faros illuminating in memory injection attacks via
play

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based - PowerPoint PPT Presentation

Dec 30, 2022 •264 likes •588 views

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic Information Flow Tracking Meisam Navaki Arefi , Geoffrey Alexander, Hooman Rokham, Aokun Chen, Michalis Faloutsos, Xuetao Wei, Daniela Seabra Oliveira and

  1. FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic Information Flow Tracking Meisam Navaki Arefi , Geoffrey Alexander, Hooman Rokham, Aokun Chen, Michalis Faloutsos, Xuetao Wei, Daniela Seabra Oliveira and Jedidiah R. Crandall

  2. Problem ● In-memory Injection attacks. ● They are becoming more and more common. ● We built a reverse engineering tool to flag them and give analysts the information they need to reverse engineer such malware. 2 ● An analyst needs visibly into memory throughout the execution.

  3. In-Memory Injection Attack ● Operates only on memory ● Acts very stealthy ● Hard to detect 3 ● An analyst needs visibly into memory throughout the execution.

  4. Threat Model ● Reflective DLL injection ● Process hollowing/replacement ● Code/process injection 4

  5. Threat Model - Reflective DLL Injection ● Reflective DLL injection refers to loading a DLL from memory rather than from disk. ● Windows doesn’t have such loading function. ● Write your own load function: Omitting some of the things Windows normally does, e.g. registering the DLL as a loaded module. 5

  6. Threat Model - Process Hollowing ● Start a process in a suspended state. ● Replace the process image with a malicious one. ● Run the process. ● Easy! 6

  7. Threat Model - Code Injection ● Write the malicious code directly to the address space of the target process. ● Have the target process run the code. ● Easy! 7

  8. Motivation ● Current malware analysis solutions, e.g. CuckooBox and memory forensics tools, are no match. ● An analyst needs visibility into memory throughout the execution to flag such attacks. ● Question: ○ How the attack was conducted? ○ What is the source of the attack? ○ ... 8

  9. Dynamic Information Flow Tracking (DIFT) ● Makes systems transparent for attack detection, enforcement of security policies and forensics* *Suh et al. 2004, Minos (Crandall and Chong 2004), TaintCheck (Newsome and Song 2005), and Vigilante (Costa et al. 2004) 9

  10. DIFT - How? I. Introduce the tags/taints II. Propagate the tags III. Check the status of tags 10

  11. Shadow Memory 11

  12. DIFT Example 12

  13. DIFT Example 13

  14. DIFT Example 14

  15. DIFT Example 15

  16. DIFT Example 16

  17. DIFT Example 17

  18. Provenance List ● Each byte could have a list of tags (provenance list). A provenance list for a specific byte 18

  19. Tag Confluence ● Two or more tags of different types can “come together”. 19

  20. Tag Confluence ● A bytes comes in from the network and then moves to the physical memory. 20

  21. Tag Confluence ● Process #1 accesses that byte. 21

  22. Flagging Policy via Provenance-based DIFT Data coming in from the network ( Netflow tag ) SHOULD NOT “come together” with linking/loading data exported by the kernel ( export table tag ). That shouldn’t happen under normal circumstances! 22

  23. Flagging Policy via Provenance-based DIFT ● Tag confluence heuristic: 23

  24. System Architecture 24

  25. Results - Reflective DLL Injection 25

  26. Results - Reflective DLL Injection 26

  27. Comparison with CuckooBox ● Most popular open-source malware analysis system. ● We tested CuckooBox on in-memory injection attacks. ● CuckooBox (along with malfind and Volatility plugins) provided limited visibility into these attacks. ● With CuckooBox, we are blind as to how the attack was conducted. 27

  28. True/False Positive Analysis ● Tested against 6 memory injection attacks and successfully flagged them all. ● Tested against 90 non-injecting malware samples and 14 benign software from various categories. ○ FAROS presented a very low false positive rate of 2% . 28

  29. Performance Evaluation ● Performance is not a priority for FAROS. ● Focused on providing a low false positive rate. ● FAROS’ slowdown is 56X compared to QEMU. 29

  30. Conclusions ● Presented FAROS, a DIFT-based reverse engineering tool, which can illuminate in-memory injection attacks. ● Tag confluence as a promising heuristic. ● Very low false positive (2%). ● FAROS ○ can save reverse engineers substantial time and effort in practice. ○ can provide reverse engineers with valuable information about any in-memory injection attacks. ● FAROS is open source: ○ https://github.com/mnavaki/FAROS 30

  31. Acknowledgments ● Our reviewers and our shepherd, Etienne Riviere. ● DARPA Trusted Computing Project (Grant No. FA8650-15-C-7565) and the U.S. National Science Foundation (Grant Nos. #1518523, #1518878). ● NSF disclaimer: Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation. 31

  32. Thank you! mnavaki@unm.edu 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Computer Science 161 Fall 2016 Nicholas Weaver Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 Nicholas Weaver You really really really

944 views • 50 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC

in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC

in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC Berkeley Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory attacks: an ongoing war David

725 views • 44 slides
SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . . Lecture 16 Page 1

646 views • 21 slides
Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to Computer Security Day 4: Low-level attacks Shellcode techniques Stephen McCamant University of Minnesota, Computer Science & Engineering

412 views • 5 slides
Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
Illuminating The JVM with FlameGraphs Nitsan Wakart (@nitsanw) Illuminating The JVM with

Illuminating The JVM with FlameGraphs Nitsan Wakart (@nitsanw) Illuminating The JVM with

Illuminating The JVM with FlameGraphs Nitsan Wakart (@nitsanw) Illuminating The JVM with FlameGraphs Nitsan Wakart (@nitsanw) By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=196363 Thanks! I, Programmer Performance

942 views • 39 slides
CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year:

CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year:

CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year: 2019; } Historical background (might be historically inaccurate) ~2007: Gareth Heyes, David Lindsay and Eduardo Vela (from sla.ckers.org) published

412 views • 15 slides
Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William G.J. Halfond Alessandro Orso Panagiotis Manolios Georgia Institute of Technology Supported by NSF awards CCR-0205422 and CCR-0306372 to GA Tech and

678 views • 34 slides
Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William Halfond & Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to

187 views • 17 slides
kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

Introduction RX Fine-grained KASLR Evaluation kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos Petsios 1 Angelos D. Keromytis 1 Michalis Polychronakis 2 Vasileios P. Kemerlis 3 1 Columbia

1.18k views • 66 slides
A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring

A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring

Session 3 - Oscillators and PLLs A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring Oscillator Somok Mondal and Drew A. Hall University of California, San Diego La Jolla, CA, (USA) IEEE CICC, Austin, TX,

652 views • 29 slides
RD53A injection capacitor measurement results & RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results & RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results & RD53A pixel hit delay measurement results 2/02/2018 Magne Lauritzen Part 1 Injection capacitor measurement Goal Measure capacitance of the injection capacitors that are present on

423 views • 16 slides
Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words

Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words

Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words containing -tion . Teach When we see - tion in a word, it makes the sound /shun/. Look at these words below: attention potion section mention Teach

142 views • 13 slides
Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is

Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is

Can strace make you fail? strace syscall fault injection Dmitry Levin FOSDEM 2017 What is strace? A diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor interactions between processes and the Linux

541 views • 24 slides
Long Baseline NF a la NuMAX J. Pasternak, IC London/STFC-RAL-ISIS D. Kelliher, STFC-RAL-ASTeC 11

Long Baseline NF a la NuMAX J. Pasternak, IC London/STFC-RAL-ISIS D. Kelliher, STFC-RAL-ASTeC 11

Decay Ring Design for Long Baseline NF a la NuMAX J. Pasternak, IC London/STFC-RAL-ISIS D. Kelliher, STFC-RAL-ASTeC 11 August 2015, CBPF, Rio De Janeiro, Brazil, nufact15 Outline Introduction IDS-NF decay ring FDDF ring for NuMax

368 views • 26 slides
Particle Acceleration Particle Acceleration and Injection Problem in Shocks and Injection

Particle Acceleration Particle Acceleration and Injection Problem in Shocks and Injection

Particle Acceleration Particle Acceleration and Injection Problem in Shocks and Injection Problem in Shocks Masahiro Hoshino Masahiro Hoshino University of Tokyo University of Tokyo Acknowledgments for Advice and Comments: A. Amano, Y.

350 views • 23 slides
More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas

More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas

More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas ELCE17 Wolfram Sang, Consultant / Renesas Robust I2C with fault-injection ELCE17 1 / 24 Motivation It really got personal I2C maintainer since

257 views • 24 slides

More recommend