defense
1
2
3
NoVerification
……
01/04/2006 ecs236 winter 2006 86
Full Virtualization with Security Enhancements(Minos/DaCodA)
Unmodified OS (XP, Linux, Solaris, or, FreeBSD)
Unmodified Applications
Hardware
IPS IPS virtualization virtualization
NIDS/NIPS
Recovery in Memory
What types of roll-backs will make the most sense practically?OS versus Applications
01/04/2006 ecs236 winter 2006 87
RecoveryRecovery VM level: Files
– Virtual Hard Disk File Recovery
– OS kernel– #1: what will be the challenges in doing it in
the VM level?– #2: how exactly to recover the most from an
attack?
01/04/2006 ecs236 winter 2006 88
virusvirus
Clickme.exe MSword.exe
FS
easily
01/04/2006 ecs236 winter 2006 89
Tricky virusTricky virus
MSword.exe FS
MSword.exe FS
01/04/2006 ecs236 winter 2006 90
IPC virusIPC virus
SQL.exe
MSword.exe FS
01/04/2006 ecs236 winter 2006 91
Simple Solutions Simple Solutions I just remove the “bad effects” of the virus
“pessimistically”.– I assume that, eventually, you know that this executable
is a virus.– In the IPC case, if I know the relationship between the
virus and the MSword, then I can also kill the MSword – contaminated applications.
Simple solutions similar/existing solutions…– niche doing it at the VM level.– Even impossible for OS.
01/04/2006 ecs236 winter 2006 92
Hao Chen’s ideaHao Chen’s idea
Why VM? VM can not be touched. Implement “special things” in the OS
kernel, but your VM will protect such that your “special things” can not be modified.
01/04/2006 ecs236 winter 2006 93
Well… (Felix)Well… (Felix)
I don’t want to modify OS! I want to research on the limitations of what I can
do or I cannot do in the VM layer.– Whether it makes sense to “understand” or “interpret”
the semantic meaning of OS and applications?
– Obviously, we don’t want to interpret everything in VM we want to have an abstraction sufficient to do whatever we want to do.
01/04/2006 ecs236 winter 2006 94
For academic research..For academic research..
I am not going to solve ALL the virus or worm-types of problems.
But, maybe it is good to focus on ONE particular type of virus on a particular application…– E.g., php related virus on w32 and IIS+.
01/04/2006 ecs236 winter 2006 95
PHP VirusesPHP Viruses PHP/Caracula, 2001 PHP/Feast, polymorphic virus We should do a little bit google on PHP-
related viruses just to see whether it is a good target to start:– Whether this is a challenging/hot area– Whether there are many instances that we can
test
http://securityresponse.symantec.com/avcenter/venc/data/php.feast.html
01/04/2006 ecs236 winter 2006 96
LinksLinks
http://www.openantivirus.org/projects.php
01/04/2006 ecs236 winter 2006 97
Sober VirusSober Virus
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
01/04/2006 ecs236 winter 2006 98
FS versus MemoryFS versus Memory Minos memory, execution state
– Control flow hijack Virtual HD File recovery, transaction
01/04/2006 ecs236 winter 2006 99
The Optimistic ApproachThe Optimistic Approach
PE assuming this is bad so I remove it. OP assuming it is good but I will verify
later..
Optimistic Recovery– Some works being done 10 years on OR.
01/04/2006 ecs236 winter 2006 100
Cache Buffer versus DDCache Buffer versus DD
If we only look at VHDisk, we will miss the actions against the buffer cache…
01/04/2006 ecs236 winter 2006 101
File tagging for TracingFile tagging for Tracing
Clickme.exe MSword.exe
Tracing/Determining the virustagging and execution
How to build the “initial trust”?Tagging for the purpose of source trace backThe other: reduce the amount of file logging
“replay/regenerate the file access sequences”
01/04/2006 ecs236 winter 2006 102
PurposesPurposes
Recovery– Virtual HD VM level
Tracing– I am not completely sure about the goals…
Identification– Exciting??
01/04/2006 ecs236 winter 2006 103
AntiVirus does two thingsAntiVirus does two things
Signature and pattern matching– ClamAV has 100K+ signatures.
Virtual execution and interpretation– Some viruses won’t reveal their evilness unless
you decompress/interpret some parts of that.
01/04/2006 ecs236 winter 2006 104
Two definitions of VirusTwo definitions of Virus A virus is a program that is able to infect
other programs by modifying them to include a possibly evolved copy of itself.– Fred Cohen
A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself.– Peter Szor
01/04/2006 ecs236 winter 2006 105
In real applications…In real applications…
I suspect… for some features
MSword.exe
01/04/2006 ecs236 winter 2006 106
CEF & MSILCEF & MSIL
CEF (Common Executable File)– CEF might be the right way to do Virus…
MSIL (Microsoft Intermediate Language)
01/04/2006 ecs236 winter 2006 107
Minos RecoveryMinos Recovery Minos on detecting a problem will stop the
process. Minos recovers to a “most recent” “safe
state” and continuous to run.