Cansec West 2009
- 2. Introduction
Microsoft Malware Protection Center (MMPC)
Threat Research and Response Team
Abhishek Singh (MMPC)
Nikola Livic (MMPC)
Tanmay Ganacharya (MMPC)
Scott Lambert (MMPC)
Swapnil Bhalode (MMPC)
© 2009 Microsoft Corporation. All rights reserved.
- 3. Agenda
Overview
Results
Paladin
Demo
Key Lessons
Conclusion
Q&A
- 4. Overview
Motivation
Automate processes like
Analyzing exploits
Identify malicious input bytes
Identify how shell code gets executed
Narrow the search space
Paladin
Refers to a suite of tools…
Supports rapid, scalable vulnerability analysis
- 5. Results - Paladin
| Categories           | Completed | Detected | Not Detected | Success |
|----------------------|-----------|----------|--------------|---------|
| File-based (complex) | 10        | 4        | 6            | 40%     |
| File-based (simple)  | 10        | 8        | 2            | 80%     |
| Scripting-based      | 10        | 6        | 4            | 60%     |
| Network-based        | 15        | 9        | 6            | 60%     |
| Total                | 45        | 27       | 18           | 60%     |
- 6. Results - Paladin
[Chart: Detected vs. Not Detected counts (y-axis 0 to 15) for File-based (Complex), File-based (Simple), Scripting-based, Network-based and Total; same figures as the table on the previous slide]
- 7. Brief tour
- 8. Paladin
Core component - Vigilante
End-to-end approach to automate worm containment
Tech-transferred from MSR/Incubation
- 9. Vigilante
Started in Microsoft Research (MSR) by Manuel Costa and Miguel Castro and later transitioned to an Incubation team.
Timeline of related work:
Oct. 2004 (Devadas)
Nov. 2004 (MSR)
Dec. 2004 (Minos)
Feb. 2005 (TaintCheck)
Leverages dynamic dataflow analysis to track the use of untrusted data and block it from being executed or loaded into the program counter
Since then it has forked in different directions:
Use for malware analysis (spyware, etc.)
Information leakage, etc.
- 10. Major Components - Vigilante
Program Instrumentation (dynamic binary rewriting)
Used to instrument the program to enable monitoring of how untrusted input data is used
Detection Engine
Leverages dynamic data-flow analysis to identify attacks and generate alerts
Alert Verifier and Distributor
Contains enough information to reproduce the issue on other hosts and distribute accordingly
Filter Generator
Provides protection from future attempts by blocking malicious input.
- 11. Detection Engine
Dynamic dataflow analysis
Track the flow of data from input messages
Common input sources: file, network, etc.
Mark memory as tainted when input data is received
Track all data movement within the program
Terminate the program before it is too late
Detect execution of input data (virtual address is marked tainted)
Detect loading of input data into the program counter (saved return address overwrite, etc.)
- 12. Dynamic Data Flow Analysis
Step 1: Keep track of which memory locations and CPU registers are tainted with untrusted input data
Instrument every data-movement instruction (e.g. MOV, MOVS, PUSH, POP on x86 CPUs) to keep track
Step 2: Identify and block dangerous uses of untrusted input data
Instrument every control transfer instruction (e.g. RET, CALL, JMP on x86 CPUs)
- 13. Dangerous uses of input data
Alert Types
Arbitrary Execution Control (AEC)
When tainted data is about to be loaded into the program counter
Arbitrary Code Execution (ACE)
When tainted data is about to be executed
Arbitrary Function argument (AFA)
When a critical argument to a critical function is tainted
Denial of Service (DoS)
When tainted data leads to an access violation
- 14. Dynamic dataflow analysis
//vulnerable code
push len
push netbuf
push sock
call recv
push netbuf
push localbuf
call strcpy
ret
[Diagram: on the stack, the saved return address sits above localbuf; netbuf points to the tainted data buffer filled by recv, and strcpy copies it over the return address. Alert: value loaded into program counter is tainted]
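To make the two steps concrete, here is an added toy tracker (my code, not Vigilante's) that replays this slide's scenario; the memory layout, addresses and the three-instruction subset it models are assumptions.

```python
# Toy dynamic dataflow tracker for an x86-like machine, replaying the slide's
# scenario: recv() taints netbuf, strcpy() copies it over the saved return
# address, and RET is about to load tainted bytes into EIP (an AEC alert).
# Constructed example (not Vigilante code); addresses and layout are my own.
from typing import Dict, List, Optional, Set, Tuple

class TaintVM:
    def __init__(self) -> None:
        self.mem: Dict[int, int] = {}
        self.taint: Dict[int, int] = {}   # address -> 1-based offset of the input byte
        self.alerts: List[str] = []

    def recv(self, buf: int, data: bytes) -> None:
        """Input source (slide 11): every received byte is marked tainted."""
        for i, b in enumerate(data):
            self.mem[buf + i] = b
            self.taint[buf + i] = i + 1

    def strcpy(self, dst: int, src: int) -> None:
        """Unchecked copy; taint moves with each data movement (step 1, slide 12)."""
        i = 0
        while self.mem.get(src + i, 0) != 0:
            self.mem[dst + i] = self.mem[src + i]
            if src + i in self.taint:
                self.taint[dst + i] = self.taint[src + i]
            i += 1

    def load32(self, addr: int) -> Tuple[int, Set[int]]:
        val = int.from_bytes(bytes(self.mem.get(addr + k, 0) for k in range(4)), "little")
        dirty = {self.taint[addr + k] for k in range(4) if addr + k in self.taint}
        return val, dirty

    def ret(self, esp: int) -> Optional[str]:
        """Control transfer (step 2): check the value about to enter the PC."""
        target, dirty = self.load32(esp)
        if dirty:
            msg = f"AEC: ret to {target:#x} tainted by input bytes {sorted(dirty)}"
            self.alerts.append(msg)
            return msg
        return None

def run_vulnerable_program(payload: bytes) -> Optional[str]:
    """localbuf at 0x1000 (16 bytes), saved return address at 0x1010, netbuf at 0x2000."""
    vm = TaintVM()
    for k, b in enumerate((0x401000).to_bytes(4, "little")):   # untainted saved ret
        vm.mem[0x1010 + k] = b
    vm.recv(0x2000, payload + b"\x00")   # call recv   -> netbuf bytes tainted
    vm.strcpy(0x1000, 0x2000)            # call strcpy -> overflow reaches saved ret
    return vm.ret(0x1010)                # ret         -> alert if EIP would be tainted
```

A 16-byte payload fits localbuf and returns cleanly; a longer one reaches the saved return address and the alert names exactly which input bytes would enter the program counter.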
- 15. How does Vigilante work?
C:\> vulnProcess
C:\> nirvExec /clientname "detector.dll" /attach 1033
C:\> exploitProcess
[Diagram: vulnProcess [pid:1033] with its Stack, Static Data and Code regions; the Detector attached to it writes Vigi_log.log, and the Exploit process delivers the input]
- 16. Dynamic dataflow analysis
//vulnerable code
push len
push buff
push sock
call recv
mov eax, buf[3]
call eax
...
[Diagram: the .EXE of the Vulnerable Process receives input into buff; the Detector raises "Alert!!!" when call eax loads a value taken from the tainted buffer into the program counter]
- 18. Results Revisited
| Categories           | Completed | Detected | Not Detected | Success |
|----------------------|-----------|----------|--------------|---------|
| File-based (complex) | 10        | 4        | 6            | 40%     |
| File-based (simple)  | 10        | 8        | 2            | 80%     |
| Scripting-based      | 10        | 6        | 4            | 60%     |
| Network-based        | 15        | 9        | 6            | 60%     |
| Total                | 45        | 27       | 18           | 60%     |
What does detection mean?
- 19. What does it mean to not detect?
Incorrect alert point
Incomplete log file
No log file
And the reasons?
- 21. Lessons Learned
Beyond scope
False alerts
Engineering issues
- 22. Scope
Does not include:
Temporal (timing-based) vulnerabilities
E.g. CVE-2003-0813: RPC timing issue between two threads
Kernel-level vulnerabilities
E.g. CVE-2006-1314: Mailslot driver heap overflow
Data-independent vulnerabilities
E.g. CVE-2007-0938: CMS
E.g. CVE-2007-0039: ICal
- 23. Data Independent Example 1
CVE-2007-0938 CMS, DoS
"http://foo/000-000,%21frames.htm"
The parse function returns a negative value
The value goes into a memcpy-like function
ParseURL(WCHAR *URL)
{
    DWORD SizeOfSubString = CommaOffset(URL);
    DoCopy(SizeOfSubString); // Crash here
    return SizeOfSubString;
}
- 24. Data Independent Example 2
CVE-2006-2376 ICal (DoS, null dereference)
Begin:Vcalender….
Causes an improper free of a structure, followed by a dereference.
ReadCalender(WCHAR *In_Bytes)
{
    Table = Allocate();
    if (In_Bytes == Bad_Value)
    {
        Free(Table);
    }
    Table->Func(); // Crash here
}
- 25. False Alerts and Mitigations
- 26. False Alerts
Erroneous alerts generated due to:
Imprecise taint propagation
Non-malicious inputs being tracked as malicious
- 27. False Alerts in Theory
Table Lookup:
result = table[in_byte]; // False Positive
result = table[in_byte]; // Should be
Implicit flows:
if (in_byte == 1) result = 1; // False Negative
if (in_byte == 1) result = 1; // Should be
if (in_byte == 2) result = 2; // False Negative
if (in_byte == 2) result = 2; // Should be
Arithmetic restrictions:
result = (in_byte & 0x00); // False Positive
result = (in_byte & 0x00); // Should be
Newsome and Song: “Influence: A Quantitative Approach for Data Integrity”
- 28. False Positives (FP) in Practice
FPs in jump tables
FPs due to marking input as tainted when it is innocuous
- 29. FPs in JumpTables Example
CVE-2006-4691: buffer overflow in NetJoinDomain, Workstation Service, reached via RPC
CallRPCInterface(BYTES *In_Bytes)
{
    NetJoinDomain = DispatchTable[In_Bytes];
    Invoke( NetJoinDomain, // <<<<<<< FALSE POSITIVE
            pArgBuffer,
            ArgNum );
}
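Added example (my code, not Vigilante's) covering both the theory cases on the False Alerts slide and this jump-table false positive: a value wrapper with naive byte-level propagation rules, plus a LowFalsePositives-style switch that stops alerting on a bounded table lookup. The table contents, addresses and the modulo-bounded index are assumptions.

```python
# Byte-level taint as a small value wrapper, reproducing the imprecision cases
# from the theory slide and the jump-table false positive of CVE-2006-4691.
# Constructed example (not Vigilante code); table contents and addresses are mine.
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class T:
    """A value plus the set of input byte offsets the tracker believes it depends on."""
    val: int
    dirty: frozenset = frozenset()

    def __and__(self, other: "T") -> "T":
        # Naive rule: union of operand taint, even when the mask discards the data.
        return T(self.val & other.val, self.dirty | other.dirty)

def table_lookup(table: List[int], idx: T, trust_bounded_table: bool = False) -> T:
    """Explicit flow through an index: the naive rule taints the loaded value."""
    value = table[idx.val % len(table)]          # in range by construction
    return T(value, frozenset() if trust_bounded_table else idx.dirty)

def implicit_flow(in_byte: T) -> T:
    """Control dependence only: byte-level taint is lost, a false negative."""
    if in_byte.val == 1:
        return T(1)
    if in_byte.val == 2:
        return T(2)
    return T(0)

def arithmetic_restriction(in_byte: T) -> T:
    """in_byte & 0x00 is always zero, yet stays tainted: a false positive."""
    return in_byte & T(0x00)

def dispatch(in_bytes: T, low_false_positives: bool) -> str:
    """Slide 29 pattern: NetJoinDomain = DispatchTable[In_Bytes]; Invoke(NetJoinDomain).
    With the handler on, the tainted function pointer raises an AEC alert; the
    LowFalsePositives-style policy suppresses it for a bounded table lookup."""
    dispatch_table = [0x401000, 0x401100, 0x401200]   # constructed RPC stub addresses
    fn = table_lookup(dispatch_table, in_bytes, trust_bounded_table=low_false_positives)
    return "AEC alert" if fn.dirty else f"call {fn.val:#x}"
```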
- 30. FPs in tracking
CVE-2009-0076 (IE vulnerability, CSS memory corruption)
\\?\C:\Documents and Settings\vigilante\Recent\desktop.ini
Handle = 410 FileSize = 96
Tracked handle: Buf = 5fc0000
PostIoInitiation: pIosb=169646c; pBuf=5fc0000; hFile=410; hEvent=0
Io completed synchronously.
HandleIoCompletion: pIosb=169646c; dwLen=96
SetTaint: Base=5fc0000 Len=96
ADDR 0x5fc0000 - 0x5fc0095 set to dirty= 0x2
RANGE 5fc0000..5fc0095 set to = [2..97]
- 31. Mitigations to FPs in Practice
Flags:
IndirectAddressing    mov [disp + ref1 + ref2*i], 0xff
JmpCallIndirect       jmp/call [disp + ref1 + ref2*i]
LowFalsePositives     Turn off a set of handlers
False Positives file:
CVE-2008-2254 (IE HTML Obj Mem Corruption)
0x7d513573
0x7d518123
0x746c240a
0x75c59c7a
Policy File
- 33. Engineering issues
Attaching to process
Detecting with complex processes
Detector protection from exploit
Miscellaneous
- 34. Process Attachment
Simple case:
Winsock (Create, bind, listen, accept, recv)
Named pipes (CreateFile, ReadFile)
Disk IO (CreateFile, ReadFile)
Realistic case:
Async Receive on sockets and named pipes
AcceptEx
Completion routines
NtIoControlFile
Completion ports
Overlapped
Overlapped polling
Wait Events
- 35. Process Attachment
Example:
CVE-2008-4250 Conficker (Path Canonicalization reached via RPC)
// At boot time
CreateFile("\\.\pipe\Browser");
CreateIoCompletionPort(…);
ReadFile(Buffer_Location);
…
// Attachment to service here
…
GetQueuedCompletionStatus();
…
[Diagram: the Detector attaches to the Vulnerable Process's code only after the pipe was opened and the read was issued at boot]
- 36. Process Attachment
Mitigations
Coerce the service to execute its init code (“Pump” utility or waiting X period of time)
Try launching or attaching to a simpler service (many cases)
In theory, change the CreateProcess routine to inject the detector at boot.
- 37. Complex programs/services
Extraneous Log info
Higher probability of not detecting
- 38. Complex programs/services Example
VIGI_LOG.LOG for CAN-2002-0724 (LANMAN vulnerability: DoS with unchecked buffer to NetShareEnum):
\\?\PIPE\srvsvc
SetTaint: Base=d84d8 Len=44
ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
----------------------------------------------
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
----------------------------------------------
\\?\PIPE\lsarpc
SetTaint: Base=d45f8 Len=44
ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0
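Added example (my code, not Paladin's) of how the "Dirty" indices in a log like the one above can be traced back to the input source and byte offset that produced them, which is the "identify malicious input bytes" goal from the Overview. The sample log repeats lines from the slide; reading a dirty index of 0x0 as "this byte is untainted" is my interpretation of the format.

```python
# Parser for the taint-bookkeeping lines in a Vigilante-style log: each RANGE line
# assigns dirty indices [lo..hi] to the input named just before it, so an alert's
# Dirty index maps to (source, index - lo). Constructed example, not Paladin code.
import re
from typing import Dict, List, Tuple

SOURCE = re.compile(r"^\\\\\?\\(.+)$")          # e.g. \\?\PIPE\srvsvc
RANGE = re.compile(r"RANGE [0-9a-f]+\.\.[0-9a-f]+ set to = \[(\d+)\.\.(\d+)\]")
EIP = re.compile(r"EIP: (0x[0-9a-f]+)")
DIRTY = re.compile(r"Dirty: ([0-9a-fx, ]+)")

def resolve(idx: int, ranges: List[Tuple[int, int, str]]) -> Tuple[str, int]:
    """Dirty index -> (input source, byte offset within that input)."""
    for lo, hi, src in ranges:
        if lo <= idx <= hi:
            return src, idx - lo
    return "<untracked>", idx

def parse_vigi_log(log: str) -> List[Dict]:
    """One record per '-- dirty' alert: instruction, EIP, tainted (source, offset) pairs."""
    ranges: List[Tuple[int, int, str]] = []
    alerts: List[Dict] = []
    source = "<unknown source>"
    for raw in log.splitlines():
        line = raw.strip()
        if m := SOURCE.match(line):
            source = m.group(1)                 # following RANGE lines belong to it
        elif m := RANGE.search(line):
            ranges.append((int(m.group(1)), int(m.group(2)), source))
        elif line.endswith("-- dirty"):
            alerts.append({"insn": line[: -len(" -- dirty")], "eip": None, "bytes": []})
        elif alerts and (m := EIP.search(line)):
            alerts[-1]["eip"] = m.group(1)
        elif alerts and (m := DIRTY.search(line)):
            for tok in m.group(1).split(","):
                if idx := int(tok, 16):         # 0x0 = byte not tainted (assumption)
                    alerts[-1]["bytes"].append(resolve(idx, ranges))
    return alerts

SAMPLE_LOG = r"""\\?\PIPE\srvsvc
RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
\\?\PIPE\lsarpc
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0"""
```

For the first alert the resolved offsets 4..7 agree with the slide itself: Operand2 sits at 0xd84dc, four bytes past the Base of the srvsvc range.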
- 40. Detector protection from exploit
CVE-2009-0133 MS Help Workshop (a shellhunter payload)
[Diagram: the payload in buf, the Stack, and the Detector's own memory]
Mitigations
Move the stack around
Page protect
- 41. Miscellaneous
Logging without deadlocking
Space considerations
- 42. Results Revisited and Extended
| Categories           | Completed | Detected (minimal effort) | Detected (considerable effort) | Not Detected |
|----------------------|-----------|---------------------------|--------------------------------|--------------|
| File-based (complex) | 10        | 0                         | 4                              | 6            |
| File-based (simple)  | 10        | 6                         | 2                              | 2            |
| Scripting-based      | 10        | 4                         | 2                              | 4            |
| Network-based        | 15        | 4                         | 2                              | 6            |
| Total                | 45        | 14                        | 10                             | 18           |
- 43. Detection Effort
[Chart: detection effort (Minimal, Considerable, No Detection) per category: Complex File-Based, Simple File-Based, Network, Scripting; same figures as the table on the previous slide]
- 45. Conclusion
First attempt at using dynamic dataflow analysis in production
Delineated real world challenges
Provided mitigation strategies
Helped reduce response time
Supports rapid, scalable vulnerability analysis
Great investment for the future
Lessons learned enlarged the scope of effectiveness
More to come…