SLIDE 1

Application-Level Reconnaissance: Timing Channel Attacks Against Antivirus Software

Mohammed I. Al-Saleh and Jedidiah R. Crandall

SLIDE 2

Server Reconnaissance

[Diagram: the client probes the server for open ports, OS and running services]

SLIDE 3

Client Reconnaissance

[Diagram: the server, facing a connecting client, asks "Hmmm, what can I get about you?!"]

SLIDE 4

Client Reconnaissance

  • Browser identification

– https://panopticlick.eff.org/

  • AV related info

– AV fingerprinting
– Up-to-date?

  • Timing channels

– AV performance tradeoff: make the common case fast
– Updated?

SLIDE 5

Threat Model

[Diagram: the server sends content to the client, measures how long the client's AV takes to scan it, and asks "Updated??"]

SLIDE 6

Basic Idea

  • Antivirus (AV) scans data against sigs
  • Sigs are stored somehow in the AV's data structures
  • Scanning time

– Based on the scanning path taken through those structures

  • Hitting the newly added sigs

– A different path, so a measurably different time

SLIDE 7

ClamAV

  • ClamAV

– http://www.clamav.net
– http://www.clamxav.com/
– http://www.clamwin.com/

  • Scanning steps:

– File type filtering
– Filtering step
– Boyer-Moore algorithm
– Aho-Corasick algorithm

SLIDE 8

File Type Filtering

[Diagram: file to scan → detected file type → the signature roots for that type]

SLIDE 9

Filtering Step

[Diagram: input → filter → yes/no]

SLIDE 10

Boyer-Moore

[Diagram: the chars of a sig are hashed; the hash indexes an array of linked lists that hold the sigs]

SLIDE 11

Aho-Corasick

SLIDE 12

Methodology

  • Question #1: Is there a timing channel in the way ClamAV scans data?
  • Question #2: If the first question is confirmed, how could the attacker create the timing channel?

SLIDE 13

Methodology/Q1

  • Collect viruses in (name, date) pairs and remove their sigs from the current DB

SLIDE 14

Two Kinds of Experiments

  • Whole-day sig experiment
  • Single sig experiment

SLIDE 15

Whole-Day

[Diagram: the DB before DateX (Old) plus the sigs of DateX becomes the DB after DateX (New); the same scan is run against both]

SLIDE 16

Test file content: ((ahochars | boyerchars)^n . filterchars)^m

File size = BuffSize = 256 KB

SLIDE 17

Single Signature

[Diagram: the DB before SigX (Old) plus one sig becomes the DB after SigX (New); the same scan is run against both]
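The mechanism behind slides 6 to 17, scan cost that depends on which path the input takes through the signature data structures, can be shown with a small automaton. The Python below is an added example, not code from the paper and not ClamAV's matcher: a toy Aho-Corasick scanner that counts the work it does, a builder that lays test content out in the shape slide 16 gives (((ahochars | boyerchars)^n . filterchars)^m, capped at one 256 KB buffer), and a probe that scans the same content against an "old" database and against that database plus one added signature, which is the single-signature experiment of slide 17 in miniature. The signature strings, the bytes used for the match and filter blocks, the values of n and m, and the per-hit verification cost are all assumptions; ClamAV's real Boyer-Moore (hash-indexed array of linked lists) and Aho-Corasick matchers are considerably more elaborate.

```python
from collections import deque
import time

BUFSIZE = 256 * 1024  # scan buffer size given on slide 16


class ToyScanner:
    """Aho-Corasick multi-pattern matcher that counts the work it does.

    Work units: one per goto lookup, one per failure-link hop, and an
    assumed verification cost of len(sig) per reported hit (real scanners
    do extra checks on a hit, which is what makes the hit path slower).
    """

    def __init__(self, sigs):
        self.goto = [{}]   # state -> {byte: next state}
        self.fail = [0]    # state -> failure state
        self.out = [[]]    # state -> sigs that end here
        for sig in sigs:
            self._add(sig)
        self._link()
        self.work = 0

    def _add(self, sig):
        s = 0
        for b in sig:
            nxt = self.goto[s].get(b)
            if nxt is None:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                nxt = len(self.goto) - 1
                self.goto[s][b] = nxt
            s = nxt
        self.out[s].append(sig)

    def _link(self):
        # Standard BFS construction of failure links; depth-1 states fail to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Return (offset, sig) hits; self.work records the path cost."""
        self.work = 0
        state = 0
        hits = []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
                self.work += 1
            state = self.goto[state].get(b, 0)
            self.work += 1
            for sig in self.out[state]:
                self.work += len(sig)  # assumed verification cost on a hit
                hits.append((i - len(sig) + 1, sig))
        return hits


def build_content(match_block, filter_block, n, m, bufsize=BUFSIZE):
    """Lay out content as ((match_block)^n . filter_block)^m, truncated to one buffer."""
    unit = match_block * n + filter_block
    return (unit * m)[:bufsize]


OLD_DB = [b"EVIL-SIG-A", b"EVIL-SIG-B"]  # assumed "DB before" signatures
NEW_SIG = b"NEW-SIG-X"                   # assumed signature added in the update


def scan_work(sigs, data):
    sc = ToyScanner(sigs)
    hits = sc.scan(data)
    return sc.work, len(hits)


def probe(data):
    """Work spent on the same content by the old DB and by old DB + NEW_SIG."""
    old_work, _ = scan_work(OLD_DB, data)
    new_work, new_hits = scan_work(OLD_DB + [NEW_SIG], data)
    return old_work, new_work, new_hits


def time_scan(sigs, data, runs=5):
    """Best-of-N wall-clock scan time, the quantity the attacker actually observes."""
    sc = ToyScanner(sigs)
    best = float("inf")
    for _ in range(runs):
        t0 = time.perf_counter()
        sc.scan(data)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    # Constructed content: the match block is the new sig, the filter block is inert padding.
    content = build_content(NEW_SIG, b"\x00" * 64, n=4, m=1024)
    old_work, new_work, hits = probe(content)
    print(f"old DB: {old_work} work units; new DB: {new_work} work units; hits: {hits}")
    print(f"old DB: {time_scan(OLD_DB, content):.4f}s; "
          f"new DB: {time_scan(OLD_DB + [NEW_SIG], content):.4f}s")
```

Content that never reaches a hit costs about one work unit per byte under either database; content built from the added signature pays the match path plus verification only when that signature is present, and that gap is what the whole-day and single-signature histograms measure.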

SLIDE 18

Whole-Day

[Histogram: frequency of the time difference (seconds) between scanning with the old and the new DB]

SLIDE 19

Single

[Histogram: frequency of the time difference (seconds) between scanning with the old and the new DB]

SLIDE 20

Methodology/Q2

SLIDE 21

Methodology/Q2

Create file → Close the file → Time start → CPU time sampling → Determine CPU busy time
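Measuring the scan from the client side, in the order slide 21 gives: create a file, close it so the on-access scanner picks it up, start a clock and sample CPU time until the machine goes quiet again. The Python below is an added example, not the authors' ActiveX probe. It reads the aggregate `cpu` line of Linux's `/proc/stat` (the Windows equivalent is the `GetSystemTimes` API, not shown here); the probe directory, the probe content, the sampling interval, the idle threshold and the length of the quiet run that ends a measurement are all assumptions, and the sample `/proc/stat` lines in the usage note are constructed.

```python
import os
import time

PROBE_DIR = "/tmp/av-probe"   # assumed directory covered by the on-access scanner
SAMPLE_INTERVAL = 0.01        # seconds between CPU samples (assumed)
IDLE_THRESHOLD = 0.20         # busy fraction below which the CPU counts as idle (assumed)
QUIET_SAMPLES = 5             # consecutive idle samples that end the measurement (assumed)


def cpu_jiffies(stat_line):
    """Split the aggregate 'cpu' line of /proc/stat into (busy, total) jiffies.

    Field order: user nice system idle iowait irq softirq steal guest guest_nice.
    idle and iowait count as not busy.
    """
    fields = stat_line.split()
    if fields[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line")
    vals = [int(x) for x in fields[1:]]
    idle = vals[3] + (vals[4] if len(vals) > 4 else 0)
    total = sum(vals)
    return total - idle, total


def busy_fraction(before, after):
    """Fraction of the elapsed jiffies the CPU was busy between two readings."""
    b0, t0 = cpu_jiffies(before)
    b1, t1 = cpu_jiffies(after)
    elapsed = t1 - t0
    return (b1 - b0) / elapsed if elapsed > 0 else 0.0


def busy_duration(samples, interval, threshold=IDLE_THRESHOLD, quiet=QUIET_SAMPLES):
    """Seconds from the first sample until `quiet` consecutive samples fall below threshold."""
    for i in range(len(samples) - quiet + 1):
        if all(s < threshold for s in samples[i:i + quiet]):
            return i * interval
    return len(samples) * interval


def read_cpu_line():
    with open("/proc/stat") as f:
        return f.readline()


def drop_probe_file(path, content):
    """Create the file and close it; the close is what triggers an on-access scan."""
    with open(path, "wb") as f:
        f.write(content)


def measure_scan(content, timeout=5.0):
    """Drop the probe file, then sample the CPU busy fraction until the system is quiet."""
    os.makedirs(PROBE_DIR, exist_ok=True)
    path = os.path.join(PROBE_DIR, "probe.bin")
    prev = read_cpu_line()
    t_start = time.perf_counter()
    drop_probe_file(path, content)
    samples = []
    while time.perf_counter() - t_start < timeout:
        time.sleep(SAMPLE_INTERVAL)
        cur = read_cpu_line()
        samples.append(busy_fraction(prev, cur))
        prev = cur
        tail = samples[-QUIET_SAMPLES:]
        if len(tail) == QUIET_SAMPLES and all(s < IDLE_THRESHOLD for s in tail):
            break
    os.remove(path)
    return busy_duration(samples, SAMPLE_INTERVAL), samples


if __name__ == "__main__":
    # Constructed placeholder content; the paper crafts bytes that steer the scanner's path.
    busy, samples = measure_scan(b"PROBE" * 4096)
    print(f"CPU busy for {busy:.3f}s over {len(samples)} samples")
```

The pure functions can be checked without a scanner: for the constructed readings `cpu 100 0 50 800 50 0 0 0 0 0` and `cpu 200 0 100 850 50 0 0 0 0 0`, `busy_fraction` returns 0.75, and `busy_duration` applied to a run of high fractions followed by a quiet run returns the time at which the quiet run begins. Note the caveat a practitioner will hit immediately: system-wide CPU time also counts every other process, so the measurement only separates old from new DB when the rest of the machine is idle and the scan itself is long enough to rise above the sampling interval.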

SLIDE 22

ActiveX

[Plot: max and min scanning time (seconds) as measured from ActiveX]

SLIDE 23

Possible Timing Channels in Modern AVs

  • Pattern matching
  • Algorithmic scanning

– The Zmist virus needs to execute at least 2 million p-code-based iterations

  • Code emulation

– Significantly slows scanning

  • Heuristics

– Extra work when triggered

SLIDE 24

Related Work

  • Network discovery

– Port scanning

  • Timing channel attacks

– Secret keys in cryptographic systems
– Virtual machine detection
– Others

  • Antivirus research

– Signature extraction
– Detection evasion

SLIDE 25

Conclusion and Future Work

  • Application-level reconnaissance through timing channels
  • Running example: ClamAV
  • Currently, we are exploring performance issues in commercial antiviruses

SLIDE 26

Acknowledgements

  • Török Edwin
  • LEET reviewers
  • U.S. National Science Foundation (CNS-0905177)

SLIDE 27

Thanks