asplos06temporal.odp
Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines
Presented by Steve Rizor
Jedidiah R. Crandall, Gary Wassermann, Daniela A. S. de Oliveira, Zhendong Su, S. Felix Wu, and Frederic T. Chong
University of California at {Davis, Santa Barbara}
1
You as an antivirus professional
catch a new worm…
Unpack it
Polymorphism/ metamorphism?
Anti-debugger tricks?
Any behaviors predicated on time?
How it gets the time?
UTC/Local?
Conversions between formats?
Where it uses the time?
2
With Temporal Search…
Infect a VM
Automated, behavior-based
Temporal Search
Respond
3
How to respond?
Sober.X – 6 and 7 January 2006
URLs blocked
Kama Sutra – 3rd of the month
Users removed infections
Code Red – 20th of the month
White House IP address changed
What if we have just hours or even minutes, not days?
4
Behavior-based Analysis
[Cohen, 1984] defined behavior-based detection as a question of “defining what is and is not a legitimate use of a service, and finding a means of detecting the difference.”
Behavior-based analysis is similar
Assume the system is infected with malware
Analyze its use of a service such as the PIT
5
Overview of Temporal Search
Timer
Discovery
VM
Symbolic
Execution
Weakest
Precondition
6
Contributions
Propose a framework for a problem space nobody has looked at
Implement parts of Temporal Search
Identify the remaining challenges
7
Definitions
Absolute time vs. relative time
Absolute
11:30am on 23 October 2006
Second Tuesday of the month
Relative
30 minutes after infection
Every 30 seconds
Perceived time vs. real time
8
Outline
How systems keep track of time
Timer discovery via temporal perturbation
How symbolic execution works
Analysis of six real worms
Weakest precondition analysis
Adversarial analysis
9
Outline (next section: How systems keep track of time)
10
Time Hardware
PIT (Programmable Interval Timer) running at 1.193182 MHz
Programmable interrupt
RAM refresh
PC speaker tone
Others
CMOS real time clock
Local APIC timers
ACPI timers
Pentium CPU’s Time Stamp Counter
High Precision Event Timer
…
11
OS Timekeeping
OS sets PIT at some frequency (e.g. 100 Hz, 1000 Hz)
Counts interrupts from some epoch (e.g. Windows SystemTime counts 100 ns intervals, “hectonanoseconds”, since 1 January 1601)
Shouldn’t make assumptions about the integrity of the OS kernel
12
Outline (next section: Timer discovery via temporal perturbation)
13
Why not just speed up the clock?
Dramatic time perturbation would be easy to detect
Also not easy to do for a busy system (effectively lowers performance)
May miss some behaviors
Kama Sutra
Will not be able to explain behaviors it does elicit
14
Types of Noise (look like timers)
Performance-based phase behavior
Memory updates independent of time
Memory updates that don’t define a series
Delayed interrupt handling, NTP, etc.
15
Finding Timers: Basic Idea
Run the PIT at different rates of perceived time
System performance stays the same
Correlate between PIT and memory writes
Symbolic execution to discover a series
e.g. Linux “jiffies” or “xtime.tv_usec”
Predicate inversion to discover dependent timers or behaviors
e.g. Linux “xtime.tv_sec”
16
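A simulation of the correlation step on this slide, added here as an example; it is not the authors' Bochs-based implementation. The guest model is constructed: the VM delivers `pit_rate_hz` perceived ticks per real second while the CPU work the guest gets per real second stays fixed, and every memory write is logged per address. `find_timers` keeps only the addresses whose write count scales with the perceived-time ratio between two runs and whose written values form a series, which filters out two of the noise classes from slide 15 (performance-bound writes, and tick-correlated writes that define no series). The address names are Linux's, the write patterns and the tolerances are assumptions.

```python
import random
from collections import Counter, defaultdict


def simulate_guest(pit_rate_hz, real_seconds, seed=1):
    """Constructed guest: `pit_rate_hz` PIT interrupts per real second, fixed CPU work per real second."""
    rng = random.Random(seed)
    writes = defaultdict(list)              # address label -> sequence of written values
    jiffies = usec = sec = work = 0
    for _ in range(pit_rate_hz * real_seconds):
        jiffies += 1                        # tick counter: +1 per PIT interrupt
        writes["jiffies"].append(jiffies)
        usec = (usec + 10_000) % 1_000_000  # the guest believes every tick is 10 ms
        writes["xtime.tv_usec"].append(usec)
        if usec == 0:                       # dependent timer: written once per perceived second
            sec += 1
            writes["xtime.tv_sec"].append(sec)
        writes["irq_scratch"].append(rng.randrange(1 << 16))  # tick-correlated, but no series
    for _ in range(50 * real_seconds):      # performance-bound work: independent of the PIT
        work += 1
        writes["work_counter"].append(work)
    return writes


def is_series(values, min_fraction=0.95):
    """A timer's successive values advance by one constant stride; the only
    exceptions allowed are negative jumps where a counter wraps (tv_usec)."""
    if len(values) < 3:
        return False
    diffs = [b - a for a, b in zip(values, values[1:])]
    stride, hits = Counter(diffs).most_common(1)[0]
    if stride <= 0 or hits < min_fraction * len(diffs):
        return False
    return all(d == stride or d < 0 for d in diffs)


def find_timers(slow, fast, rate_ratio, tol=0.15):
    """Addresses whose write rate tracks perceived time (scales by rate_ratio
    between the two runs of equal real duration) and whose values form a series."""
    timers = []
    for addr, slow_vals in slow.items():
        fast_vals = fast.get(addr, [])
        observed = len(fast_vals) / len(slow_vals)
        if abs(observed - rate_ratio) > tol * rate_ratio:
            continue                        # noise: phase behaviour, writes independent of time
        if not is_series(fast_vals):
            continue                        # noise: correlated writes that define no series
        timers.append(addr)
    return sorted(timers)


if __name__ == "__main__":
    slow = simulate_guest(100, 10)          # perceived time at 100 Hz
    fast = simulate_guest(300, 10)          # perceived time 3x faster, same real duration
    print(find_timers(slow, fast, rate_ratio=3.0))
```

The rate test alone would keep `irq_scratch`, and the series test alone would keep `work_counter`; only the combination isolates the three timekeeping locations, which is why the slide pairs perturbation with series discovery.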
Linux
[Plot: # Predicates Checked per Second (0 to 700) vs. Real Time (seconds, 0 to 480) for Linux jiffies, Linux xtime.usec, and Linux xtime.sec]
17
Windows
[Plot: # Predicates Checked per Second (0 to 700) vs. Real Time (seconds, 0 to 480) for Windows TickCount and Windows SystemTime]
18
Outline (next section: How symbolic execution works)
19
DACODA (DAvis malCODe Analyzer)
Crandall, Su, Wu, and Chong. On Deriving Unknown Vulnerabilities from Zero-day Polymorphic and Metamorphic Worm Exploits. CCS 2005
20
mov al,[AddressWithLabel1832]
; AL.expr <= (Label 1832)
add al,4
; AL.expr <= (ADD AL.Expr 4)
; /* AL.expr == (ADD (LABEL 1832) 4) */
cmp al,10
; ZFLAG.left <= AL.expr
; /* ZFLAG.left == (ADD (Label 1832) 4) */
; ZFLAG.right <= 10
je JumpTargetIfEqualToTen
; P <= new Predicate(EQUAL ZFLAG.Left ZFLAG.Right)
; /* P == (EQUAL (ADD (Label 1832) 4) 10) */
; AddToSetOfKnownPredicates(P)
21
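A toy re-creation of the labelling shown on this slide, added as an example; it is not DACODA's code. The label id 1832 is the slide's; the memory address 0x1000 and the concrete byte stored there are assumptions, as are the instruction encoding (registers as strings, immediates as ints, memory operands as `("mem", addr)` tuples) and the 8-bit arithmetic for AL. Expressions use the slide's notation as nested tuples, so the run yields exactly the predicate in the last comment, and `invert` performs the predicate inversion named on slide 16: it recovers the label value (6) that takes the branch.

```python
def is_symbolic(e):
    return isinstance(e, tuple)


def combine(op, a, b):
    """ADD/SUB on 8-bit values: fold when both operands are concrete,
    otherwise build the expression that stays attached to the register."""
    if not is_symbolic(a) and not is_symbolic(b):
        return (a + b) & 0xFF if op == "ADD" else (a - b) & 0xFF
    return (op, a, b)


class SymbolicCPU:
    def __init__(self, memory, labels):
        self.memory = memory        # addr -> concrete byte present in the guest
        self.labels = labels        # addr -> label id for bytes tainted by the timer/input
        self.regs = {}
        self.cmp_operands = None    # (left, right) recorded by the last cmp
        self.predicates = []        # branch conditions that depend on a label

    def load(self, operand):
        if isinstance(operand, int):                 # immediate
            return operand
        if isinstance(operand, str):                 # register name
            return self.regs[operand]
        _, addr = operand                            # ("mem", addr)
        return ("LABEL", self.labels[addr]) if addr in self.labels else self.memory[addr]

    def step(self, insn):
        op, *args = insn
        if op == "mov":
            self.regs[args[0]] = self.load(args[1])
        elif op in ("add", "sub"):
            self.regs[args[0]] = combine(op.upper(), self.regs[args[0]], self.load(args[1]))
        elif op == "cmp":
            self.cmp_operands = (self.load(args[0]), self.load(args[1]))
        elif op in ("je", "jne"):
            left, right = self.cmp_operands
            if is_symbolic(left) or is_symbolic(right):   # concrete compares record nothing
                pred = ("EQUAL", left, right)
                self.predicates.append(pred if op == "je" else ("NOT", pred))
        else:
            raise NotImplementedError(op)


def run(program, memory, labels):
    cpu = SymbolicCPU(memory, labels)
    for insn in program:
        cpu.step(insn)
    return cpu.predicates


def invert(pred):
    """Predicate inversion for EQUAL over a chain of ADD/SUB with constant
    right operands on one label: the label value that makes the branch taken."""
    _, left, right = pred
    if is_symbolic(right):
        left, right = right, left
    while left[0] != "LABEL":
        op, inner, const = left
        right = (right - const) & 0xFF if op == "ADD" else (right + const) & 0xFF
        left = inner
    return {left[1]: right}


# The slide's sequence. Address 0x1000 and its byte 0x2A are assumptions.
PROGRAM = [
    ("mov", "al", ("mem", 0x1000)),     # AL.expr <= (LABEL 1832)
    ("add", "al", 4),                   # AL.expr <= (ADD AL.expr 4)
    ("cmp", "al", 10),                  # ZFLAG.left <= AL.expr, ZFLAG.right <= 10
    ("je", "JumpTargetIfEqualToTen"),   # P <= (EQUAL ZFLAG.left ZFLAG.right)
]

if __name__ == "__main__":
    preds = run(PROGRAM, memory={0x1000: 0x2A}, labels={0x1000: 1832})
    print(preds[0])          # ('EQUAL', ('ADD', ('LABEL', 1832), 4), 10)
    print(invert(preds[0]))  # {1832: 6}
```

With the label removed (the byte was never derived from the timer) the same program folds to a concrete compare and records no predicate, which is the distinction the analysis relies on to separate time-dependent branches from the rest of the trace.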
Outline (next section: Analysis of six real worms)
22
Setup
Bochs VM w/ DACODA and Timer Discovery: Windows XP @ 192.168.33.2
Host @ 192.168.33.1 w/ DNS, NTP, HTTP, TIME, etc.
tuntap interface between VM and host
ARP cache poisoning, DNS spoofing, etc.
Temporal Search vs. Manual Analysis
Symbolic Execution (DACODA)
Code Red, Blaster.E, MyParty.A, Klez.A
Discovers predicates on day, hour, minute, etc. on a real time trace
Need more control-flow sensitivity for month and year
Sober.X and Kama Sutra
Visual Basic – need more control-flow sensitivity…
“#10/21/2006#”
Manual Analysis…
24
Temporal Search is Needed
Many different library calls, APIs for date and time
GetSystemTime(), GetLocalTime(), GetTimeZoneInformation(), DiffDate(),
GetDateFormat(), etc.
System call not really necessary
Conversions back and forth between various representations (e.g. MyParty.A, Blaster.E)
UTC vs. Local
1601 vs. 1900 vs. 1970 epochs
32- vs 64-bit
integers for day, month, year, etc.
strings
Not always done with standard library functions
Have to unpack it first, anti-debugging tricks
All of this is simply dataflow from the SystemTime timer
25
We Also Learned…
Some interesting times are relative
Need to track TickCount
Behavior-based analysis is all about the environment
Code Red and TCP RSTs
26
Outline (next section: Weakest precondition analysis)
27
Filling in the Timetable
SystemTime | Predicate | Behavior
126,396,288e12 (13 July 2001) | ? >= 20 | Spread
time →
28
Filling in the Timetable
SystemTime | Predicate | Behavior
126,396,288e12 (13 July 2001) | ? >= 20 | Spread
126,402,336e12 (20 July 2001) | ? >= 28 | DoS White House
time →
29
Filling in the Timetable
SystemTime | Predicate | Behavior
126,396,288e12 (13 July 2001) | ? >= 20 | Spread
126,402,336e12 (20 July 2001) | ? >= 28 | DoS White House
126,409,248e12 (28 July 2001) | None | Go to sleep
time →
30
Weakest Precondition
Done on a trace, not code with loops
Presburger arithmetic
+ and - … no * or /
Logical inference rules for mod and divide
operations
31
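As an added example, and not the paper's Presburger-arithmetic procedure, the following fills in the timetable of slides 28 to 30 directly: the trace's predicates are thresholds on the day-of-month the worm derives from SystemTime, and the SystemTime to day-of-month conversion is inverted with calendar arithmetic. `weakest_precondition` returns, for a given SystemTime, the largest interval on which every predicate keeps the truth value the trace saw, so the behavior observed at that time holds on the whole interval. The Code Red schedule is the slides'; the function names, the `thresholds` parameter and the FILETIME helpers are mine. Values are exact FILETIME units (100 ns since 1 January 1601) and therefore differ slightly from the rounded figures on the slides. Walking the interval bounds forward reproduces the month-to-month repetition behind slide 32's point that the behavior is not a linear timetable, and thresholds a short month cannot reach are one of the Gregorian-calendar cases the analysis has to handle.

```python
import calendar
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows SystemTime/FILETIME epoch
HNS_PER_SECOND = 10_000_000                                  # 100 ns units per second


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * HNS_PER_SECOND + delta.microseconds * 10


def code_red_behavior(day):
    """Schedule exposed by the trace (slides 28-30): predicates on the day-of-month."""
    if day >= 28:
        return "sleep"
    if day >= 20:
        return "DoS White House"
    return "spread"


def next_month(month_start):
    return (month_start.replace(day=28) + timedelta(days=4)).replace(day=1)


def weakest_precondition(ft, thresholds=(20, 28)):
    """Largest SystemTime interval [lo, hi) containing ft on which every
    predicate `day >= b` keeps the truth value it had at ft. Inverting the
    SystemTime -> day-of-month conversion is where the calendar enters:
    month lengths vary, so a threshold may not exist in a given month."""
    dt = filetime_to_datetime(ft)
    month_start = dt.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    days_in_month = calendar.monthrange(dt.year, dt.month)[1]
    lo, hi = month_start, next_month(month_start)
    for b in sorted(thresholds):
        if b > days_in_month:          # e.g. `day >= 30` never holds in February
            continue
        boundary = month_start.replace(day=b)
        if dt.day >= b:
            lo = boundary              # latest threshold already crossed
        else:
            hi = boundary              # earliest threshold still ahead
            break
    return datetime_to_filetime(lo), datetime_to_filetime(hi)


def timetable(ft, steps):
    """Fill in the timetable from an infection time: the behavior can only
    change at the upper bound of each weakest-precondition interval."""
    rows = []
    for _ in range(steps):
        dt = filetime_to_datetime(ft)
        rows.append((dt.date().isoformat(), code_red_behavior(dt.day)))
        _, ft = weakest_precondition(ft)
    return rows


if __name__ == "__main__":
    infected = datetime_to_filetime(utc(2001, 7, 13))
    print(infected)                      # 126394560000000000
    for row in timetable(infected, 5):   # fourth row is 1 August: the cycle restarts
        print(*row)
```

The interval bounds are the only places a new behavior can appear, so an analyst with hours rather than days can advance the VM's perceived time straight to each `hi` instead of waiting for it.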
Weakest Precondition Analysis
Identified capabilities and limitations
Demonstrated how to handle intricacies of the Gregorian calendar
Malware time-dependent behavior is not a timetable
Finite state transition systems?
32
Outline (next section: Adversarial analysis)
33
Adversarial Analysis
For any technique, being applicable to every possible virus or worm is not a requirement
Challenges
What is and is not a malicious use of the PIT?
Cryptocounters, covert channels, etc.
VM detection
King et al. Subvirt… at IEEE S&P 2006
Pioneer project and related work at CMU
All analysis can be done on a trace
Oliveira et al. ASID 2006
34
Conclusions
Manual analysis is tricky and time-consuming
Temporal Search can dramatically improve response time
Behavior-based analysis is all about the environment
Malware does not follow a linear timetable
Gregorian calendar poses its own challenges
35
Why Behavior-Based Analysis?
“An ant, viewed as a behaving system, is quite simple. The apparent complexity of its behavior over time is largely a reflection of the complexity of the environment in which it finds itself.” –Herbert Simon
36