Microsoft Malware Protection Center
    Threat Research and Response Team



© 2009 Microsoft Corporation. All rights reserved.
Introduction
     Microsoft Malware Protection Center (MMPC)
       Threat Research and Response Team

     Abhishek Singh (MMPC)
     Nikola Livic (MMPC)
     Tanmay Ganacharya (MMPC)
     Scott Lambert (MMPC)
     Swapnil Bhalode (MMPC)


Agenda
     Overview
     Results
     Paladin
     Demo
     Key Lessons
     Conclusion
     Q&A



Overview
 Motivation
   Automate processes like
     Analyzing exploits
     Identify malicious input bytes
     Identify how shell code gets executed
     Narrow the search space


 Paladin
   Refers to a suite of tools…
   Support rapid, scalable vulnerability analysis


Results - Paladin
     Categories             Completed   Detected   Not Detected   Success
     File-based (complex)       10           4           6            40%
     File-based (simple)        10           8           2            80%
     Scripting-based            10           6           4            60%
     Network-based              15           9           6            60%
     Total                      45          27          18            60%

Results - Paladin

     [Chart: Detected, Not Detected and Total per category (File-based complex, File-based simple, Scripting-based, Network-based); horizontal axis 0 to 15]

Brief tour




Paladin
     Core component - Vigilante
       End-to-end approach to automate worm
       containment
       Tech-transferred from MSR/Incubation




Vigilante
     Started in Microsoft Research (MSR) by Manuel
     Costa and Miguel Castro and later transitioned to
     an Incubation team.
       Timeline of related systems:
         Oct. 2004 (Devadas)
         Nov. 2004 (MSR)
         Dec. 2004 (Minos)
         Feb. 2005 (TaintCheck)
     Leverages dynamic dataflow analysis to track the
     use of untrusted data and block it from being
     executed or loaded into the program counter
     Since then it has forked in different directions
       Use for malware analysis (spyware, etc)
       Information leakage, etc

Major Components - Vigilante
      Program Instrumentation (dynamic binary re-
      writing)
        Used to instrument the program to enable monitoring
        of how untrusted input data is used
      Detection Engine
        Leverages dynamic data-flow analysis to identify attacks
        and generate alerts
      Alert Verifier and Distributor
        Contains enough information to reproduce the issue on
        other hosts and distribute accordingly
      Filter Generator
        Provides protection from future attempts by blocking
        malicious input.

Detection Engine
Dynamic dataflow analysis
  Track the flow of data from input messages
     Common Input Sources: File, network, etc
       mark memory as tainted when input data is received
       track all data movement within the program
  Terminate program before it’s too late
     detect execution of input data (virtual address is marked
     tainted)
     detect loading of input data into program counter (saved ret
     overwrite, etc)



Dynamic Data Flow Analysis
      Step 1: Keep track of which memory locations
      and CPU registers are tainted with untrusted
      input data
        Instrument every data-movement instruction
          (e.g. MOV,MOVS, PUSH, POP on x86 CPUs) to keep track

      Step 2: Identify and block dangerous uses of
      untrusted input data
        Instrument every control transfer instruction
          (e.g. RET, CALL, JMP on x86 CPUs)


Dangerous uses of input data
      Alert Types
        Arbitrary Execution Control (AEC)
          When tainted data is about to be loaded into the program
          counter
        Arbitrary Code Execution (ACE)
          When tainted data is about to be executed
        Arbitrary Function argument (AFA)
          When a critical argument to a critical function is tainted
        Denial of Service (DoS)
          When tainted data leads to an access violation


Dynamic dataflow analysis
        //vulnerable code
        push len
        push netbuf
        push sock
        call recv            ; netbuf now points to tainted data
        push netbuf
        push localbuf
        call strcpy          ; unchecked copy: tainted bytes overrun localbuf and reach the saved return address
        ret                  ; alert: value loaded into program counter is tainted

        [Diagram: stack layout showing the stack pointer, the local buffer, the saved return address (now tainted) and netbuf]

How does Vigilante work?
        C:\> vulnProcess
        C:\> nirvExec /clientname "detector.dll" /attach 1033
        C:\> exploitProcess

        [Diagram: the vulnProcess [pid:1033] address space (Stack, Static Data, Code) with the Detector injected into it, writing Vigi_log.log]

Dynamic dataflow analysis
        //vulnerable code
        push len
        push buff
        push sock
        call recv            ; buff is filled with tainted data
        mov eax, buf[3]      ; eax is now tainted
        call eax             ; Detector: Alert!!!
        ...

        [Diagram: the .EXE of the Vulnerable Process with the tainted buff, and the in-process Detector raising the alert]

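The following Python is an added example, not code from the Paladin/Vigilante project: a toy, word-granular machine that implements the two steps of slides 12 and 13 (taint carried along by data-movement operations, checked at control transfers) and replays the two vulnerable fragments of slides 14 and 16. The frame layout (LOCALBUF, NETBUF, the saved return address CALLER) and the third, ACE scenario are constructed for the demo.

```python
"""Toy dynamic-dataflow (taint) tracker in the style of Vigilante's detection engine.
Memory is word-granular with one taint bit per cell; data movement copies the bit
with the value, and control transfers are the checkpoints that raise alerts.
All addresses below are constructed for the demo."""

MEM_CELLS = 64
LOCALBUF, NETBUF = 8, 32        # 8-cell local buffer at 8..15, receive buffer at 32
CALLER = 0x1040                 # return address the caller's 'call' saved above localbuf


class TaintAlert(Exception):
    """Raised when tainted data reaches a dangerous use (alert types of slide 13)."""

    def __init__(self, kind, insn, value):
        super().__init__(f"{kind}: {insn} would use tainted value {value:#x}")
        self.kind, self.insn, self.value = kind, insn, value


class Machine:
    def __init__(self):
        self.mem = [0] * MEM_CELLS
        self.taint = [False] * MEM_CELLS        # shadow bit per memory cell
        self.regs = {"eax": 0, "esp": LOCALBUF + 9}
        self.reg_taint = {"eax": False}

    # Step 1a: an input source marks memory tainted when data arrives.
    def recv(self, dst, data):
        for i, word in enumerate(data):
            self.mem[dst + i], self.taint[dst + i] = word, True

    # Step 1b: every data-movement instruction moves the taint bit with the value.
    def push(self, value, tainted=False):
        self.regs["esp"] -= 1
        self.mem[self.regs["esp"]], self.taint[self.regs["esp"]] = value, tainted

    def pop(self):
        esp = self.regs["esp"]
        self.regs["esp"] += 1
        return self.mem[esp], self.taint[esp]

    def mov_reg_mem(self, reg, addr):            # mov reg, [addr]
        self.regs[reg], self.reg_taint[reg] = self.mem[addr], self.taint[addr]

    def strcpy(self, dst, src):                 # unchecked copy: stops only at the NUL cell
        i = 0
        while True:
            self.mem[dst + i], self.taint[dst + i] = self.mem[src + i], self.taint[src + i]
            if self.mem[src + i] == 0:
                return
            i += 1

    # Step 2: control transfers are checked before the program counter changes.
    def _transfer(self, target, tainted, insn):
        if tainted:                                      # AEC: tainted value about to become the pc
            raise TaintAlert("AEC", insn, target)
        if target < MEM_CELLS and self.taint[target]:    # ACE: about to execute tainted bytes
            raise TaintAlert("ACE", insn, target)
        return target                                    # benign: the new program counter

    def ret(self):
        value, tainted = self.pop()
        return self._transfer(value, tainted, "ret")

    def call_reg(self, reg):
        return self._transfer(self.regs[reg], self.reg_taint[reg], f"call {reg}")


def slide14_strcpy(payload):
    """call recv; call strcpy(localbuf, netbuf); ret  (slide 14)."""
    m = Machine()
    m.push(CALLER)                # the caller saved its return address just above localbuf
    m.recv(NETBUF, payload)
    m.strcpy(LOCALBUF, NETBUF)    # more than 8 cells (NUL included) spill onto the return address
    return m.ret()


def slide16_call_eax(payload):
    """call recv; mov eax, buf[3]; call eax  (slide 16)."""
    m = Machine()
    m.recv(NETBUF, payload)
    m.mov_reg_mem("eax", NETBUF + 3)
    return m.call_reg("eax")


def call_into_buffer(payload):
    """Clean pointer, tainted destination: the program calls a callback that points into the received buffer."""
    m = Machine()
    m.recv(NETBUF, payload)
    m.regs["eax"] = NETBUF        # constant chosen by the program, so the pointer itself is not tainted
    return m.call_reg("eax")


def detect(scenario, payload):
    """Run a scenario; return the alert type raised, or None when the transfer was benign."""
    try:
        scenario(payload)
        return None
    except TaintAlert as alert:
        return alert.kind


if __name__ == "__main__":
    print(detect(slide14_strcpy, [0x41] * 7 + [0]))        # fits in localbuf: None
    print(detect(slide14_strcpy, [0x41] * 12 + [0]))       # overflow: AEC
    print(detect(slide16_call_eax, [1, 2, 3, 0x1050, 0]))  # AEC
    print(detect(call_into_buffer, [1, 2, 3, 0]))          # ACE
```

The benign run shows why the checkpoint sits at the control transfer rather than at the copy: tainted bytes in a local buffer are normal, and only the moment a tainted word is about to become the program counter (AEC) or tainted memory is about to be executed (ACE) is the program terminated.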
CVE-2008-1087




Results Revisited
     Categories             Completed   Detected   Not Detected   Success
     File-based (complex)       10           4           6            40%
     File-based (simple)        10           8           2            80%
     Scripting-based            10           6           4            60%
     Network-based              15           9           6            60%
     Total                      45          27          18            60%

             What does detection mean?

What does it mean to not detect?
      Incorrect Alert point
      Incomplete log file
      No log file

      And the reasons?




Overcoming the challenges




Lessons Learned
      Beyond scope
      False alerts
      Engineering issues




Scope
     Does not include:
       Temporal (timing-based) vulnerabilities
         E.g. CVE-2003-0813: RPC timing issue between 2 threads
       Kernel-level vulnerabilities
         E.g. CVE-2006-1314: Mailslot driver heap overflow
       Data-independent vulnerabilities
         E.g. CVE-2007-0938: CMS
         E.g. CVE-2007-0039: ICal

Data Independent Example 1
     CVE-2007-0938 CMS, DOS
           “http://foo/000-000,%21frames.htm”
           Parse function returns a negative value
           Value goes into a memcpy-like function

       DWORD ParseURL(WCHAR *URL)
       {
           DWORD SizeOfSubString = CommaOffset(URL);   // negative result stored unsigned: a huge length

           DoCopy(SizeOfSubString);                     // Crash here: memcpy-like copy with that length

           return SizeOfSubString;
       }

Data Independent Example 2
     CVE-2006-2376 ICal (DOS, null dereference)
            Begin:Vcalender….
            Causes an improper free of a structure,
            followed by a dereference.
       ReadCalender(WCHAR *In_Bytes)
       {
           Table = Allocate();

           if (In_Bytes == Bad_Value)
           {
               Free(Table);          // structure released on the bad-input path...
           }
           Table->Func();            // Crash here: ...but still dereferenced afterwards
       }

False Alerts and Mitigations


False Alerts
     Erroneous alert generated due to:
       Imprecise taint propagation
       Non malicious inputs being tracked as malicious




False Alerts in Theory
     Each pair contrasts the marking the analysis produces with the marking it should produce.
     Table lookup:
       result = table[in_byte];                // False Positive
       result = table[in_byte];                // Should be
     Implicit flows:
       if (in_byte == 1) result = 1;           // False Negative
       if (in_byte == 1) result = 1;           // Should be
       if (in_byte == 2) result = 2;           // False Negative
       if (in_byte == 2) result = 2;           // Should be
     Arithmetic restrictions:
       result = (in_byte & 0x00);              // False Positive
       result = (in_byte & 0x00);              // Should be

     Newsome and Song: “Influence: A Quantitative Approach for Data Integrity”
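An added Python example (not code from the deck or from Vigilante) that turns the three cases above into selectable propagation-policy knobs, with taint labels kept as sets of input byte offsets, like the Dirty lists in the log excerpts. It also replays the ParseURL case of slide 23 (CVE-2007-0938) under the same labels, to show why a length obtained only by comparing input bytes stays clean under plain data flow, so the memcpy-like call raises no AFA alert, while a policy that tracks control dependencies does flag it. The Policy class, the lookup table, the AFA rule and the 64-byte buffer bound are constructed.

```python
"""Taint labels as sets of input offsets, propagated under selectable policies.
Each knob corresponds to one case on the 'False Alerts in Theory' slide; the
last two functions replay the data-independent ParseURL case of slide 23.
Policy knobs, table contents and the AFA rule are constructed for the demo."""
from dataclasses import dataclass

CLEAN = frozenset()                 # empty label: the value carries no input taint


@dataclass(frozen=True)
class Policy:
    index_taint: bool = True        # table[in_byte] inherits the taint of in_byte
    control_dep: bool = False       # values assigned under a tainted branch inherit its taint
    mask_aware: bool = False        # x & 0 clears taint because no input bit survives


DATAFLOW = Policy()                                   # plain explicit data flow
PRECISE = Policy(control_dep=True, mask_aware=True)   # tracks implicit flows, reasons about masks


def table_lookup(policy, table, index, index_label):
    """result = table[in_byte]"""
    return table[index], (index_label if policy.index_taint else CLEAN)


def and_const(policy, value, label, mask):
    """result = in_byte & mask; with mask == 0 the result cannot depend on the input."""
    if policy.mask_aware and mask == 0:
        return 0, CLEAN                               # precise: no input bit reaches the result
    return value & mask, label                        # plain propagation keeps the taint: false positive


def branch_assign(policy, cond, cond_label, when_true, when_false):
    """if (in_byte == 1) result = 1;  the dependency exists only through control flow."""
    result = when_true if cond else when_false
    return result, (cond_label if policy.control_dep else CLEAN)   # CLEAN here is the false negative


def comma_offset(policy, url):
    """CommaOffset of slide 23: index of the first ',' or -1 when there is none.
    Every input character is only compared, so plain data flow leaves the result clean."""
    compared = CLEAN
    for i, ch in enumerate(url):
        compared = compared | {i}                     # label of the byte just examined
        if ch == ",":
            return i, (compared if policy.control_dep else CLEAN)
    return -1, (compared if policy.control_dep else CLEAN)


def parse_url(policy, url, buf_len=64):
    """ParseURL of slide 23: the offset feeds a memcpy-like call. The AFA rule of
    slide 13 fires only when that critical argument carries taint."""
    size, label = comma_offset(policy, url)
    out_of_range = not 0 <= size <= buf_len           # -1 stored in a DWORD becomes a huge length
    alert = "AFA" if (out_of_range and label) else None
    return size, alert


if __name__ == "__main__":
    print(and_const(DATAFLOW, 0x41, frozenset({3}), 0), and_const(PRECISE, 0x41, frozenset({3}), 0))
    print(branch_assign(DATAFLOW, True, frozenset({3}), 1, 0), branch_assign(PRECISE, True, frozenset({3}), 1, 0))
    print(parse_url(DATAFLOW, "http://foo/000-000%21frames.htm"), parse_url(PRECISE, "http://foo/000-000%21frames.htm"))
```

The ParseURL run is the practical reading of "data independent": the crash is real, but the bad length is a function of where a comma was (or was not) found, not of any byte that was copied, so an explicit-data-flow detector never sees a tainted argument. Turning on control-dependency tracking recovers the alert at the cost of the taint flooding that Newsome and Song's influence work tries to quantify.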
False Positives (FP) in Practice
     FPs in jump tables

     FPs due to marking input as tainted when it is
     innocuous




FPs in JumpTables Example
     CVE-2006-4691: buffer overflow (BO) in NetJoinDomain, Workstation Service
       Via RPC

       CallRPCInterface(BYTES *In_Bytes)
       {
           NetJoinDomain = DispatchTable[In_Bytes];   // function pointer selected by a tainted index
           Invoke( NetJoinDomain,                     // <<<<<<< FALSE POSITIVE: indirect call through a pointer marked tainted
                   pArgBuffer,
                   ArgNum );
       }

FPs in tracking
     CVE-2009-0076 (IE vulnerability, CSS Memory Corruption)

     \??\C:\Documents and Settings\vigilante\Recent\desktop.ini
      Handle = 410 FileSize = 96
     Tracked handle: Buf = 5fc0000
     PostIoInitiation: pIosb=169646c; pBuf=5fc0000; hFile=410; hEvent=0
     Io completed synchronously.
     HandleIoCompletion: pIosb=169646c; dwLen=96
     SetTaint: Base=5fc0000 Len=96
     ADDR 0x5fc0000 - 0x5fc0095 set to dirty= 0x2
     RANGE 5fc0000..5fc0095 set to = [2..97]

Mitigations to FPs in Practice
       Flags:
         IndirectAddressing   mov [disp + ref1 + ref2*i], 0xff
         JmpCallIndirect      jmp/call [disp + ref1 + ref2*i]
         LowFalsePositives    Turn off set of handlers

       False Positives file
         CVE-2008-2254 (IE HTML Obj Mem Corruption)
           0x7d513573
           0x7d518123
           0x746c240a
           0x75c59c7a

       Policy File

Engineering issues and Mitigations



Engineering issues
     Attaching to process
     Detecting with complex processes
     Detector protection from exploit
     Miscellaneous




Process Attachment

Simple case:
  Winsock (Create, bind, listen, accept, recv)
  Named pipes (CreateFile, ReadFile)
  Disk IO (CreateFile, ReadFile)

Realistic case:
  Async Receive on sockets and named pipes
     AcceptEx
     Completion routines
     NtIoControlFile
     Completion ports
     Overlapped
     Overlapped polling
     Wait Events



Process Attachment

     Example:

     CVE-2008-4250 Conficker
     (Path Canonicalization reached via RPC)
       // At boot time
       CreateFile( "\\.\pipe\Browser" );
       CreateIoCompletionPort(…);
       ReadFile(Buffer_Location);
       …
       // Attachment to service here
       …
       GetQueuedCompletionStatus();
       …

     [Diagram: the Detector attached to the Vulnerable Process's code only after the read was issued at boot]

Process Attachment

        Mitigations
          Coerce service to execute init code. (“Pump” utility
          or waiting X period of time)
          Try launching or attaching to simpler service:
          (many cases)
          In theory change CreateProcess Routine to inject
          detector at boot.




Complex programs/services
       Extraneous Log info
       Higher probability of not detecting




Complex programs/services Example
     CAN-2002-0724 LANMAN vulnerability
     DOS with unchecked buffer to NetShareEnum

     VIGI_LOG.LOG -
     \??\PIPE\srvsvc
     SetTaint: Base=d84d8 Len=44
     ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
     RANGE d84d8..d851b set to = [2..45]
     mov rm8,rm8 -- dirty
     EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
     Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
     Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
     ----------------------------------------------
     movz/sx r32,rm16 -- dirty
     EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
     Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
     Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
     Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
     ----------------------------------------------
     \??\PIPE\lsarpc
     SetTaint: Base=d45f8 Len=44
     ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
     RANGE d45f8..d463b set to = [46..89]
     movz/sx r32,rm16 -- dirty
     EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
     Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
     Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0

Complex programs/services
Mitigations:

    Smaller svchost group
    Find easier program
       e.g. ImageViewer instead of IE
    Packet cleaner utility




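The Python below is an added example, not part of the deck or of Vigilante's tooling: a parser for the log lines shown on the "FPs in tracking" and "Complex programs/services Example" slides, plus a post-filter that applies two of the "Mitigations to FPs in Practice" ideas, suppressing records whose EIP is listed in a False Positives file and dropping records whose taint came only from sources judged innocuous (the desktop.ini case). Attributing each dirty record back to the pipe it was read from is also the first step in cutting down the extraneous log information a large svchost group produces. SAMPLE_LOG is constructed after the slide excerpts with re-based label ranges so the three sources fit in one log; the FP-file entry and the innocuous-source list are constructed too, and Vigilante's real policy-file format is not on the page.

```python
"""Parse Vigilante-style log lines and triage the 'dirty' instruction records:
EIPs listed in a (constructed) False Positives file are suppressed and records
whose taint came only from innocuous sources are ignored. SAMPLE_LOG is
constructed after the slide excerpts, with label ranges re-based so that the
three input sources do not overlap inside a single log."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""\??\C:\Documents and Settings\vigilante\Recent\desktop.ini
SetTaint: Base=5fc0000 Len=96
RANGE 5fc0000..5fc0095 set to = [2..97]
mov r32,rm32 -- dirty
EIP: 0x7d51a2f0 ESP: 0x13f9a0 TID: 0x5a4
Operand2: 0x5fc0010 Dirty: 0x12, 0x13, 0x14, 0x15
----------------------------------------------
\??\PIPE\srvsvc
SetTaint: Base=d84d8 Len=44
RANGE d84d8..d851b set to = [98..141]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand2: 0xd84dc Dirty: 0x66, 0x67, 0x68, 0x69
----------------------------------------------
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
Operand1: 0x0 Dirty: 0x72, 0x73, 0x0, 0x0
Operand2: 0xb3d52 Dirty: 0x72, 0x73, 0x0, 0x0
----------------------------------------------
\??\PIPE\lsarpc
SetTaint: Base=d45f8 Len=44
RANGE d45f8..d463b set to = [142..185]
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0xae, 0xaf, 0x0, 0x0
----------------------------------------------
"""

@dataclass
class Source:
    path: str                      # e.g. \??\PIPE\srvsvc
    first: int = -1                # label range from the RANGE line (input byte numbers)
    last: int = -1

@dataclass
class Dirty:
    insn: str                      # e.g. "movz/sx r32,rm16"
    eip: int = 0
    labels: set = field(default_factory=set)

RE_SOURCE = re.compile(r"^\\\?\?\\.+$")                  # NT path of the tracked input
RE_RANGE = re.compile(r"^RANGE [0-9a-f]+\.\.[0-9a-f]+ set to = \[(\d+)\.\.(\d+)\]$")
RE_DIRTY = re.compile(r"^(.+) -- dirty$")
RE_EIP = re.compile(r"^EIP: 0x([0-9a-f]+) ")
RE_OPERAND = re.compile(r"^Operand\d(?:\.\w+)?: 0x[0-9a-f]+ Dirty: (.+)$")

def parse_log(text):
    """Return (sources, records) in log order; a 0x0 label byte means 'not tainted'."""
    sources, records, src, rec = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if RE_SOURCE.match(line):
            src = Source(line)
            sources.append(src)
        elif (m := RE_RANGE.match(line)) and src is not None:
            src.first, src.last = int(m[1]), int(m[2])
        elif m := RE_DIRTY.match(line):
            rec = Dirty(m[1])
            records.append(rec)
        elif (m := RE_EIP.match(line)) and rec is not None:
            rec.eip = int(m[1], 16)
        elif (m := RE_OPERAND.match(line)) and rec is not None:
            rec.labels |= {int(x, 16) for x in m[1].split(",") if int(x, 16) != 0}
        elif line.startswith("----"):
            rec = None                                  # end of one dirty record
    return sources, records

def source_of(label, sources):
    """Map a taint label (input byte number) back to the input it was read from."""
    for s in sources:
        if s.first <= label <= s.last:
            return s.path
    return None

def triage(records, sources, suppressed_eips, innocuous_suffixes):
    """Post-filter the dirty records with the two mitigations."""
    out = []
    for r in records:
        paths = {source_of(label, sources) for label in r.labels}
        if r.eip in suppressed_eips:
            verdict = "suppressed-eip"                  # listed in the False Positives file
        elif paths and all(p is not None and p.lower().endswith(innocuous_suffixes) for p in paths):
            verdict = "innocuous-source"                # taint came only from data that need not be tracked
        else:
            verdict = "actionable"
        out.append((f"{r.eip:#x}", r.insn, sorted(paths - {None}), verdict))
    return out

if __name__ == "__main__":
    srcs, recs = parse_log(SAMPLE_LOG)   # constructed FP file (one EIP) and innocuous list below
    print(*triage(recs, srcs, {0x77ce3a77}, ("desktop.ini",)), sep="\n")
```

Label-to-source attribution is what makes the second filter safe: a record is dropped only when every tainted operand byte traces back to an innocuous file, so a record that mixes bytes from desktop.ini with bytes from an RPC pipe stays actionable.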
Detector protection from exploit
      CVE-2009-0133 MS Help Workshop
      (a shellhunter payload)

      Mitigations
        Move the stack around
        Page protect

      [Diagram: the Detector sharing the address space with the vulnerable process's buf and Stack]

Miscellaneous
      Logging without deadlocking
      Space considerations




Results Revisited and Extended
     Categories             Completed   Detected            Detected                Not Detected
                                        (Minimal effort)    (Considerable effort)
     File-based (complex)   10          0                   4                       6
     File-based (simple)    10          6                   2                       2
     Scripting-based        10          4                   2                       4
     Network-based          15          4                   2                       6
     Total                  45          14                  10                      18

Detection Effort

     [Charts: detection effort per category (Complex File-Based, Simple File-Based, Network, Scripting), each split into Minimal, Considerable and No Detection]

Conclusion
      First attempt at using dynamic dataflow analysis in
      production
        Delineated real world challenges
        Provided mitigation strategies

      Helped reduce response time
        Supports rapid, scalable vulnerability analysis

      Great investment for the future
        Lessons learned enlarged the scope of effectiveness

      More to come…
{absing, niklivic, tanmayg, scottlam, sbhalod}@microsoft.com





 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 

Cansec West 2009

  • 1. Microsoft Malware Protection Center, Threat Research and Response Team. © 2009 Microsoft Corporation. All rights reserved.
  • 2. Introduction
      Microsoft Malware Protection Center (MMPC), Threat Research and Response Team
      Abhishek Singh (MMPC), Nikola Livic (MMPC), Tanmay Ganacharya (MMPC), Scott Lambert (MMPC), Swapnil Bhalode (MMPC)
  • 3. Agenda
      Overview; Results; Paladin; Demo; Key Lessons; Conclusion; Q&A
  • 4. Overview
      Motivation: automate processes such as analyzing exploits, identifying malicious input bytes, identifying how shell code gets executed, and narrowing the search space.
      Paladin refers to a suite of tools that support rapid, scalable vulnerability analysis.
  • 5. Results - Paladin
      Categories             Completed   Detected   Not Detected   Success
      File-based (complex)       10          4            6           40%
      File-based (simple)        10          8            2           80%
      Scripting-based            10          6            4           60%
      Network-based              15          9            6           60%
      Total                      45         27           18           60%
  • 6. Results - Paladin
      (Chart: Detected vs. Not Detected for File-based (Complex), File-based (Simple), Scripting-based, Network-based and Total, on a 0 to 15 scale.)
  • 7. Brief tour
  • 8. Paladin
      Core component: Vigilante, an end-to-end approach to automate worm containment, tech-transferred from MSR/Incubation.
  • 9. Vigilante
      Started in Microsoft Research (MSR) by Manuel Costa and Miguel Castro and later transitioned to an Incubation team.
      Timeline of related work: Oct. 2004 (Devadas); Nov. 2004 (MSR); Dec. 2004 (Minos); Feb. 2005 (TaintCheck).
      Leverages dynamic dataflow analysis to track the use of untrusted data and block it from being executed or loaded into the program counter.
      Since then it has forked in different directions: use for malware analysis (spyware, etc.), information leakage, etc.
  • 10. Major Components - Vigilante
      Program Instrumentation (dynamic binary rewriting): used to instrument the program to enable monitoring of how untrusted input data is used.
      Detection Engine: leverages dynamic data-flow analysis to identify attacks and generate alerts.
      Alert Verifier and Distributor: contains enough information to reproduce the issue on other hosts and distribute accordingly.
      Filter Generator: provides protection from future attempts by blocking malicious input.
  • 11. Detection Engine
      Dynamic dataflow analysis: track the flow of data from input messages. Common input sources: file, network, etc.
      Mark memory as tainted when input data is received; track all data movement within the program.
      Terminate the program before it is too late: detect execution of input data (the virtual address is marked tainted); detect loading of input data into the program counter (saved return address overwrite, etc.).
  • 12. Dynamic Data Flow Analysis
      Step 1: Keep track of which memory locations and CPU registers are tainted with untrusted input data. Instrument every data-movement instruction (e.g. MOV, MOVS, PUSH, POP on x86 CPUs) to keep track.
      Step 2: Identify and block dangerous uses of untrusted input data. Instrument every control transfer instruction (e.g. RET, CALL, JMP on x86 CPUs).
  • 13. Dangerous uses of input data
      Alert types:
      Arbitrary Execution Control (AEC): when tainted data is about to be loaded into the program counter.
      Arbitrary Code Execution (ACE): when tainted data is about to be executed.
      Arbitrary Function Argument (AFA): when a critical argument to a critical function is tainted.
      Denial of Service (DoS): when tainted data leads to an access violation.
  • 14. Dynamic dataflow analysis
      // vulnerable code
      push len
      push netbuf
      push sock
      call recv            ; netbuf now points to tainted data
      push netbuf
      push localbuf
      call strcpy
      ret                  ; alert: value loaded into program counter is tainted
      (Stack diagram: stack pointer, return address, netbuf.)
  • 15. How does Vigilante work?
      C:\> nirvExec /clientname "detector.dll" /attach 1033
      The detector is attached to vulnProcess [pid:1033], an exploitProcess delivers the exploit, and the detector writes Vigi_log.log.
      (Diagram: vulnProcess with Stack, Static Data and Code regions; Exploit; Detector.)
  • 16. Dynamic dataflow analysis
      // vulnerable code (.EXE)
      push len
      push buff
      push sock
      call recv            ; buff now holds tainted data
      mov eax, buf[3]
      call eax             ; Detector: Alert!!!
      (Diagram: Vulnerable Process, Detector.)
  • 17. CVE-2008-1087
  • 18. Results Revisited
      Categories             Completed   Detected   Not Detected   Success
      File-based (complex)       10          4            6           40%
      File-based (simple)        10          8            2           80%
      Scripting-based            10          6            4           60%
      Network-based              15          9            6           60%
      Total                      45         27           18           60%
      What does detection mean?
  • 19. What does it mean to not detect?
      Incorrect alert point; incomplete log file; no log file. And the reasons?
  • 20. Overcoming the challenges
  • 21. Lessons Learned
      Beyond scope; false alerts; engineering issues.
  • 22. Scope
      Not included:
      Temporal-based vulnerabilities, e.g. CVE-2003-0813: RPC timing issue, 2 threads.
      Kernel-level vulnerabilities, e.g. CVE-2006-1314: Mailslot driver heap overflow.
      Data-independent vulnerabilities, e.g. CVE-2007-0938: CMS; CVE-2007-0039: ICal.
  • 23. Data Independent Example 1
      CVE-2007-0938, CMS, DoS: "http://foo/000-000,%21frames.htm"
      The parse function returns a negative value; the value goes into a memcpy-like function.
      ParseURL(WCHAR *URL) {
          DWORD SizeOfSubString = CommaOffset(URL);
          DoCopy(SizeOfSubString);      // Crash here
          return SizeOfSubString;
      }
  • 24. Data Independent Example 2
      CVE-2006-2376, ICal (DoS, null dereference): "Begin:Vcalender…." causes an improper free of a structure, followed by a dereference.
      ReadCalender(WCHAR *In_Bytes) {
          *Table = Allocate();
          if (In_Bytes == Bad_Value) {
              Free(Table);
          }
          Table->Func();                // Crash here
      }
  • 25. False Alerts and Mitigations
  • 26. False Alerts
      Erroneous alerts are generated due to: imprecise taint propagation; non-malicious inputs being tracked as malicious.
  • 27. False Alerts in Theory
      (Each pair shows the same statement twice: first as naive propagation treats it, then as it should be treated; the slide's taint marking on the operands is not reproduced in text.)
      Table lookup:
          result = table[in_byte];             // False Positive
          result = table[in_byte];             // Should be
      Implicit flows:
          if (in_byte == 1) result = 1;        // False Negative
          if (in_byte == 1) result = 1;        // Should be
          if (in_byte == 2) result = 2;        // False Negative
          if (in_byte == 2) result = 2;        // Should be
      Arithmetic restrictions:
          result = (in_byte & 0x00);           // False Positive
          result = (in_byte & 0x00);           // Should be
      Reference: Newsome and Song, "Influence: A Quantitative Approach for Data Integrity".
  • 28. False Positives (FP) in Practice
      FPs in jump tables; FPs due to marking input as tainted when it is innocuous.
  • 29. FPs in Jump Tables
      Example CVE-2006-4691: buffer overflow in NetJoinDomain, Workstation Service, via RPC.
      CallRPCInterface(BYTES *In_Bytes) {
          NetJoinDomain = DispatchTable[In_Bytes];
          Invoke(NetJoinDomain,             // <<<<<<< FALSE POSITIVE
                 pArgBuffer, ArgNum);
      }
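      The taint-propagation rules of slides 11 to 14 and the table-lookup / jump-table false positive of slides 27 and 29, modelled as an added example that is not part of the deck or of Vigilante: a toy tracker with shadow taint bits, a constructed instruction set, stack layout and inputs, raising the deck's AEC alert on a tainted `ret` and, wrongly, on a `call` through a trusted dispatch table indexed by an input byte.

```python
# Toy dynamic dataflow (taint) tracker following the slides' rules: input bytes
# are marked tainted, data movement propagates the mark, and a control transfer
# that consumes a tainted value alerts. Everything here is constructed for this
# example (it is not Vigilante/Paladin code); only the alert name AEC is theirs.
class TaintVM:
    def __init__(self):
        self.regs = {}      # register -> (value, tainted)
        self.mem = {}       # byte address -> (value, tainted); unset = clean 0
        self.alerts = []    # (alert type, detail) in firing order
    def rd(self, addr):
        return self.mem.get(addr, (0, False))
    def recv(self, buf, data):          # input source: copy in and SetTaint
        for i, b in enumerate(data):
            self.mem[buf + i] = (b, True)
    def strcpy(self, dst, src):
        """Unbounded copy: taint travels with every byte, NUL included."""
        i, val = 0, None
        while val != 0:
            val, t = self.rd(src + i)
            self.mem[dst + i] = (val, t)
            i += 1
    def load_dword(self, reg, addr):
        """mov reg, [addr]: a 4-byte load is tainted if any source byte is."""
        cells = [self.rd(addr + i) for i in range(4)]
        value = int.from_bytes(bytes(v for v, _ in cells), "little")
        self.regs[reg] = (value, any(t for _, t in cells))
    def table_lookup(self, reg, table, idx_reg):
        """reg = table[idx]: naive propagation taints the result whenever the
        index is tainted, although the table contents are trusted."""
        idx, t = self.regs[idx_reg]
        self.regs[reg] = (table[idx], t)
    def control_transfer(self, reg, kind):
        """ret/call/jmp through reg: a tainted target raises an AEC alert."""
        target, t = self.regs[reg]
        if t:
            self.alerts.append(("AEC", f"{kind} to tainted target {target:#x}"))
        return target

def overflow_demo():
    """Slide-14 shape: recv -> strcpy into an 8-byte localbuf -> ret; returns alerts."""
    vm = TaintVM()
    netbuf, localbuf, saved_ret = 0x1000, 0x2000, 0x2008       # constructed layout
    vm.mem.update({saved_ret + i: (b, False) for i, b in enumerate(b"\x00\x10\x40\x00")})
    vm.recv(netbuf, b"A" * 12 + b"\x00")                       # 12 bytes into 8
    vm.strcpy(localbuf, netbuf)                                # overwrites saved_ret
    vm.load_dword("eip", saved_ret)                            # the ret's pop
    vm.control_transfer("eip", "ret")
    return vm.alerts

def jump_table_demo():
    """Slide-27/29 shape: input byte indexes a trusted dispatch table, then call."""
    vm = TaintVM()
    vm.recv(0x3000, b"\x02")
    vm.regs["ecx"] = vm.rd(0x3000)
    vm.table_lookup("eax", [0x401000, 0x401010, 0x401020, 0x401030], "ecx")
    vm.control_transfer("eax", "call")                         # fires, yet nothing was corrupted
    return vm.regs["eax"], vm.alerts
```

      The second demo is the false positive the deck's IndirectAddressing/JmpCallIndirect flags exist to suppress: the call target is a trusted table entry, but the index that selected it came from input.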
  • 30. FPs in tracking
      CVE-2009-0076 (IE vulnerability, CSS memory corruption)
      \??\C:\Documents and Settings\vigilante\Recent\desktop.ini
      Handle = 410 FileSize = 96
      Tracked handle: Buf = 5fc0000
      PostIoInitiation: pIosb=169646c; pBuf=5fc0000; hFile=410; hEvent=0
      Io completed synchronously.
      HandleIoCompletion: pIosb=169646c; dwLen=96
      SetTaint: Base=5fc0000 Len=96
      ADDR 0x5fc0000 - 0x5fc0095 set to dirty= 0x2
      RANGE 5fc0000..5fc0095 set to = [2..97]
  • 31. Mitigations to FPs in Practice
      Flags:
      IndirectAddressing: mov [disp + ref1 + ref2*i], 0xff
      JmpCallIndirect: jmp/call [disp + ref1 + ref2*i]
      LowFalsePositives: turn off a set of handlers
      False Positives file, e.g. for CVE-2008-2254 (IE HTML Object memory corruption): 0x7d513573, 0x7d518123, 0x746c240a, 0x75c59c7a
      Policy file
  • 32. Engineering issues and Mitigations
  • 33. Engineering issues
      Attaching to the process; detecting with complex processes; detector protection from the exploit; miscellaneous.
  • 34. Process Attachment
      Simple case: Winsock (Create, bind, listen, accept, recv); named pipes (CreateFile, ReadFile); disk IO (CreateFile, ReadFile).
      Realistic case: async receive on sockets and named pipes: AcceptEx, completion routines, NtIoControlFile, completion ports, overlapped, overlapped polling, wait events.
  • 35. Process Attachment
      Example: CVE-2008-4250, Conficker (path canonicalization reached via RPC)
      // At boot time
      CreateFile("\\.\pipe\Browser");
      CreateIoCompletionPort(…);
      ReadFile(Buffer_Location);
      …
      // Attachment to the service happens here (the Detector attaches to the Vulnerable Process)
      …
      GetQueuedCompletionStatus();
      …
  • 36. Process Attachment Mitigations
      Coerce the service to execute its init code ("Pump" utility or waiting X period of time).
      Try launching or attaching to a simpler service (many cases).
      In theory, change the CreateProcess routine to inject the detector at boot.
  • 37. Complex programs/services
      Extraneous log info; higher probability of not detecting.
  • 38. Complex programs/services
      Example: CAN-2002-0724, LANMAN vulnerability, DoS with unchecked buffer to NetShareEnum. VIGI_LOG.LOG:
      \??\PIPE\srvsvc
      SetTaint: Base=d84d8 Len=44
      ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
      RANGE d84d8..d851b set to = [2..45]
      mov rm8,rm8 -- dirty
      EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
      Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
      Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
      ----------------------------------------------
      movz/sx r32,rm16 -- dirty
      EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
      Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
      Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
      Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
      ----------------------------------------------
      \??\PIPE\lsarpc
      SetTaint: Base=d45f8 Len=44
      ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
      RANGE d45f8..d463b set to = [46..89]
      movz/sx r32,rm16 -- dirty
      EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
      Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
      Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0
  • 39. Complex programs/services
      Mitigations: smaller svchost group; find an easier program, e.g. ImageViewer instead of IE; packet cleaner utility.
  • 40. Detector protection from exploit
      CVE-2009-0133, MS Help Workshop (a shellhunter payload).
      Mitigations: move the stack around; page-protect buf.
      (Diagram: Detector, Stack.)
  • 41. Miscellaneous
      Logging without deadlocking; space considerations.
  • 42. Results Revisited and Extended
      Categories             Completed   Detected (Minimal effort)   Detected (Considerable effort)   Not Detected
      File-based (complex)       10                 0                             4                        6
      File-based (simple)        10                 6                             2                        2
      Scripting-based            10                 4                             2                        4
      Network-based              15                 4                             2                        6
      Total                      45                14                            10                       18
  • 43. Detection Effort
      (Chart: detection effort, minimal, considerable or no detection, per category: complex file-based, simple file-based, network, scripting.)
  • 44.
  • 45. Conclusion
      First attempt at using dynamic dataflow analysis in production.
      Delineated real-world challenges and provided mitigation strategies.
      Helped reduce response time; supports rapid, scalable vulnerability analysis.
      Great investment for the future: lessons learned enlarged the scope of effectiveness. More to come…
  • 46. {absing, niklivic, tanmayg, scottlam, sbhalod}@microsoft.com
  • 47.