one flaw over the cuckoo s nest
play

One FlAw over the Cuckoos Nest on , Ricardo J. Rodr guez I naki - PowerPoint PPT Presentation

May 30, 2023 •108 likes •827 views

One FlAw over the Cuckoos Nest on , Ricardo J. Rodr guez I naki Rodr guez-Gast All wrongs reversed inaki@sensepost.com, rjrodriguez@fi.upm.es @virtualminds es @RicardoJRdez SensePost Universidad Polit

  1. One FlAw over the Cuckoo’s Nest on † , Ricardo J. Rodr´ ıguez ‡ I˜ naki Rodr´ ıguez-Gast´ � All wrongs reversed inaki@sensepost.com, rjrodriguez@fi.upm.es @virtualminds es ※ @RicardoJRdez † SensePost ‡ Universidad Polit´ ecnica de Madrid London, UK Madrid, Spain 1 de Noviembre, 2013 No cON Name 2013 Barcelona (Espa˜ na)

  2. $ whoarewe $ whoarewe : command not found CLS member (2001) CISSP, CEH, GWAPT Ph.D. by UZ (2013) Security analyst @ SensePost Working for UPM Malware lover Trainee @ NcN, RootedCON, mlw.re staff HIP Trainee @ 44CON Speaker @ NcN, HackLU, . . . RootedCON, STIC CCN, HIP I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 2 / 39

  3. Agenda Outline Motivation 1 Previous Concepts 2 Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework On the Anti-VMs & Anti-Sandboxing Techniques 3 VM Detection Sandboxing detection Mixing Cuckoo Sandbox and Pin DBI 4 Sticking both Programs Introducing PinVMShield Case Study: the pafish tool 5 Related Work 6 Conclusions and Future Work 7 I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 3 / 39

  4. Motivation Outline Motivation 1 Previous Concepts 2 Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework On the Anti-VMs & Anti-Sandboxing Techniques 3 VM Detection Sandboxing detection Mixing Cuckoo Sandbox and Pin DBI 4 Sticking both Programs Introducing PinVMShield Case Study: the pafish tool 5 Related Work 6 Conclusions and Future Work 7 I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 4 / 39

  5. Motivation Motivation (I) Malware are increasing in number and complexity Targeted attacks also grown (specially industry and government espionage) How do we currently fight against malware? Firstly, to understand how a sample works (what is it doing?) Then, to figure out how it can be removed Lastly, to avoid future infections (can we detect it again?) I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 5 / 39

  6. Motivation Motivation (II) Figuring out what it is doing. . . Manual analysis Intensive Time-consuming I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 6 / 39

  7. Motivation Motivation (II) Figuring out what it is doing. . . Manual analysis Intensive Time-consuming Good if you are paid per working hour ¨ ⌣ Automatic analysis Just take a seat, and relax. . . Real problem here: automation of malware analysis tasks I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 6 / 39

  8. Motivation Motivation (II) Figuring out what it is doing. . . Manual analysis Intensive Time-consuming Good if you are paid per working hour ¨ ⌣ Automatic analysis Just take a seat, and relax. . . Real problem here: automation of malware analysis tasks Only manual analysis for weird (or interesting) samples I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 6 / 39

  9. Motivation Motivation (III) Sandbox Environments Computer resources are tightly controlled and monitored Current trending of malware analysis Commercial and free-license solutions Sandboxie JoeBox CWSandbox Cuckoo Sandbox PyBox Virtual Machine and Sandbox: a good combination I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 7 / 39

  10. Motivation Motivation (III) Sandbox Environments Computer resources are tightly controlled and monitored Current trending of malware analysis Commercial and free-license solutions Sandboxie JoeBox CWSandbox Cuckoo Sandbox PyBox Virtual Machine and Sandbox: a good combination Do malware samples detect VMs/sandbox environments? I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 7 / 39

  11. Motivation Motivation (III) Sandbox Environments Computer resources are tightly controlled and monitored Current trending of malware analysis Commercial and free-license solutions Sandboxie JoeBox CWSandbox Cuckoo Sandbox PyBox Virtual Machine and Sandbox: a good combination Do malware samples detect VMs/sandbox environments? Yes, they do. I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 7 / 39

  12. Motivation Motivation (IV) Can we avoid the detection of a VMs/sandbox environment? I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 8 / 39

  13. Motivation Motivation (IV) Can we avoid the detection of a VMs/sandbox environment? Yes, we can! (at least, we should try. . . ) I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 8 / 39

  14. Motivation Motivation (IV) Can we avoid the detection of a VMs/sandbox environment? Yes, we can! (at least, we should try. . . ) We’re gonna do it in a fancy way. . . using Dynamic Binary Instrumentation ¨ ⌣ Dynamic Binary Instrumentation (DBI) Analyse the runtime behaviour of a binary Executes arbitrary code during normal execution of a binary I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 8 / 39

  15. Motivation Motivation (V) Why DBI? Its advantages Binary instrumentation: advantages Programming language (totally) independent Machine-mode vision We can instrument proprietary software I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 9 / 39

  16. Motivation Motivation (V) Why DBI? Its advantages Binary instrumentation: advantages Programming language (totally) independent Machine-mode vision We can instrument proprietary software Dynamic Instrumentation: advantages No need to recompile/relink each time Allow to find on-the-fly code Dynamically generated code Allow to instrument a process in execution already ( attach ) I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 9 / 39

  17. Motivation Motivation (VI) Why DBI? Its disadvantages Main disadvantages Overhead (by the instrumentation during execution) ⇓ performance (analyst hopelessness!) Single execution path analysed I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 10 / 39

  18. Motivation Motivation (VII) Summary of contributions Our goal in this work Develop a Dynamic Binary Analysis (DBA) tool Integrated with Cuckoo Sandbox I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 11 / 39

  19. Motivation Motivation (VII) Summary of contributions Our goal in this work Develop a Dynamic Binary Analysis (DBA) tool Integrated with Cuckoo Sandbox Protects Cuckoo for being detected. . . I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 11 / 39

  20. Motivation Motivation (VII) Summary of contributions Our goal in this work Develop a Dynamic Binary Analysis (DBA) tool Integrated with Cuckoo Sandbox Protects Cuckoo for being detected. . . . . . and also for (some) VMs detection I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 11 / 39

  21. Previous Concepts Outline Motivation 1 Previous Concepts 2 Cuckoo Sandbox Dynamic Binary Instrumentation: The Pin Framework On the Anti-VMs & Anti-Sandboxing Techniques 3 VM Detection Sandboxing detection Mixing Cuckoo Sandbox and Pin DBI 4 Sticking both Programs Introducing PinVMShield Case Study: the pafish tool 5 Related Work 6 Conclusions and Future Work 7 I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 12 / 39

  22. Previous Concepts Cuckoo Sandbox Cuckoo Sandbox (I) What is Cuckoo Sandbox? Automated malware analysis tool Written in Python Reporting system (API calls, registry access, network activity) Extensible OpenSource I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 13 / 39

  23. Previous Concepts Cuckoo Sandbox Cuckoo Sandbox (II) API call analyzer.py packages \\.\PIPE\random string (exe.py) Results from the analysis agent.py Executes procces and injects cuckoomon.dll resultserver TCP socket (8000) Drop file Cuckoomon.dll (Random name) Sample.exe (Suspended) Sample.exe cuckoo.py submit.py web.py api.py I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 14 / 39

  24. Previous Concepts Dynamic Binary Instrumentation: The Pin Framework Dynamic Binary Instrumentation: The Pin Framework (I) http://www.pintools.org What is Pin? Framework designed by Intel Allows to build easy-to-use, portable, transparent and efficient instrumentation tools (DBA, or Pintools) Recall: instrumentation enables the execution of arbitrary code during run-time of a binary Extensive API for doing whatever you can imagine Used for things like: Instruction profiling Performance evaluation Bug detection And malware analysis (here we are ¨ ⌣ ) I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 15 / 39

  25. Previous Concepts Dynamic Binary Instrumentation: The Pin Framework Dynamic Binary Instrumentation: The Pin Framework (II) How does Pin work? I. Rodr´ ıguez-Gast´ on, R.J. Rodr´ ıguez One FlAw over the Cuckoo’s Nest 1 Nov’13 16 / 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A European Contract Law: a cuckoo in the nest? Professor Hugh Beale Professor of law, University

A European Contract Law: a cuckoo in the nest? Professor Hugh Beale Professor of law, University

Department of Law public lecture A European Contract Law: a cuckoo in the nest? Professor Hugh Beale Professor of law, University of Warwick Dr Linda Mulcahy Chair, LSE London School of Economics Law lectures 2011

652 views • 47 slides
due to a design flaw on many pontoon boats Explain the design flaw Describe the accident

due to a design flaw on many pontoon boats Explain the design flaw Describe the accident

Finger Amputations due to a design flaw on many pontoon boats Explain the design flaw Describe the accident Recommendations WEERES Ball Moves away Pinch Zone Door Door closed open Spooner Emergency Room 4 Days later Product

469 views • 25 slides
Digital NEST Connect Transform Create What is the NEST? Digital NEST CONNECTS youth to a

Digital NEST Connect Transform Create What is the NEST? Digital NEST CONNECTS youth to a

Digital NEST Connect Transform Create What is the NEST? Digital NEST CONNECTS youth to a skill-building community that TRANSFORMS them into professionals who can CREATE successful careers, innovative solutions, and prosperous communities

423 views • 19 slides
Cuckoo Search via Lvy flights X. S. Yang and Suash Deb NABIC, 2009, IEEE Presented by Cihan

Cuckoo Search via Lvy flights X. S. Yang and Suash Deb NABIC, 2009, IEEE Presented by Cihan

Cuckoo Search via Lvy flights X. S. Yang and Suash Deb NABIC, 2009, IEEE Presented by Cihan Kaya What is cuckoo search with Levy flights? v A meta-heuristic method v Global optimization v Based on obligate brood parasitic behavior of cuckoo

711 views • 19 slides
Today. Cuckoo hashing. Today. Cuckoo hashing. Johnson-Lindenstrass. Cuckoo hashing. Hashing

Today. Cuckoo hashing. Today. Cuckoo hashing. Johnson-Lindenstrass. Cuckoo hashing. Hashing

Today. Cuckoo hashing. Today. Cuckoo hashing. Johnson-Lindenstrass. Cuckoo hashing. Hashing with two choices: max load O ( loglog n ) . Cuckoo hashing. Hashing with two choices: max load O ( loglog n ) . Cuckoo hashing: Cuckoo hashing.

1.69k views • 147 slides
NEST NEST New and Emerging Science and Technology European Commission RTD.B.1 Anticipating

NEST NEST New and Emerging Science and Technology European Commission RTD.B.1 Anticipating

NEST NEST New and Emerging Science and Technology European Commission RTD.B.1 Anticipating Scientific and Technological Needs (NEST activity); Basic Research Specific Activities covering a Wider Field of Research New and Emerging Science

292 views • 12 slides
What is Nest? FREE online home matching platform Nest matches people with disability to

What is Nest? FREE online home matching platform Nest matches people with disability to

What is Nest? FREE online home matching platform Nest matches people with disability to accommodation/housing that suits their needs and wants. Nest makes it easy to search, choose and apply for accommodation/housing that meets

282 views • 14 slides
First experiences with Cuckoo bags John McHugh - RedJack, LLC and The University of North

First experiences with Cuckoo bags John McHugh - RedJack, LLC and The University of North

First experiences with Cuckoo bags John McHugh - RedJack, LLC and The University of North Carolina Jeff Janies - Redjack LLC Teryl Taylor - Dalhousie University FloCon 2010 New Orleans January 2010 What is a cuckoo bag? SiLK sets and

315 views • 29 slides
Problems Flaw Hypothesis Methodology depends on caliber of testers to hypothesize and

Problems Flaw Hypothesis Methodology depends on caliber of testers to hypothesize and

Problems Flaw Hypothesis Methodology depends on caliber of testers to hypothesize and generalize flaws Flaw Hypothesis Methodology does not provide a way to examine system systematically Vulnerability classification schemes help

1.11k views • 74 slides
Ew E NEST m odel Thorsten Blenckner Maciej T. Tomczak Susa Niiranen Olle Hjerne Baltic Nest

Ew E NEST m odel Thorsten Blenckner Maciej T. Tomczak Susa Niiranen Olle Hjerne Baltic Nest

Ew E NEST m odel Thorsten Blenckner Maciej T. Tomczak Susa Niiranen Olle Hjerne Baltic Nest Institute (BNI) Linking science and management Baltic NEST = a science based decision support system (DSS) to : Explore and synthesize

511 views • 20 slides
AniFilter: Parallel and Failure-Atomic Cuckoo Filter for Non-Volatile Memories Hyungjun Oh 1 ,

AniFilter: Parallel and Failure-Atomic Cuckoo Filter for Non-Volatile Memories Hyungjun Oh 1 ,

AniFilter: Parallel and Failure-Atomic Cuckoo Filter for Non-Volatile Memories Hyungjun Oh 1 , Bongki Cho 1 , Changdae Kim 2 , Heejin Park 1 , Jiwon Seo 1 1 2 1 Ou Outline NVM and AMQs Cuckoo Filter Optimizations in AniFilter

1.18k views • 58 slides
Determinants of Nest Egg Sustainability Jack C. DeJong, Jr., Ph.D., MBA, CFA Nova Southeastern

Determinants of Nest Egg Sustainability Jack C. DeJong, Jr., Ph.D., MBA, CFA Nova Southeastern

Determinants of Nest Egg Sustainability Jack C. DeJong, Jr., Ph.D., MBA, CFA Nova Southeastern University CoFounder, Nest Egg Guru John H. Robinson Founder, Financial Planning Hawaii CoFounder, Nest Egg Guru Inspiration: Two Seminal

219 views • 19 slides
Background and introduction to NeST within the context of the GPEDC and the global SSC debates

Background and introduction to NeST within the context of the GPEDC and the global SSC debates

Background and introduction to NeST within the context of the GPEDC and the global SSC debates Presentation for the NeST SA reference group meeting Neissan Alessandro Besharati Jan Smuts House, Johannesburg, 28 January 2015 The Rise of the

417 views • 22 slides
SWAN NEST A SWAN BUILDS ITS NEST FROM FOUND MATERIALS, RECYCLING AND REFLECTING THE

SWAN NEST A SWAN BUILDS ITS NEST FROM FOUND MATERIALS, RECYCLING AND REFLECTING THE

5/16/2018 SWAN NEST A SWAN BUILDS ITS NEST FROM FOUND MATERIALS, RECYCLING AND REFLECTING THE AESTHETIC OF THE WATER. - BISSET ADAMS DESIGN CONCEPT DESIGN INTENTION AND SUSTAINABLE GOALS 1 5/16/2018 DESIGN INTENT The concept for

571 views • 30 slides
On- -line flaw growth line flaw growth On monitoring in high monitoring in high temperature

On- -line flaw growth line flaw growth On monitoring in high monitoring in high temperature

On- -line flaw growth line flaw growth On monitoring in high monitoring in high temperature plant temperature plant Ian Atkinson, KANDE International Ltd Ian Atkinson, KANDE International Ltd Stephen Kelly, Doosan Doosan Babcock Energy

471 views • 23 slides
Build a backend with TypeScript using Nest.js RICHARD MOOT DEVELOPER EVANGELIST @ SQUARE What

Build a backend with TypeScript using Nest.js RICHARD MOOT DEVELOPER EVANGELIST @ SQUARE What

Build a backend with TypeScript using Nest.js RICHARD MOOT DEVELOPER EVANGELIST @ SQUARE What is NestJS? A progressive Node.js framework for building efficient, reliable and scalable server-side applications. Huh? Nest provides an

763 views • 73 slides
Software Streams Big Data Challenges in Dynamic Program Analysis Irene Finocchi Dept. Computer

Software Streams Big Data Challenges in Dynamic Program Analysis Irene Finocchi Dept. Computer

Intro Software streams Case studies Conclusions Software Streams Big Data Challenges in Dynamic Program Analysis Irene Finocchi Dept. Computer Science Sapienza U. Rome 1 / 41 Irene Finocchi CiE 2013 special session on data streams and

860 views • 67 slides
Data-Intensive Distributed Computing CS 431/631 451/651 (Winter 2019) Part 3: Analyzing Text

Data-Intensive Distributed Computing CS 431/631 451/651 (Winter 2019) Part 3: Analyzing Text

Data-Intensive Distributed Computing CS 431/631 451/651 (Winter 2019) Part 3: Analyzing Text (1/2) January 29, 2019 Adam Roegiest Kira Systems These slides are available at http://roegiest.com/bigdata-2019w/ This work is licensed under a

1.07k views • 65 slides
SITOLA Network Performing Arts Production Workshop 20130312 1/32 UltraGrid Platform GPU

SITOLA Network Performing Arts Production Workshop 20130312 1/32 UltraGrid Platform GPU

UltraGrid Platform GPU Acceleration Latency Distribution Updates & Plans World Firsts... UltraGrid: Low-Latency High-Quality Video Transmissions on Commodity Hardware Petr Holub CESNET z.s.p.o., Prague/Brno, Czech Republic

611 views • 32 slides
Pharmacys Mission in a Changing World: A Christian Perspective (ACPE#: ) Jeffrey Copeland,

Pharmacys Mission in a Changing World: A Christian Perspective (ACPE#: ) Jeffrey Copeland,

Pharmacys Mission in a Changing World: A Christian Perspective (ACPE#: ) Jeffrey Copeland, BS, ThM, PharmD Disclaimer I do not have a vested interest in or affiliation with any corporate organization offering financial support or grant

960 views • 51 slides
Basic Number Theory The integers are the natural numbers, 0 and the additive inverses of the

Basic Number Theory The integers are the natural numbers, 0 and the additive inverses of the

Basic Number Theory http://localhost/~senning/courses/ma229/slides/number-theory/slide01.html Basic Number Theory http://localhost/~senning/courses/ma229/slides/number-theory/slide02.html Basic Number Theory prev | slides | next prev | slides

464 views • 7 slides
Internet content HTML SGML CSS XML XHTML MIME HTTP DD1335 (Lecture 2) Basic Internet

Internet content HTML SGML CSS XML XHTML MIME HTTP DD1335 (Lecture 2) Basic Internet

Internet content Internet content HTML SGML CSS XML XHTML MIME HTTP DD1335 (Lecture 2) Basic Internet Programming Spring 2010 1 / 27 Internet content Objectives What HTML is, what its origins are, and where one can find information

394 views • 27 slides
MARKET STRUCTURE AND MARKET POWER Measuring market power One firm: margin m = p MC p

MARKET STRUCTURE AND MARKET POWER Measuring market power One firm: margin m = p MC p

MARKET STRUCTURE AND MARKET POWER Measuring market power One firm: margin m = p MC p Many firms: average margin, a.k.a. Lerner index n p MC i L s i p i =1 Measuring market structure n (number of firms), or 1 / n

431 views • 10 slides
Steven Minton, InferLink Corporation Sofus Macskassy, Fetch

Steven Minton, InferLink Corporation Sofus Macskassy, Fetch

Steven Minton, InferLink Corporation Sofus Macskassy, Fetch Technologies Peter LaMonica, Air Force Research Laboratories Kane See, InferLink Corporation Craig

556 views • 39 slides

More recommend