B l a c k B o x Lightweight Security Monitoring for COTS - PowerPoint PPT Presentation

B l a c k B o x Lightweight Security Monitoring for COTS Binaries Byron Hawkins and Brian Demsky University of California, Irvine, USA Michael B. Taylor University of California, San Diego, USA

Why Security Monitoring? Motjvatjon #1: Exploits occur frequently. • Thousands of vulnerabilitjes reported in 2015. • Millions of new malware released every year. • Over 90% of atuacks target 10+ year old bugs. • Windows XP stjll claims over 10% market share!

Why Security Monitoring? Motjvatjon #2: Exploit recovery requires informatjon. • Identjfy which machines were afgected: ● Repair corrupted fjles. ● Restore failed or crippled services. ● Remove persistent malware. ● Learn how the atuacker gained control. • Prevent recurrence of the same exploit.

Why Security Monitoring? Motjvatjon #3: Automated security may never be feasible.

Why Security Monitoring? Motjvatjon #3: Automated security may never be feasible. • COTS rewritjng approaches have been defeated.

Why Security Monitoring? Motjvatjon #3: Automated security may never be feasible. • COTS rewritjng approaches have been defeated. • Recompilatjon required, but opportunity is limited: • Slow adoptjon of security tools • Legacy platgorms maintain signifjcant market share

Why Security Monitoring? Motjvatjon #3: Automated security may never be feasible. • COTS rewritjng approaches have been defeated. • Recompilatjon required, but opportunity is limited: • Slow adoptjon of security tools • Legacy platgorms maintain signifjcant market share • Is it possible to build security into the compiler?

Exploit Example: Bufger Overfmow Parse the argument by copying up to the space into the bufger.

Exploit Example: Bufger Overfmow User input can change the return address of this functjon!

Automated Security Defense concept: ● Identjfy vulnerable program instructjons 0 x 0 0 0 0 7 f f f f f f f d 4 1 8 a r g # 2 : * * o p t i o n _ o u t 0 x 0 0 0 0 7 f f f f f f f d a e 7 a r g # 1 : * i n p u t 0 x 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 l o c a l # 2 : i 0 x 7 7 2 d 6 e 6 f 6 9 7 4 7 0 6 f l o c a l # 1 : b u f f e r 0 x 6 1 7 6 6 e 6 9 2 d 6 8 7 4 6 9 < p r e v i o u s s t a c k f r a m e b a s e > 0 x 7 5 6 c 6 1 7 6 2 d 6 4 6 9 6 c < r e t u r n a d d r e s s > A d v e r s a r y c o n t r o l s t h e p r o g r a m !

Automated Security Defense concept: ● Identjfy vulnerable program instructjons ● Detect adversarial manipulatjon of instructjon operands 0 x 0 0 0 0 7 f f f f f f f d 4 1 8 a r g # 2 : * * o p t i o n _ o u t 0 x 0 0 0 0 7 f f f f f f f d a e 7 a r g # 1 : * i n p u t 0 x 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 l o c a l # 2 : i 0 x 7 7 2 d 6 e 6 f 6 9 7 4 7 0 6 f l o c a l # 1 : b u f f e r 0 x 6 1 7 6 6 e 6 9 2 d 6 8 7 4 6 9 < p r e v i o u s s t a c k f r a m e b a s e > 0 x 7 5 6 c 6 1 7 6 2 d 6 4 6 9 6 c < r e t u r n a d d r e s s > A d v e r s a r y c o n t r o l s t h e p r o g r a m !

Automated Security Defense problem: ● How to distjnguish adversarial infmuence? 0 x 0 0 0 0 7 f f f f f f f d 4 1 8 a r g # 2 : * * o p t i o n _ o u t 0 x 0 0 0 0 7 f f f f f f f d a e 7 a r g # 1 : * i n p u t 0 x 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 l o c a l # 2 : i 0 x 7 7 2 d 6 e 6 f 6 9 7 4 7 0 6 f l o c a l # 1 : b u f f e r 0 x 6 1 7 6 6 e 6 9 2 d 6 8 7 4 6 9 < p r e v i o u s s t a c k f r a m e b a s e > 0 x 7 5 6 c 6 1 7 6 2 d 6 4 6 9 6 c < r e t u r n a d d r e s s > A d v e r s a r y c o n t r o l s t h e p r o g r a m !

Automated Security Defense proposal: ● Detect unintended data fmows... 0 x 0 0 0 0 7 f f f f f f f d 4 1 8 a r g # 2 : * * o p t i o n _ o u t 0 x 0 0 0 0 7 f f f f f f f d a e 7 a r g # 1 : * i n p u t 0 x 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 l o c a l # 2 : i 0 x 7 7 2 d 6 e 6 f 6 9 7 4 7 0 6 f l o c a l # 1 : b u f f e r 0 x 6 1 7 6 6 e 6 9 2 d 6 8 7 4 6 9 < p r e v i o u s s t a c k f r a m e b a s e > 0 x 7 5 6 c 6 1 7 6 2 d 6 4 6 9 6 c < r e t u r n a d d r e s s > A d v e r s a r y c o n t r o l s t h e p r o g r a m !

Automated Security Defense proposal: ● Detect unintended data fmows… ● Intended data fmows can be exploited! 0 x 0 0 0 0 7 f f f f f f f d 4 1 8 a r g # 2 : * * o p t i o n _ o u t 0 x 0 0 0 0 7 f f f f f f f d a e 7 a r g # 1 : * i n p u t 0 x 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 l o c a l # 2 : i 0 x 7 7 2 d 6 e 6 f 6 9 7 4 7 0 6 f l o c a l # 1 : b u f f e r 0 x 6 1 7 6 6 e 6 9 2 d 6 8 7 4 6 9 < p r e v i o u s s t a c k f r a m e b a s e > 0 x 7 5 6 c 6 1 7 6 2 d 6 4 6 9 6 c < r e t u r n a d d r e s s > A d v e r s a r y c o n t r o l s t h e p r o g r a m !

Automated Security Defense proposal: ● Detect unintended data fmows… ● Intended data fmows can be exploited! ● Calculate intended operand values ● e.g. legitjmate return addresses

Automated Security Defense proposal: ● Detect unintended data fmows… ● Intended data fmows can be exploited! ● Calculate intended operand values ● e.g. legitjmate return addresses ● Counter example: Microsofu media licensing

Automated Security Limitatjons At startup of Microsofu Word, a media license module dynamically generates a small routjne on the heap: DGC code ipcsecproc.dll generator 56 basic blocks

Automated Security Limitatjons It pushes a placeholder on the call stack... Call Stack create fake stack frame DGC ipcsecproc.dll 56 basic blocks

Automated Security Limitatjons …followed by a non-conventjonal “return” to enter the DGC. Call Stack DGC "incorrect" ipcsecproc.dll return 56 basic blocks

Automated Security Limitatjons Calculatjng this return address requires calculatjng heap states. Call Stack DGC "incorrect" ipcsecproc.dll return 56 basic blocks

Automated Security Limitatjons The DGC routjne calls several security-sensitjve functjons. Crypt32.dll Kernel32.dll CryptUnprotectData() VirtualProtect() DGC DeviceIoControl() "incorrect" ipcsecproc.dll return 56 basic blocks CreateFile()

Automated Security Limitatjons Defense proposal: ● Detect unintended data fmows… ● Intended data fmows can be exploited! ● Calculate intended operand values ● e.g. legitjmate return addresses ● Counter example: Microsofu media licensing ● Counter example: Windows thread injectjon

Automated Security Limitatjons D W O R D y o u r A p p P r o c e s s I d = G e t P r o c e s s B y N a m e ( " Y o u r A p p . e x e " ) ;

Automated Security Limitatjons D W O R D y o u r A p p P r o c e s s I d = G e t P r o c e s s B y N a m e ( " Y o u r A p p . e x e " ) ; H A N D L E y o u r A p p P r o c e s s = O p e n P r o c e s s ( P R O C E S S _ A L L _ A C C E S S , y o u r A p p P r o c e s s I d ) ;

Automated Security Limitatjons D W O R D y o u r A p p P r o c e s s I d = G e t P r o c e s s B y N a m e ( " Y o u r A p p . e x e " ) ; H A N D L E y o u r A p p P r o c e s s = O p e n P r o c e s s ( P R O C E S S _ A L L _ A C C E S S , y o u r A p p P r o c e s s I d ) ; H M O D U L E k e r n e l 3 2 = G e t M o d u l e H a n d l e ( " k e r n e l 3 2 . d l l " ) ;

Automated Security Limitatjons D W O R D y o u r A p p P r o c e s s I d = G e t P r o c e s s B y N a m e ( " Y o u r A p p . e x e " ) ; H A N D L E y o u r A p p P r o c e s s = O p e n P r o c e s s ( P R O C E S S _ A L L _ A C C E S S , y o u r A p p P r o c e s s I d ) ; H M O D U L E k e r n e l 3 2 = G e t M o d u l e H a n d l e ( " k e r n e l 3 2 . d l l " ) ; L P T H R E A D _ S T A R T _ R O U T I N E l o a d L i b r a r y = G e t P r o c A d d r e s s ( k e r n e l 3 2 , " L o a d L i b r a r y A " ) ;