Page 1:

Network Embedded Device Insecurity: Next Gen Exploitation and Defense

ONR BotNet Project Review, Feb 9, 2010

Ang Cui, Columbia IDS Lab, ang@cs.columbia.edu

Salvatore J. Stolfo, Columbia IDS Lab, sal@cs.columbia.edu

Page 2:

The Main Message

• Embedded devices are insecure and available as a source for new, stealthy botnets

• A global scan indicates there are a large number of trivially vulnerable devices in the wild – default passwords requiring no effort

• Traditional anti-virus does not work on embedded devices

• Advanced router exploitation techniques and router botnets exist today

• We should expect to see massive stealthy botnets composed of embedded devices

Parasitic Embedded Machines: a solution to embed defenses into legacy embedded devices in situ

Page 3:

Our Current Status

• Parasitic Embedded Machines can protect legacy devices against exploitation

• A PEM that protects standard Cisco IOS against rootkit installation exists today in our lab

Page 4:

Network Embedded Insecurity: Global Vulnerability Scan

• Embedded devices can be compromised using out-of-the-box default passwords and used in botnets

• How many trivially vulnerable embedded devices are there?

Page 5:

Global Vulnerability Scan Procedure

1. Scan the World
   • Scan the world's largest residential ISPs, commercial ISPs, EDU, GOV etc.
   • Scan in the United States, Asia and Europe

2. Identify Embedded Devices

3. Automatically Try Default Password
   • Automatically verify default passwords using profiles like this:

   cisco-IOS                        | web_cisco-web
   level_15_access                  | web_cisco-web
   Linksys SPA Configuration        | web_linksys-spa
   Linksys PAP2 Configuration       | web_linksys-pap2
   SpeedStream Router Configurator  | web_speedstream
   DD-WRT Control Panel             | web_ddwrt

   root:
     username_prompt: ['sername:']
     username: ['cisco']
     askuser: true
     passstr: ['assword:']
     incorrect: [sername, assword]
     success: ['\$', '\#', '>']
     passwords: ['cisco']
     deviceType: cisco
     linesep: ''

(easy as pie)

Page 6:

Global Vulnerability Scan Results

3 weeks, 5 machines, 1 billion IPs scanned

102,896 devices owned (as of Jan 2010)

Major Vulnerable Device Types (devices found over a 4 day period)

Count  | Device type
28808  | MW-2010R
4025   | SI314T
2555   | BCM
1203   | speedstream
923    | ipserver_dvrdvs
560    | zte
484    | cisco
423    | h3c
322    | linksys-wrt
305    | linksys-spa
205    | webbox
194    | huawei-ma5600
121    | netscreen
101    | polycom

Page 7:

[www.hacktory.cs.columbia.edu]

Page 8:

What we should expect next…

• Router Exploitation
  – DIK (Da IOS Rootkit, Sebastian Muniz): http://eusecwest.com/esw08/esw08-muniz.pdf
  – Router Transit Vulnerabilities (Felix Lindner): http://www.blackhat.com/presentations/bh-usa-09/LINDNER/BHUSA09-Lindner-RouterExploit-SLIDES.pdf
  – Reliable Cisco IOS Exploit (Felix Lindner): http://www.phenoelit-us.org/stuff/FX_Phenoelit_25c3_Cisco_IOS.pdf

• Router Botnet
  – Network Bluepill: http://dronebl.org/blog
  – Kaiten Bot (Helel Mod 1.0 – Ezba'Elohim), runs on D-Link routers: http://packetstormsecurity.nl/irc/kaiten.c

Host-based embedded device defense does not yet exist (Norton for IOS?). Detection of compromise is very difficult (Tripwire for IOS?).

Polymorphism has made signature-based protection obsolete (white-listing?).

Parasitic Embedded Machines are the solution.

Page 9:

Parasitic Embedded Machines (Next Gen Embedded Defense)

Embedded device population is diverse
• 270,000+ unique IOS images (Cisco)
• Many vendors, many devices, many revisions of the same device

Traditional host-based software cannot be ported to embedded devices
• Computational resource constraints
• Too many types of devices to protect
• Cannot leverage economies of scale

Parasitic Embedded Machines are a solution
• Operating system agnostic code injection
• Invisible to the original device firmware
• Protect embedded devices with white-list based technology
• Retrofit legacy devices with low-overhead protection

Page 10:

Cross Platform, Operating System Agnostic Code Injection

Page 11:

Standard Function Interception

Page 12:

Improved Function Hooking

PEMM (PEM Manager)

• Manages an Isolated Execution Context for PEM Payload

• Gives PEM Payload Cross-Device/Platform Portability

PEM

• Payload Executes In Parallel to Native OS

• Payload is invisible to Native OS

• Payload has full access to Native OS Internals

• Payload Controls CPU Allocation Between Native OS and Itself

Page 13:

Choose arbitrary functions to hook

• PEMM and Payload are injected into Native OS

• Many native OS functions are arbitrarily intercepted by PEMM

• PEM Continuously regains control of CPU as intercepted functions are invoked

• PEM Function hooks can be modified at runtime

• PEM can be obfuscated to evade adversarial attack

Page 14:

PEM Injection (Demonstrated for Cisco IOS)

Injection process can be done at runtime (via exploit) or at boot-time (patching IOS image)

Page 15:

Usable "Gap" Memory in IOS

[Figure: available gaps in 24MB of IOS 12.2, with a typical usable gap between code sections]

Approximately 100KB of usable space was automatically detected using the "gap" method alone.

Several other, slightly more sophisticated methods can be used to automatically detect more usable space.
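The "gap" method is described on this slide only by name. The following is an added example, not code from the talk or the authors' tool, of the simplest form of it: scanning an image for long runs of fill bytes (0x00 or 0xFF, the usual alignment padding). From the defender's side the same inventory matters for a different reason: a gap is memory that should stay empty, so every gap found here is a region the integrity monitor must cover, because anything that later appears in it is foreign. The image, the 256-byte threshold and the gap positions are constructed for the demo and are not IOS values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One run of fill bytes inside the image: [offset, offset + len). */
typedef struct {
    size_t  offset;
    size_t  len;
    uint8_t fill;   /* the byte value the run consists of (0x00 or 0xFF) */
} gap_t;

/* Scan an image for runs of at least min_run identical fill bytes and record
 * each run in out[]. Returns the number of gaps recorded; scanning stops
 * early when out[] is full, so size it generously. */
size_t find_gaps(const uint8_t *img, size_t len, size_t min_run,
                 gap_t *out, size_t max_gaps)
{
    size_t count = 0, i = 0;
    while (i < len && count < max_gaps) {
        uint8_t b = img[i];
        if (b != 0x00 && b != 0xFF) { i++; continue; }   /* not a fill byte */
        size_t j = i;
        while (j < len && img[j] == b) j++;              /* extend the run */
        if (j - i >= min_run) {
            out[count].offset = i;
            out[count].len    = j - i;
            out[count].fill   = b;
            count++;
        }
        i = j;
    }
    return count;
}

/* Total bytes covered by a gap list (the "usable space" figure). */
size_t total_gap_bytes(const gap_t *g, size_t n)
{
    size_t total = 0;
    for (size_t k = 0; k < n; k++) total += g[k].len;
    return total;
}

/* --- constructed demo image; this is not a real IOS image --- */
#define DEMO_IMG_SIZE 8192
#define DEMO_MIN_RUN  256
static uint8_t g_demo_img[DEMO_IMG_SIZE];
static gap_t   g_demo_gaps[8];

/* Build the image: pseudo-random "code" (no two adjacent bytes equal), a
 * 600-byte zero gap at 1000, a 16-byte zero run at 3000 that is too short to
 * count, and a 2000-byte 0xFF gap at 5000. Returns the number of gaps found. */
size_t demo_run(void)
{
    for (size_t i = 0; i < DEMO_IMG_SIZE; i++)
        g_demo_img[i] = (uint8_t)(i * 7 + 3);
    memset(g_demo_img + 1000, 0x00, 600);
    memset(g_demo_img + 3000, 0x00, 16);
    memset(g_demo_img + 5000, 0xFF, 2000);
    return find_gaps(g_demo_img, DEMO_IMG_SIZE, DEMO_MIN_RUN, g_demo_gaps, 8);
}

gap_t demo_gap(size_t k) { return g_demo_gaps[k]; }

int main(void)
{
    size_t n = demo_run();
    for (size_t k = 0; k < n; k++)
        printf("gap at 0x%zx: %zu bytes of 0x%02x\n",
               g_demo_gaps[k].offset, g_demo_gaps[k].len, g_demo_gaps[k].fill);
    printf("usable: %zu bytes\n", total_gap_bytes(g_demo_gaps, n));
    return 0;
}
```

The threshold is the only tuning knob: a run shorter than the payload (or its manager) is not worth recording, while a run of genuine data bytes that happen to be zero is excluded by the same rule.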

Page 16:

A Trivial PEM Payload

    /* saveLocation is part of the PEM calling convention and unused by this
       trivial payload; checkMemStart..checkMemStop is the region to scan. */
    void dummyPEMPayload(register unsigned int *saveLocation,
                         register unsigned int *checkMemStart,
                         register unsigned int *checkMemStop,
                         register unsigned int *statusRegister)
    {
        unsigned int *x;

        while (1) {
            for (x = checkMemStart; x < checkMemStop; x += 1) {
                // do something useful (calculate checksum)

                // periodically yield the CPU back to the native OS
                // (MIPS: $t9 holds the address to jump-and-link to)
                if ((int) x % 0x7FF == 0) {
                    asm("jalr $t9");
                }

                *(statusRegister) = (unsigned int) *(x);
            }
        }
    }

This can be compiled by GCC and injected directly into IOS as a PEM payload. In pseudocode:

    void dummyPEMPayload(PEM args) {
        while (true) {
            scan through memory segment
            perform computation on memory segment
            periodically yield control of CPU to native OS
        }
    }

Page 17:

Parasitic Embedded Machine Rootkit Defense: Cisco IOS Case Study

1. Inject Code Verification Payload into Cisco IOS
   • PEM payload injected into IOS image
   • Can be done at runtime or boot-time

2. Continuously Monitor Changes to IOS Code
   • PEM payload calculates checksum over protected OS memory regions:
     • Code section
     • Static data sections
     • Empty "gap" regions

3. Catch IOS Rootkits in Real-Time
   • PEM prevents function interception
   • Attacker cannot modify device OS
   • Persistent rootkits not possible under PEM protection

[Figure: IOS memory layout]

Defense strategy does not rely on attack signatures: continuous checksum validates IOS integrity.

White-list strategy will detect any OS modification attempts.
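The slide names the three steps but shows no code for the checksum loop beyond the trivial payload on the previous slide. The following is an added example, not the authors' PEM, that fills in what the monitoring payload has to do: take a baseline over each protected region (code, static data, gap) at injection time, rescan continuously while handing the CPU back to the native OS at a fixed interval, and report the first region whose checksum no longer matches. FNV-1a is used as the checksum purely because it is table-free and cheap on a router CPU; it is a change detector, not a MAC, so the baselines have to live in memory the PEM itself checks. The 4 KB image, the region sizes, the yield interval of 256 bytes and the `demo_yield` stand-in for the `jalr $t9` yield are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A protected region of the native OS image: [start, start + len). */
typedef struct {
    const char    *name;
    const uint8_t *start;
    size_t         len;
    uint32_t       baseline;   /* checksum recorded when the PEM was injected */
} pem_region_t;

#define FNV_OFFSET 0x811c9dc5u
#define FNV_PRIME  0x01000193u

/* Record a baseline checksum for every region (done once, right after injection). */
void pem_take_baselines(pem_region_t *r, size_t nr)
{
    for (size_t i = 0; i < nr; i++) {
        uint32_t h = FNV_OFFSET;
        for (size_t j = 0; j < r[i].len; j++) { h ^= r[i].start[j]; h *= FNV_PRIME; }
        r[i].baseline = h;
    }
}

/* One pass over all regions. After every yield_every bytes the payload hands the
 * CPU back to the native OS through yield(), which is what keeps the router
 * forwarding packets while the scan runs. Returns the index of the first region
 * whose checksum differs from its baseline, or -1 if every region is intact;
 * yields_out (optional) receives the number of yields performed. */
int pem_scan_once(const pem_region_t *r, size_t nr, size_t yield_every,
                  void (*yield)(void), size_t *yields_out)
{
    size_t yields = 0;
    int result = -1;
    for (size_t i = 0; i < nr && result < 0; i++) {
        uint32_t h = FNV_OFFSET;
        for (size_t j = 0; j < r[i].len; j++) {
            h ^= r[i].start[j];
            h *= FNV_PRIME;
            if (yield_every && (j + 1) % yield_every == 0) {
                yields++;
                if (yield) yield();
            }
        }
        if (h != r[i].baseline) result = (int)i;   /* stop at the first modified region */
    }
    if (yields_out) *yields_out = yields;
    return result;
}

/* --- constructed stand-in for a 4 KB slice of an IOS image; not real IOS --- */
#define IMG_SIZE 4096
static uint8_t      g_image[IMG_SIZE];
static pem_region_t g_regions[3];
static size_t       g_last_yields;

static void demo_yield(void) { /* stands in for "jalr $t9" */ }

/* Lay out code, static data and an all-zero gap, then take baselines. */
static void pem_demo_init(void)
{
    for (size_t i = 0; i < 2048; i++)    g_image[i] = (uint8_t)(i * 31 + 7);
    for (size_t i = 2048; i < 3072; i++) g_image[i] = (uint8_t)(i ^ 0x5a);
    memset(g_image + 3072, 0, 1024);
    g_regions[0] = (pem_region_t){ "code",        g_image,        2048, 0 };
    g_regions[1] = (pem_region_t){ "static data", g_image + 2048, 1024, 0 };
    g_regions[2] = (pem_region_t){ "gap",         g_image + 3072, 1024, 0 };
    pem_take_baselines(g_regions, 3);
}

/* Scan the untouched image: returns -1. */
int pem_demo_clean_scan(void)
{
    pem_demo_init();
    return pem_scan_once(g_regions, 3, 256, demo_yield, &g_last_yields);
}

/* Simulate a rootkit parking one byte in the "empty" gap: returns 2. */
int pem_demo_gap_write_scan(void)
{
    pem_demo_init();
    g_image[3072 + 100] = 0x27;
    return pem_scan_once(g_regions, 3, 256, demo_yield, &g_last_yields);
}

/* Simulate a hook patched over the first code byte: returns 0. */
int pem_demo_code_patch_scan(void)
{
    pem_demo_init();
    g_image[0] ^= 0xff;
    return pem_scan_once(g_regions, 3, 256, demo_yield, &g_last_yields);
}

size_t pem_demo_last_yields(void) { return g_last_yields; }

int main(void)
{
    int r = pem_demo_gap_write_scan();
    printf("modified region: %s (%zu yields)\n", r < 0 ? "none" : g_regions[r].name, g_last_yields);
    return 0;
}
```

The yield count is the knob the later slides measure: a smaller `yield_every` lowers the PEM's share of the CPU and lengthens the time between consecutive checks of the same byte, which is the detection latency.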

Page 18:

Implementation Stats

Page 19:

PEM Rootkit Detection Overhead

PEMM regulates CPU allocation between the native OS and itself.

[Figure: CPU utilization on a Cisco 7121 router with PEM set to different CPU usage levels]

Page 20:

IOS Modification Detection Latency

There is a direct relationship between PEM CPU usage and IOS modification detection speed: the more CPU the PEM is given, the faster a modification is detected.

Page 21:

Next Steps

• Expand range of devices in the scan (including .MIL via NPS.edu)
• Expand the range of devices with PEM injection
• Improve the PEM injection method (hooking returns) to broaden range of attack detection
• End-to-end demo of attack and defense against a router in the lab
• Develop an embedded device attack sensor
• Deploy sensors to detect attacks against routers in a network with outside collaborators (possibly FI infrastructure)

Page 22:

Columbia IDS Lab

www.cs.columbia.edu/ids

{sal,ang}@cs.columbia.edu