c ontext k eyed p ayload e ncoding f ighting the n ext g
play

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION - PowerPoint PPT Presentation

Jul 04, 2023 •15 likes •315 views

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos dimitris at census-labs.com Census, Inc. Athens IT Security Conference (AthCon 2010) C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G

  1. C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos dimitris at census-labs.com Census, Inc. Athens IT Security Conference (AthCon 2010) C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  2. O VERVIEW I NTRODUCTION S HELLCODE D ETECTION T ECHNIQUES C ONTEXT -K EYED P AYLOAD E NCODING I MPLEMENTATION D EMONSTRATION B EST P RACTICES C ONCLUSION C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  3. I NTRODUCTION C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  4. T HE B ASICS ◮ What is shellcode ? ◮ Memory corruption bugs sometimes allow an attacker to execute her own instructions on the CPU of a vulnerable host. ◮ These instructions usually provide the attacker with a command interpreter (e.g. a UNIX shell) and that’s why they’re called shellcode . ◮ What is an Intrusion Detection System (IDS) ? ◮ A system that detects malicious activities by examining a host’s operating environment (HIDS) and/or network traffic (NIDS). ◮ This presentation focuses on: ◮ Shellcode detection techniques for NIDS. ◮ NIDS evasion techniques for stealthy shellcode. C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  5. 5 R EASONS FOR T RACKING S HELLCODE ON T HE W IRE ◮ CVE-2007-1365 OpenBSD IPv6 mbufs remote kernel buffer overflow ◮ CVE-2007-2586 Cisco IOS FTP Vulnerability ◮ CVE-2009-0065 Linux SCTP FWD Chunk Memory Corruption ◮ CVE-2009-0950 Apple iTunes ITMS Overflow ◮ CVE-2010-0239 Windows ICMPv6 Router Advertisement Vulnerability C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  6. S HELLCODE D ETECTION T ECHNIQUES C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  7. S HELLCODE E NVIRONMENT ◮ Return Address ◮ Points to an area close to the shellcode. ◮ Overwrites a saved EIP or function pointer. ◮ NOP sled ◮ Dummy instructions! ◮ They guide the instruction pointer towards the actual shellcode when its address is not known in advance. ◮ Payload ◮ Contains the shellcode instructions. C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  8. T HE 3 S CHOOLS OF M ALWARE D ETECTION ◮ Signature Matching ◮ Detect known shellcode bytes [Snort] ◮ Detect known NOP bytes (Snort thinks 25 ’C’s are a ’inc %ebx’ NOP sled) ◮ Detect known return address ranges (Buttercup) ◮ Cannot detect 0-day exploits. ◮ Anomaly Detection ◮ Perform statistical analysis on traffic (Snort SPADE) ◮ If incoming packets deviate from “normal” traffic/protocol, warn the user. ◮ Requires training. ◮ Static / Dynamic Analysis ◮ Inspect packets for code with certain characteristics (see [Polychronakis06]). ◮ Takes time... C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  9. P OLYMORPHISM AND M ETAMORPHISM ◮ Polymorphic Encoding ◮ Encrypt payload with random key. ◮ Payload instructions will be decrypted and executed at runtime. ◮ Metamorphic Encoding ◮ Reimplement a set of operations with equivalent instructions. ◮ Build tools to generate the equivalent code automatically. C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  10. T HE 3 S CHOOLS R EVISITED ◮ Signature Matching ◮ Polymorphism allows the payload to evade detection. ◮ Metamorphism allows the polymorphic decoder stub to evade detection. ◮ See “Shikata Ga Nai” encoder of Metasploit. ◮ Anomaly Detection ◮ Metamorphic encoders can produce instruction bytes that have similar statistical properties with the canonical traffic... ◮ See “Alpha2” encoder of Metasploit. ◮ Static / Dynamic Analysis ◮ Static Analysis fails to determine if a packet contains junk or a polymorphic payload. ◮ Dynamic Analysis can spot the malicious payload, once it has emulated correctly the polymorphic code! C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  11. E MULATION T ROUBLES ◮ NIDSs guard the perimeter. ◮ NIDSs with emulation support, emulate incoming packets “blindly”. ◮ Emulation happens within a fake/minimal environment. ◮ What if the shellcode depends on a piece of information from the environment of the vulnerable host? ◮ It will fail to execute on the NIDS. ◮ But it may execute correctly on the vulnerable host. ◮ Hmm, IDS evasion! C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  12. C ONTEXT -K EYED P AYLOAD E NCODING C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  13. T HE M AIN I DEA ◮ Encrypt the payload with your favorite algorithm. ◮ At execution time, get the decryption key from the environment (context) of the vulnerable host! C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  14. M EMORY - BASED K EYING ◮ Use the bytes found at a specific memory location as the encryption key. ◮ | ) ruid has implemented this for Metasploit. ◮ To find memory addresses with static values, the tool smem-map is used. ◮ See [ToorCon9] for more details. ◮ jDuck has written something similar, checking if a particular bit is set at a certain memory location. ◮ Can we guess this value for a remote host? ◮ Think about distributions that use binary packages. ◮ PIE binaries and ASLR can be an issue here. C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  15. CPU- BASED K EYING ◮ The cpuid x86 instruction returns processor information. ◮ Processor info is broken down into multiple vectors . ◮ The number of available vectors depends on the processor model. ◮ R. R. Branco and Itzik use “Vendor ID” as a shellcode encryption key (see [Troopers09]). ◮ We will extend this to include all vectors containing Basic Processor Information. ◮ XOR-ing all vector data gives us a richer 32-bit key. ◮ Can we guess this value for a remote host? ◮ Think about standard server models and Qemu guests... C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  16. T EMPORAL D ATA - BASED K EYING ◮ Build the decryption key from something that is going to be there for a certain amount of time. ◮ The Hydra shellcode engine (see [Hydra09]) uses some high-order bits from the time(2) system call. ◮ time(2) returns a 32-bit integer (secs since epoch ). ◮ We’ll use the 16 most significant bits, providing an execution window of 18 hours. ◮ Can we guess the time on a remote server? :-) ◮ Is it so difficult for this system call to be emulated? ◮ This encoder may slightly buffle reversers studying your code at a later time. But brute forcing 16bits is hardly a challenge... C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  17. F ILESYSTEM - BASED K EYING ( NEW !) ◮ Usually NIDSs don’t have access to the filesystems of the servers they are protecting. ◮ We can make a context key from filesystem metadata (see stat(2)). ◮ Good candidates: the st size and st mtime members of struct stat. ◮ st size is guessable if the target hosts a known software package in binary form. ◮ st mtime is guessable in Debian (records timestamp of last update by package maintainer). ◮ Let’s XOR these to create a context key! ◮ What happens if we stat(2) a file that we later rename/delete? ◮ Is this temporal data? :-) C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  18. I MPLEMENTATION C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  19. D ESIGN D ECISIONS ◮ Make CKPE a PenTester’s Commodity. ◮ Build on the Metasploit Framework! ◮ No Key Generator classes are available... ◮ Each CKPE method becomes a separate encoder. ◮ Context Keys are generated by aux. applications. ◮ Fed to CKP encoders via command line arguments. ◮ Actual payload encoder: Shikata Ga Nai, 32bit key. ◮ Execution in wrong context: Undefined behaviour :-) Usage example $ cd metasploit/trunk $ ./tools/stat-key /bin/ps 0xbebaf012 $ ./msfpayload linux/x86/exec CMD=/bin/sh R > /tmp/raw_payload $ ./msfencode -e x86/context_stat -t elf -i /tmp/raw_payload -o /tmp/encoded_payload \ STAT_KEY=0xbebaf012 STAT_FILE=/bin/ps $ /tmp/encoded_payload sh-3.2$ C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

S OLUTIONS A R EVIEW OF C URRENT LED I NTERIOR & E XTERIOR L IGHTING A PPLICATIONS D OUGLAS

S OLUTIONS A R EVIEW OF C URRENT LED I NTERIOR & E XTERIOR L IGHTING A PPLICATIONS D OUGLAS

C OST -E FFECTIVE LED L IGHTING S OLUTIONS A R EVIEW OF C URRENT LED I NTERIOR & E XTERIOR L IGHTING A PPLICATIONS D OUGLAS T RIMBACH V ICE P RESIDENT L IGHTING O PTIMIZERS , USA DTRIMBACH @ LIGHTINGOPTUSA . COM W HY LOOK AT L IGHTING R

575 views • 14 slides
SCD: A S CALABLE C OHERENCE D IRECTORY WITH F LEXIBLE S HARER S ET E NCODING Daniel Sanchez and

SCD: A S CALABLE C OHERENCE D IRECTORY WITH F LEXIBLE S HARER S ET E NCODING Daniel Sanchez and

SCD: A S CALABLE C OHERENCE D IRECTORY WITH F LEXIBLE S HARER S ET E NCODING Daniel Sanchez and Christos Kozyrakis Stanford University HPCA-18, February 27 th 2012 Executive Summary 2 Directories are hard to scale, degrade performance

669 views • 27 slides
Automeris louisiana Louisiana Eyed Silkmoth Citizen Science Project April August 2017

Automeris louisiana Louisiana Eyed Silkmoth Citizen Science Project April August 2017

Automeris louisiana Louisiana Eyed Silkmoth Citizen Science Project April August 2017 Jennifer Wilson, Project Leader Report prepared by Peggy Romfh Louisiana Eyed Silkmoth (LAESM) Disco Discover ered ed in in 19 1981 81 alon

245 views • 23 slides
Ramseys theorem under a computable perspective Ludovic PATEY 1 / 69 June 12, 2017 M

Ramseys theorem under a computable perspective Ludovic PATEY 1 / 69 June 12, 2017 M

M OTIVATIONS E NCODING SETS O PEN QUESTIONS Ramseys theorem under a computable perspective Ludovic PATEY 1 / 69 June 12, 2017 M OTIVATIONS E NCODING SETS O PEN QUESTIONS Motivations 2 / 69 M OTIVATIONS E NCODING SETS O PEN QUESTIONS R

1.09k views • 84 slides
POP 2016-15 Yellow-eyed penguin foraging and indirect effects Conservation Services Programme

POP 2016-15 Yellow-eyed penguin foraging and indirect effects Conservation Services Programme

POP 2016-15 Yellow-eyed penguin foraging and indirect effects Conservation Services Programme Technical Working Group Update, July 2017 MEL YOUNG, UNIVERSITY OF OTAGO POP 2016-15 Yellow-eyed penguin foraging and indirect effects Project

342 views • 31 slides
C ONTEXT The importance of post-secondary education in providing benefits both to individuals and

C ONTEXT The importance of post-secondary education in providing benefits both to individuals and

Submission to the Legislative Assembly of British Columbia Select Standing Committee on Finance and Government Services September 18, 2014 _________________________________________________________________________________ C ONTEXT The importance

329 views • 10 slides
F IGHTING AGAINST I LLEGAL , U NREPORTED AND U NREGULATED FISHING (IUU) Successes in fighting IUU

F IGHTING AGAINST I LLEGAL , U NREPORTED AND U NREGULATED FISHING (IUU) Successes in fighting IUU

Brussels Policy Brief No. 38 F IGHTING AGAINST I LLEGAL , U NREPORTED AND U NREGULATED FISHING (IUU) Successes in fighting IUU Fishing: The case of Fiji 27 th October 2014 O UTLINE Preface Location Background of Fiji Fiji Fisheries

459 views • 17 slides
Guide idelines lines for or Prop open ensity sity Scor Sc ore e Weigh ighting ting wi

Guide idelines lines for or Prop open ensity sity Scor Sc ore e Weigh ighting ting wi

St Step-by by-Step ep Guide idelines lines for or Prop open ensity sity Scor Sc ore e Weigh ighting ting wi with th Two o Grou oups ps Beth Ann Griffin 1 Four key steps 1) Choose the primary treatment effect of interest

840 views • 45 slides
Janua uary, ry, 2015 The eyed egg will multiply its size many times and in time grow into an

Janua uary, ry, 2015 The eyed egg will multiply its size many times and in time grow into an

Janua uary, ry, 2015 The eyed egg will multiply its size many times and in time grow into an adult salmon. It is a good metaphor for Cooke; we started small, weve become a good sized fish and we live in a challenging, ever-changing

439 views • 25 slides
CASCOM CASCOM C ontext- -A Aware Business Application ware Business Application S Service

CASCOM CASCOM C ontext- -A Aware Business Application ware Business Application S Service

CASCOM CASCOM C ontext- -A Aware Business Application ware Business Application S Service ervice C ontext Co- -ordination in ordination in M Mobile Computing Environments obile Computing Environments Co pecific Targeted Research

377 views • 25 slides
Yellow-eyed penguin / hoiho Megadyptes antipodes Distribution Distribution Almost all species

Yellow-eyed penguin / hoiho Megadyptes antipodes Distribution Distribution Almost all species

Yellow-eyed penguin / hoiho Megadyptes antipodes Distribution Distribution Almost all species information originates from mainland Foraging behaviour Foraging behaviour 275 of 300 dives went to seafloor Total trip duration: 11.6 hrs Time

432 views • 27 slides
C ONSISTENT M ANAGEMENT OF C ONTEXT I NFORMATION IN U BIQUITOUS S YSTEMS Gabriel

C ONSISTENT M ANAGEMENT OF C ONTEXT I NFORMATION IN U BIQUITOUS S YSTEMS Gabriel

C ONSISTENT M ANAGEMENT OF C ONTEXT I NFORMATION IN U BIQUITOUS S YSTEMS Gabriel Guerrero-Contreras gjguerrero@ugr.es Jos Luis Garrido jgarrido@ugr.es Carlos Rodrguez-Domnguez carlosrodriguez@ugr.es Sara Balderas-Daz

549 views • 27 slides
$TITLE: M5-1.GMS, ordinary least squares using NLP $ONTEXT there are I observations on two

$TITLE: M5-1.GMS, ordinary least squares using NLP $ONTEXT there are I observations on two

C:\jim\COURSES\8858\code-bk 2012\M5-1.gms Monday, January 09, 2012 6:05:32 AM Page 1 $TITLE: M5-1.GMS, ordinary least squares using NLP $ONTEXT there are I observations on two variables (set J), a dependent variables Y and an independent

457 views • 3 slides
Hoiho Threat Management and Recovery Plan Report on progress to the Annual Yellow-eyed Penguin

Hoiho Threat Management and Recovery Plan Report on progress to the Annual Yellow-eyed Penguin

Hoiho Threat Management and Recovery Plan Report on progress to the Annual Yellow-eyed Penguin Symposium 2018 Hoiho Governance/Technical Group representatives at Symposium: DOC Ian Angus Fisheries New Zealand Jenny Oliver Ngi Tahu

356 views • 17 slides
PCFG : P robabilistic C ontext F ree G rammars Presenter: Ba Dat Nguyen Advisor: Dr. Martin

PCFG : P robabilistic C ontext F ree G rammars Presenter: Ba Dat Nguyen Advisor: Dr. Martin

PCFG : P robabilistic C ontext F ree G rammars Presenter: Ba Dat Nguyen Advisor: Dr. Martin Theobald Max-Planck-Institut fr Informatik Saarbrcken, Germany Probabilistic Context Free Grammars 2 / 25 Outline Introduction P

749 views • 50 slides
cont ontext xt in af affectiv fective e or or non on-affec affectiv tive e pr

cont ontext xt in af affectiv fective e or or non on-affec affectiv tive e pr

Neur urological ological rol ole e of of cont ontext xt in af affectiv fective e or or non on-affec affectiv tive e pr primacy imacy - Asmita Bhattacharya AIM :

895 views • 10 slides
Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide Balzarotti 1 1 EURECOM 2 Cisco Systems, Inc. IEEE Symposium on Security & Privacy, May 2018 Malware and operating systems Malware and operating

690 views • 57 slides
PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug

419 views • 29 slides
Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California,

Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California,

Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California, Berkeley, CA Paul Thompson, CS Dept. Dartmouth College, Hanover, NH W2SP2007 Oakland, CA May 24, 2007 Outline 1.Motivation and Terminology

334 views • 30 slides
Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U.,

Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U.,

MIDeA: A Multi-Parallel Intrusion Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U., USA Sotiris Ioannidis, FORTH-ICS, Greece CCS 2011, 19 October 2011 Network Intrusion Detection Systems

548 views • 34 slides
CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z. rafique, j.caballero, g.gu imdea software institute success lab, texas a&m univeristy Cybercriminals use geographically distributed servers to

652 views • 24 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser Interdisciplinary Project Advisor: Lothar Braun Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M

1.02k views • 56 slides
Small is Beautiful: the design of Lua Roberto Ierusalimschy PUC-Rio Language design many

Small is Beautiful: the design of Lua Roberto Ierusalimschy PUC-Rio Language design many

Small is Beautiful: the design of Lua Roberto Ierusalimschy PUC-Rio Language design many tradeoffs similar to any other design process designers seldom talk about them what a language is not good for Typical tradeoffs

724 views • 49 slides

More recommend