Page 1
How Twiggy Saved Sparky
Joseph Calandrino
Matt Spear
Malware Seminar – Fall 2004
Page 2
Meet Twiggy
http://goatload.com/mt/
Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data.
Page 3
Meet Robbie
http://www.mumi.org/metissages/fr/artificiel/artificiel.html
http://www.dachshundalley.com/
Page 4
Robbie’s Setup
[Diagram: call graph of Robbie's control system. walkAnimal(name), petAnimal(name) and feedAnimal(name) each call doAction(action, name).]
Page 5
Evil Is Afoot
http://www.austinpowers.com/
http://www.rit.edu/~sli4356/
If only I could modify the action for doAction…
Page 6
More on Robbie
[Diagram: inside petAnimal(name), the name buffer sits directly next to the action buffer, which holds P E T; both are passed to doAction(action, name).]
Disclaimer: This is simplified
Page 7
Evil Is Afoot
petAnimal(“SPARKYEA”)…Sparky is mine!!!
Page 8
More on Robbie
[Diagram: petAnimal(name) after the overlong name. The two adjacent buffers now read S P A R K Y E A T: name holds S P A R K Y and action holds E A T, which is passed to doAction(action, name).]
Page 9
Sparky Senses Danger
[Diagram: petAnimal(name) with name holding S P A R K Y; action is now a pointer to P E T stored elsewhere, and doAction(action, name) is called.]
http://www.svet-je-lep.com/gallery/slike/Twiggy/Zanimiv_morfing.jpg
Page 10
The Dreaded Double Pointer
[Diagram: name holds S P A R K Y; the action pointer next to it points to P E T.]
http://www.austinpowers.com/
Page 11
Evil Will Not Be Deterred
[Diagram: name holds S P A R K Y; the action pointer now points to E A T instead.]
Page 12
Turn on the Twiggy-Signal
http://www.erva.com/pics/ProductIdeal/SQUIRREL%201.jpg
Page 13
Twiggy to the Rescue
http://kevintdriver.hopto.org/images/squirrel.ski.jpg
[Diagram: the name and action buffers, with action holding P E T.]
Modify Robbie’s code to maintain hashes of all buffers:

    addr     len   hash
    action   3     hash(PET)
    name     -     Hash(…)

Also stores data for name.
Secret key = 32589
Robbie needs to store this somewhere inaccessible to Dr. Evil…
Page 14
Without Spoiling Your Day
But Twiggy is a busy squirrel, so he enlists the aid of a source-to-source transformer.
http://www.lemta.com/boatshows/midamerica/twiggy-history.shtml
Page 15
Stop That Modification!
[Diagram: petAnimal(name) with the name and action buffers overflowed to S P A R K Y E A T, and the table entry action, 3, hash(PET).]
Check it before use:
if(hash(_) != _) exit
Page 16
Dr. Evil Is Foiled
http://www.cotbn.com/2002_12_01_archive.html
Dr. Evil can’t effectively modify buffers without altering entries in the table… which are hashed using a secret key.
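The table and the check from the preceding slides, written out as an added example in C (this is not code from the talk): each critical buffer is registered in an addr/len/hash table keyed with the slides' secret key, and the hash is recomputed before the dangerous call. The hash algorithm (key-seeded FNV-1a), the function names and the direct write that stands in for the overflow are all assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One row of the slides' addr/len/hash table: a protected buffer and the keyed
 * hash of its current contents. */
typedef struct {
    const unsigned char *addr;
    size_t len;
    uint64_t hash;
} guard_entry;
#define MAX_GUARDS 16
static guard_entry guards[MAX_GUARDS];
static size_t nguards;
/* The slides' key; key and table must live where the attacker cannot write. */
static const uint64_t secret_key = 32589;

/* Keyed hash; the slides name no algorithm, so key-seeded FNV-1a stands in. */
static uint64_t keyed_hash(const unsigned char *p, size_t len) {
    uint64_t h = 14695981039346656037ULL ^ secret_key;
    for (size_t i = 0; i < len; i++)
        h = (h ^ p[i]) * 1099511628211ULL;
    return h;
}
/* Register a critical buffer once it holds its intended value; returns the
 * table index, or -1 when the table is full. */
int guard_register(const void *buf, size_t len) {
    if (nguards >= MAX_GUARDS) return -1;
    guards[nguards].addr = (const unsigned char *)buf;
    guards[nguards].len = len;
    guards[nguards].hash = keyed_hash(guards[nguards].addr, len);
    return (int)nguards++;
}
/* "Check it before use": 1 if the buffer still matches its recorded hash,
 * 0 if it was changed behind the program's back (or idx is invalid). */
int guard_check(int idx) {
    if (idx < 0 || (size_t)idx >= nguards) return 0;
    return keyed_hash(guards[idx].addr, guards[idx].len) == guards[idx].hash;
}
/* Constructed replay of the slides: action holds PET, is corrupted to EAT,
 * and the check that guards doAction catches it. A direct write stands in
 * for the overflow out of name. Returns 1 when detection behaves as expected. */
int demo_tamper_detected(void) {
    static char action[4] = "PET";
    int g = guard_register(action, 3);
    int before = guard_check(g);
    memcpy(action, "EAT", 3);           /* simulated corruption */
    int after = guard_check(g);
    return before == 1 && after == 0;
}
```

A source-to-source transformer would insert the guard_register call after each critical buffer is initialised and the guard_check call immediately before the dangerous use, which is the placement the slides describe.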
Page 17
But At What Cost?
Hashes and checks can be computationally expensive
Can Robbie feed Twiggy and Sparky on time?
http://www.pets.info.vic.gov.au/02/sdd_dlang.htm
http://www.nd.edu/~tdavidso/Mexico.htm
Page 18
The Statistics
Robbie Runtime
[Bar chart: cycle count (time to feed Twiggy and Sparky) for the program (Robbie's Control System). Unmodified: 148000 cycles. Modified: 172000 cycles.]
Page 19
Reduce the Cost
Do we need to check all buffers?
What about only checking buffers used as inputs to dangerous methods?
(That’s all the buffers in our example, but likely far fewer than in the program.)
Can Twiggy use call-graph analysis to find those buffers?
Page 20
Did It Work?
• Basic defense method protects buffers from modification.
• Aliasing ignored.
• Can we track down critical buffer values?
• We’re still working on that.
• But, for Twiggy, yes (this is supposed to be a happy story)
Page 21
Happily Ever After
By maintaining hashes of critical buffer values and verifying them before dangerous function calls, Twiggy efficiently prevents malicious modifications and moves on to new adventures.
http://greywolf.critter.net/gallery/ironclawgallery-icsu04.htm