A Bug or Malware? Catastrophic consequences either way.
Ben Holland, Suresh Kothari Iowa State University
…but not necessarily in that order ;)
DARPA’s APAC Program
• Automated Program Analysis For Cybersecurity (APAC)
• Scenario: Hardened devices, internal app store, untrusted contractors, expert adversaries
• Focused on Android
Need precision tools to detect novel and sophisticated malware in advance!
What have we learned?
What to expect in this talk…
• This talk does not have all the answers…
• Step back and ask some fundamental questions
• Let’s start a discussion
Ice Breaker: Do you agree?
• Antivirus protects us from modern malware.
• Antivirus protects us from yesterday’s threats.
• Antivirus protects us from last year’s threats.
• Antivirus is totally worthless.
Exercise: Refactoring CVE-2012-4681
• “Allows remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions…”
• CVE created August 27th 2012 (~2 years ago…)
• github.com/benjholla/CVE-2012-4681-Armoring

Sample | Notes | Score (positive detections)
Original Sample | http://pastie.org/4594319 | 30/55
Technique A | Changed class/method names | 28/55
Techniques A and B | Obfuscate strings | 16/55
Techniques A-C | Change control flow | 16/55
Techniques A-D | Reflective invocations (on sensitive APIs) | 3/55
Techniques A-E | Simple XOR packer | 0/55
Let’s define malware
• Bad (malicious) software
• Examples: Viruses, Worms, Trojan Horses, Rootkits, Backdoors, Adware, Spyware, Keyloggers, Dialers, Ransomware…
Let’s define a “bug”
• Unintentional error, flaw, failure, fault
• Examples: Rounding errors, null pointers, infinite loops, stack overflows, race conditions, memory leaks, business logic flaws…
• Is a software bug malware?
• What if I added the bug intentionally?
A bug or malware?
• Context: Found in a CVS commit to the Linux Kernel source
Hint: This never executes…
"=" vs. "==" is a subtle yet important difference! It would grant root privilege to any user who knew how to trigger this condition.
Malware: Linux Backdoor Attempt (2003)
• https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
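The "=" vs "==" point above, as an added example (constructed model, not the kernel code from the 2003 commit): the flag names, the `task` record and the `check_options_*` functions are hypothetical stand-ins. The defective version shows why the branch body "never executes" and yet the caller ends up with uid 0, and the fixed version shows the intended comparison. Note that with the assignment wrapped in its own parentheses, as it was in the original, GCC's usual -Wparentheses warning about assignment-as-condition stays silent, which is why a semantic check (does the condition have a side effect on credentials?) rather than a syntactic one is needed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (added example, not the kernel's code): the names below
 * are hypothetical stand-ins for the option flags and the caller's record. */
#define OPT_FLAG_A 0x1
#define OPT_FLAG_B 0x2

struct task { int uid; };   /* stands in for the calling process's credentials */

/* Defective form. "(t->uid = 0)" assigns, so the expression is always 0:
 * the body never executes, exactly as the slide says, but the assignment
 * has already run, and any caller passing both flags is now uid 0 (root). */
int check_options_buggy(struct task *t, int options)
{
    if ((options == (OPT_FLAG_A | OPT_FLAG_B)) && (t->uid = 0))
        return -1;   /* unreachable */
    return 0;
}

/* Intended form: compare, never assign; root callers are rejected. */
int check_options_fixed(struct task *t, int options)
{
    if ((options == (OPT_FLAG_A | OPT_FLAG_B)) && (t->uid == 0))
        return -1;
    return 0;
}

/* Return value of fn for a caller with the given uid and both flags set. */
int result_for_uid(int (*fn)(struct task *, int), int uid)
{
    struct task t = { .uid = uid };
    return fn(&t, OPT_FLAG_A | OPT_FLAG_B);
}

/* Defender's check: does fn silently change an unprivileged caller's uid? */
bool uid_changed_by(int (*fn)(struct task *, int))
{
    struct task t = { .uid = 1000 };
    fn(&t, OPT_FLAG_A | OPT_FLAG_B);
    return t.uid != 1000;
}

int main(void)
{
    printf("buggy: uid changed = %d\n", uid_changed_by(check_options_buggy));
    printf("fixed: uid changed = %d\n", uid_changed_by(check_options_fixed));
    return 0;
}
```

The `uid_changed_by` helper is the kind of property a reviewer or an analysis query would want to state directly: a permission check must not write to the credential it inspects.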
A bug or malware?
Always goto fail
Never does the check to verify server authenticity…
Bug?: Apple SSL CVE-2014-1266
• Should have been caught by automated tools
• Survived almost a year
• Affected OSX and iOS
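The "always goto fail" defect, as an added example (a constructed model, not Apple's code): the `hash_update` and `verify_signature` stubs and the `verify_key_exchange_*` names are hypothetical. The defective version shows how the duplicated, misleadingly indented `goto fail;` makes the signature check dead code while `err` is still 0, so a bad signature is accepted; the fixed version has one `goto` per check.

```c
#include <stdio.h>

/* Constructed model (added example, not Apple's code). The hash and
 * signature steps are hypothetical stubs returning 0 on success. */
static int hash_update(void) { return 0; }
static int verify_signature(int sig_valid) { return sig_valid ? 0 : -1; }

/* Defective form: the duplicated "goto fail;" is unconditional. It jumps to
 * fail while err is still 0, so the signature check below it is dead code
 * and the function reports success whatever the signature says. */
int verify_key_exchange_buggy(int sig_valid)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;   /* the duplicated line; indentation hides that it is unconditional */
    if ((err = verify_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;      /* 0 means the server was accepted */
}

/* Fixed form: one goto per check, so the signature check is reachable. */
int verify_key_exchange_fixed(int sig_valid)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = verify_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    printf("buggy, bad signature: err=%d\n", verify_key_exchange_buggy(0));
    printf("fixed, bad signature: err=%d\n", verify_key_exchange_fixed(0));
    return 0;
}
```

On the "should have been caught by automated tools" point: current GCC reports the second `goto` under -Wmisleading-indentation (enabled by -Wall since GCC 6), and clang's -Wunreachable-code flags the dead signature check; a control-flow query that asks whether the verification call is reachable from the entry would find the same thing.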
A bug or malware?
Hint: More SSL fun…
Bug (I hope): Heartbleed
• Much less obvious
• Survived several code audits
• Live for ~2 years
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
– Bruce Schneier
Reads too much data!
Heartbeat message size controlled by the attacker…
Response size also controlled by the attacker…
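The two bullets above (request size and response size both under the peer's control) as an added example, a constructed model rather than OpenSSL's code: the record layout, the sample bytes and the function names are hypothetical. The declared payload length is the peer-controlled value; with `validate` off the response copies that many bytes from wherever the record sits, and with `validate` on the length is checked against the number of bytes actually received, which is the shape of the fix. The "adjacent memory" is kept inside one constructed array so the model runs safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (added example, not OpenSSL's code). Record layout used
 * here: 1 type byte, 2-byte big-endian payload length, payload, 16 bytes of
 * padding. All names and sample bytes are hypothetical. */
#define HB_PADDING 16

/* A well-formed request: declares 3 payload bytes and actually carries them. */
static const uint8_t benign[] = {
    0x01, 0x00, 0x03, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* A malformed request followed by bytes standing in for unrelated process
 * memory. Only the first RECORD_LEN bytes were "received"; the declared
 * payload length (32) is larger than what was sent. Keeping the neighbouring
 * bytes inside one array is what makes the over-read safe to run here. */
static const uint8_t arena[] = {
    0x01, 0x00, 0x20, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y', '-', 'B', 'Y', 'T', 'E', 'S'
};
#define RECORD_LEN 22

/* Builds the echo part of a response. Returns bytes copied, or -1 if the
 * request is dropped. validate == 0 trusts the declared length (the defect);
 * validate == 1 checks it against the bytes actually received (the fix). */
int heartbeat_response(const uint8_t *rec, size_t rec_len, int validate,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 3)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];     /* peer-controlled */
    if (validate && 3 + payload_len + HB_PADDING > rec_len)
        return -1;                                          /* fix: drop silently */
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + 3, payload_len);   /* unvalidated: copies past the record */
    return (int)payload_len;
}

/* Bytes the response copied from beyond the received record (-1 if dropped). */
int bytes_leaked(int validate)
{
    uint8_t out[64];
    int n = heartbeat_response(arena, RECORD_LEN, validate, out, sizeof out);
    if (n < 0)
        return -1;
    int in_record = RECORD_LEN - 3;
    return n > in_record ? n - in_record : 0;
}

/* 1 if the unvalidated response carries the neighbouring "secret" bytes. */
int response_contains_secret(void)
{
    uint8_t out[64];
    int n = heartbeat_response(arena, RECORD_LEN, 0, out, sizeof out);
    return n == 32 && memcmp(out + 19, "SECRET-KEY-BY", 13) == 0;
}

/* Payload length echoed for the well-formed request with validation on. */
int benign_response_len(void)
{
    uint8_t out[64];
    return heartbeat_response(benign, sizeof benign, 1, out, sizeof out);
}

int main(void)
{
    printf("unvalidated: %d bytes leaked\n", bytes_leaked(0));
    printf("validated:   %d (dropped)\n", bytes_leaked(1));
    return 0;
}
```

The property worth stating for review or for an analysis query is the one the fix encodes: every length read from the wire must be compared against the length of the buffer it indexes before it reaches `memcpy`. A missing check like this one is an absence of code, which is exactly what makes it hard to spot by reading the code that is there.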
A bug or malware?
…
Hint…
Missing some input validation checks…
Fix adds:
Bug (probably): Shellshock CVE-2014-6271/7169
• Bug is due to the absence of code (validation checks)
• Present for 25 years!?
• Even more complicated to find
• Still learning the extent of this bug
A bug or malware?
Malware: VM escape using bit flips
• Govindavajhala, S.; Appel, A. W., "Using memory errors to attack a virtual machine," Proceedings of the IEEE Symposium on Security and Privacy, pp. 154–165, May 2003.
Wait for a bit flip to obtain two pointers of incompatible types that point to the same location, circumventing the type system and executing arbitrary code in the program's address space.
So what’s your point?
• Both bugs and malware have catastrophic consequences
• Some bugs are indistinguishable from malware
• Plausible deniability: malicious intent cannot be determined from code
• Some issues can be found automatically, but not all
• Novel attacks can be extremely hard to detect
Antivirus looking for malice
Program Analysis looking for bugs…
Next time you own a box, try dropping a program with an exploitable “bug”
Are we doing ourselves a disservice by labeling these as separate problems?
So what can we do about it?
• Growing infrastructure
• Complexity of systems keeps increasing
• Manual work is expensive
• Cost of software is increasing while hardware costs decrease
• We obviously can’t automate it all
• Malware is a cat and mouse game
• Tricky bugs are tricky…
Need a process to increase human productivity…
OODA and You
• “Security is a process, not a product” – Bruce Schneier
“...IA > AI, that is, that intelligence amplifying systems can, at any given level of available systems technology, beat AI systems. That is, a machine and a mind can beat a mind-imitating machine working by itself.” – Fred Brooks
Diagram: the OODA loop, You vs. Opponent
Our opponent:
• Time
• Evolution of malware
Speeding through OODA with Atlas
2-way Source Correspondence
Program Declarations, Control Flow, and Data Flow
Queryable Graph Database
Diagram labels: Software Analyst, Evidence, Accept or Reject, Analysis Query, Analysis Result, Android App, Atlas Software, Security Toolbox
What about binaries?
• Approach is similar for binary analysis
• Binary -> Intermediate Language -> Program Graph
• Demo: Analysis of Stels malware
  • Download and execute files
  • Steal contacts lists
  • Report system information
  • Make phone calls
  • Send SMS messages (to premium numbers)
  • Monitor, record and hide SMS messages
  • Show notifications
  • Uninstall apps
Source: http://www.secureworks.com/cyber-threat-intelligence/threats/stels-android-trojan-malware-analysis/
SpellWrecker
• Consider a spell checker. Invert its logic and what do you get?
• How do we semantically detect the bad one?
• github.com/benjholla/spellwrecker
“Sometimes you have to demo a threat to spark a solution” – Barnaby Jack
Hypothetical Malware
• Cars are becoming drive-by-wire
• Electronic Stability Controls (ESC) are being added to SUVs for rollover prevention
• Invert logic on rollover prevention systems
• Plenty of evil ways to implement it, e.g. greedy algorithms
• J. Bang-Jensen, G. Gutin, and A. Yeo, “When the greedy algorithm fails,” Discrete Optimization, vol. 1, no. 2, pp. 121–127, Nov. 2004.
• Legitimate bugs are hard enough; how can we hope to find illegitimate bugs?
Questions?
• Thanks!
• Try Atlas: http://www.ensoftcorp.com/atlas/
• Complimentary academic licenses
• Request a trial
What properties would ideal malware have?
• Operational goals
  • Effective, adaptable
  • Maintaining ownership
  • Cross platform, cross architecture
  • Persistence (survival, removal, updatable)
• Detection avoidance
  • Resistant to static/dynamic analysis (intractable analysis problems)
  • Difficult to characterize
  • Small footprint (low resource consumption, minimal impact)
  • Blends well with legitimate functionality
• Detection mitigation
  • Plausible deniability
  • Kerckhoffs's principle (ex: untraceable transactions)
• General Software Design Issues
  • Maintainable, deployable, scalable, etc.