Behavior-Based Detection The old way match syntactic signatures: - PowerPoint PPT Presentation

Extraction Of The Behavioral Profile • In this step, we process the execution trace provided by the „dynamic analysis‟ step • Goal: abstract from the system call trace – system calls can vary significantly, even between programs that exhibit the same behavior – remove execution-specific artifacts from the trace • A behavioral profile is an abstraction of the program's execution trace that accurately captures the behavior of the binary

Reasons For An Abstract Behavioral Description • Different ways to read from a file: f = fopen(“C: \\ test”); f = fopen(“C: \\ test”); B: read(f, 1); read(f, 3); A: read(f, 1); read(f, 1); • Different system calls with similar semantics – e.g., NtCreateProcess, NtCreateProcessEx • You can easily interleave the trace with unrelated calls: C: f = fopen (“C: \\ test”); read(f, 1); readRegValue(..); read(f, 1);

Reasons For An Abstract Behavioral Description • Different ways to read from a file: f = fopen(“C: \\ test”); f = fopen(“C: \\ test”); B: read(f, 1); read(f, 3); A: read(f, 1); read(f, 1); • Different system calls with similar semantics – e.g., NtCreateProcess, NtCreateProcessEx • You can easily interleave the trace with unrelated calls: C: f = fopen (“C: \\ test”); read(f, 1); readRegValue(..); read(f, 1);

Reasons For An Abstract Behavioral Description • Different ways to read from a file: f = fopen(“C: \\ test”); f = fopen(“C: \\ test”); B: read(f, 1); read(f, 3); A: read(f, 1); read(f, 1); • Different system calls with similar semantics – e.g., NtCreateProcess, NtCreateProcessEx • You can easily interleave the trace with f = fopen(“C: \\ test”); unrelated calls: read(f, 1); C: readRegValue(..); read(f, 1);

Reasons For An Abstract Behavioral Description • Different ways to read from a file: f = fopen(“C: \\ test”); f = fopen(“C: \\ test”); B: read(f, 1); read(f, 3); A: read(f, 1); read(f, 1); • Different system calls with similar semantics – e.g., NtCreateProcess, NtCreateProcessEx • You can easily interleave the trace with f = fopen(“C: \\ test”); unrelated calls: read(f, 1); C: readRegValue(..); read(f, 1);

Reasons For An Abstract Behavioral Description • Different ways to read from a file: f = fopen(“C: \\ test”); f = fopen(“C: \\ test”); B: read(f, 1); read(f, 3); A: read(f, 1); read(f, 1); • Different system calls with similar semantics – e.g., NtCreateProcess, NtCreateProcessEx • You can easily interleave the trace with f = fopen (“C: \\ test”); unrelated calls: C: read(f, 1); readRegValue(..); read(f, 1);

Elements Of A Behavioral Profile • OS Objects: represent a resource such as a file that can be manipulated via system calls – has a name and a type • OS Operations: generalization of a system call – carried out on an OS object – the order of operations is irrelevant – the number of operations on a certain resource does not matter • Object Dependencies: model dependencies between OS objects (e.g., a copy operation from a source file to a target file) – also reflect the true order of operations • Control Flow Dependencies: reflect how tainted data is used by the program (comparisons with tainted data)

Scalable Clustering • Most clustering algorithms require to compute the distances between all pairs of points => O(n 2 ) • Use LSH (locality sensitive hashing), a technique introduced by Indyk and Motwani, to compute an approximate clustering that requires less than n 2 distance computations • Clustering algorithm takes as input a set of malware samples where each malware sample is represented as a set of features  we have to transform each behavioral profile into a feature set first • Our similarity measure: Jaccard Index defined as    ( , ) | | / | | J a b a b a b

LSH Clustering • We are performing an approximate, single-linkage hierarchical clustering: • Step 1: Locality Sensitive Hashing – to cluster a set of samples we have to choose a similarity threshold t – the result is an approximation of the true set of all near (as defined by the parameter t) pairs • Step 2: Single-Linkage hierarchical clustering

Evaluating Clustering Quality (Jha) • For assessing the quality of the clustering algorithm, we compare our clustering results with a reference clustering of the same sample set – since no reference clustering for malware exists, we had to create it first • Reference Clustering: 1. we obtained a random sampling of 14,212 malware samples that were submitted to Anubis from Oct. 27 th 2007 to Jan. 31 st 2008 2. we scanned each sample with 6 different virus scanners 3. we selected only those samples for which the majority of the anti-virus programs reported the same malware family. This resulted in a total of 2,658 samples. 4. we manually corrected classification problems

Quantitative Evaluation (Jha) • We ran our clustering algorithm with a similarity threshold t = 0.7 on the reference set of 2,658 samples. • Our system produced 87 clusters while the reference clustering consists of 84 clusters. • Precision: 0.984 – precision measures how well a clustering algorithm distinguishes between samples that are different • Recall: 0.930 – recall measures how well a clustering algorithm recognizes similar samples

Comparative Evaluation (Jha) Behavioral Similarity Clustering Optimal Quality Description Measure Threshold Bailey- NCD Exact 0.75 0.916 profile Bailey- Jaccard Exact 0.63 0.801 Profile Index Jaccard Syscalls Exact 0.19 0.656 Index Jaccard Our Profile Exact 0.61 0.959 Index Jaccard Our Profile LSH 0.60 0.959 Index

Performance Evaluation (Jha) • Input: 75,692 malware samples • Previous work by Bailey et al (extrapolated from their results of 500 samples): Number of distance calculations: 2,864,639,432 Time for a single distance calculation: 1.25 ms Runtime: 995 hours (~ 6 weeks) • Our results: Number of distance calculations: 66,528,049 Runtime: 2h 18min

Malware Clustering • Ulrich Bayer, Paolo Milani Comparetti, Clemens Hlauschek, Christopher Krügel, Engin Kirda – Scalable, Behavior-Based Malware Clustering. – NDSS 2009 • ANUBIS by Somesh Jha et al

Taint Analysis 45

Paper • Edward J. Schwartz, Thanassis Avgerinos, and David Brumley – All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). – IEEE Symposium on Security and Privacy 2010 46

Two Essential Runtime Analyses Detect Detect Exploits packing in [Costa2005,Crandall2005, malware Newsome2005,Suh2004] [Bayer2009,Yin2007] Dynamic Taint Analysis: What values are derived from user input? Automated Test Input Filter Case Generation Generation [Cadar2008,Godefroid2005,Sen200 [ Costa2007,Brumley2008 ] 5] Forward Symbolic Execution: What input will make execution reach this line of code? 47

Δ tainted untainted Var Val x = get_input( ) x 7 y = x + 42 … Input is goto y tainted τ Taint Introduction Tainted Var ? t = T x Input get_input( src ) ↓ t IsUntrusted( src ) 48

Δ tainted untainted Var Val x = get_input( ) x 7 y = x + 42 y 49 Data derived from … user input is goto y tainted τ Taint Propagation Tainted Var ? T t 1 = τ [x 1 ] , t 2 = τ [x 2 ] x BinO x 1 + x 2 ↓ t 1 v t 2 T y p 49

Δ tainted untainted Var Val x = get_input( ) x 7 y = x + 42 y 49 … Policy Violation goto y Detected τ Taint Checking Tainted Var ? T x P goto (t a ) = ¬ t a T y (Must be true to execute) 50

Real Use: Exploit Detection x = get_input( ) y = … … goto y Jumping to … overwritten strcpy(buffer,argv[1] return ) ; address … return ; 51

Memory Load Variables Memory Δ μ Var Val Add Val r x 7 7 42 τ τ μ Tainted Tainted Var Add ? T r 7 ? F x 52

Problem: Memory Addresses Var Val Δ x = get_input( ) x 7 y = load( x ) … Add Val μ goto y r 7 42 All values derived from user input are Tainted Add tainted?? τ μ r 7 ? F 53

Policy 1: Taint depends only on the memory cell Var Val Δ Jump target x = get_input( ) x 7 Undertainting could be any y = load( x ) untainted Failing to identify tainted … Add Val memory cell μ goto y value values r 7 42 - e.g., missing exploits Taint Propagation Tainted Add τ μ v = Δ[ x] , t = Loa r 7 ? F load(x) ↓ t τ μ [v] d 54

If either the address or the Policy 2: memory cell is tainted, then the value is tainted Memory x = get_input( ) Overtainting Address y = load(jmp_table + x % 2 ) expression Unaffected values are is tainted … tainted jmp_table printa goto y - e.g., exploits on safe printb Policy Violation? inputs Taint Propagation v = Δ[ x] , t = τ μ [v], t a = Loa τ [x] load(x) ↓ t v t a d 55

Research Challenge State-of-the-Art is not perfect for all programs Undertainting: Overtainting: Policy may miss Policy may wrongly taint detect taint 56

The Challenge bad_abs(x is input) if (x < 0) then 2 32 possible return -x inputs if (x = 0x12345678) then return -x return x 0x1234567 8 Forward Symbolic Execution: What input will make execution reach this line of code? 57

A Simple Example x symbolic Interprete bad_abs(x is input) can have r any value What input will Interprete Interprete make execution If (x < 0) r r reach this line of x ≥ 0 t f code? Interprete Interprete return -x If x == 0x12345678 r r t f x < 0 return x return -x x ≥ 0 Λ x ≥ 0 Λ x != x == 0x12345678 0x12345678 58

One Problem: Exponential Blowup Due to Branches Interpreter Branch 1 Branch 2 Branch 3 Exponential Number of Interpreters/formulas in # of branches 59

Path Selection Heuristics Symbolic Execution Tree However, these are heuristics. In the worst case all create an exponential number of formulas in the tree height. • Depth-First Search (bounded) ,Random Search … [Cadar2008] • Concolic Testing [Sen2005,Godefroid2008] 60

Symbolic Execution is not Easy • Exponential number of interpreters/formulas branching • Exponentially-sized formulas s + s + s + s + substitutio s + s + s + s == 42 n • Solving a formula is NP-Complete! 61

Other Important Issues Formaliz ation More comple x policies Π = ( s + s + s + s + s + s + s + s) == 42 62

Summary • Dynamic taint analysis and forward symbolic execution used extensively in literature – Formal algorithm and what is done for each possible step of execution often not emphasized 63

Problem: Memory Addresses Var Val Δ x = get_input( ) x 7 y = load( x ) … Add Val μ goto y r 7 42 Tainted Add τ μ r 7 ? F 64

Software Fault Isolation

Software Fault Isolation [Whabe et al., 1993] Goal : confine apps running in same address space – Codec code should not interfere with media player – Device drivers should not corrupt kernel Simple solution: runs apps in separate address spaces – Problem: slow if apps communicate frequently • requires context switch per message

Software Fault Isolation SFI approach: – Partition process memory into segments code data code data segment segment segment segment • Locate unsafe instructions: jmp, load, store app #1 app #2 – At compile time, add guards before unsafe instructions – When loading code, ensure all guards are present

Segment matching technique • Designed for MIPS processor. Many registers available. Guard ensures code does not • dr1, dr2 : dedicated registers not used by binary load data from another segment – compiler pretends these registers don ’ t exist – dr2 contains segment ID • Indirect load instruction R12  [R34] becomes: dr1  R34 scratch-reg  (dr1 >> 20) : get segment ID compare scratch-reg and dr2 : validate seg. ID trap if not equal R12  [dr1] : do load

Address sandboxing technique • dr2 : holds segment ID • Indirect load instruction R12  [R34] becomes: dr1  R34 & segment-mask : zero out seg bits dr1  dr1 | dr2 : set valid seg ID R12  [dr1] : do load • Fewer instructions than segment matching … but does not catch offending instructions • Similar guards places on all unsafe instructions

Problem : what if jmp [addr] jumps directly into indirect (bypassing guard) Solution: jmp guard must ensure [addr] does not bypass load guard

Cross domain calls caller callee domain domain call stub draw: call draw return br addr br addr ret stub br addr br addr br addr br addr • Only stubs allowed to make cross-domain jumps • Jump table contains allowed exit points – Addresses are hard coded, read-only segment

SFI Summary • Shared memory: use virtual memory hardware – map same physical page to two segments in addr space • Performance – Usually good: mpeg_play, 4% slowdown • Limitations of SFI: harder to implement on x86 : – variable length instructions: unclear where to put guards – few registers: can ’ t dedicate three to SFI – many instructions affect memory: more guards needed

Finding%Bugs/VulnerabiliAes% • ABackers:% – Find%vulnerabiliAes% – Weaponize%them%(exploit%the%vulnerabiliAes)% – Use%exploits%to%compromise%machines%&%systems% – Exploits%are%worth%money% Find% Create% $$$% Compromise% Vulnerability% Exploit% Dawn%Song%

Market%for%0days% • Sell%for%$10KR1M% Dawn%Song%

Finding%Bugs/VulnerabiliAes% • Defenders:% – Find%vulnerabiliAes%&%eliminate%them% • Improve%security%of%so)ware% • Easier%and%cheaper%to%fix%a%vulnerability%before%so)ware%deployed% • A)er%deployed:%patching%is%expensive% – Ideally%prove%a%program%is%free%of%vulnerabiliAes% Lower%cost% Internal%fix% Bug%finding% Bug%fixing% Higher%cost% Patch% Dawn%Song%

Example:%StaAc%Device%Verifier% • Verifies%that%drivers%are%not%making%illegal%funcAon%calls%or% causing%system%corrupAon% – SLAM%project%at%Microso)% – hBp://research.microso).com/enRus/projects/slam% • “The%requirements%for%the%Windows%logo%program%( now$ Windows$Hardware$Cer.fica.on$Program )%state%that%a% driver%must%not%fail%while%running%under%Driver%Verifier.”% Dawn%Song%

Techniques%&%Approaches% Program%% AutomaAc%test% StaAc%analysis% verificaAon% case%generaAon% Fuzzing% Dynamic% Symbolic% ExecuAon% Higher%coverage% Lower%coverage% Lower%false%negaAve% Lower%false%posiAve% Higher%false%posiAve% Higher%false%negaAve% Dawn%Song%

Fuzzing% Dawn%Song%

Finding%bugs%in%PDF%viewer% PDF%viewer% ?" Dawn%Song%

BlackRbox%Fuzz%TesAng% • Given%a%program,%simply%feed%it%random%inputs,%see% whether%it%crashes% • Advantage:%really%easy% • Disadvantage:%inefficient% – Input%o)en%requires%structures,%random%inputs%are%likely% to%be%malformed% – Inputs%that%would%trigger%a%crash%is%a%very%small%fracAon,% probability%of%ge`ng%lucky%may%be%very%low% Dawn%Song%

Fuzzing% AutomaAcally%generate%test%cases% • Many%slightly%anomalous%test%cases%are%input%into%a%target% • ApplicaAon%is%monitored%for%errors% • Inputs%are%generally%either%file%based%(.pdf,%%.png,%.wav,%.mpg)% • Or%network%based…% • hBp,%SNMP,%SOAP% – Monitor% Input% Inputs% ApplicaAon% Generator% Dawn%Song%

Regression%vs.%Fuzzing% Regression" Fuzzing" DefiniAon% Run%program%on%many% normal % Run%program%on%many% abnormal % inputs,%look%for%badness.% inputs,%look%for%badness.% % Goals% Prevent% normal"users" from% Prevent% a2ackers %from%encountering% encountering%errors%(e.g.%asserAon% exploitable %errors%(e.g.%asserAon% failures%are%bad).% failures%are%o)en%ok).% Dawn%Song%

Enhancement%I:%MutaAonRBased%Fuzzing% Take%a%wellRformed%input,%randomly%perturb%(flipping%bit,%etc.)% • • LiBle%or%no%knowledge%of%the%structure%of%the%inputs%is%assumed% • Anomalies%are%added%to%exisAng%valid%inputs% • Anomalies%may%be%completely%random%or%follow%some%heurisAcs%(e.g.%remove%NUL,%shi)% character%forward)% • Examples:% E.g.,%ZZUF,%very%successful%at%finding%bugs%in%many%realRworld%programs,% – hBp://sam.zoy.org/zzuf/% Taof,%GPF,%ProxyFuzz,%FileFuzz,%Filep,%etc.% – Crash?% Feed%to%program% Take%an%input% Perturb% Dawn%Song%

Example:%fuzzing%a%pdf%viewer% Google%for%.pdf%(about%1%billion%results)% • Crawl%pages%to%build%a%corpus%% • Use%fuzzing%tool%(or%script)% • 1. Grab%a%file% 2. Mutate%that%file% 3. Feed%it%to%the%program% 4. Record%if%it%crashed%(and%input%that%crashed%it)% Dawn%Song%

MutaAonRbased%Fuzzing%In%Short% MutaAonR % % % % Super%easy%to% LiBle%to%no%protocol% Limited%by%iniAal% May%fail%for%protocols% based% setup%and% knowledge%required% corpus% with%checksums,%those% automate% % % which%depend%on% challenge%% % Dawn%Song%

Enhancement%II:%GeneraAonRBased%Fuzzing% Test%cases%are%generated%from%some%descripAon%of%the%format:%RFC,% • documentaAon,%etc.% Using%specified%protocols/file%format%info% – E.g.,%SPIKE%by%Immunity% – hBp://www.immunitysec.com/resourcesRfreeso)ware.shtml% Anomalies%are%added%to%each%possible%spot%in%the%inputs% • Knowledge%of%protocol%should%give%beBer%results%than%random%fuzzing% • RFC% Crash?% …% Generate% Take%a%spec% Feed%to%program% concrete%inputs% Dawn%Song%

Example:%Protocol%DescripAon% //png.spk //author: Charlie Miller // Header - fixed. s_binary("89504E470D0A1A0A"); // IHDRChunk s_binary_block_size_word_bigendian("IHDR"); //size of data field s_block_start("IHDRcrc"); s_string("IHDR"); // type s_block_start("IHDR"); // The following becomes s_int_variable for variable stuff // 1=BINARYBIGENDIAN, 3=ONEBYE s_push_int(0x1a, 1); // Width s_push_int(0x14, 1); // Height s_push_int(0x8, 3); // Bit Depth - should be 1,2,4,8,16, based on colortype s_push_int(0x3, 3); // ColorType - should be 0,2,3,4,6 s_binary("00 00"); // Compression || Filter - shall be 00 00 s_push_int(0x0, 3); // Interlace - should be 0,1 s_block_end("IHDR"); s_binary_block_crc_word_littleendian("IHDRcrc"); // crc of type and data s_block_end("IHDRcrc"); ... Dawn%Song%

GeneraAonRBased%Fuzzing%In%Short% MutaAonR Super%easy%to% LiBle%to%no%protocol% Limited%by% May%fail%for%protocols% setup%and% knowledge%required% iniAal%corpus% with%checksums,%those% based% automate% % % which%depend%on% challenge%% % Have%to%have%spec%of% GeneraAon WriAng% Completeness% Can%deal%with%complex% protocol%(O)en%can% generator%can%be% dependencies%e.g.% Rbased% find%good%tools%for% labor%intensive% checksums% exisAng%protocols%e.g.% for%complex% % hBp,%SNMP)% protocols% Dawn%Song%

Fuzzing%Tools%&%Frameworks% Bug%detecAon% Input%generaAon% Input%injecAon% Dawn%Song%

Input%GeneraAon% ExisAng%generaAonal%fuzzers%for%common%protocols%()p,%hBp,%SNMP,%etc.)% • – Mu%Dynamics,%Codenomicon,%PROTOS,%FTPFuzz,%WebScarab% Fuzzing%Frameworks:%providing%a%fuzz%set%with%a%given%spec% • – SPIKE,%Peach,%Sulley% MutaAonRbased%fuzzers% • – Taof,%GPF,%ProxyFuzz,%PeachShark% Special%purpose%fuzzers% • – AcAveX%(AxMan),%regular%expressions,%etc.% Dawn%Song%

Input%InjecAon% • Simplest% – Run%program%on%fuzzed%file% – Replay%fuzzed%packet%trace%% • Modify%exisAng%program/client% – Invoke%fuzzer%at%appropriate%point% • Use%fuzzing%framework% – e.g.%Peach%automates%generaAng%COM%interface%fuzzers% Dawn%Song%

Bug%DetecAon% • See%if%program%crashed% – Type%of%crash%can%tell%a%lot%(SEGV%vs.%assert%fail)% Run%program%under%dynamic%memory%error%detector%(valgrind/purify)% • – Catch%more%bugs,%but%more%expensive%per%run.% See%if%program%locks%up% • Write%your%own%checker:%e.g.%valgrind%skins% • Dawn%Song%

Workflow%AutomaAon% • Sulley,%Peach,%MuR4000% – %Provide%tools%to%aid%setup,%running,%recording,%etc.% • Virtual%machines:%help%create%reproducible% workload% % Dawn%Song%

How%Much%Fuzzing%Is%Enough?% • MutaAon%based%fuzzers%may%generate%an%infinite%number%of% test%cases...%%When%has%the%fuzzer%run%long%enough?% • GeneraAon%based%fuzzers%may%generate%a%finite%number%of% test%cases.%%What%happens%when%they � re%all%run%and%no%bugs% are%found?% Dawn%Song%

Code%Coverage% • Some%of%the%answers%to%these%quesAons%lie% in% code$coverage$ • Code%coverage%is%a%metric%which%can%be%used% to%determine%how%much%code%has%been% executed.% • Data%can%be%obtained%using%a%variety%of% profiling%tools.%e.g.% gcov ! % Dawn%Song%

Line%Coverage% Line/block%coverage:% Measures%how%many%lines%of% if( a > 2 ) source%code%have%been%executed.% a = 2; % if( b > 2 ) For%the%code%on%the%right,%how%many%test%cases% b = 2; (values%of%pair%(a,b))%needed%for%full(100%)%line% coverage?% Dawn%Song%

Branch%Coverage% Branch%coverage:% Measures%how%many% if( a > 2 ) branches%in%code%have%been%taken% a = 2; if( b > 2 ) (condiAonal%jmps)% b = 2; % For%the%code%on%the%right,%how%many%test%cases% needed%for%full%branch%coverage?% Dawn%Song%

Path%Coverage% Path%coverage:% Measures%how%many% if( a > 2 ) a = 2; paths%have%been%taken.% if( b > 2 ) % b = 2; For%the%code%on%the%right,%how%many%test%cases% needed%for%full%path%coverage?% Dawn%Song%

Code%Coverage% Benefits:% • – How%good%is%this%iniAal%file?% – Am%I%ge`ng%stuck%somewhere?% if(packet[0x10] < 7) { //hot path } else { //cold path } – How%good%is%fuzzer%X%vs.%fuzzer%Y% – Am%I%ge`ng%benefits%from%running%a%different%fuzzer?% % Dawn%Song%

Problems%of%code%coverage% • For:% mySafeCpy(char *dst, char* src){ if(dst && src) strcpy(dst, src); } • Does%full%line%coverage%guarantee%finding%the%bug?% %○%%Yes %%%%%○%%No% % % Dawn%Song%