TRANSCRIPT
Argos Emulator
Georgios Portokalidis
Asia Slowinska
Herbert Bos
Vrije Universiteit Amsterdam
Georgios Portokalidis VU Amsterdam 2
[Chart: CERT/CC Reported Vulnerabilities, 2003-2005; y-axis 0 to 6000]
Why?
- Too many vulnerabilities
- New worm attacks: human intervention too slow
- Current solutions are problematic: time consuming, inaccurate
Goals
- Platform for next generation honeypots
- Protect entire OS
- Detect most common attack vectors
- Accuracy
It Works!
Apache chunked encoding overflow
IIS ISAPI .printer host header overflow
WebDav ntdll.dll overflow
FrontPage Server Extensions Debug Overflow
War-FTP overflow
ASN.1 Library Bitstring Heap Overflow
Windows Message Queueing Remote Overflow
RPC DCOM Interface overflow
LSASS Overflow
Windows PnP Service Remote Overflow
nbSMTP remote format string exploit
WMF exploit
Argos Overview
[Diagram: Argos Emulator running Guest OS and Applications on top of the Host OS, producing a Log; post-processing components: Forensics, Snitch, Signature Post-Processing Sub-system]
Network Data Tracking
[Diagram: tag propagation through registers and memory for the following sequence]
Register = network_read
Reg. A = Reg. A + Reg. B
Memory(A) = Reg. A
Reg. B = Reg. A / 156.345
Capturing Attacks
- Diverting control flow
- Executing arbitrary instructions
- Overwriting system call arguments
[Diagram labels: JMP, CALL, RET; tagged register operands; tagged memory; SYSCALL]
Forensics
[Diagram: Argos Emulator (Registers, RAM) running Guest OS and Applications; per-process Virtual Address Space with Process name, Linked Libraries, Open Ports]
Signature Generation
[Diagram: Logged Network Flows + Argos Memory Log -> Critical Exploit Bytes (e.g. value loaded on EIP) -> New Signature; Similar Signatures -> Generalised Signature]
Emulator Performance
[Chart: Overhead (y times slower) for Vanilla Qemu and Argos, y-axis 0 to 30, on bunzip2, apache, nbench integer, nbench float, nbench memory]
Signature Generation Performance
[Chart: Time to generate signature (sec), y-axis 0 to 14, against Tcpdump trace size (MB): 1.15, 5, 10, 15, 20, 25, 30, 60]
Future Work
- Replaying attacks
- Integration with nepenthes honeypot
- Increase data tracking precision
- Protocol aware signature generation
- Generate self certifying alerts
On The Web
http://www.few.vu.nl/argos
Network Data Tracking
- Tag network data as “tainted”
- Track “tainted” data propagation: arithmetic, logical operations; memory operations
- Sanitise data: floating point, SSE
[Diagram: EAX, EBX, ECX, EDX, RAM, Port I/O; tagged value A moving from Port I/O into registers and RAM]
Identifying Attacks
- Jumps (JMP EAX, JMP A)
- Function calls (CALL EAX)
- Function returns (RET)
- System calls (INT 0x80)
[Diagram: EAX, EBX, ECX, EDX, RAM]
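The taint rules on this slide and the preceding Network Data Tracking slides, modelled as an added example (my code, not Argos or QEMU code): a toy register machine that assumes four registers, a dictionary as RAM and one taint bit per location; network input is born tainted, arithmetic and memory operations propagate the tag, floating-point division sanitises it, and a tainted JMP/CALL target or syscall argument raises an alert.

```python
class TaintAlert(Exception): pass  # raised when tainted data is about to control execution

class TaintVM:
    """Toy CPU with one taint bit per register and per memory cell (constructed model, not Argos)."""
    def __init__(self):
        self.reg = {r: 0 for r in ("EAX", "EBX", "ECX", "EDX")}
        self.tag = {r: False for r in self.reg}   # register taint bits
        self.mem, self.mtag = {}, {}               # address -> value / taint bit
    def network_read(self, dst, value):           # bytes from the network are born tainted
        self.reg[dst], self.tag[dst] = value, True
    def add(self, dst, src):                      # ALU op: result tainted if either operand is
        self.reg[dst] += self.reg[src]
        self.tag[dst] = self.tag[dst] or self.tag[src]
    def store(self, addr, src):                   # memory op: the cell inherits the source tag
        self.mem[addr], self.mtag[addr] = self.reg[src], self.tag[src]
    def load(self, dst, addr):                    # memory op: the register inherits the cell tag
        self.reg[dst], self.tag[dst] = self.mem.get(addr, 0), self.mtag.get(addr, False)
    def fdiv(self, dst, src, k):                  # floating-point result is sanitised (tag cleared)
        self.reg[dst], self.tag[dst] = self.reg[src] / k, False
    def jmp(self, reg):                           # JMP/CALL reg: the target must be clean
        if self.tag[reg]:
            raise TaintAlert(f"control flow diverted by tainted {reg}")
        return self.reg[reg]
    def syscall(self, *arg_regs):                 # INT 0x80: arguments must be clean
        bad = [r for r in arg_regs if self.tag[r]]
        if bad:
            raise TaintAlert(f"tainted syscall argument(s): {bad}")

def slide_sequence():
    """Propagation example from the slides; returns (register tags, memory tags)."""
    vm = TaintVM()
    vm.reg["EBX"] = 7
    vm.network_read("EAX", 0x41414141)   # Register = network_read
    vm.add("EAX", "EBX")                 # Reg. A = Reg. A + Reg. B
    vm.store(0x1000, "EAX")              # Memory(A) = Reg. A
    vm.fdiv("EBX", "EAX", 156.345)       # Reg. B = Reg. A / 156.345
    return dict(vm.tag), dict(vm.mtag)

def detects(attack):
    """Constructed scenario ('jmp' or 'syscall'); True if the Argos-style check fires."""
    vm = TaintVM()
    vm.network_read("EAX", 0xDEADBEEF)   # attacker-controlled bytes arrive from the network
    vm.store(0x2000, "EAX")              # ... overwrite memory (e.g. a saved return address)
    vm.load("EDX", 0x2000)               # ... and are reloaded as a jump target / syscall argument
    try:
        vm.jmp("EDX") if attack == "jmp" else vm.syscall("EDX")
    except TaintAlert:
        return True
    return False
```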
SweetBait Design
Logs Format
Log record: Type, RID, Format, Timestamp, Register values, Register tags, EIP value, EIP origin, EFLAGS
Memory block record: Format, Tainted flag, V. address, P. address, Size, Memory block contents
Forensics: Shellcode Injection
- Lookup process’s read-only pages
- Inject code at last text segment page
- Point EIP to shellcode
[Diagram: Process Address Space (Windows PE, ELF, etc.) with .text segment]
Forensics – The Snitch
Injected code: Pid = getpid(); Rid [injected by Argos]; Connect(localhost); Send(pid & rid)
Snitch: Listen(); Accept(); Read(pid & rid); Exec(Netstat or OpenPorts); Connect(argos host); Send(info)