Tools and techniques for understanding and defending real systems (transcript of a PowerPoint presentation, 79 slides)


1
Tools and techniques for understanding and
defending real systems
  • Jedidiah R. Crandall
  • crandall@cs.ucdavis.edu

2
Overview
  • Security is not a problem to be solved, but a
    battle to be waged by:
    • Antivirus professionals
    • Law enforcement
    • Next-generation security technology developers
  • Give them the tools they need:
    • Implementations of useful techniques
    • Theory planted firmly in practice

3
Vision
  • How can we address emerging threats
    (poly/metamorphic worms/botnets, cryptovirology,
    advanced rootkits, etc.)?
  • Problem: we don't have very many real-world
    samples of these to look at
  • Solution: look at the way the samples we do have
    interact with the systems we're trying to defend

4
Outline
  • Code Red II example
  • Define some basic terms and concepts
  • Minos
    • Catches worms
  • DACODA
    • Used to understand polymorphism and metamorphism
  • Temporal Search
    • Analyzes the payload for timebomb attacks
  • Looking ahead

6
Code Red/Code Red II
  • Code Red
    • 359,000 hosts infected
    • $2.6 billion in cleanup (Computer Economics estimate)
    • Attempted DoS on the White House
      • Averted after being discovered hours before the
        attack was to occur
  • Code Red II
    • Exploit is basically the same

7
Exploit-based Worms
[Figure: a web server's memory, with the request GET /bla?xA1B28CD30EE17C arriving from the network and being written into it]
8
The Code Red II Exploit
  • GET /default.ida?XXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u
    7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00
    c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    HTTP/1.0

9
Three stages of an attack
10
ε Exploit Vector
  • (the Code Red II request from slide 8, with the exploit
    vector highlighted: the part of the request that drives
    the vulnerable parser to the overflow)

11
γ Bogus Control Data
  • (the same request, with the bogus control data
    highlighted: the %ucbd3%u7801 that becomes the return
    address 0x7801cbd3 in memory)

12
π Payload
  • (the same request, with the payload highlighted: the
    code that runs once control has been hijacked)

13
Motivation for ε-γ-π
  • Different polymorphic/metamorphic techniques apply
    to ε, γ, and π
  • Data can be represented differently on the
    network and where it is used in the attack trace:
    • 25 75 63 62 64 33 25 75 37 38 30 31 ("%ucbd3%u7801"
      on the wire) vs.
    • d3 cb 01 78 in memory, for the control-data value
      0x7801cbd3
  • "Information only has meaning in that it is
    subject to interpretation." (Cohen, 1984)

14
Network Signatures?
  • (the Code Red II request from slide 8: which of its
    bytes could a network signature match on?)

15
Polymorphism and metamorphism
  • Change successive instances of the worm so that
    signature-based network defenses fail
  • Polymorphic: think syntax (change how the bytes are
    encoded)
  • Metamorphic: think semantics (change what the bytes
    mean to the host)
  • Note: some researchers call both polymorphism

16
ε Exploit Vector
  • (the Code Red II request from slide 8, exploit vector
    highlighted; see slide 10)

17
γ Bogus Control Data
  • (the same request, bogus control data highlighted;
    see slide 11)

18
π Payload
  • (the same request, payload highlighted; see slide 12)

19
Poly/metamorphism in γ and π
  • Poly/metamorphic possibilities of π are endless
    (self-modifying code)
  • γ: Buttercup (Pasupulati et al., NOMS 2004)
  • Register springs: more details in Crandall et
    al., DIMVA 2005
    • 11,009 possibilities for Blaster
    • 353 for Slammer

20
Polymorphism of ε
  • (the original Code Red II request, as on slide 8)

21
Polymorphism of ε
  • GET /yutiodr.ida?CEOIUXJASKMDIDD
    EOXIJOEIJXDXNMDKJXNSKJNXIDOIW
    RATUD%u8743%ubc65%ua999%uffff%u873f%ue875%u4568%u
    99cc%u8333%u7621%ubb66%u9876%u1000%u8732%u9854%u76
    cd%udddd%u5555%u5234%uff43%u7632%u5632%ucci
    HTTP/1.0

22
Metamorphism of ε
  • (the original Code Red II request, as on slide 8)

23
Metamorphism of ε
  • GET /default.ida?X%u61XXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\xd3\xcb\x01\x78XXXXXXXXXXXXXXXXXXa HTTP/1.0
  • (the same 0x7801cbd3 control data arrives as the raw
    bytes \xd3\xcb\x01\x78 instead of as %u escapes)
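
Slides 13 and 23 make the point that the bytes on the wire and the bytes the host acts on need not look alike. The Python below is an added example, not code from the talk or from DACODA: a simplified stand-in for the server's %uXXXX decoder (the real IIS code path is not reproduced), applied to two constructed requests modelled on slides 8 and 23 with the filler shortened to 40 bytes. It shows that the %u-encoded request and the raw-byte variant deposit the same 0x7801cbd3 control data in memory while sharing no bytes at that position on the wire.

```python
"""Two wire encodings, one in-memory control-data value (added example).

Models the IIS-style "%uXXXX" decoding that turns %ucbd3%u7801 into the
little-endian bytes d3 cb 01 78 (the dword 0x7801cbd3), and shows that a
request carrying those four bytes raw ends up with the same control data
in memory. The decoder is a simplified stand-in for the server's, not a
reproduction of IIS; the sample requests are constructed.
"""
import re
import struct

_U_ESCAPE = re.compile(rb"%u([0-9a-fA-F]{4})")


def decode_u_escapes(wire: bytes) -> bytes:
    """Server-side view: each %uXXXX becomes one 16-bit code unit, stored
    little-endian; every other byte is copied through unchanged."""
    out = bytearray()
    pos = 0
    for m in _U_ESCAPE.finditer(wire):
        out += wire[pos:m.start()]
        out += struct.pack("<H", int(m.group(1), 16))
        pos = m.end()
    out += wire[pos:]
    return bytes(out)


def query_of(request: bytes) -> bytes:
    """The bytes between '?' and ' HTTP/' on the request line."""
    line = request.split(b"\r\n", 1)[0]
    return line.split(b"?", 1)[1].rsplit(b" HTTP/", 1)[0]


def dword_offsets(decoded: bytes, value: int) -> list:
    """Offsets at which `value` sits in memory as a little-endian dword."""
    needle = struct.pack("<I", value)
    return [i for i in range(len(decoded) - 3) if decoded[i:i + 4] == needle]


def wire_vs_memory(token: bytes) -> tuple:
    """Hex of a token as sent versus as stored after decoding (slide 13)."""
    return token.hex(" "), decode_u_escapes(token).hex(" ")


def same_control_data(req_a: bytes, req_b: bytes, value: int) -> bool:
    """True when both requests plant `value` somewhere in the decoded buffer,
    whatever their bytes on the wire looked like."""
    return all(dword_offsets(decode_u_escapes(query_of(r)), value)
               for r in (req_a, req_b))


# Constructed samples modelled on slides 8 and 23 (filler shortened to 40 bytes).
POLY = (b"GET /default.ida?" + b"X" * 40
        + b"%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n")
META = (b"GET /default.ida?" + b"X" * 40
        + b"\x90\x90\x58\x68\xd3\xcb\x01\x78" + b"X" * 8 + b" HTTP/1.0\r\n")

if __name__ == "__main__":
    print(wire_vs_memory(b"%ucbd3%u7801"))
    print(dword_offsets(decode_u_escapes(query_of(POLY)), 0x7801CBD3))
    print(dword_offsets(decode_u_escapes(query_of(META)), 0x7801CBD3))
    print(same_control_data(POLY, META, 0x7801CBD3))
```

A signature keyed on the wire form of γ (the twelve bytes 25 75 63 62 ...) matches POLY and not META; a check that runs after decoding sees the same four bytes in both, which is the argument for analysing the attack where the data is interpreted rather than where it is transmitted.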

24
Metamorphism of e
25
Outline (repeated; next section: Minos)

26
Minos (Crandall and Chong, MICRO 2004)
  • Tagged architecture that tracks the integrity of
    every memory word
    • Network data is tainted (low integrity)
    • Control data (return pointers, function pointers,
      jump targets, etc.) must never be tainted
  • Taint tracking with every instruction
  • Great for catching worms
  • Uses the γ mapping

27
Gratuitous Dante Quote
  • "Minos the dreadful snarls at the gate, and
    wraps himself in his tail with as many turns as
    levels down that shade will have to dwell"

28
Minos Implementation
  • Implemented a full-system tagging scheme in a
    virtual machine
  • Linux (modified kernel)
    • Tracks integrity in the file system
    • Virtual memory swapping used by the Raksha project
  • Windows (unmodified)
    • Works great as a honeypot for catching worms

29
How to catch worms
30
Only one false positive
31
Actually a non-target pest
32
Minos Full-System Evaluation
  • General Minos concept used in related works (DIFT,
    Suh et al., ASPLOS 2004; TaintCheck, Newsome
    and Song, NDSS 2005), follow-on works, and at
    least one commercial product
  • Important to get things right
    • e.g. for Code Red II, taint must propagate through
      table lookups (a decoder that looks each network
      byte up in a trusted table must produce a tainted
      result), or the bogus control data loses its tag
      before it is used
  • Able to build DACODA on top of Minos
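
To make the tagging rule concrete, here is an added example (my own Python model, not Minos): a tiny machine with one integrity bit per register and memory cell, a network receive that tags what it writes, and a `ret` that faults on a tagged cell. The layout (network buffer at cell 0, saved return address at cell 16, hex-digit table at 256+ord(c)) and the decoder routine are constructed. Running the decoded-address scenario with the table-lookup rule on and off shows the false negative that the "Code Red II must taint table lookups" bullet refers to.

```python
"""Tag-propagating machine in the spirit of Minos (added example, not Minos).

Every register and memory cell carries one integrity bit; data received from
the network is low-integrity (tainted), results inherit the OR of their
operands' tags, and a `ret` through a tainted cell raises an alarm. The
"table lookup" rule decides whether loading a trusted cell at a tainted
index yields a tainted value; the decoder below shows why it matters.
Memory is an abstract array of integer cells; all addresses are constructed.
"""
from dataclasses import dataclass


@dataclass
class Word:
    value: int
    tainted: bool = False  # True = low integrity (derived from network data)


class MinosAlarm(Exception):
    """A control transfer was about to use low-integrity data."""


class TaggedMachine:
    def __init__(self, cells: int = 512, taint_table_lookups: bool = True):
        self.mem = [Word(0) for _ in range(cells)]
        self.regs = {}
        self.taint_table_lookups = taint_table_lookups

    def recv(self, addr: int, words) -> None:
        """Network input: every cell written is tagged low-integrity."""
        for i, v in enumerate(words):
            self.mem[addr + i] = Word(v, True)

    def mov_imm(self, r: str, v: int) -> None:
        self.regs[r] = Word(v, False)

    def add(self, dst: str, src: str) -> None:
        a, b = self.regs[dst], self.regs[src]
        self.regs[dst] = Word((a.value + b.value) & 0xFFFFFFFF, a.tainted or b.tainted)

    def shl_imm(self, r: str, n: int) -> None:
        a = self.regs[r]
        self.regs[r] = Word((a.value << n) & 0xFFFFFFFF, a.tainted)

    def or_reg(self, dst: str, src: str) -> None:
        a, b = self.regs[dst], self.regs[src]
        self.regs[dst] = Word(a.value | b.value, a.tainted or b.tainted)

    def load(self, r: str, addr_reg: str) -> None:
        a = self.regs[addr_reg]
        w = self.mem[a.value]
        # With the rule off, a trusted table indexed by tainted data launders
        # the taint: the loaded value comes back clean.
        tainted = w.tainted or (self.taint_table_lookups and a.tainted)
        self.regs[r] = Word(w.value, tainted)

    def store(self, addr_reg: str, src: str) -> None:
        s = self.regs[src]
        self.mem[self.regs[addr_reg].value] = Word(s.value, s.tainted)

    def ret(self, sp_reg: str) -> int:
        """Pop the return address; fault if it is low-integrity."""
        target = self.mem[self.regs[sp_reg].value]
        if target.tainted:
            raise MinosAlarm(f"ret to low-integrity address {target.value:#010x}")
        return target.value


# Constructed layout: a 16-cell network buffer, the saved return address
# right after it, and a trusted hex-digit table higher up in memory.
BUF, RET_SLOT, HEX_TABLE = 0, 16, 256


def install_hex_table(m: TaggedMachine) -> None:
    for c in "0123456789abcdef":
        m.mem[HEX_TABLE + ord(c)] = Word(int(c, 16), False)


def decode_hex_via_table(m: TaggedMachine, src: int, ndigits: int, dst: int) -> None:
    """Model of a %u-style decoder: acc = acc*16 + table[digit], then store.
    Writing the result at `dst` models the decoded bytes overrunning the
    buffer onto the saved return address."""
    m.mov_imm("acc", 0)
    for i in range(ndigits):
        m.mov_imm("ptr", src + i)
        m.load("digit", "ptr")      # the digit itself came off the wire
        m.mov_imm("idx", HEX_TABLE)
        m.add("idx", "digit")       # index inherits the digit's tag
        m.load("nib", "idx")        # the table lookup in question
        m.shl_imm("acc", 4)
        m.or_reg("acc", "nib")
    m.mov_imm("ptr", dst)
    m.store("ptr", "acc")


def _try_ret(m: TaggedMachine) -> str:
    m.mov_imm("sp", RET_SLOT)
    try:
        return f"jumped to {m.ret('sp'):#010x}"
    except MinosAlarm:
        return "alarm"


def run_direct_overflow() -> str:
    """17 words into a 16-word buffer: the last one lands on RET_SLOT."""
    m = TaggedMachine()
    m.recv(BUF, [0x41] * 16 + [0x7801CBD3])
    return _try_ret(m)


def run_decoded_overflow(taint_table_lookups: bool) -> str:
    """The address arrives as ASCII hex and is decoded through the table."""
    m = TaggedMachine(taint_table_lookups=taint_table_lookups)
    install_hex_table(m)
    m.recv(BUF, list(b"7801cbd3"))
    decode_hex_via_table(m, BUF, 8, RET_SLOT)
    return _try_ret(m)
```

The direct overwrite is caught under either policy. With the table-lookup rule off, the eight network bytes each pass through a trusted table and the reassembled 0x7801cbd3 reaches the return-address slot untagged, so the `ret` is allowed; with it on, the tag rides along and the same `ret` raises the alarm.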

33
Outline (repeated; next section: DACODA)

34
DACODA (Crandall et al., CCS 2005)
  • DAvis malCODe Analyzer
  • Discovers invariants in the exploit vector (ε)
  • Symbolic execution on the system trace during
    attacks that Minos catches
  • Used for an empirical analysis of polymorphism
    and metamorphism
    • Quantify and understand the limits

35
Worm Polymorphism and Metamorphism
  • Viruses: the defender has time to pick apart the
    attacker's techniques
    • e.g. algorithmic scanners, emulation
  • Worms: the attacker has time to pick apart the
    deployed network defense techniques
  • What can defenders do to evaluate the robustness
    of defenses against attacks that don't exist yet?

36
Measuring Poly/metamorphism
  • Ma et al. (IMC 2006) found relatively little
    polymorphism in the wild
  • Worm defense designers don't have samples of the
    poly/metamorphic techniques attackers will use on
    their defenses
    • (They have to build the defense first)

37
The Epsilon-Gamma-Pi Model
38
How DACODA Works
  • "Information only has meaning in that it is
    subject to interpretation." (Cohen, 1984)
  • Gives each byte of network data a unique label
  • Tracks these through the entire system
  • Discovers predicates about how the host under
    attack interprets the network bytes

39
(symbolic execution of a trace, instruction by instruction; AL.expr is the
expression attached to register AL, "<-" is assignment)

mov al, [AddressWithLabel1832]   AL.expr <- (Label 1832)
add al, 4                        AL.expr <- (ADD AL.expr 4)
                                 /* AL.expr = (ADD (Label 1832) 4) */
cmp al, 10                       ZFLAG.left <- AL.expr
                                 /* ZFLAG.left = (ADD (Label 1832) 4) */
                                 ZFLAG.right <- 10
je JumpTargetIfEqualToTen        P <- new Predicate(EQUAL ZFLAG.left ZFLAG.right)
                                 /* P = (EQUAL (ADD (Label 1832) 4) 10) */
                                 AddToSetOfKnownPredicates(P)
40
Why Full-System Analysis?
  • Kernel
    • "Remote Windows Kernel Exploitation: Step Into
      the Ring 0" by Barnaby Jack
    • MS05-027 (SMB)
  • Multiple processes
    • Base64 decoding in IIS, ASN.1 decoding in lsass.exe
  • Multithreading
    • And listening on multiple ports
    • Even for Slammer, the simplest buffer overflow
      ever

41
Actual Worms/Attacks Caught by Minos and Analyzed
by DACODA

  Name                OS                   Port       Class
  Sasser              WinXP                445/TCP    Buffer overflow
  Blaster             WinXP                135/TCP    Buffer overflow
  Workstation Serv.   WinXP                445/TCP    Buffer overflow
  RPCSS               WinXP                135/TCP    Buffer overflow
  Slammer             Whistler (XP beta)   1434/UDP   Buffer overflow
  Code Red II         Whistler (XP beta)   80/TCP     Buffer overflow
  Zotob               Win2K                445/TCP    Buffer overflow
42
Other Attacks Caught by Minos and Analyzed by
DACODA

  Name        OS                   Port           Class
  SQL Auth.   Whistler (XP beta)   1434/TCP       Buffer overflow
  rpc.statd   Linux                111, 918/TCP   Format string
  innd        Linux                119/TCP        Buffer overflow
  Scalper     OpenBSD              80/TCP         Integer overflow
  ntpd        FreeBSD              123/TCP        Buffer overflow
  Turkey      FreeBSD              21/TCP         Off-by-one
43
Single Contiguous Byte Strings
(longest contiguous byte string that DACODA found must appear in every
instance of the exploit)

  Name        Longest string (bytes)
  Sasser      36
  Blaster     92
  Work.       23
  RPCSS       18
  Slammer     1
  CRII        17
  Zotob       36
  SQLAuth     4
  rpc.statd   16
  innd        27
  Scalper     32
  ntpd        8
  Turkey      21
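
The instruction-by-instruction trace on slide 39 and the "longest string" numbers on slide 43 are the two ends of one pipeline. The Python below is an added example, not DACODA itself (which works on x86 full-system traces in a modified Bochs): a toy symbolic executor that labels every byte of a constructed packet, records a predicate at each `je`, then solves the EQUAL predicates for bytes they fix outright and reports the longest contiguous run of fixed bytes. The victim parser, the packet contents and the base address 0x1000 are all constructed for the example.

```python
"""DACODA-style symbolic execution on a tiny trace (added example).

Each network byte gets a unique label; registers carry both the concrete
value seen on the trace and a symbolic expression over those labels; every
conditional branch contributes a predicate. From the predicate set we then
recover the bytes the exploit vector must contain and the longest contiguous
run of them. The victim parser, packet and addresses are constructed; real
DACODA works on x86 full-system traces in a modified Bochs.
"""
from dataclasses import dataclass

BASE = 0x1000  # constructed: where the packet lands in memory


@dataclass(frozen=True)
class Sym:
    value: int    # concrete value on the trace
    expr: object  # int, ("LABEL", addr) or ("ADD", expr, k)


def pretty(e) -> str:
    """Render an expression or predicate in the slide's prefix notation."""
    if isinstance(e, tuple):
        return "(" + " ".join(pretty(x) for x in e) + ")"
    return str(e)


class Dacoda:
    def __init__(self, packet: bytes):
        # Every network byte gets its own label (here: its address).
        self.mem = {BASE + i: Sym(b, ("LABEL", BASE + i)) for i, b in enumerate(packet)}
        self.regs = {}
        self.zflag = None      # (left, right) operands of the last cmp
        self.predicates = []   # ("EQUAL" | "NOTEQUAL", left_expr, right_expr)

    def mov_load(self, reg: str, addr: int) -> None:
        self.regs[reg] = self.mem.get(addr, Sym(0, 0))

    def add_imm(self, reg: str, k: int) -> None:
        s = self.regs[reg]
        expr = s.expr + k if isinstance(s.expr, int) else ("ADD", s.expr, k)
        self.regs[reg] = Sym((s.value + k) & 0xFF, expr)

    def cmp_imm(self, reg: str, k: int) -> None:
        self.zflag = (self.regs[reg], Sym(k, k))

    def je(self) -> bool:
        """Take the branch the trace took; record what that says about labels."""
        left, right = self.zflag
        taken = left.value == right.value
        if isinstance(left.expr, tuple):  # only predicates over network data
            self.predicates.append(("EQUAL" if taken else "NOTEQUAL", left.expr, right.expr))
        return taken


def solve_byte(expr, target: int):
    """(label, byte) if `expr == target` pins a single network byte, else None."""
    if isinstance(expr, tuple) and expr[0] == "LABEL":
        return expr[1], target & 0xFF
    if isinstance(expr, tuple) and expr[0] == "ADD":
        return solve_byte(expr[1], target - expr[2])
    return None


def invariant_bytes(predicates) -> dict:
    """Label -> byte value for every byte the predicates fix outright."""
    fixed = {}
    for op, left, right in predicates:
        if op == "EQUAL" and isinstance(right, int):
            hit = solve_byte(left, right)
            if hit:
                fixed[hit[0]] = hit[1]
    return fixed


def longest_contiguous(fixed: dict) -> bytes:
    """Longest run of adjacent labels whose values are all fixed."""
    best = run = b""
    prev = None
    for lab in sorted(fixed):
        run = run + bytes([fixed[lab]]) if prev is not None and lab == prev + 1 else bytes([fixed[lab]])
        prev = lab
        best = max(best, run, key=len)
    return best


def run_parser(packet: bytes):
    """Constructed victim: checks 'GET ' byte by byte (one je per byte), then
    reads the next byte, adds 4 and tests for 10, as in the slide's trace."""
    d = Dacoda(packet)
    for i, ch in enumerate(b"GET "):
        d.mov_load("al", BASE + i)
        d.cmp_imm("al", ch)
        if not d.je():
            return d, "rejected"
    d.mov_load("al", BASE + 4)
    d.add_imm("al", 4)
    d.cmp_imm("al", 10)
    return d, ("handler_ten" if d.je() else "fallthrough")
```

For the packet `GET \x06/index.html` the executor records four `(EQUAL (LABEL n) c)` predicates for the method and one `(EQUAL (ADD (LABEL 4100) 4) 10)`; solving them fixes five adjacent bytes, so the longest contiguous string is `GET \x06`. Everything after it is unconstrained by this path, which is the same shape of result as the table above: short invariant strings embedded in a request that is otherwise free for the attacker to vary.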
44
Single Contiguous Signatures
  • Autograph (Kim and Karp, USENIX Security 2004)
    and EarlyBird (Singh et al., OSDI 2004) both
    demonstrated good results at about 40 bytes for
    the signature length
  • Newsome et al. (Polygraph, IEEE S&P 2005) came to the
    same conclusion as we did and proposed sets of smaller
    byte strings called tokens

45
Tokens
  • (the Code Red II request from slide 8, with the short
    invariant byte strings, the tokens, highlighted)

46
Where do These Tokens Come From?
  • Scalper: "Transfer-Encoding: chunked"
  • The same applies to most of these vulnerabilities
  • The horns of a dilemma:
    • Use protocol framing as a signature (and match
      legitimate traffic that uses the same framing), or
    • Be very precise (which requires understanding the
      semantics of the vulnerability)

47
Precision: ASN.1 Dangling Pointer
  • Heap corruption
  • Nested encoding on the wire:
    (0x23 SIZE AAAAAAAA
      (0x23 SIZE
        0x77665544 BBBB)
    )

48
Conclusions from DACODA
  • Whole-system analysis is important
  • New focus on more semantic signatures
    • How to understand the semantics of the
      vulnerability?
  • We can learn a lot about emerging malware threats
    by studying existing malware samples and their
    interactions with the systems they run on

49
Outline (repeated; next section: Temporal Search)

50
Temporal Search (Crandall et al., ASPLOS 2006)
  • Automated discovery of timebomb attacks
  • Analysis in the π stage
  • Prototype of behavior-based analysis
  • Proposed a framework for a problem space nobody
    has looked at before
    • Implemented parts of it
    • Identified the remaining challenges
      • By testing real worms with timebombs on our
        prototype

51
You, as an antivirus professional, catch a new worm
  • Unpack it
    • Polymorphism/metamorphism?
    • Anti-debugger tricks?
  • Any behaviors predicated on time?
    • How does it get the time?
    • UTC or local?
    • Conversions between formats?

52
With Temporal Search
  • Infect a VM
  • Automated, behavior-based Temporal Search
  • Respond

53
How to respond?
  • Sober.X: 6 and 7 January 2006
    • URLs blocked
  • Kama Sutra: 3rd of the month
    • Users removed infections
  • Code Red: 20th of the month
    • White House IP address changed
  • What if we have just hours or even minutes, not
    days?

54
Behavior-based Analysis
  • Cohen (1984) defined behavior-based detection as
    "a question of defining what is and is not a
    legitimate use of a service, and finding a means
    of detecting the difference"
  • Behavior-based analysis is similar:
    • Assume the system is infected with malware
    • Analyze its use of a service, such as the PIT
      (Programmable Interval Timer)

55
Why not just speed up the clock?
  • Dramatic time perturbation would be easy to
    detect
  • Also not easy to do for a busy system
    (effectively lowers perceived performance)
  • May miss some behaviors
    • e.g. Kama Sutra (active only on the 3rd of the month)
  • Will not be able to explain the behaviors it does
    elicit

56
Basic Idea
  • Find timers
    • Run the PIT at different rates of perceived time
    • System performance stays the same
    • Correlate between PIT and memory writes
  • Symbolic execution
    • e.g. with DACODA
    • Weakest precondition calculation

57
Filling in the Timetable (built up over slides 57-59)

  SystemTime                     Predicate   Behavior
  126,396,288e12 (13 July 2001)  ? > 20      Spread
  126,402,336e12 (20 July 2001)  ? > 28      DoS White House
  126,409,248e12 (28 July 2001)  None        Go to sleep

[Figure: the three rows placed on a time axis]
60
Windows
61
Manual Analysis
  • Many different library calls and APIs for date and
    time
    • GetSystemTime(), GetLocalTime(),
      GetTimeZoneInformation(), DiffDate(),
      GetDateFormat(), etc.
    • A system call is not really necessary
  • Conversions back and forth between various
    representations (e.g. MyParty.A, Blaster.E)
    • UTC vs. local
    • Epochs: 1601 (Windows FILETIME) vs. 1900 (NTP) vs.
      1970 (Unix)
    • 32- vs. 64-bit
    • Integers for day, month, year, etc.
    • Strings
  • Not always done with standard library functions
  • Have to unpack it first; anti-debugging tricks
  • All of this is simply dataflow from the SystemTime
    timer
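
As an added example tying together the "Basic Idea", the timetable and the conversions listed above (my own Python, not the Temporal Search prototype): a worm decision function keyed on day of month, modelled on Code Red's schedule, is evaluated at perceived SystemTime values that are swept forward in coarse steps and then bisected to the exact tick of each behavior change; a second constructed bomb that fires only on the 3rd of the month shows what a coarse step misses. The FILETIME/NTP/Unix epoch helpers are the conversions manual analysis has to untangle. The real system finds the timers by correlating PIT ticks with memory writes and explains the boundaries by symbolic execution; here the behavior is simply re-evaluated at chosen times, which is an assumption of the model.

```python
"""Temporal Search in miniature (added example, not the ASPLOS 2006 system).

The "worm" is a constructed function of the perceived SystemTime (a Windows
FILETIME: 100 ns ticks since 1601-01-01), keyed on the day of month as Code
Red was. The analyzer sweeps perceived time in coarse steps and bisects each
behavior change down to the exact tick, producing a timetable.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SEC = 10_000_000
DAY = 86_400 * TICKS_PER_SEC
SECS_1601_TO_1970 = 11_644_473_600   # FILETIME epoch -> Unix epoch
SECS_1900_TO_1970 = 2_208_988_800    # NTP epoch -> Unix epoch


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def utc_filetime(year: int, month: int, day: int) -> int:
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


def unix_to_filetime(t: int) -> int:
    return (t + SECS_1601_TO_1970) * TICKS_PER_SEC


def ntp_to_unix(s: int) -> int:
    return s - SECS_1900_TO_1970


def code_red_like(system_time: int) -> str:
    """Constructed timebomb keyed on the day-of-month GetSystemTime() yields."""
    day = filetime_to_datetime(system_time).day
    if day < 20:
        return "spread"
    if day < 28:
        return "dos"
    return "sleep"


def third_of_month_only(system_time: int) -> str:
    """Constructed Kama-Sutra-like bomb: active on a single day of the month."""
    return "destroy" if filetime_to_datetime(system_time).day == 3 else "idle"


def temporal_search(behavior, start: int, end: int, step: int) -> list:
    """Sweep perceived time from start to end in `step` ticks; whenever the
    behavior differs from the last row, bisect to the first tick of the new
    behavior. Returns the timetable as [(filetime, behavior)]. A behavior
    that starts and ends inside one step is never seen."""
    table = [(start, behavior(start))]
    t = start
    while t < end:
        nxt = min(t + step, end)
        if behavior(nxt) != table[-1][1]:
            lo, hi = t, nxt   # behavior(lo) == last row, behavior(hi) == new
            while hi - lo > 1:
                mid = (lo + hi) // 2
                if behavior(mid) == table[-1][1]:
                    lo = mid
                else:
                    hi = mid
            table.append((hi, behavior(hi)))
        t = nxt
    return table


def timetable_as_dates(table: list) -> list:
    return [(filetime_to_datetime(ft).isoformat(), b) for ft, b in table]


if __name__ == "__main__":
    start, end = utc_filetime(2001, 7, 13), utc_filetime(2001, 7, 31)
    for row in timetable_as_dates(temporal_search(code_red_like, start, end, DAY)):
        print(row)
```

Sweeping from 13 July 2001 in one-day steps reproduces the three rows of the timetable (spread, DoS from the 20th, sleep from the 28th). With a ten-day step the 3rd-of-the-month bomb never shows up at all, which is the "may miss some behaviors" objection to simply running the clock fast; the bisection, like the weakest-precondition step, only explains a boundary once the sweep has seen both sides of it.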

62
Setup
[Figure: a Bochs VM with DACODA and timer discovery, running Windows XP at
192.168.33.2, connected through a tun/tap interface to the host at
192.168.33.1, which serves DNS, NTP, HTTP, TIME, etc.; the guest's traffic
is steered to the host by ARP cache poisoning, DNS spoofing, etc.]
63
Temporal Search
  • Symbolic execution (DACODA)
    • Code Red, Blaster.E, MyParty.A, Klez.A
    • Discovers predicates on day, hour, minute, etc.
      on a real time trace
  • Control-flow sensitivity within loops
    • Code Red, Blaster.E, MyParty.A, Klez.A, Sober.X,
      Kama Sutra
    • Month and year

64
Adversarial Analysis
  • For any technique, being applicable to every
    possible virus or worm is not a requirement
  • AV companies collect intelligence
  • More details in the paper on this

65
Conclusions from Temporal Search
  • Manual analysis is tricky and time-consuming
  • Temporal Search can dramatically improve response
    time
  • Behavior-based analysis is all about the
    environment
  • Malware does not follow a linear timetable
  • Gregorian calendar poses its own challenges

66
Why Behavior-Based Analysis?
  • "An ant, viewed as a behaving system, is quite
    simple. The apparent complexity of its behavior
    over time is largely a reflection of the
    complexity of the environment in which it finds
    itself." (Herbert Simon)

67
Other recent projects
  • (Stuff I'm currently working on)

68
Replay-Based Entropy Measurement (Crandall et al., work in progress)
69
Great Firewall of China (Zinn et al., work in progress)
  • My contribution: model keyword-based censorship
    using Latent Semantic Analysis
    • Relate keywords to concepts
    • Efficient probing to discover unknown words that
      are filtered

70
Recovery (Oliveira et al., work in progress)
[Figure: Virtual Time]
71
Outline (repeated; next section: Looking ahead)

72
Looking ahead
  • Worms, botnets, rootkits, ???
    • Not problems with purely technical solutions
    • Should give defenders the tools they need
  • How to develop defenses for emerging threats
    • Study real malware
    • Understand the systems that the battle takes
      place on
    • Use the interactions between the two to develop a
      theory of what is possible

73
Examples
  • Behavior-based analysis
    • Fully-automated implementation of temporal search
    • Different approaches: Reps et al., ESEC/FSE '97?
    • Cryptovirology: Young and Yung, 2004
  • Vulnerability semantics
    • Vector semantics (such as LSA)?
    • Testing for unknown vulnerabilities
  • Policies for commodity systems
    • Biba's low-water-mark integrity, Chinese Wall
      policy (Fraser, IEEE S&P 2000)

74
Questions?
  • Thank you for inviting me.

75
Related Work: Vigilante (Costa et al., SOSP 2005)
  • Introduces the idea of Self-Certifying Alerts
  • Goal is automatic patching, not network filtering
  • No distinction between what data looks like on
    the network and what it looks like when processed
  • Filter generation is similar to DACODA's symbolic
    execution
    • DACODA is a whole-system approach
  • Shield (Wang et al., SIGCOMM 2004)

76
Temporal Search: Lessons Learned
  • Some interesting times are relative
    • Need to track TickCount
  • Behavior-based analysis is all about the
    environment
    • Code Red and TCP RSTs

77
Minos Evaluation
  • Attacks designed to subvert Minos:
    • Crandall and Chong, MICRO 2004
    • Crandall and Chong, WASSA 2004
    • Chen et al., USENIX Security 2005
    • Dalton et al., WDDD 2006
    • Piromsopa and Enbody, WDDD 2006

78
Adversarial Analysis of Temporal Search
  • For any technique, being applicable to every
    possible virus or worm is not a requirement
    • AV companies collect intelligence
  • Challenges
    • What is and is not a malicious use of the PIT?
      • Cryptocounters, covert channels, etc.
    • VM detection
      • King et al., SubVirt, IEEE S&P 2006
      • Pioneer project and related work at CMU
      • All analysis can be done on a trace
        (Oliveira et al., ASID 2006)