ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability


Transcript of ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Page 1: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

01/04/2007 ecs236 winter 2007 1

ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach. #1: Vulnerability

Dr. S. Felix Wu, Computer Science Department, University of California, Davis. http://www.cs.ucdavis.edu/~wu/ [email protected]

Page 2

Intrusion Prevention

Prevention: "This" should/must never be broken into!
– "This" means a perfectly designed, implemented, and managed/configured secure system!

Page 3

Intrusion Detection

Prevention: "This" should/must never be broken into!
Detection:
– The IDS (Intrusion Detection System) approach has been taken as the "second line of defense" and a "short-term solution".

Page 4

Examples (problem and the detection-based countermeasure)

– Application/service issues: firewalls
– Email spam / VoIP SPIT: spam filters
– Phishing: phishing detectors
– The list goes on…

Page 5

Examples (continued)

– Application/service issues: firewalls
– Email spam / VoIP SPIT: spam filters
– Phishing: phishing detectors

It is NOT whether we need the "detection approach"; it is whether it can be effective.

Page 6

Intrusion Detection

Prevention: "This" should/must never be broken into!
Detection: "This" will need to face the reality check!
– We had, have, and will have so many "expected" unexpecteds.
– Industry has never been really serious about cyber security; it is profit/market-driven.

Page 7

We accept it as a fact…

Page 8

And, we have to have…

Page 9

Intrusion Detection

Prevention: "This" should/must never be broken into!
Detection: "This" will need to face the reality check!
– We had, have, and will have so many "expected" unexpecteds.
– We had, have, and will have even more "unexpected" unexpecteds!!

Page 10

To: All Faculty, Staff and Students

On Tuesday, January 03, 2006, UC Davis implemented temporary measures to prevent the exploitation of a serious new computer vulnerability for which no patch is yet available. This vulnerability affects Windows 2000, Windows XP, Windows Server 2003, Windows 98 and ME systems and may be exploited when infected email file attachments or infected Web pages are viewed. Once a computer is infected, data may be permanently lost and/or a remote attacker could gain control of the computer. After extensive consultation with the campus leadership, the decision has been made to temporarily block WMF image attachments. These files can have a number of different extensions, but most commonly will have .wmf and .jpg extensions.

Page 11

Max-Sequence # Attack

Block LSA updates for one hour by injecting one bad LSA.
– You can hit it once and come back in an hour.

Implementation bug!
– Two independently developed OSPF packages.
– MaxSeq# LSA purging had not been implemented correctly!!

Announced in May 1997.

Page 12

What is Intrusion Detection?

Page 13

Intrusion Detection

Detecting intrusions such as
– viruses, worms, spyware, phishing, spamming, insiders, unauthorized activities, faults/failures, among many others.

Detecting and managing anything "unexpected"
– anomalies.

Question: "Detecting what??"

Page 14

Intrusion Detection

[Diagram: Input event sequence -> Intrusion Detection (driven by a Model) -> Results]

Page 15

Results??

– This email contains virus XYZ.
– This email might be spam with 80% probability.
– This email is somewhat trusted based on your social network.
– This email might be malicious.
– This email might be malicious for reasons ABC and DEF.

Page 16

Intrusion Detection

[Diagram: Input event sequence -> Intrusion Detection (driven by a Model) -> Results; the detection step is pattern matching]

Page 17

IDS Events

– tcpdump traces
– OS kernel and host-level information
– BGP traces
– Application logs
– Many others…

Page 18

Anti-Virus

[Diagram: Input event sequence -> Virus Detection (driven by Virus Definitions) -> Results; pattern matching]

Page 19

Credit Card Fraud Detection

[Diagram: Input event sequence -> Fraud Detection (driven by Spending Patterns) -> Results; statistical pattern matching]

Page 20

SNORT

[Diagram: Input event sequence -> SNORT (driven by Rules) -> Results; pattern matching]

Page 21

[image-only slide]

Page 22

About the Instructor

S. Felix Wu
[email protected], [email protected], [email protected]
Office: 3057 Engineering II
Phone: 530-754-7070
Office Hours:
– 10-11 a.m. on Monday and Friday
– by appointment

Pages 23-26 (progressive build of one slide)

Why 3 email addresses?

– [email protected]: read/responded to during the quarters, especially before the homework deadlines.
– [email protected]: my main email contact for everything, all the time.
– [email protected]: read only once in the past three months…

Page 27

Anti-Spam

[email protected]
subject: [0x9876543210ABCDEF]…

0x9876543210ABCDEF is the cyber social link between the instructor and the students in ecs236, Winter 2007: a tag shared only with the class, so mail carrying it in the subject is recognized as coming from a student rather than from a spammer.

Page 28

Intrusion Detection

Practical Engineering
– Performance, Accuracy, Scalability, CPU/Memory, Correlation, Deployment.

Theoretical Foundation
– Detectability/Limitation, Dimensionality, Entropy, False Negatives and False Positives, Evaluation.

Page 29

In this quarter…

The architecture of ID and IDS
– Stateful versus stateless
– Signature, specification, anomaly

Analysis of ID results
– Explanation and analysis
– Event correlation

IDS evaluation, or attacking IDS
– Attack polymorphism and IDS evasion

IDS fundamental principles

A balance between engineering a high-performance IDS system and fundamentally understanding our limitations.

Page 30

Syllabus

– IDS architecture
– Anomaly-based approach
– Event correlation and analysis
– IDS evaluation
– Advanced research topics

Page 31

Course Requirements

Teamwork or individual
– Discussion with others is highly encouraged!

50%: 5 homework assignments
– 10% each (read 1~2 IDS papers and answer a few questions)

10%: Proposal
40%: Final Project

Page 32

www.cs.ucdavis.edu/~wu/ecs236/

Page 33

Final Projects

– IDS architecture
– Network versus host anomaly detection
– IDS evaluation and evasion
– Alert correlation and explanation

Page 34

More…

– Polymorphic/metamorphic worms
– Spam/SPIT, phishing, spyware,…
– P2P issues (e.g., BitTorrent)
– Botnets…

Page 35

Even more…

Fundamental… "Why will we have DDoS and spam in the first place??"

Page 36

About the Web site

http://www.cs.ucdavis.edu/~wu/ecs236/
All lectures, notes, announcements, homework assignments, tools, and papers will be there.

Page 37

First Paper: BUTTERCUP

http://www.cs.ucdavis.edu/~wu/ecs236/papers/Buttercup_NOMS2004.pdf

Question: "How would you attack the Buttercup mechanism mentioned in the paper?"

Pages 38-39

Internet Infrastructure

It enables many cool applications.
– Email, Web+, IM, Skype, Google, BitTorrent, Infospace, LinkedIn,...

We are connected, at least in the "IP address" sense!!

Many other forms of connections:
– Peer2Peer, Friend2Friend, community

Pages 40-44

Internet Infrastructure

It enables many cool applications. It enables many cool attacks.
– David Clark on the Morris worm, to DARPA in 1988: "The Internet is doing exactly what it is supposed to do."
– Worms, DDoS, spamming, phishing,… (the list is still growing)

We cannot blame everything on Microsoft!

Related to our inter-domain routing today…

Pages 45-46

WORM

Since November 2nd of 1988…
– the Morris worm (Robert T. Morris), Code Red, Nimda, Slammer, Blaster, and many others…

inject -> infect -> spread

WORMs are causing Internet-wide instability.

Page 47

[Figure: BGP Internet routing stability analysis on a Beijing prefix, 09/01/2002 to 01/31/2003, with the Slammer outbreak marked]

Page 48

Network meets Software

An interesting interaction among the Internet, the software on the hosts, and the worms themselves.

The "short-term" reality:
– An estimated 40~50% of Internet hosts are still vulnerable to Code Red.

Page 49

WORM (continued)

inject -> infect -> spread

WORMs are causing Internet-wide instability.

A WORM is a critical first step for the attacker to quickly build a large-scale attacking infrastructure.

Page 50

WORM + DDoS

[Diagram: worm-infected hosts spread across ISP.com direct traffic at a single Victim]

Pages 51-52

They are getting better…

The rapid evolution of the "attacker's community".

And, many thanks to our rapidly growing software industry in the past "N" years as well…

Page 53

Software Vulnerability

Software vulnerabilities are weaknesses, introduced during the "software engineering" process, that can potentially be exploited by attackers.
– OS kernels, device drivers, applications…

There are other types of vulnerabilities in our software systems that can be exploited.

Page 54

Software Vulnerability

Difficulties in security management:
– we don't know how attackers are going to attack us,
– and we don't know which vulnerabilities can/will be exploited, either.

Pages 55-56

Software Vulnerability

Focus on software vulnerabilities. Two approaches:
– better software engineering
– better understanding of vulnerabilities

Practically, around the Internet, we currently have and will still have a large number of legacy software systems around for "quite a while."

Page 57

Network-based Solutions

"Intrusion Prevention Systems" or "Advanced Firewalls"

[Diagram: packets pass through an Intrusion Prevention System, which analyzes and drops malicious ones, before they reach the legacy victims]

Page 58

Vulnerability vs. Exploit

Vulnerability
– the "weak" points in the software
– in applications or even the kernel itself
– e.g., "control flow hijack" based on buffer overflow.

Exploit
– the attack code utilizing one or more vulnerabilities

Page 59

Buffer Overflow

Some unsafe functions in the C library (none of them is told, or checks, how large the destination buffer is):

    strcpy(char *dest, const char *src);
    strcat(char *dest, const char *src);
    getwd(char *buf);
    gets(char *s);
    fscanf(FILE *stream, const char *format, ...);
    scanf(const char *format, ...);
    realpath(char *path, char resolved_path[]);
    sprintf(char *str, const char *format, ...);
    ……

No verification of the destination size.
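Bounded replacements for four of the functions listed above, as an added C example (not from the slides): each takes the destination size, always NUL-terminates, and returns -1 on truncation instead of writing past the buffer. The names bounded_copy, bounded_cat, bounded_format and bounded_getline, and the format string inside bounded_format, are choices made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for strcpy(): copies at most dst_size-1 bytes, always
 * NUL-terminates, and reports truncation instead of writing past dst.
 * Returns 0 on a complete copy, -1 on truncation or a zero-size buffer. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {                 /* src plus its NUL would not fit */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded replacement for strcat(): appends into whatever space is left. */
int bounded_cat(char *dst, size_t dst_size, const char *src)
{
    size_t used = 0;
    while (used < dst_size && dst[used] != '\0') used++;
    if (used == dst_size) return -1;     /* dst was not even NUL-terminated */
    return bounded_copy(dst + used, dst_size - used, src);
}

/* Bounded replacement for sprintf(): snprintf() returns the length the full
 * output would have had, which is how truncation is detected. The format
 * string is an arbitrary sample for this example. */
int bounded_format(char *dst, size_t dst_size, const char *name, int id)
{
    int needed = snprintf(dst, dst_size, "user=%s id=%d", name, id);
    return (needed < 0 || (size_t)needed >= dst_size) ? -1 : 0;
}

/* Bounded replacement for gets(): fgets() plus newline handling. Returns 0
 * for a complete line, -1 when the line was longer than the buffer (the rest
 * of that line is discarded so the next call starts on a fresh line) or at
 * end of input. */
int bounded_getline(char *dst, size_t dst_size, FILE *in)
{
    if (dst_size < 2 || fgets(dst, (int)dst_size, in) == NULL) return -1;
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') { dst[len] = '\0'; return 0; }
    if (feof(in)) return 0;              /* last line of input, no newline */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') { /* drain the overlong line */ }
    return -1;
}
```

The return value is the point: the unsafe originals give the caller no way to learn that input was longer than expected, so the only symptom is the corrupted stack shown on the following slides.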

Page 60

[image-only slide]

Pages 61-62

Stack frame layout. The stack grows toward low addresses; a string written into a buffer grows toward high addresses.

    High addresses
      Arguments
      Return address
      Prev. frame pointer
      Local variables        <- Stack Pointer
    Low addresses

When foo() calls bar(), bar()'s frame is pushed below foo()'s frame:

    foo( ) { …… call bar( ); …… }
    bar( ) { …… }

Page 63

    int bar(int a, int b)
    {
        int i, j;
        char buf[9];
        i = 5;
        j = 123;
        strcpy(buf, "securephdbcde");   /* 13 characters plus NUL into a 9-byte buffer */
        return 0;
    }

bar()'s frame after the strcpy, highest address first, 4 bytes per row in memory order (ASCII shown at right):

    ret address
    SFP
    05 00 00 00    i = 5 (intact)
    65 00 00 00    j: "e" and the terminating NUL overwrote the low bytes of 123
    64 62 63 64    d b c d
    72 65 70 68    r e p h
    73 65 63 75    s e c u

buf[9] is padded to 12 bytes, so "securephdbcd" fills its slot and the remaining "e" plus the NUL spill into j. Buffer Overflow.

Page 64

    int bar(int a, int b)
    {
        int i, j;
        char buf[9];
        i = 5;
        j = 123;
        strcpy(buf, "securephdaaabbbbccccddddeeee");   /* 28 characters plus NUL */
        return 0;
    }

bar()'s frame after the strcpy, highest address first (i was 5, j was 123):

    65 65 65 65    ret address = 0x65656565 ("eeee")
    64 64 64 64    SFP ("dddd")
    63 63 63 63    i ("cccc")
    62 62 62 62    j ("bbbb")
    64 61 61 61    d a a a
    72 65 70 68    r e p h
    73 65 63 75    s e c u

Ret Overflow: when bar() returns, it jumps to RetAddr = 0x65656565, an unmapped address.

Segmentation fault...
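The two dumps above, reproduced deterministically as an added C example (not from the slides): the frame is modelled as a byte array laid out exactly as the slides show (buf[9] padded to 12 bytes, then j, i, saved frame pointer, return address, little-endian), and the strcpy() is simulated into that array, so the result is well defined and safe to run, unlike a real stack smash. The initial frame pointer and return address are arbitrary sample values supplied by the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Model of bar()'s frame from the slides, lowest address first: the 9-byte
 * buffer padded to 12 bytes, then j, i, the saved frame pointer (SFP) and
 * the return address. x86 is little-endian, so the low byte comes first. */
enum { BUF_SLOT = 12, FRAME_SIZE = BUF_SLOT + 4 * 4 };

struct frame_view {
    char     buf[BUF_SLOT + 1];  /* bytes in the buffer slot, NUL-terminated for printing */
    uint32_t j, i, sfp, ret;     /* the four words above the buffer, decoded */
    size_t   bytes_written;      /* how far the simulated strcpy() got, NUL included */
};

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Simulate `strcpy(buf, src)` into the modelled frame with i = 5 and
 * j = 123 as on the slides. Writes stop at the model's edge; a real stack
 * would keep going into the caller's frame. */
struct frame_view simulate_overflow(const char *src, uint32_t sfp0, uint32_t ret0)
{
    uint8_t mem[FRAME_SIZE];
    memset(mem, 0, sizeof mem);
    store_le32(mem + BUF_SLOT + 0, 123);   /* j sits right above the buffer */
    store_le32(mem + BUF_SLOT + 4, 5);     /* then i */
    store_le32(mem + BUF_SLOT + 8, sfp0);  /* then the saved frame pointer */
    store_le32(mem + BUF_SLOT + 12, ret0); /* then the return address */

    size_t n = strlen(src) + 1;            /* strcpy() copies the NUL as well */
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(mem, src, n);

    struct frame_view v;
    memcpy(v.buf, mem, BUF_SLOT);
    v.buf[BUF_SLOT] = '\0';
    v.j   = load_le32(mem + BUF_SLOT + 0);
    v.i   = load_le32(mem + BUF_SLOT + 4);
    v.sfp = load_le32(mem + BUF_SLOT + 8);
    v.ret = load_le32(mem + BUF_SLOT + 12);
    v.bytes_written = n;
    return v;
}

/* How many bytes of input reach the return address in this layout. The
 * distance is fixed by the compiled binary, which is exactly what makes the
 * return address an invariant worth detecting (see BUTTERCUP later). */
size_t offset_to_return_address(void) { return BUF_SLOT + 12; }
```

With the 13-character string only j changes (to 0x65, the byte "e"); with the 28-character string the saved frame pointer becomes 0x64646464 and the return address 0x65656565, matching the dumps on the two slides.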

Pages 65-66

[The foo()/bar() stack-frame diagram of Page 62, repeated]

Page 67

Control Flow Hijack

I want "my code" executed!
– Malicious code injection
– Control flow redirection/hijacking

[Diagram: attacker code inserted among the program's code, as a virus or a worm]

Page 68

[The foo()/bar() stack-frame diagram of Page 62, repeated]

Page 69

A Single Packet Exploit

[Diagram: one packet carrying the Attack Code followed by the Exploit (Return Address)]

Return Address == 0x4739a304

Page 70

Example (od -x dump of an exploit payload)

    0000000   9090 9090 9090 9090 9090 9090 9090 9090
    *
    00001f0   9090 9090 22eb 895e 89f3 83f7 07c7 c031
    0000200   89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03
    0000210   3180 89db 40d8 80cd d9e8 ffff 2fff 6962
    0000220   2f6e 6873 f822 bfff f822 bfff f822 bfff
    0000230   f822 bfff f822 bfff f822 bfff f822 bfff
    *
    00004a0   f822 bfff f822 bfff f822 bfff 9090 9090
    00004b0   fa48 bfff

od -x prints 16-bit words with the low byte first in memory, so "22eb" is the byte pair eb 22 (a short jump) that starts the shellcode, "2fff 6962 2f6e 6873" holds the string "/bin/sh", and each "f822 bfff" is the return address 0xbffff822 stored as 22 f8 ff bf. A "*" line means od collapsed identical rows: offsets 0x000 through 0x1ef are all 0x90 (the NOP sled), and 0x240 through 0x49f repeat the return address.

Page 71

Example: NOP sled

[The same dump as Page 70; the 0x90 bytes at the start are the NOP sled.]

Sometimes we cannot easily determine the "exact" memory address to jump into, so the return address is aimed anywhere inside the sled and execution slides down to the shellcode.

Page 72

"NOP Sled" Engineering

[Diagram: two packet layouts, Attack Code | Exploit (Return Address), the second with a run of NOPs in front]

    code[] = "\xeb\x2a\x5f\xc6\x47\x07\x00\x89\x7f\x08\xc7\x47";
    strcpy(buf, code);

After the copy, buf = "\xeb\x2a\x5f\xc6\x47\x07": the seventh byte of code[] is \x00, which strcpy() treats as the string terminator, so the remaining bytes never reach the target.

And, sometimes, we simply want to find a way to avoid "\x00".

Page 73

Attack polymorphism (many different ways)

[Diagram: Attack Code | Exploit (Return Address), versus Decryption Code | encrypted Attack Code | Exploit (Return Address)]

The Signature Explosion Problem!!
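The \x00 truncation of Page 72 and the signature explosion of this page, in one added C example (not from the slides or the Buttercup paper): it measures how much of the slide's 12-byte sequence a strcpy()-style copy delivers, then applies a one-byte XOR transform, the simplest form of the "decryption code" stage, and counts how many keys give a NUL-free encoding. Each such key is a different byte pattern on the wire for the same payload.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* The 12 bytes from the Page 72 slide. Byte 7 is 0x00, so a strcpy()-style
 * copy stops after the first 6 bytes. */
static const uint8_t RAW[] = { 0xeb, 0x2a, 0x5f, 0xc6, 0x47, 0x07,
                               0x00, 0x89, 0x7f, 0x08, 0xc7, 0x47 };
#define RAW_LEN (sizeof RAW)

/* Number of bytes a strcpy() of p would actually deliver. */
size_t strcpy_visible_length(const uint8_t *p, size_t n)
{
    size_t i = 0;
    while (i < n && p[i] != 0x00) i++;
    return i;
}

/* One-byte XOR transform; applying it twice with the same key restores the
 * input. Returns 1 when the output contains no 0x00 byte, 0 otherwise. */
int xor_encode(const uint8_t *in, size_t n, uint8_t key, uint8_t *out)
{
    int null_free = 1;
    for (size_t i = 0; i < n; i++) {
        out[i] = in[i] ^ key;
        if (out[i] == 0x00) null_free = 0;
    }
    return null_free;
}

/* Count the keys 1..255 that give a NUL-free encoding. A detector that
 * matches the encoded bytes needs one signature per key, i.e. hundreds of
 * signatures for one payload from a one-byte change. Only the decoder stub
 * and the return address stay constant, which is what BUTTERCUP relies on. */
int count_null_free_keys(const uint8_t *in, size_t n)
{
    uint8_t tmp[64];
    if (n > sizeof tmp) return -1;
    int count = 0;
    for (int key = 1; key < 256; key++)
        if (xor_encode(in, n, (uint8_t)key, tmp)) count++;
    return count;
}
```

A key equal to any byte that occurs in the payload produces a 0x00 in the output and is unusable; every other key works, so for this 12-byte sample 245 of the 255 keys yield a distinct NUL-free encoding.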

Page 74

Vulnerability vs. Exploit

One vulnerability can be attacked by M different exploits (or N vulnerabilities by M exploits); polymorphic tools are available.
– A naive approach needs M signatures.

Can we find the "invariants"?
– We need to avoid "signature explosion"…

Page 75

[Diagram: two packet layouts, Decryption Code | Attack Code | Exploit (Return Address), the second with a NOP sled in front]

Page 76

Detecting "NOP Sleds"

"Intrusion Prevention Systems" or "Advanced Firewalls"

[Diagram: packets pass through an Intrusion Prevention System loaded with NOP-sled signatures, which analyzes and drops, before they reach the legacy victims]

Page 77

A WORM with a NOP sled

[The od -x dump of Page 70 again; the run of 0x90 words at offsets 0x000 through 0x1f3 is the sled.]

Page 78

A Polymorphic WORM

    0000000   5247 5237 5759 9199 984e 602f 4b58 9555
    0000010   3792 4997 6059 5a5d 979c 9199 9242 9349
    0000020   495e 5b37 4740 5d4f 4f99 975f 4492 3797
    0000030   4297 9e93 4598 404a 9696 4652 5150 5e4f
    0000040   454d 99fc 5251 5042 9b37 4042 4a95 4459
    0000050   4592 4998 935f 275f 985d f84e 4991 fc96
    0000060   9796 4637 5b3f 9751 9754 9f5a 9543 4c9e
    0000070   4740 9c96 499f 5652 934e 5355 479b 91f8
    0000080   48fc 5d60 4742 9755 4450 4441 4697 5697
    0000090   5b52 494f 434d 5899 f827 9957 4346 9796
    00000a0   404c 4a45 6040 404c 4957 5798 99f9 569b
    00000b0   4145 96fc 5140 4c56 f946 9348 4f4d f8f8
    00000c0   2f59 4c46 9647 4747 9e48 5137 4142 5b4d
    00000d0   545f 55f9 5e56 4191 9249 519e 559e 6099

Note that there is no run of 0x90 bytes anywhere in this dump for a NOP-sled signature to match.

Page 79

NOP sleds

"NOP sleds" can/will NOT be a useful signature for detecting future WORMs…

80~90% of the WORMs today don't really need "NOP sleds" but, historically, they are still "left" there.

Page 80

BUTTERCUP

Ideas:
– Given a software exploit, the hacker can encrypt the malicious code but not the "hijacking" entry point (e.g., the return address), which must arrive in the clear for the overflow to work.
– The hacker can twist the "return address", but practically only within a limited range of memory addresses, not infinitely.

Page 81

Memory Address Ranges

[Diagram: two stack frames side by side, each with Arguments, Return address, Prev. frame pointer, Local variables]

One "exploit" has one "return address" value, but another exploit based on the same vulnerability might use a different return address.

Page 82

Size, offset and depth

[Diagram: a stack frame (Arguments, Return address, Prev. frame pointer, Local variables) next to a packet laid out as NOP sled | Decryption Code | Attack Code | Exploit (Return Address)]

0x42b0c914 and 0x42b0caa4: the return-address values for the Slammer vulnerability bracket a range, not a single constant.

Is this packet a Slammer worm, or a suspect "utilizing" the same vulnerability?

Trade-off: performance and false positives.

Page 83

BUTTERCUP detection/prevention

[Diagram: packets pass through BUTTERCUP, which checks the payload against a memory range table and analyzes & drops, before they reach the victim]

Memory range table: 19 known exploits/vulnerabilities.

[Diagram: packet = IP header | TCP/UDP header | upper-layer payload; the payload carries NOP sled | Decryption Code | Attack Code | Exploit (Return Address)]

False positives??

IDS/IPS preprocessing
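A Buttercup-style return-address range scanner, as an added C example (not the paper's code): table row 0 uses the two Slammer addresses from Page 82; row 1, a Linux stack range covering the 0xbffff822 return address repeated in the Page 70 dump, is an assumption made for this example, and the sample payload is constructed here rather than taken from a capture. The scanner also measures the longest 0x90 run so the NOP-sled signal and the return-address signal can be compared on the same input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One row of a Buttercup-style memory range table: the span of return
 * addresses that hijack control for one known vulnerability. */
struct addr_range { const char *name; uint32_t lo, hi; };

/* Row 0: the two Slammer addresses shown on Page 82.
 * Row 1: ASSUMED for this example, a Linux stack range that covers the
 * 0xbffff822 return address in the Page 70 dump. */
static const struct addr_range RANGES[] = {
    { "slammer (MS SQL resolution service)", 0x42b0c914u, 0x42b0caa4u },
    { "linux stack (assumed range)",         0xbfff0000u, 0xbfffffffu },
};
#define NRANGES (sizeof RANGES / sizeof RANGES[0])

struct scan_result {
    int    range_hits;       /* 4-byte windows that fell inside some row */
    int    best_range;       /* row hit most often, or -1 when none */
    size_t longest_nop_run;  /* longest run of 0x90 bytes, for comparison */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Slide a 4-byte window over the payload one byte at a time, because the
 * return address can sit at any offset, and count how often the little-endian
 * value lands inside a table row. */
struct scan_result scan_payload(const uint8_t *p, size_t n)
{
    struct scan_result r = { 0, -1, 0 };
    int hits[NRANGES] = { 0 };
    for (size_t i = 0; i + 4 <= n; i++) {
        uint32_t v = le32(p + i);
        for (size_t k = 0; k < NRANGES; k++)
            if (v >= RANGES[k].lo && v <= RANGES[k].hi) { hits[k]++; r.range_hits++; }
    }
    for (size_t k = 0; k < NRANGES; k++)
        if (hits[k] > 0 && (r.best_range < 0 || hits[k] > hits[r.best_range]))
            r.best_range = (int)k;
    size_t run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (p[i] == 0x90) ? run + 1 : 0;
        if (run > r.longest_nop_run) r.longest_nop_run = run;
    }
    return r;
}

/* Decision rule: the return address is the invariant, so alert on repeated
 * range hits. A single hit inside a large binary transfer is a plausible
 * false positive, which is why min_hits is a tunable rather than 1. */
int looks_like_exploit(const struct scan_result *r, int min_hits)
{
    return r->range_hits >= min_hits;
}

/* CONSTRUCTED sample modelled on the Page 70 dump: a 16-byte 0x90 sled, a
 * few payload bytes, then 0xbffff822 repeated 8 times in memory byte order
 * (22 f8 ff bf). Returns the number of bytes written, 0 if cap is too small. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t body[] = { '/', 'b', 'i', 'n', '/', 's', 'h' };
    static const uint8_t ret[]  = { 0x22, 0xf8, 0xff, 0xbf };
    size_t n = 16 + sizeof body + 8 * sizeof ret;
    if (cap < n) return 0;
    memset(out, 0x90, 16);
    memcpy(out + 16, body, sizeof body);
    for (size_t k = 0; k < 8; k++) memcpy(out + 16 + sizeof body + 4 * k, ret, sizeof ret);
    return n;
}
```

On the constructed sample the scanner reports 8 range hits (the misaligned windows over the repeated address decode to values outside both rows) and a 16-byte sled; a plain HTTP request line yields no hits and no sled. The two signals are independent, which is the point of Pages 79 and 80: remove the sled and the return address still has to be there. The false-positive question on the slide is real for this scanner too: any 4 consecutive payload bytes that happen to decode into a table row count as a hit, so the preprocessing stage and the min_hits threshold matter as much as the table.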

Page 84

[image-only slide]

Page 85

About 30~180 days

In July 2002, Microsoft announced the vulnerabilities!

On January 25, 2003, 05:30 UTC, Slammer was out!

We had about 6 months back then!!

BUTTERCUP, a network-based approach, might have been more practical and scalable than Windows Update!!

Page 86

Limitation

BUTTERCUP will only work for "known vulnerabilities"!
– But it may work for zero-day exploits based on known vulnerabilities.

Page 87

Exploit -> Vulnerability

Exploit: controlled by the attackers.
Vulnerability: controlled/limited by the defenders.

Page 88

[Diagram: IP header | TCP/UDP header | upper-layer payload, where the payload is NOP sled | Decryption Code | Attack Code | Exploit (Return Address), leading to System State Changes on the victim]

How can each of these stages be made polymorphic?

Page 89

Register Spring

In general we don't know which "thread stack" will be used, so the stack address to return into is not known in advance; the slide cites a spread of 4 million in the possible memory addresses.

Page 90

Register Spring

[Diagram: the stack frame of Page 61 (Arguments, Return address, Prev. frame pointer, Local variables, Stack Pointer) with foo() calling bar(); bar()'s return address is redirected to a `jmp ESP` instruction. Label on the slide: 11,000]

Page 91

    Start:
        CALL FunctionWithBufferOverflow

    FunctionWithBufferOverflow:
        PUSH EBP
        MOV  EBP,ESP
        CALL OverflowMyBuffer
        POP  EBP
        RET

Page 92

Slammer

[image-only slide]

Page 93

ESP (Stack Pointer)

Register springs off of ESP utilize the compiler conventions for managing stack frames.

Pages 94–100: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Register spring walk-through (the seven animation frames of the original deck, consolidated into one listing). The code on every frame is:

Start:
    CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
    PUSH EBP
    MOV EBP,ESP
    CALL OverflowMyBuffer
    POP EBP
    RET

Stack contents (High at the top, Low at the bottom) after each step:

– Page 94: before the CALL; ESP points at the top of the stack.
– Page 95: CALL pushes the return address Start+6 (the instruction after the CALL); ESP now points at Start+6.
– Page 96: PUSH EBP saves the caller's frame pointer below Start+6; ESP points at Old EBP.
– Page 97: MOV EBP,ESP makes ESP and EBP both point at the Old EBP slot; MyBuffer is allocated below it, toward Low.
– Page 98: OverflowMyBuffer writes past the end of MyBuffer. From Low to High the stack now reads Attack0 ... Attack8: MyBuffer holds Attack0 to Attack4, the Old EBP slot holds Attack5, the return-address slot holds Attack6, and Attack7 and Attack8 spill above it.
– Page 99: POP EBP loads Attack5 into EBP (EBP == Attack5). RET then pops Attack6 as the return address and leaves ESP pointing at Attack7. Attack6 is the address of a "jmp ESP" instruction in code that is already in memory.
– Page 100: Attack6: JMP ESP transfers control to wherever ESP points, i.e. to Attack7, where the attacker's code begins.

Page 101: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Notes

This is how Slammer worked; Sasser is very similar, as are a couple of others.

Bogus return pointer is Attack6, payload starts at Attack7.
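The frames on pages 94–100 and the note above, replayed symbolically as an added example (not from the slides): memory is a list of 4-byte slots with labels instead of bytes, and the release of MyBuffer before POP EBP, which the slides elide, is assumed to be ESP = EBP.

```python
# Added example, not from the slides: symbolic replay of the register-spring frames.
# A higher list index is a higher address, so "High" is the end of the list and
# "Low" the start. Slot contents are labels, not real bytes.

class Stack:
    def __init__(self, size=20, headroom=4):
        self.mem = ["free"] * size
        self.esp = size - headroom   # caller's frame lives in the headroom above ESP
        self.ebp = "caller EBP"
        self.eip = None

    def push(self, value):
        self.esp -= 1                # x86 stack grows toward lower addresses
        self.mem[self.esp] = value

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 1
        return value

def replay(overflow, buffer_slots=5):
    """Run FunctionWithBufferOverflow while OverflowMyBuffer copies `overflow`
    (a list of labels) into MyBuffer from its base upward with no bounds check.
    Returns (EIP after RET, EBP after POP EBP, label at ESP after RET)."""
    s = Stack()
    s.push("Start+6")            # CALL FunctionWithBufferOverflow: push return address
    s.push(s.ebp)                # PUSH EBP: save the old frame pointer
    s.ebp = s.esp                # MOV EBP,ESP
    s.esp -= buffer_slots        # MyBuffer: local space below EBP
    base = s.esp
    for i, label in enumerate(overflow):   # CALL OverflowMyBuffer: unchecked copy
        s.mem[base + i] = label            # runs on into saved EBP and return address
    s.esp = s.ebp                # release MyBuffer (assumption; the slides elide this)
    s.ebp = s.pop()              # POP EBP: restores whatever the overflow left there
    s.eip = s.pop()              # RET: pops the (now bogus) return address into EIP
    return s.eip, s.ebp, s.mem[s.esp]

def spring_target(overflow, buffer_slots=5):
    """Where a 'jmp ESP' reached through the bogus return address would land."""
    return replay(overflow, buffer_slots)[2]

ATTACK = [f"Attack{i}" for i in range(9)]   # constructed labels Attack0 .. Attack8
```

A five-slot write that stays inside MyBuffer leaves EBP and the return address intact, which is the contrast a detector is trying to tell apart.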

Page 102: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Other registers

Register springs off of other registers utilize the compiler conventions for managing buffers (i.e. EBX is the “base” register for indexing the base of a buffer, ESI is the “source” register for string operations, EDI is the “destination”, …).

Blaster (RPC DCOM) used EBX, the ASN.1 exploit uses EDI, Code Red II used EBX.

Page 103: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

DCOM Exploits in svchost (Blaster)

0xff 0xd3 is CALL EBX, which is the one Blaster used, but JMP EBX (0xff 0xe3) works just as well.

There are a little over 11,000 of them in svchost; 0x0100139d is the only one that Blaster used and is the one the publicly available DCOM exploit uses.

Page 104: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

[Figure (repeat of page 90): stack frame with High at the top and Low at the bottom, Stack Growth downward: Arguments, Return address, Prev. frame pointer, Local variables, Stack Pointer. The return address points at a "jmp ESP" instruction in existing code (foo, bar ... ret); there are 11,000 such locations.]

Page 105: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

[Figure: BUTTERCUP detection/prevention sits in front of the victim; each packet is checked against a memory range table of known exploits and dropped on a match.]

11,000 signatures for ONE vulnerability!!

False positives on BUTTERCUP???

Page 106: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Register Spring + Polymorphic

[Figure: Attack Code stages: Exploit (RegisterSpring), Decryption Code, NOP NOP NOP NOP, ????. The exploit stage carries the register-spring address “0x0100139d”.]

Page 107: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

EBX-based Buttercup (a possible project idea)

Among all the memory addresses for call ebx (0xff 0xd3 -- 11000+ of them), only four of them are around 0x01001***, about another 600+ are from 0x719555a4 to 0x71c637b3. But, the rest of them (the majority, 10000+) are all from 0x7585149f to 0x77fbc10b.

The four near 0x01001***: 0x0100139d, 0x010013a2, 0x01001c83, 0x01001cc7. Range boundaries: 0x719555a4 to 0x71c637b3, and 0x7585149f to 0x77fbc10b.
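As an added illustration of the memory-range-table check on page 105 and the false-positive worry that follows (example code, not Buttercup's own): a detector that matches every 4-byte window of a payload against the page-107 numbers. The four exact addresses are from the slide; modelling the other two regions as whole ranges, and the sample payload, are constructed assumptions.

```python
import struct

# Constructed table from the page-107 numbers (not Buttercup's own data format):
# four exact CALL EBX addresses near 0x01001***, plus two coarse ranges standing
# in for the 600+ and 10000+ addresses in the other two regions.
EXACT_ADDRS = {0x0100139d, 0x010013a2, 0x01001c83, 0x01001cc7}
RANGE_TABLE = [(0x719555a4, 0x71c637b3), (0x7585149f, 0x77fbc10b)]

def in_table(addr: int) -> bool:
    """True if a 32-bit value is an exact entry or falls inside a range."""
    return addr in EXACT_ADDRS or any(lo <= addr <= hi for lo, hi in RANGE_TABLE)

def scan_payload(payload: bytes) -> list:
    """Slide a 4-byte window over the payload at every byte offset, decode it as a
    little-endian x86 address and report (offset, addr) for each table hit.
    Every offset is checked because nothing forces an overwrite to be 4-aligned."""
    hits = []
    for off in range(len(payload) - 3):
        addr = struct.unpack_from("<I", payload, off)[0]
        if in_table(addr):
            hits.append((off, addr))
    return hits

def coverage_count() -> int:
    """Number of distinct 32-bit values the table flags; divided by 2**32 this is
    the chance that one window of random bytes is a false positive."""
    return len(EXACT_ADDRS) + sum(hi - lo + 1 for lo, hi in RANGE_TABLE)

def expected_false_hits(payload_len: int) -> float:
    """Expected range hits on a payload of uniformly random bytes (page 108's
    concern): roughly 1% of windows land in the big 0x7585149f..0x77fbc10b range."""
    return max(payload_len - 3, 0) * coverage_count() / 2**32

# Constructed sample payload: NOP filler, the Blaster address at offset 20, a value
# at offset 40 that merely falls inside the coarse range (a false positive of the
# range approximation), and an address outside the table at offset 50.
SAMPLE = bytearray(b"\x90" * 64)
SAMPLE[20:24] = struct.pack("<I", 0x0100139d)
SAMPLE[40:44] = struct.pack("<I", 0x7600abcd)
SAMPLE[50:54] = struct.pack("<I", 0x00401000)
```

Run on a 1000-byte random payload, `expected_false_hits` gives about ten spurious hits, which is the quantitative side of "still a lot and maybe false positives".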

Page 108: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

But…

Still a lot, and maybe false positives…
– We don’t know
– What else can we do in the network…

Page 109: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Vulnerability and IDS/IPS

Software vulnerability is a very difficult issue to manage, especially on the wire.
– Naïve payload analysis will be much less meaningful
– Don't focus on the intention of the attacker first: too many possibilities
– Focus on how their code can get in!

A more humble goal

Signature: simple & yet powerful??

Page 110: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

What is a “vulnerability”?

1 Vulnerability -- N Exploits

Page 111: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Vulnerability Primitive

– The capability for the attacker to put a value in a particular memory address.

– A memory system state change

No verification ……

And, we “might” have to perform such analysis on the wire!!

Page 112: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

[Figure (repeat of page 88): packet layout: IP HDR | TCP/UDP HDR | UPR. LYR. PAYLOAD. Attack Code stages: Exploit (ReturnAddr), Decryption Code, NOP NOP NOP NOP, System State Changes.]

Focus on “Primitives” being used in the “Epsilon” phase!

Application dependent analysis

Page 113: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Control Flow Hijack

I want “my code” executed!

– Malicious code injection
– Control flow redirection/hijacking

[Figure: injected code blocks; Virus / Worm]

Page 114: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

virus

[Figure: Clickme.exe, MSword.exe, FS (file system); label: easily]

Page 115: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Host-based Approach

Minos can resolve all the problems related to control-flow hijacks with zero false positives.

Page 116: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Secure virtualization

[Figure, layered bottom to top: Hardware; Full Virtualization with Security Enhancements (Minos/DaCodA); Unmodified OS (XP, Linux, Solaris, or FreeBSD); Unmodified Applications]

Page 117: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Asymmetric Information

Can we fill the gap??

Page 118: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

[Figure, layered bottom to top: Hardware; Full Virtualization with Security Enhancements (Minos/DaCodA); Unmodified OS (XP, Linux, Solaris, or FreeBSD); Unmodified Applications. IPS in the virtualization layer, alongside NIDS/NIPS on the network.]

Recovery in Memory: What types of roll-backs will make the most sense practically? OS versus Applications

Page 119: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Tricky virus

[Figure: MSword.exe and FS, shown twice]

Page 120: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

IPC virus

[Figure: SQL.exe, MSword.exe, FS]

Page 121: ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability

Two definitions of Virus

A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself. – Fred Cohen, early 80’s.

A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself. – Peter Szor, recently.