Cansec West 2009



1. Microsoft Malware Protection Center, Threat Research and Response Team
© 2009 Microsoft Corporation. All rights reserved.
2. Introduction
Microsoft Malware Protection Center (MMPC), Threat Research and Response Team:
Abhishek Singh (MMPC), Nikola Livic (MMPC), Tanmay Ganacharya (MMPC), Scott Lambert (MMPC), Swapnil Bhalode (MMPC)
3. Agenda
- Overview
- Results
- Paladin
- Demo
- Key Lessons
- Conclusion
- Q&A
4. Overview
Motivation: automate processes such as
- analyzing exploits
- identifying the malicious input bytes
- identifying how shellcode gets executed
- narrowing the search space
Paladin refers to a suite of tools that support rapid, scalable vulnerability analysis.
5. Results - Paladin

| Categories           | Completed | Detected | Not Detected | Success |
|----------------------|-----------|----------|--------------|---------|
| File-based (complex) | 10        | 4        | 6            | 40%     |
| File-based (simple)  | 10        | 8        | 2            | 80%     |
| Scripting-based      | 10        | 6        | 4            | 60%     |
| Network-based        | 15        | 9        | 6            | 60%     |
| Total                | 45        | 27       | 18           | 60%     |
6. Results - Paladin
[Chart: Detected vs. Not Detected per category (File-based (Complex), File-based (Simple), Scripting-based, Network-based, Total); axis 0 to 15]
7. Brief tour
8. Paladin
Core component: Vigilante
- End-to-end approach to automate worm containment
- Tech-transferred from MSR/Incubation
9. Vigilante
Started in Microsoft Research (MSR) by Manuel Costa and Miguel Castro and later transitioned to an Incubation team.
Timeline: Oct. 2004 (Devadas), Nov. 2004 (MSR), Dec. 2004 (Minos), Feb. 2005 (TaintCheck)
Leverages dynamic dataflow analysis to track the use of untrusted data and block it from being executed or loaded into the program counter.
Since then it has forked in different directions:
- use for malware analysis (spyware, etc.)
- information leakage, etc.
10. Major Components - Vigilante
- Program Instrumentation (dynamic binary rewriting): used to instrument the program so that the use of untrusted input data can be monitored
- Detection Engine: leverages dynamic data-flow analysis to identify attacks and generate alerts
- Alert Verifier and Distributor: an alert contains enough information to reproduce the issue on other hosts and is distributed accordingly
- Filter Generator: provides protection from future attempts by blocking malicious input
11. Detection Engine
Dynamic dataflow analysis: track the flow of data from input messages
- Common input sources: file, network, etc.
- Mark memory as tainted when input data is received
- Track all data movement within the program
Terminate the program before it's too late:
- detect execution of input data (the virtual address being executed is marked tainted)
- detect loading of input data into the program counter (saved return address overwrite, etc.)
12. Dynamic Data Flow Analysis
Step 1: Keep track of which memory locations and CPU registers are tainted with untrusted input data
- Instrument every data-movement instruction (e.g. MOV, MOVS, PUSH, POP on x86 CPUs) to keep track
Step 2: Identify and block dangerous uses of untrusted input data
- Instrument every control transfer instruction (e.g. RET, CALL, JMP on x86 CPUs)
13. Dangerous uses of input data
Alert types:
- Arbitrary Execution Control (AEC): when tainted data is about to be loaded into the program counter
- Arbitrary Code Execution (ACE): when tainted data is about to be executed
- Arbitrary Function Argument (AFA): when a critical argument to a critical function is tainted
- Denial of Service (DoS): when tainted data leads to an access violation
14. Dynamic dataflow analysis

```asm
; vulnerable code
push len
push netbuf        ; netbuf points to the buffer that will hold the tainted data
push sock
call recv          ; recv(sock, netbuf, len): the bytes in netbuf are now tainted
push netbuf
push localbuf
call strcpy        ; strcpy(localbuf, netbuf): tainted bytes are copied onto the stack,
                   ; past the stack pointer and over the saved return address
ret                ; alert: value loaded into program counter is tainted
```
15. How does Vigilante work?
[Diagram: vulnProcess [pid:1033] with its Stack, Static Data and Code; an exploitProcess sends the exploit to it; the Detector is attached with the command below and writes Vigi_log.log]

```
C:\> nirvExec /clientname "detector.dll" /attach 1033
```
16. Dynamic dataflow analysis
[Diagram: the .EXE of the vulnerable process runs the code below with the Detector attached; the Detector raises "Alert!!!"]

```asm
; vulnerable code
push len
push buff
push sock
call recv          ; buff is now tainted
mov eax, buff[3]   ; eax is loaded from tainted bytes
call eax           ; alert: tainted value used as a call target
...
```
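The two detections above (slide 14, where strcpy overwrites the saved return address, and slide 16, where call eax uses a register loaded from the receive buffer) replayed in a byte-granular shadow-memory tracker. This is an added example written for this transcript, not Vigilante code; the memory layout, buffer offsets and input bytes are constructed.

```python
class TaintVM:
    def __init__(self, size=64):
        self.mem = bytearray(size)
        self.shadow = bytearray(size)   # shadow[i] == 1: mem[i] derives from input
        self.regs = {}                  # register name -> (value, tainted)
        self.alerts = []

    def recv(self, buf, data):
        # Input source (slide 11): store the bytes and mark that range tainted.
        self.mem[buf:buf + len(data)] = data
        self.shadow[buf:buf + len(data)] = b"\x01" * len(data)

    def strcpy(self, dst, src):
        # Unchecked copy up to the NUL; taint moves with every byte (MOVS semantics).
        i = 0
        while True:
            self.mem[dst + i] = self.mem[src + i]
            self.shadow[dst + i] = self.shadow[src + i]
            if self.mem[src + i] == 0:
                return
            i += 1

    def load32(self, addr, reg):
        # mov reg, [addr]: the register is tainted if any of the 4 bytes read is.
        self.regs[reg] = (int.from_bytes(self.mem[addr:addr + 4], "little"),
                          any(self.shadow[addr:addr + 4]))

    def transfer(self, kind, reg):
        # Control-transfer check (slide 12, step 2): tainted target -> AEC alert.
        target, tainted = self.regs[reg]
        if tainted:
            self.alerts.append(f"AEC: {kind} to {target:#010x} from tainted data")
        return not tainted

    def ret(self, esp):
        self.load32(esp, "eip")
        return self.transfer("ret", "eip")

def slide14_scenario():
    # Constructed layout: 8-byte localbuf at 8, saved return address at 16, netbuf at 40.
    vm = TaintVM()
    vm.mem[16:20] = (0x00401000).to_bytes(4, "little")   # clean return address
    vm.recv(40, b"A" * 8 + b"\x41\x41\x41\x41\x00")      # 12 bytes for an 8-byte buffer
    vm.strcpy(8, 40)                                     # overflows into the saved return
    return vm.ret(16), vm.alerts

def slide16_scenario():
    vm = TaintVM()
    vm.recv(0, b"\x00\x00\x00\x10\x20\x30\x40")   # buff[3..] come from the input
    vm.load32(3, "eax")                           # mov eax, buff[3]
    return vm.transfer("call", "eax"), vm.alerts  # call eax
```

Both scenarios return False together with the single AEC alert that stopped the transfer; a ret over a clean saved return address returns True with no alert.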
17. CVE-2008-1087
18. Results Revisited

| Categories           | Completed | Detected | Not Detected | Success |
|----------------------|-----------|----------|--------------|---------|
| File-based (complex) | 10        | 4        | 6            | 40%     |
| File-based (simple)  | 10        | 8        | 2            | 80%     |
| Scripting-based      | 10        | 6        | 4            | 60%     |
| Network-based        | 15        | 9        | 6            | 60%     |
| Total                | 45        | 27       | 18           | 60%     |

What does detection mean?
19. What does it mean to not detect?
- Incorrect alert point
- Incomplete log file
- No log file
And the reasons?
20. Overcoming the challenges
21. Lessons Learned
- Beyond scope
- False alerts
- Engineering issues
22. Scope
Not included:
- Temporal vulnerabilities, e.g. CVE-2003-0813: RPC timing issue (2 threads)
- Kernel-level vulnerabilities, e.g. CVE-2006-1314: Mailslot driver heap overflow
- Data-independent vulnerabilities, e.g. CVE-2007-0938: CMS; CVE-2007-0039: iCal
23. Data Independent Example 1
CVE-2007-0938, CMS, DoS: "http://foo/000-000,%21frames.htm"
The parse function returns a negative value, and that value goes into a memcpy-like function.

```c
DWORD ParseURL(WCHAR *URL)
{
    DWORD SizeOfSubString = CommaOffset(URL);   // negative offset stored as an unsigned size
    DoCopy(SizeOfSubString);                    // crash here
    return SizeOfSubString;
}
```
24. Data Independent Example 2
CVE-2006-2376, iCal, DoS (NULL dereference): input beginning "Begin:Vcalendar..." causes an improper free of a structure that is then dereferenced.

```c
void ReadCalendar(WCHAR *In_Bytes)
{
    Table = Allocate();             // Table points to the allocated structure
    if (In_Bytes == Bad_Value) {
        Free(Table);                // freed on the error path ...
    }
    Table->Func();                  // ... but still used afterwards: crash here
}
```
25. False Alerts and Mitigations
26. False Alerts
Erroneous alerts generated due to:
- Imprecise taint propagation
- Non-malicious inputs being tracked as malicious
27. False Alerts in Theory
Each case is shown twice: first as the analysis marks it, then as it should be marked.

```c
// Table lookup:
result = table[in_byte];        // False Positive
result = table[in_byte];        // Should be

// Implicit flows:
if (in_byte == 1) result = 1;   // False Negative
if (in_byte == 1) result = 1;   // Should be
if (in_byte == 2) result = 2;   // False Negative
if (in_byte == 2) result = 2;   // Should be

// Arithmetic restrictions:
result = (in_byte & 0x00);      // False Positive
result = (in_byte & 0x00);      // Should be
```

Newsome and Song: "Influence: A Quantitative Approach for Data Integrity"
28. False Positives (FP) in Practice
- FPs in jump tables
- FPs due to marking input as tainted when it is innocuous
29. FPs in Jump Tables
Example: CVE-2006-4691, buffer overflow in NetJoinDomain, Workstation Service, reached via RPC

```c
void CallRPCInterface(BYTES *In_Bytes)
{
    NetJoinDomain = DispatchTable[In_Bytes];   // tainted index selects the handler
    Invoke(NetJoinDomain,                      // <<<<<<< FALSE POSITIVE
           pArgBuffer,
           ArgNum);
}
```
30. FPs in tracking
CVE-2009-0076 (IE vulnerability, CSS memory corruption): an innocuous file read is tracked and tainted.

```
\??\C:\Documents and Settings\vigilante\Recent\desktop.ini
Handle = 410 FileSize = 96
Tracked handle: Buf = 5fc0000
PostIoInitiation: pIosb=169646c; pBuf=5fc0000; hFile=410; hEvent=0
Io completed synchronously.
HandleIoCompletion: pIosb=169646c; dwLen=96
SetTaint: Base=5fc0000 Len=96
ADDR 0x5fc0000 - 0x5fc0095 set to dirty= 0x2
RANGE 5fc0000..5fc0095 set to = [2..97]
```
31. Mitigations to FPs in Practice
Flags:
- IndirectAddressing: mov [disp + ref1 + ref2*i], 0xff
- JmpCallIndirect: jmp/call [disp + ref1 + ref2*i]
- LowFalsePositives: turn off a set of handlers
False Positives file (policy file), e.g. for CVE-2008-2254 (IE HTML Object Memory Corruption):

```
0x7d513573
0x7d518123
0x746c240a
0x75c59c7a
```
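The propagation choices behind slides 27 to 31, as an added example that is not part of the deck or of Vigilante: each rule is shown in its naive and refined form, and the jump-table dispatch of slide 29 is run against a policy file of known false-positive EIPs. The dispatch table, the call-site EIP and the one-address-per-line file format are constructed assumptions.

```python
from typing import FrozenSet, NamedTuple

class Tainted(NamedTuple):
    v: int                                  # concrete value
    src: FrozenSet[int] = frozenset()       # input byte offsets the value depends on

def input_byte(offset, value):
    return Tainted(value, frozenset({offset}))

def and_imm(x, mask, naive=False):
    # result = x & mask.  Naive dataflow: a tainted operand always taints the result.
    # Refined rule (slide 27, "arithmetic restriction"): a mask that keeps no bit
    # leaves nothing of the input in the result, so the taint is dropped.
    keep = naive or (mask & 0xFF) != 0
    return Tainted(x.v & mask, x.src if keep else frozenset())

def table_lookup(table, idx, index_taints_result=False):
    # result = table[idx].  Letting the tainted index taint the loaded value is what
    # turns the RPC dispatch on slide 29 into a false positive; the refined rule
    # only propagates taint from the bytes actually read.
    return Tainted(table[idx.v], idx.src if index_taints_result else frozenset())

def branch_assign(in_byte, const, track_branch=False):
    # if (in_byte == const) result = const: no byte moves, so pure dataflow reports
    # the result clean (false negative); tracking the branch condition closes the gap.
    value = const if in_byte.v == const else 0
    return Tainted(value, in_byte.src if track_branch else frozenset())

def parse_fp_file(text):
    # Constructed format for the slide-31 False Positives file: one hex EIP per line.
    return {int(line.strip(), 16) for line in text.splitlines() if line.strip()}

def control_transfer(eip, target, known_fps):
    # Alert on a tainted transfer target unless the policy file lists this EIP.
    if target.src and eip not in known_fps:
        return f"alert at {eip:#010x}: target depends on input bytes {sorted(target.src)}"
    return None

DISPATCH = [0x7d510000, 0x7d510100, 0x7d510200]   # constructed RPC dispatch table
CALL_SITE = 0x7d51aaaa                            # constructed EIP of the Invoke call

def slide29_scenario(policy_text):
    # First input byte selects the RPC handler; the indirect call then looks tainted.
    opnum = input_byte(0, 1)
    handler = table_lookup(DISPATCH, opnum, index_taints_result=True)
    return control_transfer(CALL_SITE, handler, parse_fp_file(policy_text))
```

With an empty policy file slide29_scenario reports the alert; once the call-site EIP is listed, or once index_taints_result is left off, the same dispatch is silent.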
32. Engineering issues and Mitigations
33. Engineering issues
- Attaching to the process
- Detecting with complex processes
- Detector protection from the exploit
- Miscellaneous
34. Process Attachment
Simple case:
- Winsock (create, bind, listen, accept, recv)
- Named pipes (CreateFile, ReadFile)
- Disk I/O (CreateFile, ReadFile)
Realistic case: asynchronous receive on sockets and named pipes
- AcceptEx
- Completion routines
- NtIoControlFile
- Completion ports
- Overlapped, overlapped polling
- Wait events
35. Process Attachment
Example: CVE-2008-4250, Conficker (path canonicalization reached via RPC). The service sets up its I/O at boot, so a detector attached later has already missed the calls that identify the input buffer.

```c
// At boot time
CreateFile("\\pipe\\Browser");
CreateIoCompletionPort(...);
ReadFile(Buffer_Location);
...
// Attachment of the detector to the service happens here
...
GetQueuedCompletionStatus();
...
```
36. Process Attachment Mitigations
- Coerce the service to execute its init code ("Pump" utility, or waiting a period of time)
- Try launching or attaching to a simpler service (works in many cases)
- In theory, change the CreateProcess routine to inject the detector at boot
37. Complex programs/services
- Extraneous log info
- Higher probability of not detecting
38. Complex programs/services
Example VIGI_LOG.LOG for CAN-2002-0724 (LANMAN vulnerability: DoS with an unchecked buffer to NetShareEnum); the lsarpc entries are noise from another pipe.

```
\??\PIPE\srvsvc
SetTaint: Base=d84d8 Len=44
ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
----------------------------------------------
movz/sx r32,rm16 -- dirty EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
----------------------------------------------
\??\PIPE\lsarpc
SetTaint: Base=d45f8 Len=44
ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0
```
39. Complex programs/services
Mitigations:
- Smaller svchost group
- Find an easier program, e.g. ImageViewer instead of IE
- Packet cleaner utility
40. Detector protection from exploit
Example: CVE-2009-0133, MS Help Workshop (a shellhunter payload). [Diagram: the payload's search of the stack reaches the detector's buf]
Mitigations:
- Move the stack around
- Page-protect buf
41. Miscellaneous
- Logging without deadlocking
- Space considerations
42. Results Revisited and Extended

| Categories           | Completed | Detected (minimal effort) | Detected (considerable effort) | Not Detected |
|----------------------|-----------|---------------------------|--------------------------------|--------------|
| File-based (complex) | 10        | 0                         | 4                              | 6            |
| File-based (simple)  | 10        | 6                         | 2                              | 2            |
| Scripting-based      | 10        | 4                         | 2                              | 4            |
| Network-based        | 15        | 4                         | 2                              | 6            |
| Total                | 45        | 14                        | 10                             | 18           |
43. Detection Effort
[Chart: Minimal, Considerable and No Detection per category (Complex File-Based, Simple File-Based, Network, Scripting)]
45. Conclusion
- First attempt at using dynamic dataflow analysis in production
- Delineated real-world challenges
- Provided mitigation strategies
- Helped reduce response time
- Supports rapid, scalable vulnerability analysis
- Great investment for the future
- Lessons learned enlarged the scope of effectiveness
- More to come...
46. Contact: {absing, niklivic, tanmayg, scottlam, sbhalod}@microsoft.com