Self-Protecting Mobile Agents


Description: Self-Protecting Mobile Agents. Tom Van Vleck, Lee Badger, Doug Kilpatrick, Larry D'Anna, Brian Matt. Funded by both OASIS and Active Networks Programs. NAI Labs, March 2002. Not for Public Release. PowerPoint presentation; slide figure labels include Web Server, Code Red, Running Agent.

Transcript of Self-Protecting Mobile Agents

  • Self-Protecting Mobile Agents
    Tom Van Vleck, Lee Badger, Doug Kilpatrick, Larry D'Anna, Brian Matt
    Funded by both OASIS and Active Networks Programs
    NAI Labs, March 2002
    Not for Public Release

    Problem and Objective
    • Problem: Mobile programs are vulnerable to tampering by hosts on which they run.
    • Objective: Protect mobile agents from tampering while allowing:
      • High mobility.
      • Detached operation.
      • Extended deployment periods.
      • Realistic infrastructure requirements.
    [Figure: a Host Operating System runs an Agent Execution Server hosting a Running Agent (Code, Data); attacks come from the host against both code and data.]

    Technical Approach (in a nutshell)
    • Distribution: replicate agents across multiple, unrelated hosts. Present a moving target.
    • Monitoring/Recovery: regenerate corrupted agentlets.
    • Code/data Obfuscation: prevent host-based analysis. Refresh obfuscation before analysis can be completed.
    [Figure: a Self-Protecting Agent made up of agentlet1, agentlet2, agentlet3 ... agentletN, each on a different Host.]

    Time-limited Black Box
    • Hohl, Fritz, "An Approach to Solve the Problem of Malicious Hosts"
    • A host can deny execution, or lie, but it can't disrupt the program's internal consistency for n seconds.
    • De-obfuscation takes m >> n seconds.

    Goals of Obfuscator
    • Prevent understanding of:
      • Implementation structure
      • Data values
      • Algorithms
    • For some amount of time (work)
    • Not a toy

    Obfuscator Non-Goals
    • As strong as cryptography
    • Smaller or faster than original
    • Weak obscurity -> strong protection
    • Barak, Goldreich, et al., CRYPTO 2001: "Obfuscation is impossible" ... for their definition
    • Random slashdot poster sl956: "We all know that anybody using the words 'tamper resistant' to describe a software-based solution is incompetent at best. ..."

    What We've Done Lately
    • Obfuscation Techniques Evaluation Report
    • Jbet obfuscation tool
      • Obfuscation transforms: control, data
      • Packaging
      • Modular architecture
      • Automated test suite (197 tests, one with >300 cases)
      • Nightly build

    Jbet Obfuscation Tool - Context
    [Figure: classes go into JBET, which emits obfuscated classes; JBET takes Plugin Transforms and an Obfuscation policy as inputs.]

    Obfuscation Pipeline
    [Figure: a Reader turns classes into a DAG; successive xforms stages apply Variable obfuscations, Control flow obfuscations, and Optimization & obfuscation to the DAG; CodeGen emits classes.]

    DAG Representation
    [Figure: each method (with its params) holds Basic blocks; each Basic block holds a DAG of Nodes.]

    Obfuscation Transforms
    • Transient Variable Obfuscation: Offset, CRT, XOR, etc.
    • Control Flow Obfuscation: Switchify, method and class merging
    • Method combination
    • Field access
    • Introduction of dummy blocks
    • Name regeneration
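The three transient-variable encodings named on the slide (Offset, XOR, CRT), shown on one small method. This is an added example written for this page, not Jbet's code or output; the constants OFFSET, KEY, M1 and M2 are arbitrary values chosen here, and the CRT form is only valid while the encoded value stays below M1 * M2.

```java
// Added example (not Jbet's code): one method before and after three
// "transient variable" encodings named on the slide. Constants OFFSET, KEY,
// M1 and M2 are arbitrary values chosen for this illustration.
public class TransientVariableDemo {

    // Original: sum of squares 0 .. n-1.
    static int original(int n) {
        int acc = 0;
        for (int i = 0; i < n; i++) {
            acc += i * i;
        }
        return acc;
    }

    // Offset encoding: the local never holds i, only i + OFFSET.
    // Every use decodes with (enc - OFFSET); every assignment re-encodes.
    static final int OFFSET = 0x1F3A;

    static int offsetEncoded(int n) {
        int acc = 0;
        int iEnc = 0 + OFFSET;                       // i = 0
        while (iEnc - OFFSET < n) {                  // i < n
            acc += (iEnc - OFFSET) * (iEnc - OFFSET);
            iEnc = (iEnc - OFFSET + 1) + OFFSET;     // i++ ; a peephole optimizer folds this to iEnc + 1,
        }                                            // which is why the slides call this easy to see through
        return acc;
    }

    // XOR encoding: the local holds acc ^ KEY and is decoded only at use sites.
    static final int KEY = 0x5A5A5A5A;

    static int xorEncoded(int n) {
        int accEnc = 0 ^ KEY;
        for (int i = 0; i < n; i++) {
            accEnc = ((accEnc ^ KEY) + i * i) ^ KEY;
        }
        return accEnc ^ KEY;
    }

    // CRT encoding: the value lives as a pair of residues modulo two coprime
    // moduli; + is done residue-wise and the value is only rebuilt at the end.
    // Correct only while 0 <= value < M1 * M2 (about one million here).
    static final int M1 = 1009, M2 = 1013;

    static int crtEncoded(int n) {
        int r1 = 0, r2 = 0;                          // acc = 0 as residues
        for (int i = 0; i < n; i++) {
            int sq = i * i;
            r1 = (r1 + sq % M1) % M1;
            r2 = (r2 + sq % M2) % M2;
        }
        return crtReconstruct(r1, r2);
    }

    // Garner's form: x = r1 + M1 * ((r2 - r1) * M1^-1 mod M2).
    static int crtReconstruct(int r1, int r2) {
        int inv = modInverse(M1 % M2, M2);
        int t = (int) ((((long) r2 - r1) % M2 + M2) % M2 * inv % M2);
        return r1 + M1 * t;
    }

    // Moduli are small, so a brute-force inverse is fine for the demo.
    static int modInverse(int a, int m) {
        for (int x = 1; x < m; x++) {
            if ((int) ((long) a * x % m) == 1) return x;
        }
        throw new IllegalArgumentException("no inverse");
    }

    public static void main(String[] args) {
        for (int n = 0; n <= 100; n++) {
            int expect = original(n);
            if (offsetEncoded(n) != expect || xorEncoded(n) != expect || crtEncoded(n) != expect) {
                throw new AssertionError("mismatch at n=" + n);
            }
        }
        System.out.println("all three encodings agree with the original for n = 0..100");
    }
}
```

The three encodings differ mainly in what an optimizer or a human can undo by local rewriting: the Offset form collapses to the original with constant folding, the XOR form survives folding but the mask is visible at every use site, and the CRT form hides the value's magnitude but imposes a range limit that the transform has to respect.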

    Control Flow
    • No method calls except:
      • A few utility calls
      • Calls to external classes
    • Internal simulated call stack
    • Stub classes passed to external methods

    Control Flow Obfuscation: Switchify
    [Figure: left, a control-flow graph of blocks A, B, C, D, E joined by condition_1 and condition_2; right, the same blocks as cases of one switch (A, condition_1, D, condition_2, C, B, E) with a single exit.]

    Merged Methods
    [Figure: push(), pop(), alloc(), free(), make_frame(), free_frame() are merged into push(), pop(), internal().]

    Class Merging
    • Classes with native methods left separate
    • Internal classes fully emulated, vanish

    Method Calls
    • Simulated call stack
    • Virtual methods become a table of function addresses, stored as fields, subject to further obfuscation
    • Alternative virtual dispatch mechanisms

    Field Access
    • All variables replaced by refs to storage container class.
      class Memory {
          int[] I;
          float[] F;
          Object[] L;
          long[] J;
          double[] D;
          Memory[] N;
      }
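How the Memory container, the internal simulated call stack (Control Flow, Merged Methods and Method Calls slides) and the make_frame/free_frame utilities fit together, on a recursive method that ends up with no method calls of its own. This is an added example written for this page, not Jbet's code; the frame layout, slot numbers and dispatcher state labels are assumptions made here.

```java
// Added example (not Jbet's code): the slide's Memory container plus a
// simulated call stack so that a recursive method runs with no invoke of its
// own. Frame layout, slot numbers and state labels are assumptions made here.
public class SimulatedStackDemo {

    // Storage container in the shape shown on the slide: one typed array per
    // JVM value kind, so every local variable becomes an index into one of these.
    static class Memory {
        int[] I = new int[64];
        float[] F = new float[64];
        Object[] L = new Object[64];
        long[] J = new long[64];
        double[] D = new double[64];
        Memory[] N = new Memory[64];      // nested containers (the slide's memory[] N)
    }

    // Original: ordinary recursion, one JVM frame per call.
    static int fact(int n) {
        return n <= 1 ? 1 : n * fact(n - 1);
    }

    // Simulated frame in Memory.I: [fp+0] = n, [fp+1] = return state, [fp+2] = caller's fp.
    static final int FRAME = 3;
    static final int RESULT = 0;                              // I[0] is the "return value register"
    static final int ENTRY = 0, AFTER_CALL = 1, RETURN = 2;   // dispatcher states

    // make_frame utility: lays a frame down at sp and returns the new fp.
    static int makeFrame(Memory m, int sp, int n, int returnState, int callerFp) {
        if (sp + FRAME > m.I.length) throw new IllegalStateException("simulated stack overflow");
        m.I[sp] = n;
        m.I[sp + 1] = returnState;
        m.I[sp + 2] = callerFp;
        return sp;
    }

    // Same computation with no recursion: a "call" pushes a frame and re-enters
    // the ENTRY state; a "return" pops the frame and resumes the saved state.
    static int factNoCalls(int n, Memory m) {
        int fp = makeFrame(m, RESULT + 1, n, -1, -1);   // outermost frame: no caller
        int state = ENTRY;
        while (true) {
            switch (state) {
                case ENTRY: {
                    if (m.I[fp] <= 1) {
                        m.I[RESULT] = 1;
                        state = RETURN;
                    } else {                      // fact(n - 1): push callee frame, resume at AFTER_CALL
                        fp = makeFrame(m, fp + FRAME, m.I[fp] - 1, AFTER_CALL, fp);
                        state = ENTRY;
                    }
                    break;
                }
                case AFTER_CALL: {
                    m.I[RESULT] = m.I[fp] * m.I[RESULT];   // n * fact(n - 1)
                    state = RETURN;
                    break;
                }
                case RETURN: {                    // free_frame: pop back to the caller
                    int returnState = m.I[fp + 1];
                    if (returnState < 0) return m.I[RESULT];
                    fp = m.I[fp + 2];
                    state = returnState;
                    break;
                }
                default:
                    throw new IllegalStateException("bad state " + state);
            }
        }
    }

    public static void main(String[] args) {
        Memory m = new Memory();
        for (int n = 0; n <= 12; n++) {            // 13! overflows int, so stop at 12
            if (fact(n) != factNoCalls(n, m)) throw new AssertionError("mismatch at n=" + n);
        }
        System.out.println("simulated-stack factorial matches recursive factorial for n = 0..12");
    }
}
```

With the frames living in an int array rather than on the JVM stack, a decompiler sees one flat method and a data structure, not a call graph; the cost is that the JVM verifier no longer enforces frame discipline, so the transform itself has to keep fp and sp consistent, which is what the bounds check in makeFrame stands in for here.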

    Exceptions
    • Semantics preserved but athrow not used
    • Try/catch/throw internal to a method: handler address known statically
    • General: emulated with dynamic list of active handlers
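The "dynamic list of active handlers" idea from the Exceptions slide, on nested try/catch blocks with explicit throws: entering a try pushes its handler, leaving it pops, and a throw becomes a dispatcher state that unwinds the list to the nearest handler of the right type. This is an added example written for this page, not Jbet's code; the state labels and type tags are assumptions made here.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added example (not Jbet's code): nested try/catch with explicit throws,
// rewritten so that the program's own throws execute no athrow. Each try
// entry pushes its handler onto a dynamic list and a THROW state unwinds it.
// State labels and type tags are assumptions made for this illustration.
public class HandlerListDemo {

    // Original: an inner catch for one exception type nested in an outer catch
    // for another, so which handler runs depends on the dynamic nesting.
    static String original(int x) {
        StringBuilder log = new StringBuilder();
        try {
            try {
                if (x == 1) throw new IllegalStateException("inner");
                if (x == 2) throw new IllegalArgumentException("outer");
                log.append("ok;");
            } catch (IllegalStateException e) {
                log.append("inner-handler;");
            }
            log.append("after-inner;");
        } catch (IllegalArgumentException e) {
            log.append("outer-handler;");
        }
        return log.toString();
    }

    // Dispatcher states, and type tags standing in for the two exception classes.
    static final int BODY = 0, INNER_H = 1, AFTER_INNER = 2, OUTER_H = 3, THROW = 4, DONE = 5;
    static final int T_STATE = 1, T_ARG = 2;

    static String emulated(int x) {
        StringBuilder log = new StringBuilder();
        Deque<int[]> handlers = new ArrayDeque<>();   // active handlers {label, typeTag}, innermost on top
        int pending = 0;                               // type tag of the exception being raised
        int next = BODY;
        while (next != DONE) {
            switch (next) {
                case BODY:
                    handlers.push(new int[] {OUTER_H, T_ARG});    // enter outer try
                    handlers.push(new int[] {INNER_H, T_STATE});  // enter inner try
                    if (x == 1) { pending = T_STATE; next = THROW; break; }
                    if (x == 2) { pending = T_ARG; next = THROW; break; }
                    log.append("ok;");
                    handlers.pop();                              // leave inner try normally
                    next = AFTER_INNER;
                    break;
                case INNER_H:                                    // inner catch (its try is already popped)
                    log.append("inner-handler;");
                    next = AFTER_INNER;
                    break;
                case AFTER_INNER:
                    log.append("after-inner;");
                    handlers.pop();                              // leave outer try normally
                    next = DONE;
                    break;
                case OUTER_H:                                    // outer catch
                    log.append("outer-handler;");
                    next = DONE;
                    break;
                case THROW:                                      // replaces athrow: unwind to the nearest matching handler
                    next = DONE;
                    while (!handlers.isEmpty()) {
                        int[] h = handlers.pop();
                        if (h[1] == pending) { next = h[0]; break; }
                    }
                    // Unreachable for this program's inputs; it marks where an exception with
                    // no emulated handler would have to be handed back to the real caller.
                    if (next == DONE) throw new IllegalStateException("no emulated handler for tag " + pending);
                    break;
                default:
                    throw new IllegalStateException("bad state " + next);
            }
        }
        return log.toString();
    }

    public static void main(String[] args) {
        for (int x = 0; x <= 2; x++) {
            if (!original(x).equals(emulated(x))) throw new AssertionError("mismatch at x=" + x);
        }
        System.out.println(emulated(0) + " | " + emulated(1) + " | " + emulated(2));
    }
}
```

For x = 2 the inner handler is popped and skipped because its type tag does not match, which reproduces the JVM's rule that an inner catch for a different class does not intercept the exception; the ordering of the handler list is what carries that semantics once the exception table is gone.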

    Simple Demo
      public class Test {
          public static void main(String[] a) {
              for (int i = 0; i < 10; i++) {
                  System.out.println(i);
              }
          }
      }
    • This is a hard program to obfuscate
    • Transient variable obfuscation is easy to see through.
    • Control flow obfuscation really works
    • Program grows in size
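What the Switchify transform (and the "introduction of dummy blocks" transform from the Obfuscation Transforms slide) does to the Simple Demo's loop, written out by hand. This is an added example for this page, not Jbet's actual output; the block labels A, B, C, D, DUMMY, EXIT and their numeric values are assumptions, and output is collected into a StringBuilder rather than printed so the two versions can be compared.

```java
// Added example (not Jbet's code): the slide's demo program and a hand-made
// "switchified" form of it. Block labels A, B, C, D, DUMMY, EXIT and their
// numeric values are assumptions; Jbet's real output would differ.
public class SwitchifyDemo {

    // The demo program from the slide, with output collected instead of printed
    // so the two versions can be compared.
    static String original() {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < 10; i++) {
            out.append(i).append('\n');
        }
        return out.toString();
    }

    // Dispatcher labels for the loop's basic blocks. Non-sequential values are
    // deliberate: nothing in the numbering hints at the original block order.
    static final int EXIT = 0, A = 3, B = 7, C = 1, D = 5, DUMMY = 9;

    // Switchified: the loop's edges are gone from the control-flow graph; every
    // block ends by choosing the next label, and one switch dispatches on it.
    static String switchified() {
        StringBuilder out = new StringBuilder();
        int i = 0;                               // verifier needs definite assignment before the switch
        int next = A;
        while (next != EXIT) {
            switch (next) {
                case A:                          // loop init
                    i = 0;
                    next = B;
                    break;
                case B:                          // condition_1: i < 10 ?
                    next = (i < 10) ? C : EXIT;
                    break;
                case C:                          // loop body
                    out.append(i).append('\n');
                    // condition_2: an opaque predicate, never true for a square of an int,
                    // so DUMMY is unreachable even though it looks like part of the loop
                    next = ((long) i * i < 0) ? DUMMY : D;
                    break;
                case D:                          // increment, back to the test
                    i++;
                    next = B;
                    break;
                case DUMMY:                      // introduced dummy block: plausible code that never runs
                    out.setLength(0);
                    i = -i;
                    next = A;
                    break;
                default:
                    next = EXIT;
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        if (!original().equals(switchified())) throw new AssertionError("outputs differ");
        System.out.print(switchified());         // prints 0 .. 9, one per line, like the slide's Test class
    }
}
```

After the transform, a decompiler that recovers structure from the control-flow graph sees a single loop around a switch instead of a counted for-loop, and the dummy block adds a path it cannot rule out without proving the predicate false; the size growth the slide mentions comes from the extra dispatch code and the dead block.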

    Hard Demo
    • DES test (public domain code)
    • 6 classes, 3179 lines
    • More obfuscation
    • Code volume and runtime increase

    Demo

    Results - Simple

    Results - DES

    What's Next
    • More transforms
    • Plug-in architecture
    • Optimum determination of transforms
      • Data flow driven
      • Metrics
    • Speed and space improvement
    • Integrate with agentlets

    Administrative Info (Milestones)
    • Feb. 28, 2001: Policy Specification and Architecture Report
    • April 30, 2001: Prototype Distributed Agent Generation Tool
    • Nov. 15, 2001: Obfuscation Techniques Evaluation Report
    • March 15, 2002: Obfuscated Agentlet Prototype
    • Dec. 15, 2002: Distributed, Self-Healing Obfuscated Agentlet Prototype
    • Jan. 15, 2003: Final Report

    The End!

    Commercial Obfuscators & Decompilers
    • Severe limitations
    • Obfuscation mostly limited to name removal

    Deferred Java Features
    • Floating point
    • Reflection
    • Serialization
    • Synchronization

    Java Challenges
    • Typed memory management
    • Java verifier: forces correct type and stack at every point
    • Limited control flow
    • Rich program object

    Static and Dynamic
    • Static analysis
      • Branch loses information of where from
      • Trace based analysis
      • Program slicing
    • Interpretive execution for given input
    • Threading
      • Separate thread for interactions with environment
      • Nondeterministic execution

    Ideal State Obfuscation
    [Figure: node graph; the only surviving label is POP.]
    • Input labels
    • Exit records
    • Nodes represent value flow
    • Some optimization implicit in this construction