stringer measuring the importance of static data
play

Stringer: Measuring the Importance of Static Data Comparisons to - PowerPoint PPT Presentation

Nov 14, 2022 •270 likes •700 views

Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and Undocumented Functionality Sam L. Thomas , Tom Chothia, Flavio D. Garcia School of Computer Science University of Birmingham Birmingham United Kingdom B15

  1. Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and Undocumented Functionality Sam L. Thomas , Tom Chothia, Flavio D. Garcia School of Computer Science University of Birmingham Birmingham United Kingdom B15 2TT { s.l.thomas,t.p.chothia,f.garcia } @cs.bham.ac.uk European Symposium on Research in Computer Security (ESORICS) 2017 Thomas, Chothia, Garcia Stringer ESORICS 2017 1 / 41

  2. Challenge How do we reduce the manual effort required to identify undocumented functionality and backdoors within software? Thomas, Chothia, Garcia Stringer ESORICS 2017 2 / 41

  3. Challenge How do we reduce the manual effort required to identify undocumented functionality and backdoors within software? Thomas, Chothia, Garcia Stringer ESORICS 2017 3 / 41

  4. Motivation Undocumented functionality? Backdoors? Authentication bypass by “magic” words. Hard-coded credential checks. Additional protocol messages that activate unexpected functionality. Thomas, Chothia, Garcia Stringer ESORICS 2017 4 / 41

  5. Application Focus on embedded device firmware – it’s a challenging target: Lots of devices, lots of firmware. Multiple firmware versions for each device. Impossible to manually analyse every firmware image. Thomas, Chothia, Garcia Stringer ESORICS 2017 5 / 41

  6. Stringer Thomas, Chothia, Garcia Stringer ESORICS 2017 6 / 41

  7. Objective Identify interesting code structures and static data comparisons that lead to backdoor-like behaviour. Lightweight analysis. Thomas, Chothia, Garcia Stringer ESORICS 2017 7 / 41

  8. Method 1 Automatically identify static data comparison functions. 2 A metric for measuring the degree a binary’s functions branching is influenced by comparisons with static data. Thomas, Chothia, Garcia Stringer ESORICS 2017 8 / 41

  9. Stringer For a given binary: 1 Identify all possible static data comparison functions: Thomas, Chothia, Garcia Stringer ESORICS 2017 9 / 41

  10. Stringer 2 Label the basic blocks of all functions with the sets of static data sequences that must be matched against to reach them: Thomas, Chothia, Garcia Stringer ESORICS 2017 10 / 41

  11. Stringer 3 Using the computed sets, calculate a score for each element of static data: A = 100 B = 200 . . . Thomas, Chothia, Garcia Stringer ESORICS 2017 11 / 41

  12. Stringer 3 Using the computed sets, calculate a score for each element of static data: A = 100 B = 200 . . . 4 Finally, using the scores for each item of static data, compute a score for each function: f = 300 . . . Thomas, Chothia, Garcia Stringer ESORICS 2017 11 / 41

  13. Identifying Static Data Comparison Functions Thomas, Chothia, Garcia Stringer ESORICS 2017 12 / 41

  14. Identifying static data comparison functions Approach based upon concrete observations: Analyse calls to static data comparison functions in C/C++ binaries. Collect properties that are common amonst them: call-sites, number of arguments, how they influence branching, . . . Thomas, Chothia, Garcia Stringer ESORICS 2017 13 / 41

  15. Motivating Example HTTP protocol parser from mini httpd binary: Thomas, Chothia, Garcia Stringer ESORICS 2017 14 / 41

  16. Call-site Properties Argument references : at least one argument refers to the data/read-only data section: Thomas, Chothia, Garcia Stringer ESORICS 2017 15 / 41

  17. Call-site Properties Function arity : (number of arguments passed): usually 2-3: Thomas, Chothia, Garcia Stringer ESORICS 2017 16 / 41

  18. Call-site Properties Branching properties : boolean comparison (i.e. matches or not): Thomas, Chothia, Garcia Stringer ESORICS 2017 17 / 41

  19. Call-site Properties Local call frequency : (for parsers: use same comparison function many times with different static data): Thomas, Chothia, Garcia Stringer ESORICS 2017 18 / 41

  20. Data Properties Identify static data properties (with parsers in mind): Thomas, Chothia, Garcia Stringer ESORICS 2017 19 / 41

  21. Finding Static Data Comparisons 1 For each function, identify blocks that contain function calls. 2 Filter those blocks where the function call does not influence branching or the comparison condition is not boolean. Thomas, Chothia, Garcia Stringer ESORICS 2017 20 / 41

  22. Finding Static Data Comparisons (cont.) 3 For each argument, tag what it refers to: data section, read-only data section, other (e.g. register): Thomas, Chothia, Garcia Stringer ESORICS 2017 21 / 41

  23. Finding Static Data Comparisons (cont.) 4 Using these assignments, update likelihood of function being a comparison function: Thomas, Chothia, Garcia Stringer ESORICS 2017 22 / 41

  24. Assigning Scores to Static Data & Functions Thomas, Chothia, Garcia Stringer ESORICS 2017 23 / 41

  25. Scoring Goals A means to discover those branches within each function that are dependent upon static data and assign them and the associated static data a score of relative importance in relation to other such branches within that function based upon how much unique functionality they guard. A function-level score that signifies which functions contain a relatively high density of decision logic that depends on comparison with static data (i.e. a large amount of their decision logic is influenced by comparison with static data). Thomas, Chothia, Garcia Stringer ESORICS 2017 24 / 41

  26. Control Flow Properties Minimise the score propagated from join-points - blocks reached by many paths: Thomas, Chothia, Garcia Stringer ESORICS 2017 25 / 41

  27. Control Flow Properties Maximise score of blocks that guard unique functionality - can’t be reached by any other path: Thomas, Chothia, Garcia Stringer ESORICS 2017 26 / 41

  28. Computation of Scores Two stage process: 1 Compute static data sequences: sets of sequences of static data that must be matched to reach each block. 2 Distribute scores based upon computed static data sequences. Thomas, Chothia, Garcia Stringer ESORICS 2017 27 / 41

  29. Computation of Static Data Sequences Compute sets of sequences of static data that must be matched to reach a given block: Thomas, Chothia, Garcia Stringer ESORICS 2017 28 / 41

  30. Computation of Static Data Scores 1 For each block’s static data set of sequences, we calculate a fraction of how each element of static data impacts the reachability to that block; e.g. for block 6: Thomas, Chothia, Garcia Stringer ESORICS 2017 29 / 41

  31. Computation of Static Data Scores 1 For each block’s static data set of sequences, we calculate a fraction of how each element of static data impacts the reachability to that block; e.g. for node 6: We have: { [ A ] , [ A , B , C ] } , so we calculate: A : 2 2 , B : 1 2 , C : 1 2 . Thomas, Chothia, Garcia Stringer ESORICS 2017 30 / 41

  32. Computation of Static Data Scores 2 We calculate two other values for the block ( b ): 1 ω ( b ) deg in ( b ) A base score for the block The penalty incurred for being reachable by multiple blocks Thomas, Chothia, Garcia Stringer ESORICS 2017 31 / 41

  33. Computation of Static Data Scores 3 . . . and calculate the update to the influence of an element of static data; e.g. for C : C score ← C score + ω ( b ) × ln(1 + 1 1 2 × deg in ( b ) ) Thomas, Chothia, Garcia Stringer ESORICS 2017 32 / 41

  34. Computation of Function Score The score assigned to a function is the sum of the scores assigned to the static data that influences its branching. From the previous example: f score = A score + B score + C score Thomas, Chothia, Garcia Stringer ESORICS 2017 33 / 41

  35. Results & Evaluation Thomas, Chothia, Garcia Stringer ESORICS 2017 34 / 41

  36. Hard-coded Credentials in Ray Sharp DVR Firmware Identification of hard-coded credential pair in Ray Sharp DVR firmware: Comparison Function Score 5170 . 30 strcmp sub 1C7EC ( strcmp wrapper) 1351 . 96 1109 . 73 strncmp 353 . 93 strstr 222 . 00 memcmp (1) (2) Label Score Static Data Function Depends 1 30 . 23 664225 strcmp { [] } 2 2 . 77 { [ 664225 ] } root strcmp Thomas, Chothia, Garcia Stringer ESORICS 2017 35 / 41

  37. Hard-coded Credentials in Q-See DVR Firmware Identification of a hard-coded credential backdoor in DVR firmware – different behaviour for each hardcoded password: Comparison Function Score 1464 . 70 strcmp (1) 779 . 33 strncmp (5) CRYPTO malloc (FP) 685 . 10 (2) ZNKSs7compareEPKc 376 . 20 (3) 306 . 00 strstr 196 . 00 (6) strcasecmp (4) Label Score Static Data Function Depends (7) 1 171 . 39 { [] } admin strcmp 2 58 . 92 { [ admin ] } ppttzz51shezhi strcmp 3 45 . 13 { [ admin ] } 6036logo strcmp + 4 42 . 14 { [ admin ] } 6036adws strcmp 5 37 . 54 { [ admin ] } 6036huanyuan strcmp 6 35 . 21 { [ admin ] } 6036market strcmp 7 31 . 05 jiamijiami6036 strcmp { [ admin ] } Thomas, Chothia, Garcia Stringer ESORICS 2017 36 / 41

  38. TrendNet HTTP Authentication with Hard-coded Credentials HTTP authentication check with comparison against hard-coded credential values: Comparison Function Score 1635 . 01 strcmp 481 . 20 strstr nvram get (FP) 413 . 10 strncmp 265 . 45 sub A2D0 (FP) 131 . 00 Static Data Score Function Depends 132 . 17 { . . . } emptyuserrrrrrrrrrrr strcmp 128 . 61 { [ . . . , emptyuserrrrrrrrrrrr ] } emptypasswordddddddd strcmp Thomas, Chothia, Garcia Stringer ESORICS 2017 37 / 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New transactions, new friends, stop following somebody in T witter, But most data mining algorithms assume static data Even a minor change requires

925 views • 44 slides
THE IMPORTANCE OF MEASURING OUTCOMES IN PBIS ORGANIZATIONS SERVING INDIVIDUALS WITH I/DD 17 TH

THE IMPORTANCE OF MEASURING OUTCOMES IN PBIS ORGANIZATIONS SERVING INDIVIDUALS WITH I/DD 17 TH

THE IMPORTANCE OF MEASURING OUTCOMES IN PBIS ORGANIZATIONS SERVING INDIVIDUALS WITH I/DD 17 TH INTERNATIONAL CONFERENCE ON POSITIVE BEHAVIOR SUPPORT ROBERT PUTNAM, STEWART SHEAR, MEG DEPASQUALE, JENNIFER JEFFREY-PEARSALL MARCH 13, 2020

448 views • 30 slides
The Importance of Measuring Outcomes in PBIS Organizations Serving Individuals with I/DD Bob

The Importance of Measuring Outcomes in PBIS Organizations Serving Individuals with I/DD Bob

The Importance of Measuring Outcomes in PBIS Organizations Serving Individuals with I/DD Bob Putnam May Institute Steward Shear Devereux Jennifer Jeffrey-Pearsall Sheppard Pratt Health System Meg DePasquale Maryland Development Disabilities

515 views • 25 slides
Party on! A new, conditional variable importance A new, conditional importance measure for

Party on! A new, conditional variable importance A new, conditional importance measure for

Measuring variable Party on! A new, conditional variable importance A new, conditional importance measure for random forests importance Conclusion available in party References Carolin Strobl (LMU M unchen) and Achim Zeileis (WU Wien)

639 views • 21 slides
Jonathan Sharples jonathan.sharples@eefoundation.org.uk Eleanor Stringer

Jonathan Sharples jonathan.sharples@eefoundation.org.uk Eleanor Stringer

Raising the Bar Challenge Fund: Scaling up evidence-based programmes 27 th April 2016 Jonathan Sharples jonathan.sharples@eefoundation.org.uk Eleanor Stringer eleanor.stringer@eefoundation.org.uk www.educationendowmentfoundation.org.uk Who we

149 views • 11 slides
Measuring Happiness the Big Data Way Measuring emotional content Clinical and Translational

Measuring Happiness the Big Data Way Measuring emotional content Clinical and Translational

Happiness Some motivation Measuring Happiness the Big Data Way Measuring emotional content Clinical and Translational Research Seminar, UVM Data sets Analysis Songs Peter Dodds, Chris Danforth, Blogs SOTU Isabel Kloumann, Cathy Bliss,

886 views • 62 slides
Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static properties 2.2 Generative models for random graphs 2.3 Measures of node importance Summer Term 2009 Web Dynamics 2 1 Notation: Graphs G=(V(G),E(G))

766 views • 57 slides
Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static properties 2.2 Generative models for random graphs 2.3 Measures of node importance Summer Term 2010 Web Dynamics 2-1 Notation: Graphs

890 views • 58 slides
Measuring Happiness the Big Data Way Measuring emotional content DPG Spring Meeting, Dresden

Measuring Happiness the Big Data Way Measuring emotional content DPG Spring Meeting, Dresden

Happiness Some motivation Measuring Happiness the Big Data Way Measuring emotional content DPG Spring Meeting, Dresden 2011 Data sets Analysis Songs Peter Dodds, Chris Danforth, Blogs Tweets Isabel Kloumann, Cathy Bliss, and Kameron

791 views • 55 slides
Building socket-aware BPF programs Joe Stringer Cilium.io Linux Plumbers 2018, Vancouver, BC

Building socket-aware BPF programs Joe Stringer Cilium.io Linux Plumbers 2018, Vancouver, BC

Building socket-aware BPF programs Joe Stringer Cilium.io Linux Plumbers 2018, Vancouver, BC Joe Stringer BPF Socket Lookup Nov 13, 2018 1 / 32 Joe Stringer BPF Socket Lookup Nov 13, 2018 2 / 32 Background Network Policy Endpoint A

432 views • 32 slides
Measuring variable importance in random forests Variable Variable importance in RF importance

Measuring variable importance in random forests Variable Variable importance in RF importance

Measuring variable importance in random forests Variable Variable importance in RF importance in RF 1 1 1 1 Start Start Start Start p < 0.001 p < 0.001 p < 0.001 p < 0.001 A Comparison of Different 8 > 8 12

282 views • 16 slides
Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets

Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets

Technische Universitt Mnchen Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets Using the Expected Systemic Shortfall (ESS) Indicator Lahmann / Kaserer (2011) 11 th Annual Bank Research

207 views • 20 slides
Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of Computer Science CAV 2017 ETH Zurich July 22-28, Heidelberg Writing a Static Analyzer Framework for Java Static Type Checker Static Type

805 views • 46 slides
Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel

Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel

Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel Perez The University of Tokyo January 29, 2018 Static analyzers Writing a static analyzer is hard JavaScript points-to sample global.length = 4;

299 views • 15 slides
Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers 2019, Lisbon, Portugal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 1 / 29 Overview 1 Background 2 Deploying fast datapaths fast

831 views • 53 slides
Measuring happiness Measuring emotional content Santa Fe Institute, June 10, 2009 Data sets

Measuring happiness Measuring emotional content Santa Fe Institute, June 10, 2009 Data sets

Happiness Some motivation Measuring happiness Measuring emotional content Santa Fe Institute, June 10, 2009 Data sets Analysis Songs Blogs Peter Dodds & Chris Danforth SOTU Future work Prediction Department of Mathematics &

1.05k views • 91 slides
Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Lus

Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Lus

Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Lus Pina l.pina@imperial.ac.uk Joint work with Cristian Cadar , Anastasios Andronidis , and John Regehr Imperial College London, UK University of

945 views • 72 slides
Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos VU University Amsterdam DIMVA 2014 Introduction Trigger-Based Malware Trigger-based malware (TBM) remains dormant until a specific trigger E.g.

586 views • 14 slides
Lattice polynomial functions and their use in qualitative decision making AAA83 . . . . .

Lattice polynomial functions and their use in qualitative decision making AAA83 . . . . .

. . Lattice polynomial functions and their use in qualitative decision making AAA83 . . . . . Miguel Couceiro Jointly with D. Dubois, J.-L. Marichal, T. Waldhauser, . . . University of Luxembourg March 2012 Decision making DM Main

1.09k views • 69 slides
Analogy-Based Preference Learning with Kernels Mohsen Ahmadi Fahandar , Eyke Hllermeier

Analogy-Based Preference Learning with Kernels Mohsen Ahmadi Fahandar , Eyke Hllermeier

Analogy-Based Preference Learning with Kernels Mohsen Ahmadi Fahandar , Eyke Hllermeier Intelligent Systems and Machine Learning Group Heinz Nixdorf Institute and Department of Computer Science Paderborn University KI 2019, Wednesday,

496 views • 22 slides
HOMSC14 WG-5, Low Level RF, Controls and System Integra@on

HOMSC14 WG-5, Low Level RF, Controls and System Integra@on

HOMSC14 WG-5, Low Level RF, Controls and System Integra@on Brian Chase, Larry DooliEle Familiar block diagram Common to LLRF and Instrumenta@on

628 views • 9 slides
Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction

Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction

Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction 2. Examples 3. Application: Stackelberg Duopoly 4. [Next Application: Negotiation] 2 Definitions Perfect-Information game is a game in which all

331 views • 11 slides
Complexity of backward induction games Jakub Szymanik October 17, 2012 Outline Introduction

Complexity of backward induction games Jakub Szymanik October 17, 2012 Outline Introduction

Complexity of backward induction games Jakub Szymanik October 17, 2012 Outline Introduction Computational complexity Complexity of a single trial Outlook Only surprising thing about the WikiLeaks revelations is that they contain no

1.21k views • 82 slides
A note on the complexity of backward induction games Jakub Szymanik RAIN @ NASSLLI 2012 Outline

A note on the complexity of backward induction games Jakub Szymanik RAIN @ NASSLLI 2012 Outline

A note on the complexity of backward induction games Jakub Szymanik RAIN @ NASSLLI 2012 Outline Introduction Computational complexity Complexity of a single trial Outlook Outline Introduction Computational complexity Complexity of a

1.03k views • 65 slides

More recommend