reliably determining the outcome reliably determining the
play

Reliably Determining the Outcome Reliably Determining the Outcome - PowerPoint PPT Presentation

Sep 03, 2022 •106 likes •447 views

Reliably Determining the Outcome Reliably Determining the Outcome of Computer Network Attacks of Computer Network Attacks th Annual FIRST Conference 18 th Annual FIRST Conference 18 Capt David Chaboya Dr Richard Raines, Dr Rusty Baldwin, Dr

  1. Reliably Determining the Outcome Reliably Determining the Outcome of Computer Network Attacks of Computer Network Attacks th Annual FIRST Conference 18 th Annual FIRST Conference 18 Capt David Chaboya Dr Richard Raines, Dr Rusty Baldwin, Dr Barry Mullins Air Force Research Labs Air Force Institute of Anti-Tamper and Software Technology (AFIT) Protection Initiative (AT-SPI) Technology Office 1

  2. Introduction Introduction • Research Motivation • Determining Attack Outcome • IDS Analyst Evasion • Forging Responses • Determining Trust • Conclusion 2

  3. Research Motivation Research Motivation • Network Intrusion Detection Systems (NIDSs) are more like “attack” detection systems • Buffer overflow attacks are widespread • Manual checking of alerts is time consuming and error prone • Network analysts either overly trust network data or are too paranoid 3

  4. Determining Attack Outcome Determining Attack Outcome Reports to the analyst NIDS detects that an attack is in progress Decides if the attack is a success or failure 4

  5. Success or Failure? Success or Failure? • Immediate • The intruder makes it obvious • Server response to attack • Network understanding/mapping • Active verification 5

  6. Success or Failure? Success or Failure? • Delayed • Check patches or logs • Backdoor signatures • Anomaly Detection – Traffic analysis/Data Mining 6

  7. Network Traffic Analysis Network Traffic Analysis Graphical depiction of a typical request and response 7

  8. Network Traffic Analysis Network Traffic Analysis What the NIDS analyst sees 8

  9. Shellcode – – Simple Case Simple Case Shellcode 9

  10. Real World Advice Real World Advice • Vendor IDS Signature Guidance • “Also look for the result returned by the server. An error message probably indicates the attack failed. If successful, you may see not more traffic in this session (indicating a shell on another port) or non ftp- specific commands being issued” • Intrusion Signatures and Analysis , Book • “The DNS software should be reviewed to ensure that the system is running the latest version” 10

  11. Real World Advice Real World Advice • Snort User’s Group • “In a large number of cases there is nothing preventing the attacker from having the service return the same response as a non vulnerable service” • IDS User’s Group • “You still need a trained analyst who knows what the data means to be able to determine what has to be done with it” 11

  12. Real World Advice Real World Advice IDS User’s Group • “In general it's impossible to determine the success of attacks with only a network IDS (NIDS)” • “For attack like Nimda, you need to check the HTTP response code and see if it return the interesting stuff. For DoS attack, you need to check if the server is crash which will not send back the response” • “The behavior to that of a non-vulnerable system to an attack is often different and well-defined ...... and there are evasive measures attackers could use to avoid the appearance of success” 12

  13. Test Methodology Test Methodology • Experimental Design • Windows XP attack system running Ethereal • Metasploit Framework used to test/develop exploits • Eight buffer overflow vulnerabilities fully tested • Windows XP VMWare host running Windows 2000 Server SP 0-4 and Windows XP SP 0-1 • NIDS Test Design • Vary shellcode Exit Function, test patched and unpatched servers • Direct measurement of server response, five second captures • At least three repetitions • Ensure the vulnerability is tested and not the exploit • Use VMWare’s “Revert to Snapshot” feature 13

  14. Server Response Results Server Response Results Exploit MS Bulletin Patched Server Res ponse Unpatched Size (bytes) Reponse 542 Apache N/A HTTP/1.1 400 Bad Request None Chunked IIS_WebDAV HTTP/1.1 400 Bad Request 235 03-07 None IIS_Nsiislog HTTP/1.1 400 Bad Request 111 03-19/03-22 None or 500 Server Error IIS_Printer N/A 01-23 None None IIS_Fp30Reg 258/261 03-51 HTTP/1.1 500 Server Error None LSASS 04-11 WinXP: DCERPC Fault None WinXP:92 Win2K: LSA-DS Response Win2K:108 RPC DCOM 92 03-26 RemoteActivation Response None •Is it really this easy? •Exploit vector, bad input, custom error pages 14

  15. IDS Evasion IDS Evasion • Typically refers to techniques that evade or disrupt the computer component of the NIDS • Insertion, Evasion, Denial of Service (DOS) • Polymorphic shellcode • ADMmutate, substitute NOPs • Mimicry attacks • Modify exploit to mimic something else • NIDS analyst evasion • Convince analyst that successful attack has failed 15

  16. Evasion Technique #1 Evasion Technique #1 • Training: Analysts recognize UNIX vs. Windows shellcode • Attack: Create decoy shellcode that appears to target UNIX (i.e. /bin/sh or /etc/inetd.conf), but instead creates a Windows backdoor • Result: Analyst believes that the attack targets the wrong Operating System 16

  17. #1 Decoy Shellcode #1 Decoy Shellcode 17

  18. Evasion Technique #2 Evasion Technique #2 • Training: Analysts look for signs that an intruder could not connect to the backdoor • Attack: Create shellcode that adds a new user and then send SYN packets to a fake backdoor (i.e., 1524 ingreslock) • Result: The response from the victim server (RST/ACK) seems to indicate the attack failed 18

  19. #2 Fake Backdoor #2 Fake Backdoor 19

  20. Evasion Technique #3 Evasion Technique #3 • Training: Analysts trust success and failure error codes/characteristics • Attack: Forge the server response to return the error the analyst is expecting (i.e., HTTP/1.1 400 Bad Request) • Result: The attack is believed to have failed since the server clearly processed and denied the attack 20

  21. #3 Forged Response #3 Forged Response 21

  22. How do you forge responses? How do you forge responses? • Find the socket descriptor associated with the attacker’s connection • Findsock • Use getpeername and attacker’s source port • Doesn’t work through NAT/proxies • Findtag • Use ioctlsocket and FIONREAD to read in a hardcoded tag • Requires an additional packet after overflow 22

  23. Findtag and and Findsock Findsock Findtag Hard-coded: 40 bytes Universal: 90 bytes Process Injection (minimum API calls): 255 bytes 23

  24. Rawsock Rawsock • Create the packet from scratch using raw sockets (Windows 2000, XP, 2003 targets) • Rawsock • Socket, setsockopt, sendto • Requires administrative privilege • Requires that attacker capture Initial Sequence Numbers and calculate checksum • Hardcoded: 350 bytes 24

  25. ISAPI Forging ISAPI Forging • Use techniques introduced in public exploits to locate the connection ID during overflows in Internet Server API (ISAPI) extensions • Locate Extension Control Block • Find connection ID (socket handle equivalent) • Pick default error message (ServerSupportFunction Send Response Header) • Send forged message (Writeclient) • Smaller shellcode, does not rely on the error message size (unless custom page) 25

  26. Server Response Trust Server Response Trust • Payload Size Analysis • Calculate payload size and compare to minimum forging requirements. In most cases at least 350 bytes is required for forging and backdoor • Check if shellcode is known • Match shellcode to common exploits available on the internet (an automated tool would be best) • Keep database of most used exploits/payloads • Decode the shellcode to determine function • Requires expert skill or sophisticated computer program 26

  27. Examples Examples Success or failure? 27

  28. Examples Examples Payload size = 088e – 07c4= CA (hex) = 202 bytes Is forging possible? 28

  29. Examples Examples Success or failure? 29

  30. Examples Examples Success or failure? 30

  31. Examples Examples Payload Database Attacker’s Shellcode Do they match? 31

  32. What about Linux? What about Linux? • Server Response Characteristics • Forging attacks • Trust Determination 32

  33. Conclusion Conclusion • The outcome of many buffer overflow attacks can be automatically determined based on network data alone • There is no difference between a forged and a legitimate response • However it can be determined, in most cases, if forging is possible • NIDS developers should leave as little to the analyst as possible (obvious, but more needs to be done) • When possible block malicious traffic • Post-processing of response/validity calculation 33

  34. Questions Questions Questions? Contact Information: Contact Information: Capt David J. Chaboya Dr Richard Raines AFRL AT-SPI Technology Office Air Force Institute of Technology (937) 320-9068 ext 170 richard.raines@afit.edu david.chaboya@wpafb.af.mil 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outcome Measures Determining if Your Program Has Made a Difference Objectives At the end of

Outcome Measures Determining if Your Program Has Made a Difference Objectives At the end of

Outcome Measures Determining if Your Program Has Made a Difference Objectives At the end of this presentation, participants will be able to: Understand the difference between process 1. & outcome evaluation Describe SMART objectives 2.

1.12k views • 75 slides
Determining the Determining the Effectiveness & ROI Effectiveness & ROI of Your GRC

Determining the Determining the Effectiveness & ROI Effectiveness & ROI of Your GRC

6/18/2012 Effectiveness & ROI of GRC June 22, 2012 1 Determining the Determining the Effectiveness & ROI Effectiveness & ROI of Your GRC Program of Your GRC Program Bob Conlin, Chief Products Officer SCCE Regional Conference June

503 views • 9 slides
Progress on dip-coated bars for DUNE (We can reliably

Progress on dip-coated bars for DUNE (We can reliably

Progress on dip-coated bars for DUNE (We can reliably produce Wunderbars again) Dune light collec9on mee9ng Janet Conrad, MIT, 1/27/2016 The

574 views • 38 slides
Welcome to Day 2 Lets brainstorm! 1. How can you reliably ensure your staff do not

Welcome to Day 2 Lets brainstorm! 1. How can you reliably ensure your staff do not

Welcome to Day 2 Lets brainstorm! 1. How can you reliably ensure your staff do not operationalize any of the values and principles of Wraparound? 2. Be brutally honest, of those listed, what would your staff say you currently do? 3. What

343 views • 17 slides
Determining Swine Manure Nutrient Determining Swine Manure Nutrient Content: A Comparison of

Determining Swine Manure Nutrient Determining Swine Manure Nutrient Content: A Comparison of

Understanding Nutrients, Emissions & Odor at Harrison Farms 4 Determining Swine Manure Nutrient Determining Swine Manure Nutrient Content: A Comparison of Sampling Methods Paul Kivlin UW Extension/NPM/Discovery Farms Kevan Klingberg

453 views • 24 slides
Statistical Approaches for Statistical Approaches for Determining Normal Limits in Determining

Statistical Approaches for Statistical Approaches for Determining Normal Limits in Determining

Statistical Approaches for Statistical Approaches for Determining Normal Limits in Determining Normal Limits in OCT Databases OCT Databases Kouros Nouri Mahdavi, MD MSc Jules Stein Eye Institute University of California Los Angeles FDA/AGS

178 views • 17 slides
Saying I do to the QSAR/PBPK marriage Goal: reliably and efficiently u<lize PBPK

Saying I do to the QSAR/PBPK marriage Goal: reliably and efficiently u<lize PBPK

Saying I do to the QSAR/PBPK marriage Goal: reliably and efficiently u<lize PBPK modeling to reduce animal/human tes<ng Permeability, solubility vs. pH, pKa(s), logD vs. pH, Fup, blood:plasma ra<o, <ssue Kps, CLint,

527 views • 8 slides
Determining Land Use 2 Here are a few questions for group discussion 1 Determining Land Use and

Determining Land Use 2 Here are a few questions for group discussion 1 Determining Land Use and

Determining Land Use and On-site/Off-Site Determinations Participant Manual Federal Facilities Academy Determining Land Use and On-site/Off-site Determinations FEDERAL FACILITIES ACADEMY WEBINAR FEDERAL FACILITIES RESTORATION AND REUSE OFFICE

465 views • 32 slides
Solving the economic power dispatch and related problems more efficiently (and reliably) Richard

Solving the economic power dispatch and related problems more efficiently (and reliably) Richard

Solving the economic power dispatch and related problems more efficiently (and reliably) Richard P O'Neill FERC With Mary Cain, Anya Castillo, Clay Campaigne, Paula A. Lipka, Mehrdad Pirnia, Shmuel Oren DIMACS Workshop on Energy

720 views • 40 slides
Using Modular Arithmetic to Reliably Encode Authentication Information Within Messages Consisting

Using Modular Arithmetic to Reliably Encode Authentication Information Within Messages Consisting

Using Modular Arithmetic to Reliably Encode Authentication Information Within Messages Consisting of Port Connection Sequences Patrick F. Wilbur - wilburpf@clarkson.edu Department of Mathematics & Computer Science, Clarkson University

229 views • 9 slides
DETERMINING DISABILITY Objectives: 1. To discuss the affects of disability on the individual.

DETERMINING DISABILITY Objectives: 1. To discuss the affects of disability on the individual.

Dr. B. Baydock , MD, CCFP(SEM), FCFP, Dip Sport Medicine (CASEM) DETERMINING DISABILITY Objectives: 1. To discuss the affects of disability on the individual. 2. To review the issues associated with determining disability. 3. To provide a

442 views • 43 slides
How Xenopus embryos Complete DNA replication reliably: Solution to the Random-Completion Problem

How Xenopus embryos Complete DNA replication reliably: Solution to the Random-Completion Problem

How Xenopus embryos Complete DNA replication reliably: Solution to the Random-Completion Problem Scott Yang, John Bechhoefer Simon Fraser University, Physics BPS 2009 Outline DNA replication in frog embryos Our model Results

177 views • 13 slides
Computing Reliably with Molecular Walkers Marta Kwiatkowska, University of Oxford NWPT 2015,

Computing Reliably with Molecular Walkers Marta Kwiatkowska, University of Oxford NWPT 2015,

Computing Reliably with Molecular Walkers Marta Kwiatkowska, University of Oxford NWPT 2015, Reykjavik At the nanoscale The world of molecules width 2nm Human FGF protein DNA: versatile, easy to synthesize 2

937 views • 49 slides
Counting events reliably with storm & riak Frank Schrder - eBay Classi fi eds Group

Counting events reliably with storm & riak Frank Schrder - eBay Classi fi eds Group

Counting events reliably with storm & riak Frank Schrder - eBay Classi fi eds Group Amsterdam marktplaats.nl Classi fi eds Admarkt Pay-per-click ads for professional sellers Seller places ad, chooses a budget and cost per

790 views • 64 slides
Outline Determining the graphical structure Milk test Mastitis diagnosis Pregnancy

Outline Determining the graphical structure Milk test Mastitis diagnosis Pregnancy

Bayesian networks II. Model building Advanced Herd Management Anders Ringgaard Kristensen Outline Determining the graphical structure Milk test Mastitis diagnosis Pregnancy Determining the conditional probabilities

264 views • 22 slides
Reliably Erasing Data from Flash-Based Solid State Drives Michael Wei* Laura Grupp*, Fredrick E.

Reliably Erasing Data from Flash-Based Solid State Drives Michael Wei* Laura Grupp*, Fredrick E.

Reliably Erasing Data from Flash-Based Solid State Drives Michael Wei* Laura Grupp*, Fredrick E. Spada, Steven Swanson* * Non-Volatile Systems Laboratory Department of Computer Science and Engineering University of California, San Diego

847 views • 80 slides
.NET Passport Security Framework CPSC 328 Spring 2009 UDDI Review Publish/Find

.NET Passport Security Framework CPSC 328 Spring 2009 UDDI Review Publish/Find

.NET Passport Security Framework CPSC 328 Spring 2009 UDDI Review Publish/Find functionality Yellow Pages businessService White Pages businessEntity Green Pages bindingTemplate tModel

671 views • 9 slides
Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe,

Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe,

Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ April 14, 2011 Announcements Talk of possible interest next Monday:

492 views • 23 slides
Access Control & Video Intercom PRODUCT PROMOTION 2020 International Product Marketing

Access Control & Video Intercom PRODUCT PROMOTION 2020 International Product Marketing

Access Control & Video Intercom PRODUCT PROMOTION 2020 International Product Marketing Department Part.01 Video Intercom Products CONTENTS Part.02 Access Control Products Part.01 Video Intercom Product System DS-KB8112-IM

492 views • 35 slides
Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima

Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima

Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima <keiichi@iijlab.net> Internet Initiative Japan Inc. / WIDE Project PROJECT Background Widely deployed Internet Available in

658 views • 34 slides
PRO-CO W: Proto col Compli ance on the W eb Bala chander Krishnamur thy Mar tin

PRO-CO W: Proto col Compli ance on the W eb Bala chander Krishnamur thy Mar tin

PRO-CO W: Proto col Compli ance on the W eb Bala chander Krishnamur thy Mar tin Arlitt bala@resea rch.att.com a rlitt@hpl.hp.com A T&T Labs - Resea rch HP Labs Bala chander Krishnamur thy 1 State of the W eb

535 views • 15 slides
Trusted Components Reuse, Contracts and Patterns Prof. Dr. Bertrand Meyer Dr. Karine Arnout

Trusted Components Reuse, Contracts and Patterns Prof. Dr. Bertrand Meyer Dr. Karine Arnout

1 Last update: 19 October 2004 Trusted Components Reuse, Contracts and Patterns Prof. Dr. Bertrand Meyer Dr. Karine Arnout Trusted Components: Reuse, Contracts and Patterns - Lecture 17 Chair of Softw are Engineering 2 Lecture 17:

430 views • 39 slides
Security Jerry den Hartog Room: MF 6.063 http://www.win.tue.nl/~jhartog/CourseSecurity/ What is

Security Jerry den Hartog Room: MF 6.063 http://www.win.tue.nl/~jhartog/CourseSecurity/ What is

(An Introduction to Computer) Security Jerry den Hartog Room: MF 6.063 http://www.win.tue.nl/~jhartog/CourseSecurity/ What is Security? Lets start with some free association Course rse O Overvi rview Goal Challenge IT Infrastructures

720 views • 51 slides
Introducing Asp.Net La risposta Microsoft alle esigenze del server side (leggi JSP)

Introducing Asp.Net La risposta Microsoft alle esigenze del server side (leggi JSP)

Cos? Introducing Asp.Net La risposta Microsoft alle esigenze del server side (leggi JSP) Levoluzione (rivoluzione) di ASP Ing. Gabriele Zannoni La tecnologia per la scrittura di pagine gabriele.zannoni@unibo.it dinamiche

344 views • 7 slides

More recommend