DACODA and Temporal Search slides
DACODA [Crandall et al.; CCS 2005]
DAvis malCODe Analyzer
Discover invariants in the exploit vector (ε)
Symbolic execution on the system trace during attacks that Minos catches
Used for an empirical analysis of polymorphism and metamorphism
Quantify and understand the limits
1
Worm Polymorphism and Metamorphism
Viruses: Defender has time to pick apart the attacker’s techniques
e.g. algorithmic scanners, emulation
Worms: Attacker has time to pick apart the deployed network defense techniques
What can defenders do to evaluate the robustness of defenses against attacks that don’t exist yet?
2
Measuring Poly/metamorphism [Ma et al.; IMC 2006]
Found relatively little polymorphism “in the wild”
Worm defense designers don’t have samples of the poly/metamorphic techniques attackers will use on their defenses
(Have to build the defense first)
3
How DACODA Works
“Information only has meaning in that it is subject to interpretation.” [Cohen, 1984]
Gives each byte of network data a unique label
Tracks these through the entire system
Discovers predicates about how the host under attack interprets the network bytes
4
mov al,[AddressWithLabel1832]
; AL.expr <= (Label 1832)
add al,4
; AL.expr <= (ADD AL.Expr 4)
; /* AL.expr == (ADD (LABEL 1832) 4) */
cmp al,10
; ZFLAG.left <= AL.expr
; /* ZFLAG.left == (ADD (Label 1832) 4) */
; ZFLAG.right <= 10
je JumpTargetIfEqualToTen
; P <= new Predicate(EQUAL ZFLAG.Left ZFLAG.Right)
; /* P == (EQUAL (ADD (Label 1832) 4) 10) */
; AddToSetOfKnownPredicates(P)
5
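The label tracking traced on slide 5, as an added example in Python (not DACODA's own code, which runs inside a full-system emulator): every network byte is given its offset as a unique label, register contents become expression trees over those labels, and a conditional branch whose flag operands derive from a label is recorded as a predicate. The instruction encoding, the 0x1000 load address and the 2048-byte stand-in for the exploit vector are assumptions; the inversion in required_byte shows how such a predicate becomes an invariant on one byte of the exploit vector.

```python
# Added example, not DACODA's own code: a toy model of the label tracking on slide 5.
# Labels are byte offsets; expressions are nested tuples such as ("ADD", ("LABEL", 1832), 4).

def label_input(data, base_addr):
    """Map the memory addresses holding the received bytes to their unique labels."""
    return {base_addr + i: ("LABEL", i) for i in range(len(data))}

class SymbolicCPU:
    """Tiny x86-like machine; operands are register names, ints, or ("mem", address)."""
    def __init__(self, mem):
        self.mem, self.regs, self.flags, self.predicates = mem, {}, {}, []
    def value(self, opnd):
        if isinstance(opnd, int):
            return opnd                               # immediate: concrete
        if isinstance(opnd, tuple):
            return self.mem.get(opnd[1], 0)           # ("mem", addr): labelled byte or 0
        return self.regs.get(opnd, 0)                 # register contents
    def mov(self, dst, src):
        self.regs[dst] = self.value(src)
    def add(self, dst, src):
        a, b = self.regs.get(dst, 0), self.value(src)
        # fold when both sides are concrete; anything label-derived stays a tree
        self.regs[dst] = a + b if isinstance(a, int) and isinstance(b, int) else ("ADD", a, b)
    def cmp(self, left, right):
        self.flags["left"], self.flags["right"] = self.value(left), self.value(right)
    def je(self, _target):
        l, r = self.flags["left"], self.flags["right"]
        if isinstance(l, tuple) or isinstance(r, tuple):  # branch depends on the input
            self.predicates.append(("EQUAL", l, r))

def run(program, mem):
    cpu = SymbolicCPU(mem)
    for op, *args in program:
        getattr(cpu, op)(*args)
    return cpu.predicates

def pretty(e):  # renders (EQUAL (ADD (LABEL 1832) 4) 10) exactly as the slide's comments do
    return "(%s)" % " ".join(map(pretty, e)) if isinstance(e, tuple) else str(e)

def required_byte(pred):
    """Invert (EQUAL (ADD (LABEL n) k) c) into the byte value the host requires at offset n."""
    _, expr, const = pred
    while isinstance(expr, tuple) and expr[0] == "ADD":
        _, expr, k = expr
        const -= k
    return expr[1], const & 0xFF

MEM = label_input(bytes(2048), 0x1000)          # constructed 2048-byte stand-in for the exploit vector
PROGRAM = [("mov", "al", ("mem", 0x1000 + 1832)), ("add", "al", 4), ("cmp", "al", 10),
           ("je", "JumpTargetIfEqualToTen"),      # input-derived compare: predicate recorded
           ("mov", "bl", 7), ("cmp", "bl", 7), ("je", "Skip")]   # concrete compare: nothing
PREDICATES = run(PROGRAM, MEM)
```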
Actual Worms/Attacks Caught by Minos and Analyzed by DACODA
Name                OS      Port      Class
Sasser              WinXP   445TCP    Buff.Over.
Blaster             WinXP   135TCP    Buff.Over.
Workstation Serv.   WinXP   445TCP    Buff.Over.
RPCSS               WinXP   135TCP    Buff.Over.
Slammer             Whist.  1434UDP   Buff.Over.
Code Red II         Whist.  80TCP     Buff.Over.
Zotob               Win2K   445TCP    Buff.Over.
6
Other Attacks Caught by Minos and Analyzed by DACODA
Name        OS      Port           Class
SQL Auth.   Whist.  1434TCP        Buff.Over.
rpc.statd   Linux   111 & 918TCP   Form.Str.
innd        Linux   119TCP         Buff.Over.
Scalper     OBSD    80TCP          Int.Over.
ntpd        FBSD    123TCP         Buff.Over.
Turkey      FBSD    21TCP          OffByOne
7
Single Contiguous Byte Strings
Name       Longest String
Sasser     36
Blaster    92
Work.      23
RPCSS      18
Slammer    1
CRII       17
Zotob      36

Name       Longest String
SQLAuth    4
rpc.statd  16
innd       27
Scalper    32
ntpd       8
Turkey     21
8
Single Contiguous Signatures
Autograph [Kim and Karp; USENIX Security 2004] and EarlyBird [Singh et al.; OSDI 2004] both demonstrated good results at about 40 bytes for the signature length
[Newsome et al.; IEEE S&P 2005] came to the same conclusion as we did and proposed sets of smaller byte strings called tokens
9
Tokens
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
10
Where do These Tokens Come From?
Scalper: “Transfer-Encoding: chunked”
Same applies to most of these vulnerabilities
“The Horns of a Dilemma”
Use protocol framing as a signature
Be very precise
11
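Slides 8 to 11 contrast one long contiguous byte string with a set of short tokens drawn from protocol framing. The added example below (not code from the slides, nor from Autograph, EarlyBird or Polygraph) takes a DACODA-style invariant set, offset to required byte, and derives both kinds of signature from it. The request is constructed to resemble the Code Red II request on slide 10, and the choice of which bytes count as host-interpreted (the URI prefix, each %u escape introducer and the trailing framing) is an assumption made for illustration, not DACODA's actual output.

```python
# Added example: from byte invariants to single-string and token signatures (slides 8-11).
# The request and the set of host-interpreted bytes are constructed, modelled on slide 10.

def build_vector(pad_len, digits="9090"):
    """Constructed request: the framing is fixed, the padding length and %u digits vary."""
    body = b"%u" + digits.encode() + b"%u6858%ucbd3%u7801%u00=a HTTP/1.0\r\n"
    return b"GET /default.ida?" + b"X" * pad_len + body

def invariants_of(vec):
    """Constructed stand-in for DACODA output: offset -> byte for bytes the host interprets."""
    inv = {i: vec[i] for i in range(17)}                       # "GET /default.ida?" (17 bytes)
    tail = vec.index(b"=a HTTP/1.0")
    inv.update({i: vec[i] for i in range(tail, len(vec))})    # trailing protocol framing
    pos = vec.find(b"%u")
    while pos != -1:                                           # each %u escape introducer
        inv[pos], inv[pos + 1] = vec[pos], vec[pos + 1]
        pos = vec.find(b"%u", pos + 2)
    return inv

def runs(inv):
    """Maximal contiguous invariant byte strings, in order of appearance."""
    out, cur, prev = [], b"", None
    for off in sorted(inv):
        if prev is not None and off != prev + 1:
            out.append(cur)
            cur = b""
        cur += bytes([inv[off]])
        prev = off
    return out + [cur] if cur else out

def longest_contiguous(inv):
    """The single contiguous byte string an Autograph/EarlyBird-style signature must use."""
    return max(runs(inv), key=len)

def tokens(inv, min_len=2):
    """Polygraph-style token signature: the invariant runs of at least min_len bytes, in order."""
    return [r for r in runs(inv) if len(r) >= min_len]

def matches_tokens(payload, toks):
    """Fire only if every token appears in the payload in the given order."""
    pos = 0
    for t in toks:
        pos = payload.find(t, pos)
        if pos == -1:
            return False
        pos += len(t)
    return True

INV = invariants_of(build_vector(pad_len=220))
LONGEST = longest_contiguous(INV)                 # 17 bytes: far below the ~40 of slide 9
TOKENS = tokens(INV)
```

A variant with different padding and different %u digits still matches the token set, while no invariant run comes anywhere near a 40-byte contiguous signature.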
Conclusions from DACODA
Whole system analysis is important
New focus on more semantic signatures
How to understand the semantics of the vulnerability?
We can learn a lot about emerging malware threats by studying existing malware samples and their interactions with the systems they run on
12
Temporal Search [Crandall et al.; ASPLOS 2006]
Automated discovery of timebomb attacks
Analysis in the π stage
Prototype of behavior-based analysis
Proposed a framework for a problem space nobody has looked at before
Implemented parts of it
Identified the remaining challenges by testing real worms with timebombs on our prototype
13
You as an antivirus professional catch a new worm…
Unpack it
Polymorphism/metamorphism?
Anti-debugger tricks?
Any behaviors predicated on time?
How it gets the time?
UTC/Local?
Conversions between formats?
14
With Temporal Search…
Infect a VM
Automated, behavior-based Temporal Search
Respond
15
How to respond?
Sober.X – 6 and 7 January 2006: URLs
Kama Sutra – 3rd of the month: Users blocked, removed infections
Code Red – 20th of the month: White House IP address changed
What if we have just hours or even minutes, not days?
16
Behavior-based Analysis
[Cohen, 1984] defined behavior-based detection as a question of “defining what is and is not a legitimate use of a service, and finding a means of detecting the difference.”
Behavior-based analysis is similar
Assume the system is infected with malware
Analyze its use of a service such as the PIT (programmable interval timer)
17
Why not just speed up the clock?
Dramatic time perturbation would be easy to detect
Also not easy to do for a busy system (effectively lowers perceived performance)
May miss some behaviors (Kama Sutra)
Will not be able to explain behaviors it does elicit
18
Basic Idea
Find timers
Run the PIT at different rates of perceived time
System performance stays the same
Correlate between PIT and memory writes
Symbolic execution, e.g. with DACODA
Weakest precondition calculation
19
Filling in the Timetable
SystemTime                     Predicate   Behavior
126,396,288e12 (13 July 2001)  ? >= 20     Spread
20
Filling in the Timetable
SystemTime                     Predicate   Behavior
126,396,288e12 (13 July 2001)  ? >= 20     Spread
126,402,336e12 (20 July 2001)  ? >= 28     DoS White House
21
Filling in the Timetable
SystemTime                     Predicate   Behavior
126,396,288e12 (13 July 2001)  ? >= 20     Spread
126,402,336e12 (20 July 2001)  ? >= 28     DoS White House
126,409,248e12 (28 July 2001)  None        Go to sleep
22
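The timetable-filling loop of slides 20 to 22, as an added example in Python (not the Temporal Search prototype, which does this with a PIT-driven emulator and DACODA). The sample under analysis is a constructed stand-in whose day-of-month thresholds follow the Code Red schedule shown on the slides; its comparisons on the day are logged to play the role of the predicates DACODA would discover, and the SystemTime column is computed from the 1601 epoch of a Windows FILETIME rather than copied from the slides.

```python
# Added example, not the Temporal Search prototype's code: a model of slides 20-22. The sample
# is a constructed stand-in that keys its behaviour on the day of the month; the search runs it
# once, records the predicate it checked on the day, then moves the clock to the first day on
# which that predicate flips, and stops when a run checks nothing new.
from datetime import datetime, timedelta

def filetime(dt):
    """Windows SystemTime as a FILETIME: 100 ns ticks since 1 January 1601 (UTC)."""
    return (dt - datetime(1601, 1, 1)) // timedelta(microseconds=1) * 10

class TracedDay:
    """Day-of-month whose comparisons are logged, standing in for DACODA's predicates."""
    def __init__(self, day, log):
        self.day, self.log = day, log
    def __ge__(self, k):
        self.log.append(k)             # the sample asked "? >= k"
        return self.day >= k

def sample_behaviour(day):
    """Constructed stand-in for the analysed code's timer logic (not real malware)."""
    if not (day >= 20):
        return "Spread"
    if not (day >= 28):
        return "DoS White House"
    return "Go to sleep"

def days_in_month(t):
    return ((t.replace(day=28) + timedelta(days=4)).replace(day=1) - timedelta(days=1)).day

def temporal_search(behaviour, start, max_steps=12):
    """Fill in the timetable as rows of (SystemTime, date, predicate, behaviour)."""
    rows, seen, t = [], set(), start
    for _ in range(max_steps):
        log = []
        what = behaviour(TracedDay(t.day, log))
        new = [k for k in log if k not in seen]
        seen.update(new)
        rows.append((filetime(t), t.date().isoformat(),
                     "? >= %d" % new[0] if new else "None", what))
        # advance to the nearest later day this month on which a new predicate flips
        future = [k for k in new if t.day < k <= days_in_month(t)]
        if not future:
            break
        t = t.replace(day=min(future))
    return rows

TIMETABLE = temporal_search(sample_behaviour, datetime(2001, 7, 13))
```

Starting on 13 July the loop produces the three rows of slide 22 in three runs instead of waiting a real week between behaviours.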
[Chart: Windows, # Predicates Checked per Second (y-axis, 0 to 700) vs. Real Time (seconds) (x-axis, 0 to 480); two series: Windows TickCount and Windows SystemTime]
23
Manual Analysis
Many different library calls, APIs for date and time: GetSystemTime(), GetLocalTime(), GetTimeZoneInformation(), DiffDate(), GetDateFormat(), etc.
System call not really necessary
Conversions back and forth between various representations (e.g. MyParty.A, Blaster.E): UTC vs. Local; 1600 vs. 1900 vs. 1970; 32- vs 64-bit; integers for day, month, year, etc.; strings
Not always done with standard library functions
Have to unpack it first, anti-debugging tricks
All of this is simply dataflow from SystemTime timer
24
Setup
[Diagram] Bochs VM running Windows XP @ 192.168.33.2, w/ DACODA and Timer Discovery
Host @ 192.168.33.1, w/ DNS, NTP, HTTP, TIME, etc.
tuntap interface between the VM and the host
ARP cache poisoning, DNS spoofing, etc.
25
Temporal Search
Symbolic Execution (DACODA): Code Red, Blaster.E, MyParty.A, Klez.A
Discovers predicates on day, hour, minute, etc. on a real time trace
Control-flow sensitivity within loops: Code Red, Blaster.E, MyParty.A, Klez.A, Sober.X, Kama Sutra
Month and year
26
Adversarial Analysis
For any technique, being applicable to every possible virus or worm is not a requirement
AV companies collect intelligence
More details in the paper on this
27
Conclusions from Temporal Search
Manual analysis is tricky and time-consuming
Temporal Search can dramatically improve response time
Behavior-based analysis is all about the environment
Malware does not follow a linear timetable
Gregorian calendar poses its own challenges
28
Why Behavior-Based Analysis?
“An ant, viewed as a behaving system, is quite simple. The apparent complexity of its behavior over time is largely a reflection of the complexity of the environment in which it finds itself.” –Herbert Simon
29