A Security Microcosm: Attacking and Defending Shiva
Shiva written by Neel Mehta and Shaun Clowes
Presented by Shaun Clowes
What is Shiva?
Shiva is an executable encryptor
– Encrypted executables run exactly as normal but are encrypted/obfuscated to make them much harder to reverse engineer or disassemble
Resistant to analysis and modification
Shiva works on Linux executables (in the ELF format)
ELF
Executable and Linkable Format
Used on virtually all modern Unix platforms
Very descriptive and flexible format
– Good for debuggers, compilers
– As good for reverse engineers, executable patching and modification
The Field
Executable encryption has been around for a long time
– Since the late ’80s
Largely confined to the MS-DOS and Windows world
– There are quite a number of commercial encryptors for Windows
The Field
Only recently has there been any work in the Unix field:
– Burneye by Scut (2001)
– ELFcrypt by JunkCode
– UPX now runs on Linux
Our Goal With Shiva
To provoke new research and development in, and wider understanding of:
– Reverse engineering
– Binary manipulation
Advancements
Shiva brings many techniques from the Windows world to the Unix world
Shiva also introduces some new techniques
Security Implications
The Good Guys
– Prevent trivial reverse engineering of algorithms
• Make protection technologies harder to reverse engineer and attack
– Protect setuid programs (with passwords)
– Hide sensitive data/code in programs
Security Implications
The Bad Guys
– Make malware harder to reverse engineer
Neutral
– New research and techniques
Shiva as a Microcosm
Shiva is a protection technology
– It protects a binary image from analysis or modification
– Conceptually like any other protection technology, e.g. a firewall or an authentication scheme
Attackers probe Shiva and its output executables to find weaknesses
A Hard Place
But Shiva is completely exposed:
– Firewalls need to be probed blind
– Shiva runs in an environment that can be completely controlled by an attacker
• Right down to operating system behaviour
– Even worse, we’re telling everyone the details
A Small Place
While Shiva is complex, it is still much smaller than most software
– It needs to be
Makes a smaller target
– Much easier to reverse engineer and find weak spots
The Encryptor’s Dilemma
To be able to execute, a program’s code must eventually be decrypted
An Arms Race
Thus binary encryption is fundamentally a race between developers and reverse engineers
The encryptors cannot win in the end
– Just make life hard for the determined and skilled attacker
– Novices will be discouraged and look elsewhere.
Encryption Keys
If the encrypted executable has access to the encryption keys for the image:
– By definition a solid attack must be able to retrieve those keys and decrypt the program
To reiterate, binary encryption can only slow a determined attacker
Standard Attacks
A good encryptor will try to deter standard attacks:
– strace – System Call Tracing
– ltrace – Library Call Tracing
– fenris – Execution Path Tracing
– gdb – Application Level Debugging
– /proc – Memory Dumping
– strings – Don’t Ask
Deterring Standard Attacks
strings
– Encrypting the binary image in any manner will scramble the strings
Deterring Standard Attacks
ltrace, strace, fenris and gdb
– These tools are all based around the ptrace() debugging API
– Making that API ineffective against encrypted binaries is a big step towards making them difficult to attack
Deterring Standard Attacks
/proc memory dumping
– Based on the idea that the memory image of the running process must contain the unencrypted executable
– A logical fallacy
A Layered Approach
Static analysis is significantly harder if the executable is encrypted on more than one level
The layers act like an onion skin
The attacker must strip each layer of the onion before beginning work on the next level
(Un)Predictable Behavior
Efforts to make encryptor behavior differ from one executable to another are worthwhile
The less generic the methodology, the harder it is to create a generic unwrapper
Shiva 0.97
Currently encrypts dynamic or static Linux ELF executables
Does not handle shared libraries (yet)
Implements defences for all the attacks discussed so far
Encryptor / Decryptor
Development of an ELF encryptor is really two separate programs
Symmetrical operation
Encryptor
Normal executable, which performs the encryption process, wrapping the target executable
Decryptor
Statically-linked executable, which performs decryption and handles runtime processing
Embedded within the encrypted executable
Self contained
– Cannot link with libc etc.
Dual-process Model (Evil Clone)
Slave process (main executable thread) creates a controller process (the clone)
Inter-ptrace (functional and anti-debug)
x86 Assembly Byte-Code Generation
Allows for the generation of x86 assembly byte-code from within C (a basic assembler)
Pseudo-random code generation, pseudo-random functionality
Encryption Layers – Layer 1
Diagram labels: Obfuscated; Obfuscation Layer
Initial Obfuscation Layer
Intended to be simple, to evade simple static analysis
Somewhat random, generated completely by in-line ASM byte-code generation
Encryption Layers – Layer 2
Diagram labels: Obfuscation Layer; AES Encrypted; Password Layer
Password Layer
Optional
Wrap entire executable with 128-bit AES encryption
Key is SHA1 password hash, only as strong as the password
Encryption Layers – Layer 3
Diagram labels: Obfuscation Layer; Crypt Blocks; Crypt Block Layer; Password Layer
Crypt Blocks
Two important types – immediate map, map on-demand
Controller process handles map on-demand blocks
Random unmap
– Only small portion of executable decrypted at any time
Instruction length parsing – necessary to create map on-demand blocks
Crypt Block Mapping
Diagram labels: Decrypted Block (three of them); Fault
Crypt Block Mapping
Diagram labels: Decrypted Block (three of them); Cleared Block
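The map-on-demand and clear cycle from the Crypt Blocks slide and the two diagrams above, as an added example that is not Shiva's code: a fault-driven decryptor in a single process, where a SIGSEGV handler stands in for Shiva's ptrace-based controller process and a constructed one-byte XOR key stands in for the real block cipher.

```c
/* Added example, not Shiva's code: the map-on-demand / clear cycle of crypt
 * blocks done in one process.  Shiva's controller process does this over
 * ptrace; here a SIGSEGV handler stands in for the controller, and a
 * constructed single-byte XOR key stands in for the real block cipher. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define NBLOCKS 3                 /* one page-sized crypt block each */
static const uint8_t KEY = 0x5a;  /* constructed toy key */

static long g_page;               /* page size = crypt block size */
static uint8_t *g_cipher;         /* NBLOCKS encrypted block images */
static uint8_t *g_region;         /* block region, starts as PROT_NONE */
static int g_faults;              /* number of on-demand decryptions so far */

/* Controller role: a touch of an unmapped block lands here; decrypt only
 * that block into place and let the faulting instruction retry. */
static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr, base = (uintptr_t)g_region;
    if (addr < base || addr >= base + (uintptr_t)NBLOCKS * (uintptr_t)g_page) {
        signal(SIGSEGV, SIG_DFL);   /* not one of our blocks: real crash */
        return;
    }
    long idx = (long)((addr - base) / (uintptr_t)g_page);
    uint8_t *page = g_region + idx * g_page;
    mprotect(page, g_page, PROT_READ | PROT_WRITE);
    for (long i = 0; i < g_page; i++)
        page[i] = g_cipher[idx * g_page + i] ^ KEY;
    mprotect(page, g_page, PROT_READ);  /* PROT_READ | PROT_EXEC for code */
    g_faults++;
}

/* Build constructed "encrypted" block images (block b is a page of 'A'+b)
 * and reserve the block region with no access at all.  Returns 0 on success. */
int setup_blocks(void)
{
    g_page = sysconf(_SC_PAGESIZE);
    g_cipher = malloc((size_t)NBLOCKS * (size_t)g_page);
    if (!g_cipher) return -1;
    for (long b = 0; b < NBLOCKS; b++)
        memset(g_cipher + b * g_page, ('A' + b) ^ KEY, (size_t)g_page);
    g_region = mmap(NULL, (size_t)NBLOCKS * (size_t)g_page, PROT_NONE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_region == MAP_FAILED) return -1;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* "Random unmap" / Cleared Block: wipe the plaintext and make the block
 * fault again on its next use, so only touched blocks are ever in the clear. */
void clear_block(long idx)
{
    uint8_t *page = g_region + idx * g_page;
    mprotect(page, g_page, PROT_READ | PROT_WRITE);
    memset(page, 0, (size_t)g_page);
    mprotect(page, g_page, PROT_NONE);
}

/* Touch the first byte of a block, as the protected program would. */
uint8_t read_block(long idx)
{
    volatile uint8_t *p = g_region + idx * g_page;
    return p[0];
}

int fault_count(void) { return g_faults; }

int main(void)
{
    if (setup_blocks() != 0) return 1;
    int a = read_block(0), c = read_block(2);
    printf("block0=%c block2=%c faults=%d\n", a, c, fault_count());
    clear_block(0);
    a = read_block(0);
    printf("block0=%c faults=%d (decrypted again after clear)\n", a, fault_count());
    return 0;
}
```

Reading block 0 and block 2 leaves block 1 encrypted and inaccessible, which is the "only a small portion of the executable decrypted at any time" property; a memory dump taken at that moment sees plaintext only for the blocks that have actually been touched.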
Crypt Block Encryption
Block content encrypted with strong algorithm
– Guess
Code to generate keys made pseudo-randomly on the fly (asm byte-code)
– Keys are never stored in plain text
Tries to bind itself to a specific location in memory (and other memory context)
Dynamically Linked ELFs
Decryptor interacts with system’s dynamic linker
Decryptor must map dynamic linker itself, and then regain control after linker is done
Anti-debugging/disassembly
Inherent anti-debugging provided by dual-ptrace – link verified
Catch tracing:
– Check eflags
– Check /proc/self/stat
Anti-debugging/disassembly
Timing and SIGTRAP
Simple SIGTRAP catch
JMP into instructions – common anti-disassembly trick
Problems Encountered, Solutions
Clone, ptrace, and signals
Fork processing
Exec processing
Life without libc
– Simple implementations of malloc etc.
Attacks Against Shiva
We hoped Shiva would be defeated quickly
– Turned out to be about three weeks before the first attack succeeded (a non-public attack)
We’re now aware of three successful attacks against the previously released versions of Shiva
The First Attack
1. Allow the encrypted executable to execute but stop it after the first layer has executed (using ptrace)
2. Read the key routine locator block (at known location)
3. Execute the key routines in process
4. Use the keys to decrypt the blocks in memory
Exploited Weaknesses
Reverse engineering showed that a lot of useful information was at fixed locations
The first layer is weak
The key routines are tightly coupled to the process image but not the control flow
The Second Attack
Not sure of many of the details
Involved a complete reverse engineering of the Shiva loader
– Including its libc
Shiva 0.96
Released at BlackHat USA 2002
Added code emulation functionality
Requires significant code analysis.
– Instruction by instruction processing
– Function recognition, code flow analysis
– Requires a fairly well designed and implemented framework
Instruction Emulation
Easily accomplished via manipulating ptrace register structures
Virtually every instruction can be emulated if its operation is understood
The Third Attack
Executed by Chris Eagle
Presented at BlackHat Federal 2003
A novel hybrid static analysis approach
– Emulating code execution via a plugin to IDA Pro
– Can remove a lot of the tedious aspects of unwrapping protected code
– Uber cool
The Third Attack
1. Load ELF program data into a “virtual” environment
2. Emulate the execution of the first layer
3. Find the key headers and emulate them to retrieve the keys
4. Decrypt the blocks
5. Find the code emulation blocks and reapply them
Exploited Weaknesses
Predictable locations
The first layer is weak
We certainly didn’t predict emulators
Improving Shiva
Remove some of the predictability
Make it less of a sitting target
Unwrappers resemble exploits
– They’re often fragile and dependent on hardcoded locations and values
Scrambling the Path
For the encryptor to be able to randomize the loader it needs to store meta data
– This is a weakness since a complete reverse of the encryptor would yield the meta data form
– The meta data would help the attacker generate generic attacks on known invariant bits of the loader
Software as a Service
This release of Shiva is now also a service
Once a week a new version of Shiva is automatically uploaded to www.securereality.com.au/projects/shiva
The loader is automatically post-processed to make it less predictable
Morphing Code
The current randomization engine is very simplistic, though it does remove predictable addresses entirely
– Working on a full code flow analysis version
The encryptor does perform some simple modifications of the loader too
Development Pain
Standard development approaches are anathema to an encryptor
– Since they allow the reverse engineer to spot design patterns
Makes developing Shiva painful
– Trying to code in an undesigned fashion
Current Limitations
Can’t handle vfork(), threads
Can’t encrypt static executables that call fork()
On Linux, exec() fails if the calling process tries to exec a setuid program
Section Headers
Concentrating on deterring attackers ☺
Shiva in Action
Demo
End of Presentation
Thanks for listening
Questions?