DACODA and Temporal Search slides


DACODA [Crandall et al.; CCS 2005]
- DAvis malCODe Analyzer
- Discover invariants in the exploit vector (ε)
  - Symbolic execution on the system trace during attacks that Minos catches
- Used for an empirical analysis of polymorphism and metamorphism
  - Quantify and understand the limits
Worm Polymorphism and Metamorphism
- Viruses: Defender has time to pick apart the attacker’s techniques
  - e.g. algorithmic scanners, emulation
- Worms: Attacker has time to pick apart the deployed network defense techniques
  - What can defenders do to evaluate the robustness of defenses against attacks that don’t exist yet?
Measuring Poly/metamorphism
- [Ma et al.; IMC 2006]
  - Found relatively little polymorphism “in the wild”
- Worm defense designers don’t have samples of the poly/metamorphic techniques attackers will use on their defenses
  - (Have to build the defense first)
How DACODA Works
“Information only has meaning in that it is subject to interpretation.” [Cohen, 1984]
- Gives each byte of network data a unique label
- Tracks these through the entire system
- Discovers predicates about how the host under attack interprets the network bytes
    mov al,[AddressWithLabel1832]   ; AL.expr <= (Label 1832)
    add al,4                        ; AL.expr <= (ADD AL.expr 4)
                                    ; /* AL.expr == (ADD (LABEL 1832) 4) */
    cmp al,10                       ; ZFLAG.left <= AL.expr
                                    ; /* ZFLAG.left == (ADD (Label 1832) 4) */
                                    ; ZFLAG.right <= 10
    je  JumpTargetIfEqualToTen      ; P <= new Predicate(EQUAL ZFLAG.Left ZFLAG.Right)
                                    ; /* P == (EQUAL (ADD (Label 1832) 4) 10) */
                                    ; AddToSetOfKnownPredicates(P)
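A toy model of the label propagation shown on the slide above, added here as an example; it is not code from the DACODA paper or its authors. The address 0x1000, the method names, the extra unlabelled byte at 0x1001 and the tiny solver are constructed for illustration; it shows why only a branch on labelled data produces a predicate, and how such a predicate yields an invariant on one byte of the exploit vector.

```python
# Symbolic values are nested tuples such as ("ADD", ("LABEL", 1832), 4);
# concrete, unlabelled values are plain ints.
def is_symbolic(v):
    return isinstance(v, tuple)

def render(expr):
    """Print an expression in the S-expression form the slide uses."""
    if not is_symbolic(expr):
        return str(expr)
    return "(" + " ".join(render(e) for e in expr) + ")"

class SymbolicCPU:
    """Toy tracker of DACODA-style labels through AL, the zero flag and conditional jumps."""
    def __init__(self, memory):
        self.memory = memory      # address -> int or ("LABEL", n); n is the network byte's offset
        self.al = 0
        self.zflag = (0, 0)       # (left, right) operands of the last cmp
        self.predicates = []      # known predicates, in discovery order
    def mov_al_mem(self, addr):   # mov al,[addr]  ; AL.expr <= label stored at addr
        self.al = self.memory[addr]
    def add_al(self, imm):        # add al,imm     ; AL.expr <= (ADD AL.expr imm)
        self.al = ("ADD", self.al, imm) if is_symbolic(self.al) else (self.al + imm) & 0xFF
    def cmp_al(self, imm):        # cmp al,imm     ; ZFLAG.left <= AL.expr, ZFLAG.right <= imm
        self.zflag = (self.al, imm)
    def je(self):                 # je             ; a branch on a labelled flag yields a predicate
        left, right = self.zflag
        if not (is_symbolic(left) or is_symbolic(right)):
            return None           # concrete compare: control flow did not depend on network data
        pred = ("EQUAL", left, right)
        if pred not in self.predicates:
            self.predicates.append(pred)
        return pred

def solve_equal(pred):
    """(EQUAL (ADD (LABEL n) k) c) means byte n must equal (c - k) mod 256: the
    exploit-vector invariant a signature could key on."""
    _, left, right = pred
    label, k = (left[1][1], left[2]) if left[0] == "ADD" else (left[1], 0)
    return {label: (right - k) % 256}

def run_slide_example():
    """The slide's four instructions with byte 1832 at address 0x1000 (constructed),
    then the same code path over an unlabelled byte at 0x1001, which yields nothing."""
    cpu = SymbolicCPU({0x1000: ("LABEL", 1832), 0x1001: 7})
    for addr in (0x1000, 0x1001):
        cpu.mov_al_mem(addr)
        cpu.add_al(4)
        cpu.cmp_al(10)
        cpu.je()
    return cpu.predicates
```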
Actual Worms/Attacks Caught by Minos and Analyzed by DACODA

    Name               OS      Port     Class
    Sasser             WinXP   445TCP   Buff.Over.
    Blaster            WinXP   135TCP   Buff.Over.
    Workstation Serv.  WinXP   445TCP   Buff.Over.
    RPCSS              WinXP   135TCP   Buff.Over.
    Slammer            Whist.  1434UDP  Buff.Over.
    Code Red II        Whist.  80TCP    Buff.Over.
    Zotob              Win2K   445TCP   Buff.Over.
Other Attacks Caught by Minos and Analyzed by DACODA

    Name       OS      Port          Class
    SQL Auth.  Whist.  1434TCP       Buff.Over.
    rpc.statd  Linux   111 & 918TCP  Form.Str.
    innd       Linux   119TCP        Buff.Over.
    Scalper    OBSD    80TCP         Int.Over.
    ntpd       FBSD    123TCP        Buff.Over.
    Turkey     FBSD    21TCP         OffByOne
Single Contiguous Byte Strings

    Name       Longest String      Name       Longest String
    Sasser     36                  SQLAuth    4
    Blaster    92                  rpc.statd  16
    Work.      23                  innd       27
    RPCSS      18                  Scalper    32
    Slammer    1                   ntpd       8
    CRII       17                  Turkey     21
    Zotob      36
Single Contiguous Signatures
- Autograph [Kim and Karp; USENIX Security 2004] and EarlyBird [Singh et al.; OSDI 2004] both demonstrated good results at about 40 bytes for the signature length
- [Newsome et al.; IEEE S&P 2005] came to the same conclusion as we did and proposed sets of smaller byte strings called tokens
Tokens

    GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX…XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Where do These Tokens Come From?
- Scalper: “Transfer-Encoding: chunked”
  - Same applies to most of these vulnerabilities
- “The Horns of a Dilemma”
  - Use protocol framing as a signature
  - Be very precise
Conclusions from DACODA
- Whole system analysis is important
  - New focus on more semantic signatures
  - How to understand the semantics of the vulnerability?
- We can learn a lot about emerging malware threats by studying existing malware samples and their interactions with the systems they run on
Temporal Search [Crandall et al.; ASPLOS 2006]
- Automated discovery of timebomb attacks
  - Analysis in the π stage
- Prototype of behavior-based analysis
  - Proposed a framework for a problem space nobody has looked at before
  - Implemented parts of it
  - Identified the remaining challenges
- By testing real worms with timebombs on our prototype
You as an antivirus professional catch a new worm…
- Unpack it
- Polymorphism/metamorphism?
- Anti-debugger tricks?
- Any behaviors predicated on time?
  - How it gets the time?
  - UTC/Local?
  - Conversions between formats?
With Temporal Search…
- Infect a VM
- Automated, behavior-based Temporal Search
- Respond
How to respond?
- Sober.X – 6 and 7 January 2006
  - URLs blocked
- Kama Sutra – 3rd of the month
  - Users removed infections
- Code Red – 20th of the month
  - White House IP address changed
- What if we have just hours or even minutes, not days?
Behavior-based Analysis
[Cohen, 1984] defined behavior-based detection as a question of “defining what is and is not a legitimate use of a service, and finding a means of detecting the difference.”
- Behavior-based analysis is similar
  - Assume the system is infected with malware
  - Analyze its use of a service such as the PIT (programmable interval timer)
Why not just speed up the clock?
- Dramatic time perturbation would be easy to detect
  - Also not easy to do for a busy system (effectively lowers perceived performance)
- May miss some behaviors
  - Kama Sutra
- Will not be able to explain behaviors it does elicit
Basic Idea
- Find timers
  - Run the PIT at different rates of perceived time
  - System performance stays the same
  - Correlate between PIT and memory writes
- Symbolic execution
  - e.g. with DACODA
- Weakest precondition calculation
Filling in the Timetable (built up over three slides; time runs down the table)

    SystemTime                     Predicate  Behavior
    126,396,288e12 (13 July 2001)  ? >= 20    Spread
    126,402,336e12 (20 July 2001)  ? >= 28    DoS White House
    126,409,248e12 (28 July 2001)  None       Go to sleep
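The timetable-filling loop from the slides above, modelled in code as an added example; this is not the Temporal Search prototype. The timebomb function is a constructed Code Red-like sample, its returned predicate stands in for what symbolic execution would discover on the trace, the FILETIME helpers (100 ns ticks since 1601) and the 13 July 2001 start are assumptions, and the boundary computation also handles the month wrap-around the slides do not show.

```python
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)   # Windows FILETIME/SystemTime epoch, 100 ns ticks
TICKS_PER_DAY = 864_000_000_000

def to_filetime(dt):
    """datetime -> 64-bit FILETIME, the representation a sample reads via GetSystemTime() and friends."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def timebomb(filetime):
    """Constructed Code Red-like sample: returns (behaviour, predicate it branched on).
    The predicate stands in for what symbolic execution discovers about the
    day-of-month value on the trace; None means no further check on time."""
    day = from_filetime(filetime).day
    if day < 20:
        return "Spread", ("day >=", 20)
    if day < 28:
        return "DoS White House", ("day >=", 28)
    return "Go to sleep", None

def next_boundary(t, day):
    """Weakest precondition of 'day >= N': the first instant after t at which it flips."""
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if day > t.day:
        return midnight.replace(day=day)
    first_of_next = (midnight.replace(day=1) + timedelta(days=32)).replace(day=1)
    return first_of_next.replace(day=day)   # wraps into the next month (raises for e.g. 31 Feb)

def temporal_search(sample, start, max_steps=12):
    """Fill in the timetable by jumping perceived time to each predicate's boundary
    instead of ticking the clock through every second in between."""
    table, t = [], start
    for _ in range(max_steps):
        ft = to_filetime(t)
        behaviour, pred = sample(ft)
        table.append((ft, pred, behaviour))
        if pred is None:
            break
        t = next_boundary(t, pred[1])
    return table

def code_red_timetable():
    return temporal_search(timebomb, datetime(2001, 7, 13))
```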
[Chart: Windows, # Predicates Checked per Second (0 to 700) vs. Real Time (seconds, 0 to 480), one series for Windows TickCount and one for Windows SystemTime]
Manual Analysis
- Many different library calls, APIs for date and time
  - GetSystemTime(), GetLocalTime(), GetTimeZoneInformation(), DiffDate(), GetDateFormat(), etc.
  - System call not really necessary
- Conversions back and forth between various representations (e.g. MyParty.A, Blaster.E)
  - UTC vs. Local
  - 1600 vs. 1900 vs. 1970
  - 32- vs 64-bit
  - integers for day, month, year, etc.
  - strings
- Not always done with standard library functions
- Have to unpack it first, anti-debugging tricks
- All of this is simply dataflow from SystemTime timer
Setup
[Diagram: Bochs VM running Windows XP @ 192.168.33.2, with DACODA and Timer Discovery, connected over a tuntap interface to the Host @ 192.168.33.1 with DNS, NTP, HTTP, TIME, etc.; ARP cache poisoning, DNS spoofing, etc.]
Temporal Search
- Symbolic Execution (DACODA)
  - Code Red, Blaster.E, MyParty.A, Klez.A
  - Discovers predicates on day, hour, minute, etc. on a real time trace
- Control-flow sensitivity within loops
  - Code Red, Blaster.E, MyParty.A, Klez.A, Sober.X, Kama Sutra
  - Month and year
Adversarial Analysis
- For any technique, being applicable to every possible virus or worm is not a requirement
- AV companies collect intelligence
  - More details in the paper on this
Conclusions from Temporal Search
- Manual analysis is tricky and time-consuming
  - Temporal Search can dramatically improve response time
- Behavior-based analysis is all about the environment
- Malware does not follow a linear timetable
- Gregorian calendar poses its own challenges
Why Behavior-Based Analysis?
“An ant, viewed as a behaving system, is quite simple. The apparent complexity of its behavior over time is largely a reflection of the complexity of the environment in which it finds itself.” –Herbert Simon