ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability
Transcript of ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability
01/04/2007 ecs236 winter 2007 1
ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach, #1: Vulnerability
Dr. S. Felix Wu
Computer Science Department
University of California, Davis
http://www.cs.ucdavis.edu/~wu/
[email protected]

Intrusion Prevention
Prevention: This should/must never be broken in!
– “This” means a perfectly designed, implemented, and managed/configured secure system!

Intrusion Detection
Prevention: This should/must never be broken in!
Detection:
– The IDS (Intrusion Detection System) approach has been taken as the “Second Line of Defense” and a “Short Term Solution”.
Examples
Application/service issues – Firewalls
Email spam / VoIP SPIT – Spam filters
Phishing – Phishing detectors
The list goes on…
It is NOT whether we need the “detection approach”; it is whether it can be effective.
Intrusion Detection
Prevention: This should/must never be broken in!
Detection: “This” will need to face the reality check!
– We had, have, and will have so many “expected” unexpected.
– Industry has never been really serious about cyber security; it is profit/market-driven.

We accept it as a fact…

And, we have to have…

Intrusion Detection
Prevention: This should/must never be broken in!
Detection: “This” will need to face the reality check!
– We had, have, and will have so many “expected” unexpected.
– We had, have, and will have even more “unexpected” unexpected!!
To: All Faculty, Staff and Students
On Tuesday, January 03, 2006, UC Davis implemented temporary measures to prevent the exploitation of a serious new computer vulnerability for which no patch is yet available. This vulnerability affects Windows 2000, Windows XP, Windows Server 2003, Windows 98 and ME systems and may be exploited when infected email file attachments or infected Web pages are viewed. Once a computer is infected, data may be permanently lost and/or a remote attacker could gain control of the computer. After extensive consultation with the campus leadership, the decision has been made to temporarily block wmf image attachments. These files can have a number of different extensions, but most commonly will have .wmf and .jpg extensions.
Max-Sequence # Attack
Block LSA updates for one hour by injecting one bad LSA.
– You can hit it once and come back in an hour.
Implementation bug!
– Two independently developed OSPF packages.
– MaxSeq# LSA purging (OSPF requires an LSA that reaches the maximum sequence number to be flushed from all routers before a fresh instance can be originated) had not been implemented correctly!!
Announced in May, 1997.

What is Intrusion Detection?

Intrusion Detection
Detecting intrusions such as
– Viruses, worms, spyware, phishing, spamming, insiders, unauthorized activities, faults/failures, among many others
Detecting and managing anything “unexpected”
– Anomalies
Question: “Detecting what??”
Intrusion Detection
[Diagram: Input event sequence → Intrusion Detection (driven by a Model) → Results]

Results??
This email contains virus XYZ.
This email might be spam with 80% probability.
This email is somewhat trusted based on your social network.
This email might be malicious.
This email might be malicious for reasons ABC and DEF.

Intrusion Detection
[Diagram: the same model, with the Intrusion Detection box labelled “Pattern matching”]

IDS Events
TCPdump traces
OS kernel and host-level information
BGP traces
Application logs
Many others…
Anti-Virus
[Diagram: Input event sequence → Virus Detection (driven by Virus Definitions; pattern matching) → Results]

Credit Card Fraud Detection
[Diagram: Input event sequence → Fraud Detection (driven by Spending Patterns; statistical pattern matching) → Results]

SNORT
[Diagram: Input event sequence → SNORT (driven by Rules; pattern matching) → Results]
About the Instructor
S. Felix Wu
– [email protected]
– [email protected]
– [email protected]
Office: 3057 Engineering II
Phone: 530-754-7070
Office Hours:
– 10-11 a.m. on Monday and Friday
– by appointment

Why 3 email addresses?
– [email protected]: read and responded to during the quarters, especially before the homework deadlines.
– [email protected]: my main email contact for everything, all the time.
– [email protected]: read only once in the past three months…

Anti-Spam
[email protected], subject: [0x9876543210ABCDEF]…
0x9876543210ABCDEF is the cyber social link between the instructor and the students in ecs236, Winter 2007.
Intrusion Detection
Practical Engineering
– Performance, Accuracy, Scalability, CPU/Memory, Correlation, Deployment.
Theoretical Foundation
– Detectability/Limitation, Dimensionality, Entropy, False Negatives and Positives, Evaluation

In this quarter…
The architecture of ID and IDS
– Stateful versus stateless
– Signature, specification, anomaly
Analysis of ID results
– Explanation and analysis
– Event correlation
IDS evaluation, or attacking IDS
– Attack polymorphism and IDS evasion
IDS fundamental principles
A balance between engineering a high-performance IDS system and fundamentally understanding our limitations

Syllabus
IDS architecture
Anomaly-based approach
Event correlation and analysis
IDS evaluation
Advanced research topics

Course Requirements
Teamwork or individual
– Discussion with others is highly encouraged!
50%: 5 homework assignments
– 10% each (read 1~2 IDS papers and answer a few questions)
10%: Proposal
40%: Final project

www.cs.ucdavis.edu/~wu/ecs236/
Final Projects
IDS architecture
Network versus host
Anomaly detection
IDS evaluation and evasion
Alert correlation and explanation

More…
Polymorphic/metamorphic worms
Spam/SPIT, phishing, spyware,…
P2P issues (e.g., BitTorrent)
Botnets…

Even more…
Fundamental… “Why will we have DDoS and spam in the first place??”

About the Web site
http://www.cs.ucdavis.edu/~wu/ecs236/
All lectures, notes, announcements, homework assignments, tools, and papers will be there.

First Paper: BUTTERCUP
http://www.cs.ucdavis.edu/~wu/ecs236/papers/Buttercup_NOMS2004.pdf
Question: “How would you attack the Buttercup mechanism mentioned in the paper?”
Internet Infrastructure
It enables many cool applications.
– Email, Web+, IM, Skype, Google, BitTorrent, Infospace, LinkedIn,...
We are connected, at least in the “IP address” sense!!
Many other forms of connections:
– Peer2Peer, Friend2Friend, community

Internet Infrastructure
It enables many cool applications.
It enables many cool attacks.
– David Clark on the Morris Worm, to DARPA in 1988: “The Internet is doing exactly what it is supposed to do.”
– Worms, DDoS, spamming, phishing,… (the list is still growing)

We cannot blame everything on Microsoft!
Related to our inter-domain routing today…
WORM
Since November 2nd of 1988…
– Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others…
inject → infect → spread
WORMs are causing Internet-wide instability.

[Figure: Slammer and BGP: Internet routing stability analysis on a Beijing prefix, 09/01/2002 to 01/31/2003]

Network meets Software
An interesting interaction among the Internet, the software on the hosts, and the worms themselves.
The “short-term” reality:
– An estimated 40~50% of Internet hosts are still vulnerable to Code Red.
WORM
WORMs are a critical first step for the attacker to quickly build a large-scale attacking infrastructure.

WORM + DDoS
[Diagram: worm-infected hosts inside ISP.com launching a DDoS against the Victim]

They are getting better…
The rapid evolution of the “attacker’s community”.
And, many thanks to our rapidly growing software industry in the past “N” years as well…
Software Vulnerability
Software vulnerabilities are weaknesses, introduced during the “software engineering” process, that can potentially be exploited by attackers.
– OS kernels, device drivers, applications…
There are other types of vulnerabilities in our software systems that can be exploited.

Software Vulnerability
Difficulties in security management:
– we don’t know how attackers are going to attack us,
– and we don’t know which vulnerabilities can/will be exploited, either.

Software Vulnerability
Focus on software vulnerabilities. Two approaches:
– better software engineering
– better understanding of vulnerabilities
Practically, around the Internet, we currently have and will still have a large number of legacy software systems around for “quite a while.”
Network-based Solutions
“Intrusion Prevention Systems” or “Advanced Firewalls”
[Diagram: packets pass through an Intrusion Prevention System, which analyzes them and drops the bad ones before they reach the legacy victims]

Vulnerability vs. Exploit
Vulnerability
– the “weak” points in the software
– applications or even the kernel itself
– e.g., “control flow hijack” based on buffer overflow
Exploit
– the attack code utilizing one or more vulnerabilities

Buffer Overflow
Some unsafe functions in the C library (none of them verifies that the destination buffer is large enough for what is written into it):
strcpy(char *dest, const char *src);
strcat(char *dest, const char *src);
getwd(char *buf);
gets(char *s);
fscanf(FILE *stream, const char *format, ...);
scanf(const char *format, ...);
realpath(char *path, char resolved_path[]);
sprintf(char *str, const char *format, ...);
……
[Figure: stack frame layout. Addresses run from Low (bottom) to High (top); the stack grows toward Low while a copied string grows toward High. From high to low addresses: Arguments, Return address, Prev. frame pointer, Local variables; the Stack Pointer marks the low end.]

bar( ) { …… }
foo( ) { …… call bar( ); …… }
[Figure: the same layout with two frames. foo() calls bar(); bar's frame (its arguments, the return address into foo, the saved frame pointer, and its local variables) sits below foo's frame.]
int bar(int a, int b)
{
    int i, j;
    char buf[9];
    i = 5;
    j = 123;
    strcpy(buf, "securephdbcde");
}

bar's frame after the strcpy, one 4-byte word per line, highest address first, bytes listed from low to high address within each word (above i sit the SFP, the return address and the arguments a and b, all untouched here):
05 00 00 00   i = 5
65 00 00 00   j: the “e” and the terminating NUL of the string have overwritten 123
64 62 63 64   buf[8..11]: “dbcd” (buf[9] is padded to 12 bytes)
72 65 70 68   buf[4..7]: “reph”
73 65 63 75   buf[0..3]: “secu”
Buffer overflow: the 13-character string plus its NUL is 14 bytes, 5 more than buf was declared with, and the extra bytes run into j.
int bar(int a, int b)
{
    int i, j;
    char buf[9];
    i = 5;
    j = 123;
    strcpy(buf, "securephdaaabbbbccccddddeeeeffff");
}

bar's frame after the strcpy, highest address first:
65 65 65 65   return address, now 0x65656565 (“eeee”)
64 64 64 64   SFP (saved frame pointer), now 0x64646464 (“dddd”)
63 63 63 63   i, now 0x63636363 (“cccc”)
62 62 62 62   j, now 0x62626262 (“bbbb”)
64 61 61 61   buf[8..11]: “daaa”
72 65 70 68   buf[4..7]: “reph”
73 65 63 75   buf[0..3]: “secu”
Ret overflow: the copy has walked through j, i and the saved frame pointer into the return address slot. When bar returns it jumps to RetAddr = 0x65656565, which is not a valid code address here, so the process dies with a segmentation fault...
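Added example, not code from the slides: a small C model of bar()'s frame for the two strcpy cases above. The struct mirrors the layout the slide shows (buf padded to 12 bytes, then j, i, the saved frame pointer, the return address and the two arguments); that ordering, little-endian byte order and the placeholder values for the saved pointer, return address and arguments are assumptions of the model, since a real compiler may lay locals out differently. The unchecked copy is done with memcpy into the modelled frame rather than by smashing the running program's own stack, so it runs safely and reproduces the word dumps above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of bar()'s stack frame from the slide, lowest address first.
 * Assumed layout: char buf[9] padded to 12 bytes, then j, i, the saved
 * frame pointer (SFP), the return address, then the caller-pushed
 * arguments a and b. Little-endian byte order is assumed throughout. */
struct frame {
    char     buf[12];
    uint32_t j;
    uint32_t i;
    uint32_t sfp;
    uint32_t ret;
    uint32_t arg_a;
    uint32_t arg_b;
};

#define BUF_DECLARED 9   /* what the source declares; sizeof buf is 12 */

/* Run "i = 5; j = 123; strcpy(buf, src);" against the modelled frame.
 * strcpy copies every byte of src plus its NUL with no bound check, so the
 * copy runs upward from buf into j, i, SFP, the return address and beyond.
 * The frame is first filled with constructed placeholder values so the
 * dump shows which slots the copy touched. Returns the modelled frame. */
struct frame frame_after(const char *src)
{
    struct frame f;
    f.i = 5;
    f.j = 123;
    f.sfp = 0xbffff8a0u;   /* constructed: a plausible caller frame pointer */
    f.ret = 0x080484c2u;   /* constructed: a plausible return address into foo */
    f.arg_a = 1;
    f.arg_b = 2;
    size_t n = strlen(src) + 1;
    if (n > sizeof f) n = sizeof f;   /* keep the model itself in bounds */
    memcpy(&f, src, n);                /* the unchecked strcpy */
    return f;
}

/* How many bytes the copy wrote past the 9 bytes buf was declared with. */
size_t bytes_past_buf(const char *src)
{
    size_t n = strlen(src) + 1;
    return n > BUF_DECLARED ? n - BUF_DECLARED : 0;
}

/* Print the frame one 4-byte word per line, highest address first, with
 * bytes in address order, the way the slide's dumps are laid out. */
void dump_frame(const struct frame *f)
{
    static const char *labels[] = { "arg b", "arg a", "ret", "SFP", "i", "j",
                                    "buf[8..11]", "buf[4..7]", "buf[0..3]" };
    const unsigned char *p = (const unsigned char *)f;
    size_t words = sizeof *f / 4;
    for (size_t w = 0; w < words; w++) {
        const unsigned char *b = p + (words - 1 - w) * 4;
        printf("%02x %02x %02x %02x   %s\n", b[0], b[1], b[2], b[3], labels[w]);
    }
}

int main(void)
{
    const char *s1 = "securephdbcde";
    const char *s2 = "securephdaaabbbbccccddddeeeeffff";
    struct frame f = frame_after(s1);
    printf("\"%s\": %zu bytes past buf, j is now 0x%x\n",
           s1, bytes_past_buf(s1), (unsigned)f.j);
    dump_frame(&f);

    f = frame_after(s2);
    printf("\n\"%s\": %zu bytes past buf, return address is now 0x%08x\n",
           s2, bytes_past_buf(s2), (unsigned)f.ret);
    dump_frame(&f);
    return 0;
}
```

The 14-byte copy of "securephdbcde" only reaches j; the 33-byte copy of the longer string overwrites j, i, the saved frame pointer and the return address (0x65656565, the "eeee" group) and its "ffff" tail spills into the argument slots above the return address.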
Control Flow Hijack
I want “my code” executed!
– Malicious code injection
– Control flow redirection/hijacking
[Diagram: the program's code with injected code spliced into its control flow, as a virus or a worm does]
A Single Packet Exploit
[Diagram: packet payload = Attack Code | Exploit (ReturnAddr)]
Return Address == 0x4739a304

Example (od -x style dump: 16-bit little-endian words, so “f822 bfff” is the address 0xbffff822 and “2fff 6962 2f6e 6873” spells “/bin/sh”):
0000000 9090 9090 9090 9090 9090 9090 9090 9090
*
00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031
0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03
0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962
0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff
0000230 f822 bfff f822 bfff f822 bfff f822 bfff
*
00004a0 f822 bfff f822 bfff f822 bfff 9090 9090
00004b0 fa48 bfff

Example: NOP sled. The first 0x1f4 bytes of the dump are 0x90 (x86 NOP); the attack code starts at 0x1f4, and from 0x224 on the return address 0xbffff822 is repeated, so it only has to land somewhere inside the sled.
Sometimes we cannot easily determine the “exact” memory address to jump into…
“NOP Sled” Engineering
[Diagram: the exploit packet grows from Attack Code | Exploit (ReturnAddr) to NOP NOP NOP NOP | Attack Code | Exploit (ReturnAddr)]
code[] = "\xeb\x2a\x5f\xc6\x47\x07\x00\x89\x7f\x08\xc7\x47";
strcpy(buf, code);
buf = "\xeb\x2a\x5f\xc6\x47\x07"
strcpy stops at the first NUL byte, so only the six bytes before the \x00 reach buf and the rest of the code is never copied.
And, sometimes, we simply want to find a way to avoid “\x00”.

Attack polymorphism (many different ways)
[Diagram: Attack Code | Exploit (ReturnAddr) becomes Decryption Code | encrypted Attack Code | Exploit (ReturnAddr), encrypted differently for each copy]
The Signature Explosion Problem!!
Vulnerability vs. Exploit
1 vulnerability → N exploits, and with the polymorphic tools available each exploit → M variants, so the number of distinct byte patterns tends toward ∞.
– A naïve approach: one signature per variant, i.e., M signatures per exploit.
Can we find the “invariants”?
– We need to avoid “signature explosion”…
[Diagram: the polymorphic packet with and without a NOP sled: NOP NOP NOP NOP | Decryption Code | Attack Code | Exploit (ReturnAddr)]

Detecting “NOP Sleds”
“Intrusion Prevention Systems” or “Advanced Firewalls”
[Diagram: packets pass through an Intrusion Prevention System loaded with NOP-sled signatures, which analyzes and drops matching packets before they reach the legacy victims]
A WORM with a NOP sled: the dump above, beginning with 0x1f4 bytes of 0x90.

A Polymorphic WORM (not a single 0x90 byte in the dump):
0000000 5247 5237 5759 9199 984e 602f 4b58 9555
0000010 3792 4997 6059 5a5d 979c 9199 9242 9349
0000020 495e 5b37 4740 5d4f 4f99 975f 4492 3797
0000030 4297 9e93 4598 404a 9696 4652 5150 5e4f
0000040 454d 99fc 5251 5042 9b37 4042 4a95 4459
0000050 4592 4998 935f 275f 985d f84e 4991 fc96
0000060 9796 4637 5b3f 9751 9754 9f5a 9543 4c9e
0000070 4740 9c96 499f 5652 934e 5355 479b 91f8
0000080 48fc 5d60 4742 9755 4450 4441 4697 5697
0000090 5b52 494f 434d 5899 f827 9957 4346 9796
00000a0 404c 4a45 6040 404c 4957 5798 99f9 569b
00000b0 4145 96fc 5140 4c56 f946 9348 4f4d f8f8
00000c0 2f59 4c46 9647 4747 9e48 5137 4142 5b4d
00000d0 545f 55f9 5e56 4191 9249 519e 559e 6099

NOP sleds
A “NOP sled” can/will NOT be a useful signature for detecting future WORMs…
80~90% of the WORMs today don’t really need “NOP sleds” but, historically, they are still “left” there.
BUTTERCUP
Ideas:
– Given a software exploit, the hacker can encrypt the malicious code but not the “hijacking” entry point (e.g., the return address).
– The hacker can twist the “return address”, but practically only over a limited range of memory addresses, not infinitely.

Memory Address Ranges
[Diagram: two stack frames (Arguments, Return address, Prev. frame pointer, Local variables) at slightly different positions]
One “exploit” has one “return address” value, but another exploit based on the same vulnerability might be using a different return address.

size, offset and depth
[Diagram: the packet NOP NOP NOP NOP | Decryption Code | Attack Code | Exploit (ReturnAddr) checked against a stack frame; two return-address values seen in exploits of the same vulnerability: 0x42b0caa4 and 0x42b0c914]
Is this packet a Slammer worm or a suspect “utilizing” the same vulnerability?
Performance & false positives
BUTTERCUP detection/prevention
[Diagram: packets flow through the Buttercup detector, which looks up 4-byte values from the packet in a memory-range table covering 19 known exploits/vulnerabilities, analyzes and drops matches, and passes the rest on to the victim]
IP header | TCP/UDP header | upper-layer payload: NOP NOP NOP NOP | Decryption Code | Attack Code | Exploit (ReturnAddr)
False positive??
IDS/IPS preprocessing
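Added example, not code from the slides or from the Buttercup paper: a C sketch of the range-table check the slides describe, run over two constructed payloads. The sample payload is built to resemble the dump shown earlier (NOP sled, /bin/sh shellcode body, the return address 0xbffff822 repeated); the second variant XORs the body with a constructed key to stand in for a polymorphic encoder. The range table's Slammer entry is bounded by the two addresses on the slide; the Linux stack entry, the hit threshold of 4, the helper names and the payload itself are assumptions of this example, not values from the paper.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Memory-range table: return-address windows that exploits of a known
 * vulnerability can use. The first entry is bounded by the two Slammer
 * addresses on the slide; the second is a constructed entry for a classic
 * Linux/x86 process stack, not a value taken from the Buttercup paper. */
struct addr_range { uint32_t lo, hi; const char *label; };
static const struct addr_range RANGES[] = {
    { 0x42b0c914u, 0x42b0caa4u, "SQL Server resolution service (Slammer)" },
    { 0xbfff0000u, 0xbfffffffu, "Linux/x86 stack window (constructed)" },
};
#define NRANGES (sizeof RANGES / sizeof RANGES[0])

/* Longest run of 0x90 (x86 NOP), i.e. the NOP-sled signature. */
size_t longest_nop_run(const uint8_t *p, size_t n)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (p[i] == 0x90) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Buttercup's core check: at every byte offset of the payload read a
 * 32-bit little-endian value and test it against the range table.
 * Returns the number of hits; *first_off receives the offset of the first. */
size_t count_range_hits(const uint8_t *p, size_t n, size_t *first_off)
{
    size_t hits = 0;
    for (size_t i = 0; i + 4 <= n; i++) {
        uint32_t v = (uint32_t)p[i] | (uint32_t)p[i + 1] << 8 |
                     (uint32_t)p[i + 2] << 16 | (uint32_t)p[i + 3] << 24;
        for (size_t r = 0; r < NRANGES; r++) {
            if (v >= RANGES[r].lo && v <= RANGES[r].hi) {
                if (hits++ == 0 && first_off) *first_off = i;
                break;
            }
        }
    }
    return hits;
}

/* Naive content signature: exact match on a fixed byte string. */
bool has_signature(const uint8_t *p, size_t n, const uint8_t *sig, size_t m)
{
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, sig, m) == 0) return true;
    return false;
}

/* Constructed sample payload laid out like the slide's dump: a NOP sled,
 * a /bin/sh shellcode body, then the return address 0xbffff822 repeated.
 * XORing the body with a nonzero key stands in for a polymorphic encoder
 * (a real one would also prepend a decoder stub). */
#define SLED 32
#define NADDR 8
static const uint8_t BODY[] = {
    0xeb,0x22,0x5e,0x89,0xf3,0x89,0xf7,0x83,0xc7,0x07,0x31,0xc0,0xaa,0x89,0xf9,0x89,
    0xf0,0xab,0x89,0xfa,0x31,0xc0,0xab,0xb0,0x08,0x04,0x03,0xcd,0x80,0x31,0xdb,0x89,
    0xd8,0x40,0xcd,0x80,0xe8,0xd9,0xff,0xff,0xff,'/','b','i','n','/','s','h' };
#define PAYLOAD_LEN (SLED + sizeof BODY + 4 * NADDR)

static void build_payload(uint8_t *out, uint8_t xor_key)
{
    memset(out, 0x90, SLED);
    for (size_t i = 0; i < sizeof BODY; i++) out[SLED + i] = BODY[i] ^ xor_key;
    uint8_t *a = out + SLED + sizeof BODY;
    for (int k = 0; k < NADDR; k++, a += 4) {    /* 0xbffff822, little-endian */
        a[0] = 0x22; a[1] = 0xf8; a[2] = 0xff; a[3] = 0xbf;
    }
}

/* Score one variant: sled length, whether the fixed signature still
 * matches, range hits and where they start, and the verdict. An exploit
 * repeats its hijack address to cover an uncertain frame position, so the
 * verdict requires several hits; a single in-range word is common in
 * ordinary binary data (the slide's false-positive concern). The threshold
 * of 4 is an assumption for this example. */
struct score { size_t sled, hits, first_off; bool sig, flagged; };

struct score score_variant(uint8_t xor_key)
{
    uint8_t buf[PAYLOAD_LEN];
    struct score s = { 0, 0, 0, false, false };
    build_payload(buf, xor_key);
    s.sled = longest_nop_run(buf, PAYLOAD_LEN);
    s.sig = has_signature(buf, PAYLOAD_LEN, BODY, 8);
    s.hits = count_range_hits(buf, PAYLOAD_LEN, &s.first_off);
    s.flagged = s.hits >= 4;
    return s;
}

int main(void)
{
    const uint8_t keys[] = { 0x00, 0x5c };   /* plain, then "polymorphic" */
    for (int k = 0; k < 2; k++) {
        struct score s = score_variant(keys[k]);
        printf("key 0x%02x: sled=%zu signature=%s range hits=%zu (first at %zu) -> %s\n",
               keys[k], s.sled, s.sig ? "match" : "miss", s.hits, s.first_off,
               s.flagged ? "DROP" : "pass");
    }
    return 0;
}
```

The content signature on the shellcode matches the plain variant and misses the encoded one, while the return-address check scores both identically: the hijack value is the invariant the encoder cannot hide, which is the point of the slides. Scanning every byte offset (not just 4-byte-aligned ones) is what makes the check independent of where the sled and decoder stub end.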
About 30~180 days
In July 2002, Microsoft announced the vulnerabilities!
On January 25, 2003, 05:30 UTC, Slammer was out!
We had about 6 months back then!!
BUTTERCUP, a network-based approach, might have been more practical and scalable than Windows Update!!

Limitation
BUTTERCUP will only work for “known vulnerabilities”!
– But it may work for zero-day exploits based on known vulnerabilities.

Exploit vs. Vulnerability
Exploit: controlled by the attackers.
Vulnerability: controlled/limited by the defense.
[Diagram: IP header | TCP/UDP header | payload: NOP NOP NOP NOP | Decryption Code | Attack Code | Exploit (ReturnAddr) → System State Changes]
How can each of the stages be polymorphic?

Register Spring
We in general don’t know which “thread stack” will be used, so the stack addresses involved can differ by some 4 million.

Register Spring
[Figure: the stack layout (Arguments, Return address, Prev. frame pointer, Local variables, Stack Pointer). foo calls bar; bar's return address is overwritten to point at a “jmp ESP” instruction in the process image, one of about 11,000 such locations.]
Register Spring: the listing
Start:
    CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
    PUSH EBP
    MOV EBP,ESP
    …
    CALL OverflowMyBuffer
    …
    POP EBP
    RET

Slammer

ESP (Stack Pointer)
Register springs off of ESP utilize the compiler conventions for managing stack frames.

The listing stepped through, with the stack shown from High to Low:
1. Before the CALL: ESP points at the top of the stack.
2. After CALL FunctionWithBufferOverflow: the return address Start+6 has been pushed; ESP points at it.
3. After PUSH EBP: Old EBP sits below Start+6; ESP points at Old EBP.
4. After MOV EBP,ESP: ESP and EBP both point at Old EBP; MyBuffer is allocated below them.
5. After CALL OverflowMyBuffer: the copy fills MyBuffer and keeps writing toward High. Attack0 … Attack4 occupy MyBuffer, Attack5 the Old EBP slot, Attack6 the Start+6 slot, and Attack7 and Attack8 lie above it (the stack grows toward Low, the string toward High).
6. After POP EBP: EBP == Attack5; ESP now points at the Attack6 slot, where Start+6 used to be.
7. After RET: execution continues at Attack6, which holds the address of a “jmp ESP” in the process image; ESP has been bumped to Attack7, so the jump lands in the attacker's code wherever the stack happens to be.
Notes
This is how Slammer worked; Sasser is very similar, as are a couple of others.
The bogus return pointer is Attack6; the payload starts at Attack7.

Other registers
Register springs off of other registers utilize the compiler conventions for managing buffers (i.e., EBX is the “base” register for indexing the base of a buffer, ESI is the “source” register for string operations, EDI is the “destination”, …).
Blaster (RPC DCOM) used EBX, the ASN.1 exploit uses EDI, Code Red II used EBX.

DCOM Exploits in svchost (Blaster)
0xff 0xd3 is CALL EBX, which is the one Blaster used, but JMP EBX (0xff 0xe3) works just as well.
There are a little over 11,000 such locations in svchost; 0x0100139d is the only one that Blaster used, and it is the one the publicly available DCOM exploit uses.
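Added example, not code from the slides or from Blaster: a C scanner for the two-byte register springs the slides name, run over a constructed image fragment rather than svchost.exe. The image bytes, its base address 0x01000000 (chosen only to mirror the 0x0100xxxx style of the slide's addresses) and the helper names are assumptions; the opcode encodings (FF E0+reg for jmp reg, FF D0+reg for call reg) are the standard x86 ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 general registers, numbered as in the ModRM byte. */
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI };
static const char *const REG_NAME[8] =
    { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

struct spring { uint32_t va; uint8_t modrm; };

/* Find every two-byte register spring for one register in an image mapped
 * at `base`: FF E0+reg is "jmp reg", FF D0+reg is "call reg" (so FF E4 is
 * jmp esp, FF D3 call ebx, FF E3 jmp ebx, as on the slides). Overlapping
 * matches count too: the CPU does not care how the compiler meant the
 * bytes to be split into instructions. Returns the total; up to `max`
 * hits are stored in `out`. */
size_t find_springs(const uint8_t *img, size_t n, uint32_t base, int reg,
                    struct spring *out, size_t max)
{
    const uint8_t jmp = 0xe0 | (uint8_t)reg, call = 0xd0 | (uint8_t)reg;
    size_t found = 0;
    for (size_t i = 0; i + 1 < n; i++) {
        if (img[i] != 0xff || (img[i + 1] != jmp && img[i + 1] != call))
            continue;
        if (found < max) {
            out[found].va = base + (uint32_t)i;
            out[found].modrm = img[i + 1];
        }
        found++;
    }
    return found;
}

/* A spring address containing a 0x00 byte cannot be delivered by a C
 * string copy (strcpy stops at the NUL), so a strcpy-style overflow must
 * choose springs without zero bytes; other copy primitives do not care. */
bool has_null_byte(uint32_t va)
{
    for (int s = 0; s < 32; s += 8)
        if (((va >> s) & 0xff) == 0) return true;
    return false;
}

/* Constructed image fragment (not svchost.exe): a few prologue bytes with
 * springs planted among them. The base is an assumption for the example. */
#define IMAGE_BASE 0x01000000u
static const uint8_t IMAGE[] = {
    0x55, 0x8b, 0xec, 0x83, 0xec, 0x10,   /* push ebp; mov ebp,esp; sub esp,0x10 */
    0xff, 0xd3,                           /* call ebx                     at +6  */
    0x90, 0x90,                           /* nop; nop                            */
    0xff, 0xe4,                           /* jmp esp                      at +10 */
    0xc3,                                 /* ret                                 */
    0x8b, 0xff, 0xe3,                     /* mov edi,edi (8b ff); the overlapping
                                             bytes ff e3 read as jmp ebx at +14 */
    0xff, 0xd0,                           /* call eax                     at +16 */
    0x00, 0x00, 0xff, 0xe3,               /* jmp ebx                      at +20 */
};

/* Helpers over the constructed image: how many springs a register has,
 * and the virtual address of the k-th one (0 if there is none). */
size_t count_springs(int reg)
{
    return find_springs(IMAGE, sizeof IMAGE, IMAGE_BASE, reg, NULL, 0);
}

uint32_t nth_spring_va(int reg, size_t k)
{
    struct spring hits[16];
    size_t n = find_springs(IMAGE, sizeof IMAGE, IMAGE_BASE, reg, hits, 16);
    return k < n ? hits[k].va : 0;
}

int main(void)
{
    for (int reg = EAX; reg <= EDI; reg++) {
        struct spring hits[16];
        size_t n = find_springs(IMAGE, sizeof IMAGE, IMAGE_BASE, reg, hits, 16);
        for (size_t k = 0; k < n; k++)
            printf("0x%08x  ff %02x  %s %s%s\n", (unsigned)hits[k].va, hits[k].modrm,
                   (hits[k].modrm & 0xf0) == 0xe0 ? "jmp " : "call",
                   REG_NAME[reg], has_null_byte(hits[k].va) ? "  (contains 0x00)" : "");
    }
    printf("0x0100139d has a zero byte: %s\n", has_null_byte(0x0100139du) ? "yes" : "no");
    return 0;
}
```

Run over a real image the same loop is what produces the "a little over 11,000" count for call ebx/jmp ebx in svchost; every address it returns is a distinct value an exploit can put in the return-address slot, which is why per-address signatures explode and the slides turn to address windows instead. Note that addresses in the 0x0100xxxx window all contain a zero byte, so they only work with copy primitives that tolerate NULs.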
BUTTERCUP detection/prevention
[Diagram: packets pass through Buttercup, whose memory-range table drops known exploits before they reach the victim]
11,000 signatures for ONE vulnerability!!
False positives on BUTTERCUP???

Register Spring + Polymorphic
[Diagram: NOP NOP NOP NOP | Decryption Code | Attack Code | Exploit (RegisterSpring)]
???? “0x0100139d”

EBX-based Buttercup (a possible project idea)
Among all the memory addresses for call ebx (0xff 0xd3, 11,000+ of them), only four are around 0x01001***, about another 600+ are from 0x719555a4 to 0x71c637b3, and the rest (the majority, 10,000+) are all from 0x7585149f to 0x77fbc10b.
0x0100139d 0x010013a2 0x01001c83 0x01001cc7
0x719555a4 to 0x71c637b3
0x7585149f to 0x77fbc10b
But…
Still a lot, and maybe false positives…
– We don’t know
– What else can we do in the network…

Vulnerability and IDS/IPS
Software vulnerability is a very difficult issue to manage, especially on the wire.
– Naïve payload analysis will be much less meaningful
– Do not focus on the intention of the attacker first: too many possibilities
– Focus on how their code can get in!
A more humble goal
Signature: simple & yet powerful??

What is a “vulnerability”?
1 Vulnerability -- N Exploits
Vulnerability Primitive
– The capability for the attacker to put a value in a particular memory address.
– A memory system state change
(The unsafe C library functions listed earlier, which perform no verification of the destination size, are where such a primitive typically comes from.)
And, we “might” have to perform such analysis on the wire!!

[Diagram: IP header | TCP/UDP header | payload: NOP NOP NOP NOP | Decryption Code | Attack Code | Exploit (ReturnAddr) → System State Changes]
Focus on the “Primitives” being used in the “Epsilon” phase!
Application-dependent analysis
Virus
[Diagram: Clickme.exe, MSword.exe and the file system (FS): easily]

Host-based Approach
Minos can resolve all the problems related to control-flow hijacks with zero false positives.

Secure virtualization
[Diagram, top to bottom: Unmodified Applications / Unmodified OS (XP, Linux, Solaris, or FreeBSD) / Full Virtualization with Security Enhancements (Minos/DaCodA) / Hardware]

Asymmetric Information
Can we fill the gap??

IPS virtualization
[Diagram: the same stack, with a NIDS/NIPS in front of the virtualized host]
Recovery in memory: what types of roll-backs will make the most sense practically? OS versus applications.

Tricky virus
[Diagram: two instances of MSword.exe and the file system (FS)]

IPC virus
[Diagram: SQL.exe, MSword.exe and the file system (FS)]

Two definitions of Virus
A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself.
– Fred Cohen, early 80’s.
A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself.
– Peter Szor, recently.