backdoor detection tools for the working analyst
play

Backdoor Detection Tools for the Working Analyst Sam L. Thomas - PowerPoint PPT Presentation

Sep 16, 2023 •437 likes •814 views

Backdoor Detection Tools for the Working Analyst Sam L. Thomas (based on joint work with Flavio D. Garcia & Tom Chothia) School of Computer Science University of Birmingham Birmingham United Kingdom B15 2TT s.l.thomas@cs.bham.ac.uk

  1. Backdoor Detection Tools for the Working Analyst Sam L. Thomas (based on joint work with Flavio D. Garcia & Tom Chothia) School of Computer Science University of Birmingham Birmingham United Kingdom B15 2TT s.l.thomas@cs.bham.ac.uk CRYPTACUS Workshop & MC Meeting 2017 1 / 37

  2. An Ideal Situation 2 / 37

  3. An Ideal Situation 3 / 37

  4. An Ideal Situation 4 / 37

  5. An Ideal Situation 5 / 37

  6. A Real-world Situation 6 / 37

  7. A Real-world Situation 7 / 37

  8. A Real-world Situation 8 / 37

  9. Challenge How do we reduce the manual effort required to identify undocumented functionality and backdoors within software? 9 / 37

  10. Challenge How do we reduce the manual effort required to identify undocumented functionality and backdoors within software? 10 / 37

  11. Motivation Undocumented functionality? Backdoors? Authentication bypass by “magic” words. Hard-coded credential checks. Additional protocol messages that activate unexpected functionality. Common services that perform non-standard functionality. 11 / 37

  12. Application Focus on IoT devices: Lots of devices, lots of firmware, different architectures. Devices are attached to our networks often without regard for how secure they are. Can’t manually analyse every firmware image. 12 / 37

  13. Tools HumIDIFy : detects undocumented, non-standard functionality in common services. Stringer : detects hard-coded credentials and undocumented protocol messages. 13 / 37

  14. Objective Both tools: Lightweight analysis. Reduce time required and expertise to perform analysis. 14 / 37

  15. HumIDIFy 15 / 37

  16. Method – Overview Uses machine learning to identify common executable classes (e.g. FTP server, Web server, . . . ). Tests to see if these identified common services perform more than their expected functionality (e.g. a Web server that listens for commands on a high UDP port and executes them as root on the device). 16 / 37

  17. Method – Machine Learning Uses semi-supervised learning: train a classifier using some labelled instances and a larger amount of unlabelled instances. Uses an algorithm called self-training: iterates until some stability is reached on the performance of the classifier. On real-world test data (manually labelled, independent from training set): 96.4523% correctness. 17 / 37

  18. Method – Testing Functionality High-level domain-specific language (DSL) to encode expected program functionality. DSL interpreter processes functionality profile and target executable. Have a functionality profile for each type of common service – they have known, well-defined behaviour. 18 / 37

  19. Method – Testing Functionality (cont.) Example rules written in the DSL: rule handles_socket() = function_ref("socket") rule handles_tcp() = handles_socket() && (function_ref("recv") || function_ref("send")) 19 / 37

  20. Usage Tenda Router web-server analysis with HumIDIFy: $ ./HumIDIFy model/BayesNet httpd ]] HumIDIFy: version 1.0 ,-. ]------------------------|-’ [i] performing feature extraction... [i] classifying binary... -> File : httpd -> Profile : webserver (with confidence 100.00%) [i] checking binary’s functionality... -> Warning : udp-based api usage detected -> Judgement : potentially anomalous 20 / 37

  21. Stringer 21 / 37

  22. Method – Overview Assigns scores to static data and functions to indicate their relevance/potential. Generates a summary report of the executable using scoring for faster, simpler analysis. 22 / 37

  23. Method – Overview Automatically identifies potential static data comparison functions. Extracts the arguments passed to those functions when the function call influences a branch condition. Maximises scores to static data based on how much CFG functionality they guard . 23 / 37

  24. Method – Score Assignment 24 / 37

  25. Usage $ ./Stringer td3250 *** attempting to locate comparison functions... [h] 15669 functions analysed; comparison functions: [c] strcmp (1388.100000) [c] strncmp (773.326250) ... *** computing scores... ... [f] 556.59: _ZN9CLoginDlg5LogInEPKcS1_b 288.35: admin (via: strcmp) 60.92: ppttzz51shezhi (via: strcmp) 49.83: 6036logo (via: strcmp) ... 25 / 37

  26. Case studies 26 / 37

  27. Hard-coded Credentials in Ray Sharp DVR Firmware Identification of hard-coded credential pair in Ray Sharp DVR firmware: Comparison Function Score strcmp 5170 . 30 sub 1C7EC ( strcmp wrapper) 1351 . 96 strncmp 1109 . 73 353 . 93 strstr 222 . 00 memcmp (1) (2) Label Score Static Data Function Depends 1 30 . 23 664225 strcmp { [] } 2 2 . 77 root strcmp { [ 664225 ] } 27 / 37

  28. Hard-coded Credentials in Q-See DVR Firmware Identification of a hard-coded credential backdoor in DVR firmware – different behaviour for each hardcoded password: Comparison Function Score 1464 . 70 strcmp (1) 779 . 33 strncmp (5) CRYPTO malloc (FP) 685 . 10 (2) ZNKSs7compareEPKc 376 . 20 (3) strstr 306 . 00 strcasecmp 196 . 00 (6) (4) Label Score Static Data Function Depends (7) 1 171 . 39 admin strcmp { [] } 2 58 . 92 ppttzz51shezhi strcmp { [ admin ] } 3 45 . 13 6036logo strcmp { [ admin ] } + 4 42 . 14 { [ admin ] } 6036adws strcmp 5 37 . 54 { [ admin ] } 6036huanyuan strcmp 6 35 . 21 { [ admin ] } 6036market strcmp 7 31 . 05 jiamijiami6036 strcmp { [ admin ] } 28 / 37

  29. Tenda Web-server “Management Service” Web-server with thread running UDP-based service executing user-input commands, unauthenticated as root user: ./HumIDIFy model/BayesNet _US_W302RRA_.../bin/httpd ]] HumIDIFy: version 1.0 ,-. ]------------------------|-’ [i] performing feature extraction... [i] classifying binary... -> File : _US_W302RRA_.../bin/httpd -> Profile : webserver (with confidence 100.00%) [i] checking binary’s functionality... -> Warning : udp-based api usage detected -> Judgement : potentially anomalous 29 / 37

  30. Tenda Web-server “Management Service” (cont.) Web-server with thread running UDP-based service executing user-input commands, unauthenticated as root user: 30 / 37

  31. TrendNet HTTP Authentication with Hard-coded Credentials HTTP authentication check with comparison against hard-coded credential values: Comparison Function Score 1635 . 01 strcmp 481 . 20 strstr nvram get (FP) 413 . 10 strncmp 265 . 45 sub A2D0 (FP) 131 . 00 Static Data Score Function Depends emptyuserrrrrrrrrrrr 132 . 17 strcmp { . . . } emptypasswordddddddd 128 . 61 strcmp { [ . . . , emptyuserrrrrrrrrrrr ] } 31 / 37

  32. Recovery of SOAP-based Command Set We are also able to recover the command sets of proprietary protocols, in this case a SOAP command set: Comparison Function Score 380 . 52 strcmp safestrcmp (custom string comparison) 221 . 00 (1) strstr 185 . 00 (2) strcasecmp 184 . 00 (3) (4) (5) Label Score Static Data (6) 1 7 . 64 EnableTrafficMeter (7) 2 7 . 64 SetTrafficMeterOptions 3 7 . 64 SetGuestAccessEnabled 4 7 . 64 SetGuestAccessEnabled2 5 7 . 64 SetGuestAccessNetwork 6 7 . 64 SetWLANNoSecurity 7 7 . 64 SetWLANWPAPSKByPassphrase 32 / 37

  33. Performance 33 / 37

  34. HumIDIFy Attribute extraction: 1.31s. Classification of single binary: 0.291s (not including time taken to invoke the Java virtual machine). Performance of DSL interpreter is dependent upon the complexity of the binary under analysis (number of functions and complexity of those functions): 1.53s on average. Time to process an “average” firmware image: 970.61s. Performance analysis does not take into account the human factor in final manual analysis. 34 / 37

  35. Stringer Average processing time for a binary: 1.3s. Some take longer - depends upon number of functions and CFG complexity: Q-See DVR firmware took 46.043 with 15,669 functions. 35 / 37

  36. Conclusion Runtime of both tools satisfies lightweight property: each tool takes seconds to perform analysis. Sucessfully identified a number of backdoors and instances of undocumented functionality. 36 / 37

  37. Q & A 37 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak , Venkatesh Raman, and Stefan Szeider SAT 2013 Backdoor Sets Introduced by Crama et al. 1997 and independently by Williams et al. 2003 in an

768 views • 12 slides
Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov,

Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov,

Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov, Christopher Woods

353 views • 20 slides
The Bicho An Advanced Car Backdoor Maker by @UnaPibaGeek and @holesec Who we are? And Where

The Bicho An Advanced Car Backdoor Maker by @UnaPibaGeek and @holesec Who we are? And Where

The Bicho An Advanced Car Backdoor Maker by @UnaPibaGeek and @holesec Who we are? And Where We are from? When we start with this? Ekoparty / 2016 Why? A quick review 5) Signal 4) Chassis ground 6) CAN High ground 2) J1850 Bus +

681 views • 47 slides
Open data Practice Assessment tools Nuru Magwaza ODI Registered trainer Data Analyst Aim

Open data Practice Assessment tools Nuru Magwaza ODI Registered trainer Data Analyst Aim

Open data Practice Assessment tools Nuru Magwaza ODI Registered trainer Data Analyst Aim Enable participants to understand the use and importance of assessment tools in open data Learning outcomes Define Assessment tools Mention

458 views • 17 slides
Tools // Sessions Introduction OUTLINE I. Common Tools & Methods Working Group II.

Tools // Sessions Introduction OUTLINE I. Common Tools & Methods Working Group II.

Tools // Sessions Introduction OUTLINE I. Common Tools & Methods Working Group II. News & Announcement M. Muehlleitner & S. Muanza EuroGDRSUSY @ Brussels Nov

321 views • 5 slides
www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

Class I Leak Detection Systems - Highest level of monitoring and prevention of double walled tanks and pipes, according EU Standard EN 13160-2 Advantages Working Principle Product Overview www.thomas-leak-detection.com Leak

206 views • 16 slides
SAFEWATER Application and Results of Innovative Tools for the Detection and M itigation of

SAFEWATER Application and Results of Innovative Tools for the Detection and M itigation of

SAFEWATER Application and Results of Innovative Tools for the Detection and M itigation of CBRN-related Contamination Events in Drinking Water Supply Systems Thomas Bernard, Aharon Rosenberg, Helena Lucas, Adrian Rieder, J rgen M

809 views • 55 slides
Tools & Techniques Triage Using 99 Business Analyst Techniques to better understand

Tools & Techniques Triage Using 99 Business Analyst Techniques to better understand

Tools & Techniques Triage Using 99 Business Analyst Techniques to better understand your teams skills and training needs. Agenda Introduction The idea explained Round 1: Card sorting techniques Round 2: Visualising

370 views • 10 slides
A Solder-Defined Computer Architecture for Backdoor and Malware Resistance Examinee: Marc W.

A Solder-Defined Computer Architecture for Backdoor and Malware Resistance Examinee: Marc W.

Welcome! A Solder-Defined Computer Architecture for Backdoor and Malware Resistance Examinee: Marc W. Abel Committee: Travis Doom, Ph.D. (chair) Jack Jean, Ph.D. Michael Raymer, Ph.D. Krishnaprasad Thirunarayan, Ph.D. (T.K. Prasad) Vincent

1.94k views • 28 slides
Tools for Efficient Object Detection ICCV 2015 Tutorial Santiago, Chile, December 2015

Tools for Efficient Object Detection ICCV 2015 Tutorial Santiago, Chile, December 2015

Tools for Efficient Object Detection ICCV 2015 Tutorial Santiago, Chile, December 2015 Organizers: Classification Versus Detection Rogerio Feris Classification: WHAT Detection: WHAT and WHERE Slide Adapted from Ross Girshick Rogerio Feris

548 views • 15 slides
Librarian presentation on Data Management for the CSCRS Below is a screen shot of the backdoor

Librarian presentation on Data Management for the CSCRS Below is a screen shot of the backdoor

Librarian presentation on Data Management for the CSCRS Below is a screen shot of the backdoor editing page for the CSCRS Data Repository. It is not published, therefore not visible on the UNC Dataverse. Note that the Publish and Edit buttons will

138 views • 3 slides
Cross-lingual similarity calculation for plagiarism detection and more Tools and resources

Cross-lingual similarity calculation for plagiarism detection and more Tools and resources

Cross-lingual similarity calculation for plagiarism detection and more Tools and resources Ralf Steinberger European Commission Joint Research Centre (JRC) http://langtech.jrc.ec.europa.eu/ PAN-CLEF, Rome, Italy, 19 September 2012

471 views • 17 slides
Fraud Investigation during COVID-19 Is the pandemic a backdoor to increased fraud risk? Aris

Fraud Investigation during COVID-19 Is the pandemic a backdoor to increased fraud risk? Aris

Fraud Investigation during COVID-19 Is the pandemic a backdoor to increased fraud risk? Aris Dimitriadis, Executive Director Compliance, ERM & Insurance OTE Group 07.05.2020 Covid-19 outbreak: an opportunity for fraudsters Stay vigilant

372 views • 9 slides
Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks Bolun Wang*,

Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks Bolun Wang*,

Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks Bolun Wang*, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath , Haitao Zheng, Ben Y. Zhao University of Chicago, *UC Santa Barbara, Virginia Tech

770 views • 17 slides
Analyst & Investor Site Visit Crowcon Detection Instruments 17 September, 2015 Agenda 11.00

Analyst & Investor Site Visit Crowcon Detection Instruments 17 September, 2015 Agenda 11.00

Analyst & Investor Site Visit Crowcon Detection Instruments 17 September, 2015 Agenda 11.00 Introduction Andrew Williams, CEO 11.15 Process Safety sector review Philippe Felten, SCE 11.45 Break 12.15 Introduction to Crowcon

445 views • 22 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Change Management Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar

Change Management Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar

Change Management Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar SAPM Spring 2007: Change 1 Change is Inevitable Even brand-new systems will often or typically need to: Interface with existing components

678 views • 16 slides
GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface NIIBE Yutaka <gniibe@fsij.org> FOSDEM 2018 This is a talk of my experience to have better control (by its user) of computing for privacy

610 views • 37 slides
UPDATE Matt King 07/07/2015 Region Finding 2 Have been working on an automated fiducial

UPDATE Matt King 07/07/2015 Region Finding 2 Have been working on an automated fiducial

1 MOEDAL SIMULATION UPDATE Matt King 07/07/2015 Region Finding 2 Have been working on an automated fiducial region finding algorithm for the MMTs With assistance from Katarina Bendtz, who designed the algorithm for ATLAS. Our

361 views • 7 slides
Testing and documenting your data doesnt have to suck Data Council NYC - Nov 2019 @abeGong

Testing and documenting your data doesnt have to suck Data Council NYC - Nov 2019 @abeGong

Testing and documenting your data doesnt have to suck Data Council NYC - Nov 2019 @abeGong About me (Abe) Data scientist/engineer Tech-first and enterprise Human-scale, ethical data First time in NYC as an adult (?!)

723 views • 45 slides
Be Empowered & Know Your Rights" 2019 What should community organizations and

Be Empowered & Know Your Rights" 2019 What should community organizations and

BBT: Immigrants and Public Benefits MCLE March 2019 D EI RD RE GI B LI N, ESQ . M A SSA C HU SET T S LA W REFO RM I NST I T U T E D GI B LI N@ M LRI .O RG R e v i s e d a n d A d a p t e d ( A I L A / P A I R / K I N D P P 2 0 1 9 & E

332 views • 17 slides
CS 5150 So(ware Engineering 18. Reuse and Design Pa9erns William Y. Arms So(ware Reuse It is

CS 5150 So(ware Engineering 18. Reuse and Design Pa9erns William Y. Arms So(ware Reuse It is

Cornell University Compu1ng and Informa1on Science CS 5150 So(ware Engineering 18. Reuse and Design Pa9erns William Y. Arms So(ware Reuse It is o(en good to design a program to reuse exisCng components. This can lead to be9er so(ware at

668 views • 48 slides
State-Based Testing Part B Error Identification Generating test cases for complex

State-Based Testing Part B Error Identification Generating test cases for complex

State-Based Testing Part B Error Identification Generating test cases for complex behaviour Reference: Robert V. Binder Testing Object-Oriented Systems: Models, Patterns, and Tools Addison-Wesley, 2000, Chapter

635 views • 61 slides
Computers as undocumented physical objects Daniel J. Bernstein 2013.11.03 Do you think you

Computers as undocumented physical objects Daniel J. Bernstein 2013.11.03 Do you think you

Computers as undocumented physical objects Daniel J. Bernstein 2013.11.03 Do you think you understand how a computer behaves? Conventional software engineering: Yes, we do! We build programs purely from documented features of chips. The chips

366 views • 11 slides

More recommend