Transcript General
ecs236 Winter 2007: Computer Security: Intrusion Detection Based Approach #1: Vulnerability Dr. S. Felix Wu Computer Science Department University of California, Davis http://www.cs.ucdavis.edu/~wu/ [email protected] 01/04/2007 ecs236 winter 2007 1 Intrusion Prevention Prevention: This should/must never be broken in! – “This” means a perfectly designed, implemented, and managed/configured secure system! 01/04/2007 ecs236 winter 2007 2 Intrusion Detection Prevention: This should/must never be broken in! Detection: – The IDS (Intrusion Detection System) approach has been taken as the “Second Line of Defense” and “Short Term Solutions”. 01/04/2007 ecs236 winter 2007 3 Examples Application/service issues Firewalls Email spam/voIP spit Spam Filters Phishing Phishing detectors The list goes on… 01/04/2007 ecs236 winter 2007 4 Examples Application/service issues Firewalls Email spam/voIP spit Spam Filters Phishing Phishing detectors It is NOT whether we need the “detection approach” It is whether it can be effective. 01/04/2007 ecs236 winter 2007 5 Intrusion Detection Prevention: This should/must never be broken in! Detection: “This” will need to face the reality check! – We had, have, will have so many “expected” unexpected. – Industry never really serious about cyber security – profit/market-driven 01/04/2007 ecs236 winter 2007 6 We accept it as a fact… 01/04/2007 ecs236 winter 2007 7 And, we have to have… 01/04/2007 ecs236 winter 2007 8 Intrusion Detection Prevention: This should/must never be broken in! Detection: “This” will need to face the reality check! – We had, have, will have so many “expected” unexpected. – We had, have, will have even more “unexpected” unexpected!! 01/04/2007 ecs236 winter 2007 9 To: All Faculty, Staff and Students On Tuesday, January 03, 2006, UC Davis implemented temporary measures to prevent the exploitation of a serious new computer vulnerability for which no patch is yet available. This vulnerability affects Windows 2000, Windows XP, Windows Server 2003, Windows 98 and ME systems and may be exploited when infected email file attachments or infected Web pages are viewed. Once a computer is infected, data may be permanently lost and/or a remote attacker could gain control of the computer. After extensive consultation with the campus leadership, the decision has been made to temporarily block wmf image attachments. These files can have a number of different extensions, but most commonly will have .wmf and .jpg extensions. 01/04/2007 ecs236 winter 2007 10 Max-Sequence # Attack Block LSA updates for one hour by injecting one bad LSA. – You can hit it once and come back in an hour. Implementation Bug! – Two independently developed OSPF packages. – MaxSeq# LSA Purging has not been implemented correctly!! Announced in May, 1997. 01/04/2007 ecs236 winter 2007 11 What is Intrusion Detection? 01/04/2007 ecs236 winter 2007 12 Intrusion Detection Detecting intrusions such as – Viruses, Worms, Spywares, Phishing, Spamming, Insider, Un-authorized activities, faults/failures, among many others Detecting and Managing anything “unexpected” – Anomalies Question: “Detecting what??” 01/04/2007 ecs236 winter 2007 13 Intrusion Detection Model Input event sequence 01/04/2007 Intrusion Detection ecs236 winter 2007 Results 14 Results?? This email contains virus XYZ This email might be a spam with 80% probability This email is somewhat trusted based on your social network This email might be malicious This email might be malicious for reasons ABC and DEF. 01/04/2007 ecs236 winter 2007 15 Intrusion Detection Model Input event sequence Intrusion Detection Results Pattern matching 01/04/2007 ecs236 winter 2007 16 IDS Events TCPdump traces OS kernel and Host-level information BGP traces Application Logs Many others… 01/04/2007 ecs236 winter 2007 17 Anti-Virus Virus Definition Input event sequence Virus Detection Results Pattern matching 01/04/2007 ecs236 winter 2007 18 Credit Card Fraud Detection Spending Patterns Input event sequence Fraud Detection Results Statistical Pattern Matching 01/04/2007 ecs236 winter 2007 19 SNORT Rules Input event sequence Results Pattern matching 01/04/2007 ecs236 winter 2007 20 01/04/2007 ecs236 winter 2007 21 About the Instructor S. Felix Wu – [email protected] – [email protected] – [email protected] Office: 3057 Engineering II Phone: 530-754-7070 Office Hours: – 10-11 a.m. on Monday and Friday – by appointment 01/04/2007 ecs236 winter 2007 22 Why 3 email addresses? – [email protected] – [email protected] – [email protected] 01/04/2007 ecs236 winter 2007 23 Why 3 email addresses? – [email protected] – [email protected] – My main email contact for everything all the time. – [email protected] 01/04/2007 ecs236 winter 2007 24 Why 3 email addresses? – [email protected] – [email protected] – My main email contact for everything all the time. – [email protected] – Read only once in the past three months… 01/04/2007 ecs236 winter 2007 25 Why 3 email addresses? – [email protected] read/response during the quarters, especially before the homework deadlines. – [email protected] – My main email contact for everything all the time. – [email protected] – Read only once in the past three months… 01/04/2007 ecs236 winter 2007 26 Anti-Spam [email protected] subject: [0x9876543210ABCDEF]… 0x9876543210ABCDEF is the cyber social link between the instructor and the students in ecs236, Winter 2007. 01/04/2007 ecs236 winter 2007 27 Intrusion Detection Practical Engineering – Performance, Accuracy, Scalability, CPU/Memory, Correlation, Deployment. Theoretical Foundation – Detectability/Limitation, Dimensionality, Entropy, False Negative and Positive, Evaluation 01/04/2007 ecs236 winter 2007 28 In this quarter… The architecture of ID and IDS – Stateful versus stateless A balance between – Signature, specification, anomaly Engineering a High Analysis of ID Results Performance IDS system – Explanation and Analysis Fundamentally understand our – Event Correlation limitations IDS Evaluation or Attacking IDS – Attack Polymorphism and IDS Evasion IDS Fundamental Principles 01/04/2007 ecs236 winter 2007 29 Syllabus IDS architecture Anomaly-based Approach Event Correlation and Analysis IDS Evaluation Advanced Research Topics 01/04/2007 ecs236 winter 2007 30 Course Requirements Teamwork or individual – Discussion with others is highly encouraged! 50%: 5 Homework Assignments – 10% each (read 1~2 IDS papers and answer a few questions) 10%: 40%: 01/04/2007 Proposal Final Project ecs236 winter 2007 31 www.cs.ucdavis.edu/~wu/ecs236/ 01/04/2007 ecs236 winter 2007 32 Final Projects IDS Architecture Network versus Host Anomaly Detection IDS Evaluation and Evasion Alert correlation and explanation 01/04/2007 ecs236 winter 2007 33 More… Polymorphic/metamorphic worms Spam/Spit, Phishing, Spyware,… P2P issues (e.g., Bittorrent) Botnet.. 01/04/2007 ecs236 winter 2007 34 Even more… Fundamental… “Why will we have DDoS and Spam in the first place??” 01/04/2007 ecs236 winter 2007 35 about Web site http://www.cs.ucdavis.edu/~wu/ecs236/ all lectures, notes, announcements, homework assignments, tools, papers will be there. 01/04/2007 ecs236 winter 2007 36 First Paper: BUTTERCUP http://www.cs.ucdavis.edu/~wu/ecs236/pap ers/Buttercup_NOMS2004.pdf Question: “How would you attack the Buttercup mechanism mentioned in the paper?” 01/04/2007 ecs236 winter 2007 37 Internet Infrastructure It enables many cool applications. – Email, Web+, IM, Skype, Google, Bittorrent, Infospace, LinkedIn,... We are connected, at least in the “IP address” sense!! 01/04/2007 ecs236 winter 2007 38 Internet Infrastructure It enables many cool applications. – Email, Web+, IM, Skype, Google, Bittorrent, Infospace, LinkedIn,... We are connected, at least in the “IP address” sense!! Many other forms of connections: – Peer2Peer, Friend2Friend, community 01/04/2007 ecs236 winter 2007 39 Internet Infrastructure It enables many cool applications. It enables many cool attacks. 01/04/2007 ecs236 winter 2007 40 Internet Infrastructure It enables many cool applications. It enables many cool attacks. – David Clark on Morris Worms to DARPA in 1988 01/04/2007 ecs236 winter 2007 41 Internet Infrastructure It enables many cool applications. It enables many cool attacks. – David Clark on Morris Worms to DARPA in 1988 “Internet is doing exactly what it supposed to do” 01/04/2007 ecs236 winter 2007 42 It enables many cool applications. It enables many cool attacks. – Worm, DDoS, spamming, phishing,… (the list is still growing) 01/04/2007 ecs236 winter 2007 43 We can not blame everything to Microsoft! It enables many cool applications. It enables many cool attacks. – Worm, DDoS, spamming, phishing,… (the list is still growing) Related to our Inter-domain routing today… 01/04/2007 ecs236 winter 2007 44 WORM Since November 2nd of 1988… – Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others… inject infect spread 01/04/2007 ecs236 winter 2007 45 WORM Since November 2nd of 1988… – Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others… inject infect spread WORM is causing Internet-wide instability. 01/04/2007 ecs236 winter 2007 46 Slammer BGP Internet routing stability analysis on a Beijing prefix T 2 09/01/2002 01/04/2007 01/31/2003 ecs236 winter 2007 47 Network meets Software An interesting interaction among the Internet, the software on the hosts, and the worms themselves. The “short-term” Reality: – Estimated 40~50% of Internet hosts are still vulnerable to CodeRed. 01/04/2007 ecs236 winter 2007 48 WORM Since November 2nd of 1988… – Robert T. Morris, Code Red, Nimda, Slammer, Blaster, and many others… inject infect spread WORM is causing Internet-wide instability. WORM is a critical first step for the attacker to quickly build the large-scale attacking infrastructure. 01/04/2007 ecs236 winter 2007 49 WORM + DDoS Victim .com ISP 01/04/2007 ecs236 winter 2007 50 They are getting better… The rapid evolution of the “attacker’s community” 01/04/2007 ecs236 winter 2007 51 They are getting better… The rapid evolution of the “attacker’s community” And, many thanks to our rapid growing software industry in the past “N” years as well… 01/04/2007 ecs236 winter 2007 52 Software Vulnerability Software vulnerabilities are weaknesses, being introduced during the “software engineering” process, that can potentially be exploited by attackers. – OS kernels, device drivers, applications… There are other types of vulnerabilities in our software systems that can be exploited. 01/04/2007 ecs236 winter 2007 53 Software Vulnerability Difficulties in security management – we don’t know how attackers are going to attack us, – And, we don’t know which vulnerabilities can/will be exploited, either. 01/04/2007 ecs236 winter 2007 54 Software Vulnerability Focus on Software Vulnerabilities Two approaches – better software engineering – better vulnerabilities understanding 01/04/2007 ecs236 winter 2007 55 Software Vulnerability Focus on Software Vulnerabilities Two approaches – better software engineering – better vulnerabilities understanding Practically, around the Internet, we currently have and will still have a large number of legacy software systems around for “quite a while.” 01/04/2007 ecs236 winter 2007 56 Network-based Solutions “Intrusion Prevention Systems” or “Advanced Firewalls” packet Intrusion Prevention System packet Legacy victims analyze & drop 01/04/2007 ecs236 winter 2007 57 Vulnerability vs. Exploit Vulnerability – the “weak” points in the software – applications or even the kernel itself – “control flow hijack” based on buffer overflow. Exploit – the attack code utilizing one or more vulnerabilities 01/04/2007 ecs236 winter 2007 58 Buffer Overflow Some unsafe functions in C library: strcpy(char *dest, const char *src); strcat(char *dest, const char *src); getwd(char *buf); gets(char *s); fscanf(FILE *stream, const char *format, ...); scanf(const char *format, ...); realpath(char *path, char resolved_path[]); sprintf(char *str, const char *format); … 01/04/2007 No Verification ecs236 winter 2007 … 59 01/04/2007 ecs236 winter 2007 60 High Arguments Return address String Growth Prev. frame pointer Local variables Stack Pointer Low 01/04/2007 Stack Growth ecs236 winter 2007 61 High foo Arguments bar Return address String Growth Prev. frame pointer Local variables Stack Pointer Low 01/04/2007 Stack Growth ecs236 winter 2007 bar( ) {……} foo( ) { …… call bar( ); …… } 62 b int bar(int a, int b) { int i, j; char buf[9]; } a ret address SFP i = 5; j = 123; strcpy(buf, “securephdbcde”); Buffer Overflow 01/04/2007 high ecs236 winter 2007 05 00 500 00 e 00 00 00 65 d 62 b 63 c 64 d 64 r 65 e 70 p 68 h 72 s 65 e 63 c 75 u 73 low 63 int bar(int Ret a, int b) Overflow { int i, j; Segmentation fault... char buf[9]; RetAddr = 0x65656565 i = 5; j = 123; strcpy(buf, “securephdaaabbbbcccceeeeffff”); } 01/04/2007 ecs236 winter 2007 high b a address 65ret65 65 65 SFP64 64 64 64 63 635 63 63 12362 62 62 62 64 61 61 61 72 65 70 68 73 65 63 75 low 64 High foo Arguments bar Return address String Growth Prev. frame pointer Local variables Stack Pointer Low 01/04/2007 Stack Growth ecs236 winter 2007 bar( ) {……} foo( ) { …… call bar( ); …… } 65 High String Growth foo Arguments bar( ) {……} Return address bar Prev. frame pointer Local variables Stack Pointer Low 01/04/2007 Stack Growth ecs236 winter 2007 foo( ) { …… call bar( ); …… } 66 Control Flow Hijack I want “my code” executed! – Malicious code injection – Control flow redirection/hijacking code code code code Virus Worm 01/04/2007 ecs236 winter 2007 67 High String Growth foo Arguments bar( ) {……} Return address bar Prev. frame pointer Local variables Stack Pointer Low 01/04/2007 Stack Growth ecs236 winter 2007 foo( ) { …… call bar( ); …… } 68 A Single Packet Exploit Return Address == 0x4739a304 Attack Code 01/04/2007 Exploit (ReturnAddr) ecs236 winter 2007 69 Example 0000000 * 00001f0 0000200 0000210 0000220 0000230 * 00004a0 00004b0 01/04/2007 9090 9090 9090 9090 9090 9090 9090 9090 9090 89aa 3180 2f6e f822 9090 89f9 89db 6873 bfff 22eb abf0 40d8 f822 f822 895e fa89 80cd bfff bfff 89f3 c031 d9e8 f822 f822 83f7 b0ab ffff bfff bfff 07c7 0408 2fff f822 f822 c031 cd03 6962 bfff bfff f822 bfff f822 bfff f822 bfff 9090 9090 fa48 bfff ecs236 winter 2007 70 Example: NOP-sled 0000000 * 00001f0 0000200 0000210 0000220 0000230 * 00004a0 00004b0 9090 9090 9090 9090 9090 9090 9090 9090 9090 89aa 3180 2f6e f822 9090 89f9 89db 6873 bfff 22eb abf0 40d8 f822 f822 895e fa89 80cd bfff bfff 89f3 c031 d9e8 f822 f822 83f7 b0ab ffff bfff bfff 07c7 0408 2fff f822 f822 c031 cd03 6962 bfff bfff f822 bfff f822 bfff f822 bfff 9090 9090 fa48 bfff Sometime we can not easily determine the “exact” memory address to jump into… 01/04/2007 ecs236 winter 2007 71 “NOP Sled” Engineering Attack Code Exploit (ReturnAddr) code[] = “\xeb\x2a\x5f\xc6\x47\x07\x00\x89\x7f\x08\xc7\x47”; strcpy(buf, code); buf = “\xeb\x2a\x5f\xc6\x47\x07” NOP NOP NOP NOP Attack Code Exploit (ReturnAddr) And, sometimes, we simply want to find a way to avoid “\x00”. 01/04/2007 ecs236 winter 2007 72 attack polymorphism (many different ways) Attack Code Decryption Code Exploit (ReturnAddr) Attack Code Exploit (ReturnAddr) The Signature Explosion Problem!! 01/04/2007 ecs236 winter 2007 73 Vulnerability vs. Exploit 1 M or N M Polymorphic tools available – A Naïve approach: M Can we find the “invariants”? – We need to avoid “signature explosion”… 01/04/2007 ecs236 winter 2007 74 Decryption Code NOP NOP NOP NOP 01/04/2007 Attack Code Decryption Code Exploit (ReturnAddr) Attack Code ecs236 winter 2007 Exploit (ReturnAddr) 75 Detecting “NOP Sleds” “Intrusion Prevention Systems” or “Advanced Firewalls” packet Intrusion Prevention System NOP Sled Signatures 01/04/2007 ecs236 winter 2007 packet Legacy victims analyze & drop 76 A WORM with a NOP-Sled 0000000 * 00001f0 0000200 0000210 0000220 0000230 * 00004a0 00004b0 01/04/2007 9090 9090 9090 9090 9090 9090 9090 9090 9090 89aa 3180 2f6e f822 9090 89f9 89db 6873 bfff 22eb abf0 40d8 f822 f822 895e fa89 80cd bfff bfff 89f3 c031 d9e8 f822 f822 83f7 b0ab ffff bfff bfff 07c7 0408 2fff f822 f822 c031 cd03 6962 bfff bfff f822 bfff f822 bfff f822 bfff 9090 9090 fa48 bfff ecs236 winter 2007 77 A Polymorphic WORM 0000000 0000010 0000020 0000030 0000040 0000050 0000060 0000070 0000080 0000090 00000a0 00000b0 00000c0 00000d0 01/04/2007 5247 3792 495e 4297 454d 4592 9796 4740 48fc 5b52 404c 4145 2f59 545f 5237 4997 5b37 9e93 99fc 4998 4637 9c96 5d60 494f 4a45 96fc 4c46 55f9 5759 6059 4740 4598 5251 935f 5b3f 499f 4742 434d 6040 5140 9647 5e56 9199 5a5d 5d4f 404a 5042 275f 9751 5652 9755 5899 404c 4c56 4747 4191 ecs236 winter 2007 984e 979c 4f99 9696 9b37 985d 9754 934e 4450 f827 4957 f946 9e48 9249 602f 9199 975f 4652 4042 f84e 9f5a 5355 4441 9957 5798 9348 5137 519e 4b58 9242 4492 5150 4a95 4991 9543 479b 4697 4346 99f9 4f4d 4142 559e 9555 9349 3797 5e4f 4459 fc96 4c9e 91f8 5697 9796 569b f8f8 5b4d 6099 78 NOP sleds “NOP sled” can/will NOT be a useful signature in detecting future WORMs… 80~90% of the WORMs today don’t really need “NOP sleds” but, historically, they are still “left” there. 01/04/2007 ecs236 winter 2007 79 BUTTERCUP Ideas: – Given a software exploit, the hacker can encrypt the malicious code but not the “hijacking” entry point (e.g., return address). – The hacker can twist the “return address” but practically not infinitely a range of memory addresses. 01/04/2007 ecs236 winter 2007 80 Memory Address Ranges Arguments Arguments Return address Return address Prev. frame pointer Prev. frame pointer Local variables Local variables One “Exploit”has one “return address” value, but another exploit based on the same vulnerability might be using a different return address. 01/04/2007 ecs236 winter 2007 81 size, offset and depth Is this packet a Slammer worm or a suspect “utilizing” the same vulnerability? 0x42b0caa4 Arguments Return address Prev. frame pointer 0x42b0c914 Local variables performance & false positive NOP NOP NOP NOP 01/04/2007 Decryption Code Attack Code ecs236 winter 2007 Exploit (ReturnAddr) 82 UPR. LYR. PAYLOAD NOP NOP NOP NOP Code UPR. LYR.Attack PAYLOAD Decryption Code TCP/UDP HDR Exploit (ReturnAddr) packet TCP/UDP HDR IP IP BUTTERCUP False Positive ?? packet victim detection/prevention IDS/IPS preprocessing memory range table analyze & drop 19 known exploits/vulnerabilities 01/04/2007 ecs236 winter 2007 83 01/04/2007 ecs236 winter 2007 84 about 30~180 days In July, 2002 Microsoft announced the vulnerabilities! On January 25, 2003 05:30 UTC, slammer was out! We had about 6 months back then!! BUTTERCUP, a network based approach, might have been more practical and scaleable than Windows Update!! 01/04/2007 ecs236 winter 2007 85 Limitation BUTTERCUP will only work for “known vulnerabilities”! – But, it may work for Zero-day exploits based on known vulnerabilities. 01/04/2007 ecs236 winter 2007 86 Exploit Vulnerability Exploit: controlled by the attackers Vulnerability: controller/limited by the defense 01/04/2007 ecs236 winter 2007 87 How can each of the stages be polymorphic? NOP NOP NOP NOP Decryption Exploit Attack Code UPR. Code LYR. PAYLOAD (ReturnAddr) TCP/UDP HDR 01/04/2007 IP ecs236 winter 2007 System State Changes 88 Register Spring We in general don’t know which “thread stack” will be used?! 4 millions in memory differences. 01/04/2007 ecs236 winter 2007 89 Register Spring High foo Arguments bar ret Return address Prev. frame pointer jmp ESP Local variables Stack Pointer Low 01/04/2007 11,000 Stack Growth ecs236 winter 2007 90 Start: CALL FunctionWithBufferOverflow FunctionWithBufferOverflow: PUSH EBP MOV EBP,ESP … CALL OverflowMyBuffer … POP EBP RET 01/04/2007 ecs236 winter 2007 91 Slammer 01/04/2007 ecs236 winter 2007 92 ESP (Stack Pointer) Register springs off of ESP utilize the compiler conventions for managing stack frames 01/04/2007 ecs236 winter 2007 93 Start: CALL FunctionWithBufferOverflow FunctionWithBufferOverflow: ESP PUSH EBP MOV EBP,ESP … CALL OverflowMyBuffer … POP EBP RET 01/04/2007 ecs236 winter 2007 94 Start: CALL FunctionWithBufferOverflow FunctionWithBufferOverflow: PUSH EBP Start+6 High ESP MOV EBP,ESP … CALL OverflowMyBuffer … POP EBP RET 01/04/2007 ecs236 winter 2007 95 Start: CALL FunctionWithBufferOverflow Start+6 FunctionWithBufferOverflow: PUSH EBP MOV EBP,ESP High Old EBP ESP … CALL OverflowMyBuffer … POP EBP RET 01/04/2007 ecs236 winter 2007 96 Start: CALL FunctionWithBufferOverflow FunctionWithBufferOverflow: Start+6 High Old EBP PUSH EBP MOV EBP,ESP ESP/ EBP … CALL OverflowMyBuffer … POP EBP RET MyB uffer 01/04/2007 ecs236 winter 2007 97 Start: Attack8 CALL FunctionWithBufferOverflow FunctionWithBufferOverflow: Attack7 Attack6 PUSH EBP Attack5 MOV EBP,ESP Attack4 … Attack3 CALL OverflowMyBuffer … Attack2 POP EBP Attack1 RET Low ESP/ EBP Attack0 MyB uffer 01/04/2007 ecs236 winter 2007 98 Start: Attack8 CALL FunctionWithBufferOverflow Attack7 FunctionWithBufferOverflow: Attack6 PUSH EBP Attack5 MOV EBP,ESP Attack4 … CALL OverflowMyBuffer jmp ESP Low ESP Attack3 Attack2 … POP EBP RET Attack1 code Attack0 MyBuffer 01/04/2007 ecs236 winter 2007 (EBP == Attack5) 99 Attack8 Start: CALL FunctionWithBufferOverflow Attack7 Attack6 FunctionWithBufferOverflow: ESP Attack5 PUSH EBP Attack4 MOV EBP,ESP Attack6:JMP ESP … CALL OverflowMyBuffer Attack2 … Attack1 POP EBP Attack0 RET 01/04/2007 Attack3 ecs236 winter 2007 (EBP == Attack5) MyBuffer 100 Notes This is how Slammer worked, Sasser is very similar, as are a couple of others Bogus return pointer is Attack6, payload starts at Attack7 01/04/2007 ecs236 winter 2007 101 Other registers Register springs off of other registers utilize the compiler conventions for managing buffers (i.e. EBX is the “base” register for indexing the base of a buffer, ESI is the “source” register for string operations, EDI is the “destination”, …) Blaster RPC DCOM used EBX, ASN.1 uses EDI, Code Red II used EBX 01/04/2007 ecs236 winter 2007 102 DCOM Exploits in svchost (Blaster) 0xff 0xd3 is CALL EBX which is the one Blaster used, but JMP EBX (0xff 0xe3) works just as well. a little over 11,000 in svchost 0x0100139d is the only one that Blaster used and is the one the publicly available DCOM exploit uses. 01/04/2007 ecs236 winter 2007 103 High foo Arguments bar … ret Return address Prev. frame pointer jmp ESP Local variables … Stack Pointer Low 01/04/2007 11,000 Stack Growth ecs236 winter 2007 104 packet packet BUTTERCUP victim detection/prevention known exploits memory range table drop 11,000 Signatures for ONE vulnerability!! False Positive on BUTTERCUP??? 01/04/2007 ecs236 winter 2007 105 Register Spring+Polymorphic ???? NOP NOP NOP NOP Decryption Code Attack Code Exploit (RegisterSpring) “0x0100139d” 01/04/2007 ecs236 winter 2007 106 EBX-based Buttercup (a possible project idea) Among all the memory address for call ebx (0xff 0xd3 -- 11000+ of them), only four of them are around 0x01001***, about another 600+ are from 0x719555a4 to 0x71c637b3. But, the rest of them (the majority 10000+) are all from 0x7585149f to 0x77fbc10b. 0x0100139d 0x010013a2 0x01001c83 0x01001cc7 0x719555a4 0x71c637b3 0x7585149f 0x77fbc10b 01/04/2007 ecs236 winter 2007 107 But… Still a lot and maybe false positive… – We don’t know – What else can we do in the network… 01/04/2007 ecs236 winter 2007 108 Vulnerability and IDS/IPS Software Vulnerability is a very difficult issue to manage, especially on the wire. – Naïve payload analysis will be much less meaningful – Not focus on the intention of the attacker first Too many possibilities – Focus on how their code can get in! A more humble goal Signature: simple & yet powerful?? 01/04/2007 ecs236 winter 2007 109 What is a “vulnerability”? 1 Vulnerability -- N Exploits 01/04/2007 ecs236 winter 2007 110 Vulnerability Primitive Primitive – The capability for the attacker to put a value in a particular memory address. – A memory system state change … No Verification … And, we “might” have to perform such analysis on the wire!! 01/04/2007 ecs236 winter 2007 111 Focus on “Primitives” being used in the “Epsilon” phase! Application dependent analysis NOP NOP NOP NOP Decryption Exploit Attack Code UPR. Code LYR. PAYLOAD (ReturnAddr) TCP/UDP HDR 01/04/2007 IP ecs236 winter 2007 System State Changes 112 Control Flow Hijack I want “my code” executed! – Malicious code injection – Control flow redirection/hijacking code code code code Virus Worm 01/04/2007 ecs236 winter 2007 113 virus Clickme.exe MSword.exe easily FS 01/04/2007 ecs236 winter 2007 114 Host-based Approach Minos can resolve all the problems related to control-flow hijacks with zero-false positive. 01/04/2007 ecs236 winter 2007 115 Secure virtualization Unmodified Applications Unmodified OS (XP, Linux, Solaris, or, FreeBSD) Full Virtualization with Security Enhancements (Minos/DaCodA) Hardware 01/04/2007 ecs236 winter 2007 116 Asymmetric Information Can we fill the gap?? 01/04/2007 ecs236 winter 2007 117 IPS virtualization Unmodified Applications Unmodified OS (XP, Linux, Solaris, or, FreeBSD) Full Virtualization with Security Enhancements (Minos/DaCodA) Hardware NIDS/NIPS Recovery in Memory What types of roll-backs will make the most sense practically? OS versus Applications 01/04/2007 ecs236 winter 2007 118 Tricky virus 01/04/2007 MSword.exe FS MSword.exe FS ecs236 winter 2007 119 IPC virus SQL.exe MSword.exe 01/04/2007 FS ecs236 winter 2007 120 Two definitions of Virus A virus is a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself. – Fred Cohen, early 80’s. A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself. – Peter Szor, recently. 01/04/2007 ecs236 winter 2007 121