network level polymorphic shellcode detection using
play

Network-level Polymorphic Shellcode Detection using Emulation - PowerPoint PPT Presentation

Dec 22, 2023 •222 likes •771 views

Network-level Polymorphic Shellcode Detection using Emulation Michalis Polychronakis, Kostas Anagnostakis, and Evangelos Markatos Institute of Computer Science Foundation for Research and Technology Hellas Crete, Greece DIMVA06 - 13

  1. Network-level Polymorphic Shellcode Detection using Emulation Michalis Polychronakis, Kostas Anagnostakis, and Evangelos Markatos Institute of Computer Science Foundation for Research and Technology – Hellas Crete, Greece DIMVA’06 - 13 July 2006 FORTH-ICS Michalis Polychronakis 1

  2. Outline � Introduction – related work � Evasion techniques � Emulation-based detection � Performance evaluation � Open issues FORTH-ICS Michalis Polychronakis 2

  3. Remote System Compromise Attacker/worm exploits a software vulnerability 1 Place the attack code into a buffer 2 Divert the execution flow of the vulnerable process Stack/heap/integer overflow � Format string abuse � Arbitrary data corruption � 3 Execute the injected code ( shellcode ) Performs arbitrary operations under the privileges of the process � that has been exploited \xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00 FORTH-ICS Michalis Polychronakis 3

  4. Signature-based Detection � Hand-crafted signatures GET default.ida?NNNNNNNNNNN… � � Also for unknown attacks Generic signatures for suspicious code sequences � NOP sleds, system calls, … � � Automated signature generation Honeycomb, Earlybird, Autograph, PADS, Polygraph, Hamsa, … � Common idea: find invariant parts among multiple attack instances � Then turned into token subsequences � regular expressions � Effective only for noisy worm-like attacks � FORTH-ICS Michalis Polychronakis 4

  5. Polymorphism (1/2) � Naïve encryption decryptor encrypted data � The decryptor remains the same in each attack instance � Easy to fingerprint using typical string signatures attack code � NOP code interspersion NOPs � NOPs’ type/position/number varies in each instance � Can be fingerprinted using regular expressions FORTH-ICS Michalis Polychronakis 5

  6. Polymorphism (2/2) � Code obfuscation/metamorphism � Instruction substitution � Code block transposition push 0xF3 mov eax,0xF3 � Register reassignment pop eax � Dead code insertion � Hard to fingerprint using regexps if applied extensively � Combination of all techniques decryptor encrypted data � Signature extraction becomes infeasible FORTH-ICS Michalis Polychronakis 6

  7. Static Analysis Based Detection Recent proposals heuristically identify malicious code inside network � flows using static binary code analysis [Kruegel’05, Chinchani’05, Payer’05, Wang’06] � Step forward – beyond pattern-matching � Do not depend on invariant content � Basic steps � Disassembly 1 Control Flow Graph extraction 2 Initial approaches focused only on the � shellcodes’ sled component Abstract Payload Execution [Kruegel’02] � Pioneer network-level static analysis work Orthogonal to above approaches � FORTH-ICS Michalis Polychronakis 7

  8. Static Analysis Resistant Shellcode (1/4) � Static binary code analysis is generally accurate for compiled and well-structured binaries � Shellcode is not normal code! � Written/tweaked at assembly level: complete freedom… � The attacker can specially craft the shellcode to hinder disassembly and CFG extraction � Anti-disassembly tricks � Indirect addressing jmp ebx � Self-modifying code FORTH-ICS Michalis Polychronakis 8

  9. Static Analysis Resistant Shellcode (2/4) � Running example � Encrypted shellcode generated by the Countdown engine of the Metasploit Framework � Slightly modified with a self-modification \x6A\x7F\x59\xE8\xFF\xFF\xFF\xFF\xC1\x5E\x80 \x46\x0A\xE0\x30\x4C\x0E\x0B\x02\xFA... � Let’s try to figure out what this code does FORTH-ICS Michalis Polychronakis 9

  10. Static Analysis Resistant Shellcode (3/4) � Linear disassembly can be easily tricked Linear Disassembly 00 6A7F push byte +0x7f 02 59 pop ecx 03 E8FFFFFFFF call 0x7 08 C15E8046 rcr [esi-0x80],0x46 0C 0AE0 or ah,al 0E 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 10

  11. Static Analysis Resistant Shellcode (3/4) � Linear disassembly can be easily tricked Linear Disassembly 00 6A7F push byte +0x7f 02 59 pop ecx Jumps to the middle 03 E8FFFFFFFF call 0x7 08 C15E8046 rcr [esi-0x80],0x46 of itself 0C 0AE0 or ah,al 0E 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 11

  12. Static Analysis Resistant Shellcode (3/4) � Linear disassembly can be easily tricked Linear Disassembly Recursive Traversal Disassembly 00 6A7F push byte +0x7f 00 6A7F push byte +0xf 02 59 pop ecx 02 59 pop ecx 03 E8FFFFFF FF call 0x7 03 Jumps to the middle E8FFFFFFFF call 0x7 08 C15E8046 rcr [esi-0x80],0x46 07 FFC1 inc ecx of itself 0C 0AE0 or ah,al 09 5E pop esi 0a 80460AE0 add [esi+0xa],0xe0 0E 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 0e 304C0E0B xor [esi+ecx+0xb],cl 14 12 02FA add bh,dl ... <encrypted shellcode> 14 93 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 12

  13. Static Analysis Resistant Shellcode (3/4) � Linear disassembly can be easily tricked Linear Disassembly Recursive Traversal Disassembly 00 6A7F push byte +0x7f 00 6A7F push byte +0x7f 02 59 pop ecx 02 59 pop ecx much better, but not 03 E8FFFFFF FF call 0x7 03 Jumps to the middle E8FFFFFFFF call 0x7 08 C15E8046 rcr [esi-0x80],0x46 07 FFC1 the real code inc ecx of itself 0C 0AE0 or ah,al 09 5E pop esi that will be eventually 0a 80460AE0 add [esi+0xa],0xe0 0E 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 0e 304C0E0B xor [esi+ecx+0xb],cl executed! 14 12 02FA add bh,dl ... <encrypted shellcode> 14 93 ... <encrypted shellcode> 93 � Recursive traversal disassembly is still not enough… FORTH-ICS Michalis Polychronakis 13

  14. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx 03 E8FFFFFFFF call 0x7 07 FFC1 inc ecx 09 5E pop esi 0a 80460AE0 add [esi+0xa],0xe0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 14

  15. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx pop ecx ecx = 0x7F 03 E8FFFFFFFF call 0x7 07 FFC1 inc ecx 09 5E pop esi 0a 80460AE0 add [esi+0xa],0xe0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 15

  16. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx pop ecx ecx = 0x7F 03 E8FFFFFFFF call 0x7 call 0x7 (push 0x8) 07 FFC1 inc ecx 09 5E pop esi 0a 80460AE0 add [esi+0xa],0xe0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 16

  17. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx pop ecx ecx = 0x7F 03 E8FFFFFFFF call 0x7 call 0x7 (push 0x8) 07 FFC1 inc ecx inc ecx ecx = 0x80 09 5E pop esi 0a 80460AE0 add [esi+0xa],0xe0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 17

  18. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx pop ecx ecx = 0x7F 03 E8FFFFFFFF call 0x7 call 0x7 (push 0x8) 07 FFC1 inc ecx inc ecx ecx = 0x80 09 5E pop esi pop esi esi = 0x8 0a 80460AE0 add [esi+0xa],0xe0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 18

  19. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx pop ecx ecx = 0x7F 03 E8FFFFFFFF call 0x7 call 0x7 (push 0x8) 07 FFC1 inc ecx inc ecx ecx = 0x80 09 5E pop esi pop esi esi = 0x8 0a 80460AE0 add [esi+0xa],0xe0 add [esi+0xa],0xe0 ADD [12] 0xE0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Shellcode Shellcode A set of instructions injected and

Shellcode Shellcode A set of instructions injected and

Shellcode Shellcode A set of instructions injected and executed by exploited software Also called a payload Denoted as shellcode because

606 views • 49 slides
Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of Ammonia Ammonia A A i i Ne w Me thod Validate d F ollowing E PA Guidanc e AT AT P Case #: N08 0004 P Case #: N08-0004 E dwa rd F Aske w

551 views • 32 slides
Problems and methods for attribute detection of social network users Anton Korshunov Institute

Problems and methods for attribute detection of social network users Anton Korshunov Institute

Problems and methods for attribute detection of social network users Anton Korshunov Institute for System Programming of Russian Academy of Sciences RCDL-2013 Contents Network Level: User Community Detection 1 User Level: Demographic

628 views • 41 slides
ScrambleSuit: A Polymorphic Network Protocol to Circumvent Censorship Philipp Winter 1 , Tobias

ScrambleSuit: A Polymorphic Network Protocol to Circumvent Censorship Philipp Winter 1 , Tobias

ScrambleSuit: A Polymorphic Network Protocol to Circumvent Censorship Philipp Winter 1 , Tobias Pulls 1 , and J urgen Fu 2 1 Karlstad University 2 FH Hagenberg November 4, 2013 Using Tor in China GFW actively probes bridges! . . . and

690 views • 24 slides
Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure

Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure

Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure Software Systems Binary-level GDB commands and demo Day 5: Memory safety attacks In-person lab logistics reminders Stephen McCamant Project 1 bcimgview

1.17k views • 6 slides
Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop

Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop

White Hat Shellcode Workshop Didier Stevens Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop . First example: loading/unloading a DLL Start calc.exe Start procexp.exe (Process Explorer) and

471 views • 23 slides
This time on Types ... Polymorphic -calculus (polymorphic -binding). Lets us type: f ((

This time on Types ... Polymorphic -calculus (polymorphic -binding). Lets us type: f ((

This time on Types ... Polymorphic -calculus (polymorphic -binding). Lets us type: f (( f true ) :: ( f nil )) -bound variables in ML cannot be used polymorphically within a function abstraction E.g. f (( f true ) :: ( f nil ))

945 views • 23 slides
Polymorphic Lists &amp; Trees Department of Computer Science University of Maryland, College Park

Polymorphic Lists &amp; Trees Department of Computer Science University of Maryland, College Park

CMSC 132: Object-Oriented Programming II Polymorphic Lists &amp; Trees Department of Computer Science University of Maryland, College Park Polymorphic Binary Search Trees Second approach to implement BST What do we mean by polymorphic?

329 views • 9 slides
Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection Systems Signature Based IDS Monitor packets on the network Compare them against database of signatures/attributes from known threats

476 views • 26 slides
Polymorphic &amp; Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses

Polymorphic &amp; Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses

Polymorphic &amp; Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses (1) } Why polymorphism? } Anti-virus scanners detect viruses by looking for signatures (snippets of known virus code) } Virus writers

641 views • 40 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
POLYMORPHIC ON-CHIP NETWORKS Martha Mercaldi Kim, John D. Davis*, Mark Oskin, Todd Austin**

POLYMORPHIC ON-CHIP NETWORKS Martha Mercaldi Kim, John D. Davis*, Mark Oskin, Todd Austin**

POLYMORPHIC ON-CHIP NETWORKS Martha Mercaldi Kim, John D. Davis*, Mark Oskin, Todd Austin** University of Washington *Microsoft Research, Silicon Valley ** University of Michigan On-Chip Network Selection 2 Talk Outline Network-on-chip

1.01k views • 68 slides
Regulating Transportation Network Companies: Fourth level Fifth level Should Uber and

Regulating Transportation Network Companies: Fourth level Fifth level Should Uber and

Click to edit Master text styles Second level Third level Regulating Transportation Network Companies: Fourth level Fifth level Should Uber and Lyft Set Their Own Rules? Sen Li , Hamidreza Tavafoghi, Kameshwar Poolla and

501 views • 36 slides
A Polymorphic Data Visualization for Spatiotemporal Database Makoto Hanashima Institute for

A Polymorphic Data Visualization for Spatiotemporal Database Makoto Hanashima Institute for

A Polymorphic Data Visualization for Spatiotemporal Database Makoto Hanashima Institute for Areal Studies, Foundation Tokyo, Japan Outline of Presentation 2 An Introduction to Reki-Show Authoring Tools Conceptual design of polymorphic

325 views • 14 slides
Polymorphic types Polymorphic -calculus (System F) Simply typed -calculus is

Polymorphic types Polymorphic -calculus (System F) Simply typed -calculus is

Polymorphic types Polymorphic -calculus (System F) Simply typed -calculus is monomorphic, Extends simply-typed : i.e. a type has no flexible pieces ::= * | type syntax expression/value syntax

328 views • 4 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
2 An overall view (of little detail) Source program Scan Parse Front High IR (lexical)

2 An overall view (of little detail) Source program Scan Parse Front High IR (lexical)

1 TDT4205 Grand Summary, pt. 1 2 An overall view (of little detail) Source program Scan Parse Front High IR (lexical) (syntactic) Back Assemble Generate Low IR Binary executable 3 Lexical analysis Lexical analysis covers

343 views • 31 slides
Language Models Dan Klein, John DeNero UC Berkeley Language Models Language Models Acoustic

Language Models Dan Klein, John DeNero UC Berkeley Language Models Language Models Acoustic

Language Models Dan Klein, John DeNero UC Berkeley Language Models Language Models Acoustic Confusions the station signs are in deep in english -14732 the stations signs are in deep in english -14735 the station signs are in deep into

1.44k views • 86 slides
The contact process on evolving scale-free networks Peter M orters Bath joint work with

The contact process on evolving scale-free networks Peter M orters Bath joint work with

The contact process on evolving scale-free networks Peter M orters Bath joint work with Emmanuel Jacob (Lyon) Setup of the talk (1) The contact process (2) Scale-free networks (3) The contact process on static scale-free networks (4) The

678 views • 63 slides
Metastability for the contact process on evolving scale-free networks Peter M orters K oln

Metastability for the contact process on evolving scale-free networks Peter M orters K oln

Metastability for the contact process on evolving scale-free networks Peter M orters K oln joint work with Emmanuel Jacob (ENS Lyon) Amitai Linker (Universidad de Chile) Aim of the project Motivation: We would like to understand how

698 views • 66 slides
Topic: Data for Better MQLs (&amp; Summit Highlights) WELCOME MARKETO USER GROUP LEADERS: Karen

Topic: Data for Better MQLs (&amp; Summit Highlights) WELCOME MARKETO USER GROUP LEADERS: Karen

Topic: Data for Better MQLs (&amp; Summit Highlights) WELCOME MARKETO USER GROUP LEADERS: Karen W. Sesona Manager, Marketing Ops/Campaign Management Tyler Technologies, Inc. karen.sesona@tylertech.com Pamela Brungardt Marketing Systems and

1.71k views • 18 slides
Introduction to Debugging with Windbg Module Overview Introduction to Debugging Callstacks and

Introduction to Debugging with Windbg Module Overview Introduction to Debugging Callstacks and

Introduction to Debugging with Windbg Module Overview Introduction to Debugging Callstacks and Symbols Windbg for .NET Debugging Son of Strike (SOS) Review 2 Callstacks and Symbols Anatomy Of A Call Stack (unmanaged) Module &amp;

1.05k views • 45 slides
1 Three Dimensional Aggregation (con.t) Three Dimensional Aggregation (con.t) If we need to

1 Three Dimensional Aggregation (con.t) Three Dimensional Aggregation (con.t) If we need to

Data Cube: A Relational Aggregation Operator Topic Outline Generalizing Group-By, Cross-Tab, and Sub-Totals J. Gray, al, Microsoft Research F. Pellow, al, IBM Research Visualization and dimension reduction The relational representation of

367 views • 4 slides
Understanding the Link Between Micro and Macro Consump8on Data ( a project for 2017-18 ) Thomas

Understanding the Link Between Micro and Macro Consump8on Data ( a project for 2017-18 ) Thomas

Understanding the Link Between Micro and Macro Consump8on Data ( a project for 2017-18 ) Thomas Crossley, Essex Sofiya Stoyanova , ONS Richard Tonkin, ONS ESCoE Workshop, October 2 nd 2017 Mo8va8on(s) At least three: Understanding the

203 views • 19 slides

More recommend