Cansec West 2009

Microsoft Malware Protection Center
Threat Research and Response Team

1 © 2009 Microsoft Corporation. All rights reserved.

Introduction
Microsoft Malware Protection Center (MMPC)
Threat Research and Response Team

Abhishek Singh (MMPC)
Nikola Livic (MMPC)
Tanmay Ganacharya (MMPC)
Scott Lambert (MMPC)
Swapnil Bhalode (MMPC)

2
© 2009 Microsoft Corporation. All rights reserved.

Agenda
Overview
Results
Paladin
Demo
Key Lessons
Conclusion
Q&A

3

Overview
Motivation
Automate processes like
Analyzing exploits
Identify malicious input bytes
Identify how shell code gets executed
Narrow the search space

Paladin
Refers to a suite of tools…
Support rapid, scalable vulnerability analysis


Results - Paladin
Categories Completed Detected Not Detected Success
File-based (complex) 10 4 6 40%
File-based (simple) 10 8 2 80%
Scripting-based 10 6 4 60%
Network-based 15 9 6 60%

Total 45 27 18 60%

5

Results - Paladin

File-based (Complex)

File-based (Simple)
Not Detected
Scripting-based Detected
Total
Network-based

0
5
10
15

6

Brief tour

7

Paladin
Core component - Vigilante
End-to-end approach to automate worm
containment
Tech-transferred from MSR/Incubation

8

Vigilante
Started in Microsoft Research (MSR) by Manuel
Costa and Miguel Castro and later transitioned to
an Incubation team.
Timeline with the following
Oct. 2004 (Devadas)
Nov. 2004 (MSR)
Dec. 2004 (Minos)
Feb. 2005 (TaintCheck)
Leverages dynamic dataflow analysis to track the
use of untrusted data and block it from being
executed or loaded into the program counter
Since then it has forked in different directions
Use for malware analysis (spyware, etc)
Information leakage, etc

9

Major Components - Vigilante
Program Instrumentation (dynamic binary re-
writing)
Used to instrument the program to enable monitoring
of how untrusted input data is used
Detection Engine
Leverages dynamic data-flow analysis to identify attacks
and generate alerts
Alert Verifier and Distributor
Contains enough information to reproduce the issue on
other hosts and distribute accordingly
Filter Generator
Provides protection from future attempts by blocking
malicious input.

10

Detection Engine
Dynamic dataflow analysis
Track the flow of data from input messages
Common Input Sources: File, network, etc
mark memory as tainted when input data is received
track all data movement within the program
Terminate program before it’s too late
detect execution of input data (virtual address is marked
tainted)
detect loading of input data into program counter (saved ret
overwrite, etc)


Dynamic Data Flow Analysis
Step 1: Keep track of which memory locations
and CPU registers are tainted with untrusted
input data
Instrument every data-movement instruction
(e.g. MOV,MOVS, PUSH, POP on x86 CPUs) to keep track

Step 2: Identify and block dangerous uses of
untrusted input data
Instrument every control transfer instruction
(e.g. RET, CALL, JMP on x86 CPUs)

12

Dangerous uses of input data
Alert Types
Arbitrary Execution Control (AEC)
When tainted data is about to be loaded into the program
counter
Arbitrary Code Execution (ACE)
When tainted data is about to be executed
Arbitrary Function argument (AFA)
When a critical argument to a critical function is tainted
Denial of Service (DoS)
When tainted data leads to an access violation

13

//vulnerable code
push len stack pointer return address
push netbuf points to tainted
push sock
data
call recv buffer
push netbuf
push localbuf
call strcpy
ret

netbuf

alert: value loaded into
program counter is tainted

14

How does Vigilante work?
C:> _ ulnProcess
V
Stack C:> _
nirvExec /clientname “detector.dll” /attach 1033
C:> _ Exploit
exploitProcess
C:> _

Detector

Static Data

Code
Vigi_log.log

vulnProcess [pid:1033]
15

//vulnerable code
.EXE
push len
push buff
push sock
call recv buff
buff
mov eax, buf[3]
call eax
...

Detector
Alert!!!

Vulnerable Process
16

CVE-2008-1087

17

Results Revisited
Categories Completed Detected Not Detected Success
File-based (complex) 10 4 6 40%
File-based (simple) 10 8 2 80%
Scripting-based 10 6 4 60%
Network-based 15 9 6 60%

Total 45 27 18 60%

What detection means?

18

What does it mean to not detect?
Incorrect Alert point
Incomplete log file
No log file

And the reasons?

19

Overcoming the challenges

20

Lessons Learned
Beyond scope
False alerts
Engineering issues

21

Scope
Not include:
Temporal based vulnerabilities
E.g. CVE-2003-0813 RPC timing issue 2 threads
Kernel-level vulnerabilities
E.g. CVE-2006-1314: Mailslot driver Heap OF
Data Independent Vulnerabilities
E.g. CVE-2007-0938: CMS
E.g. CVE-2007-0039: ICal

22

Data Independent Example 1
CVE-2007-0938 CMS, DOS
“http://foo/000-000,%21frames.htm”
Parse function returns negative value
Value goes into memcpy-like function

ParseURL(WCHAR *URL)
{
DWORD SizeOfSubString = CommaOffset(URL);

DoCopy(SizeOfSubString); // Crash here

return SizeOfSubString;
}

23

Data Independent Example 2
CVE-2006-2376 ICal (DOS null dereference)
Begin:Vcalender….
Cause a improper Free of structure
Dereference.
ReadCalender(WCHAR *In_Bytes)
{
*Table = Allocate();

if (In_Bytes == Bad_Value)
{
Free(Table);
}
Table->Func(); // Crash here
}

24

False Alerts and Mitigations

25

False Alerts
Erroneous alert generated due to:
Imprecise taint propagation
Non malicious inputs being tracked as malicious

26

False Alerts in Theory
Table Lookup:
result = table[in_byte]; // False Positive
result = table[in_byte]; // Should be
Implicit flows:
if (in_byte == 1) result = 1; // False Negative
if (in_byte == 1) result = 1; // Should be
if (in_byte == 2) result = 2; // False Negative
if (in_byte == 2) result = 2; // Should be
Arithmetic restrictions:
result = (in_byte & 0x00); // False Positive
result = (in_byte & 0x00); // Should be
27
Newsome and Song: “Influence: A Quantitative Approach for Data Integrity” © 2009 Microsoft Corporation. All rights reserved.

False Positives (FP) in Practice
FPs in jump tables

FPs due to marking input as tainted when it is
innocuous

28

FPs in JumpTables Example
CVE-2006-4691: BO NetJoinDomain Workstation Service
Via RPC

CallRPCInterface(BYTES *In_Bytes)
{
NetJoinDomain= DispatchTable[In_Bytes];
Invoke( NetJoinDomain, // <<<<<<< FALSE POSITIVE
pArgBuffer,
ArgNum );
}

29

FPs in tracking
CVE-2009-0076 (IE vulnerability CSS Memory
Corruption)

??C:Documents and SettingsvigilanteRecentdesktop.ini
Handle = 410 FileSize = 96
Tracked handle: Buf = 5fc0000
PostIoInitiation: pIosb=169646c; pBuf=5fc0000; hFile=410; hEvent=0
Io completed synchronously.
HandleIoCompletion: pIosb=169646c; dwLen=96
SetTaint: Base=5fc0000 Len=96
ADDR 0x5fc0000 - 0x5fc0095 set to dirty= 0x2
RANGE 5fc0000..5fc0095 set to = [2..97]

30

Mitigations to FPs in Practice
Flags:
IndirectAddressing mov [disp + ref1 + ref2*i], 0xff
JmpCallIndirect jmp/call [disp + ref1 + ref2*i]
LowFalsePositives Turn off set of handlers

False Positives file
CVE-2008-2254 (IE HTML Obj Mem Corruption)
0x7d513573
0x7d518123
0x746c240a
0x75c59c7a

Policy File

31

Engineering issues and Mitigations

32

Engineering issues
Attaching to process
Detecting with complex processes
Detector protection from exploit
Miscellaneous

33

Process Attachment

Simple case:
Winsock (Create, bind, listen, accept, recv)
Named pipes (CreateFile, ReadFile)
Disk IO (CreateFile, ReadFile)

Realistic case:
Async Receive on sockets and named pipes
AcceptEx
Completion routines
NtIoControlFile
Completion ports
Overlapped
Overlapped polling
Wait Events


Process Attachment

Example:

CVE-2008-4250 Conficker
(Path Canonicalization reached via RPC)
// At Boot time
CreateFile( "pipeBrowser"); Detector
CreateIoCompletionPort(…);
ReadFile(Buffer_Location);
…
// Attachment to Service here Code
…
GetQueuedCompletionStatus();
…
Vulnerable Process

35

Process Attachment

Mitigations
Coerce service to execute init code. (“Pump” utility
or waiting X period of time)
Try launching or attaching to simpler service:
(many cases)
In theory change CreateProcess Routine to inject
detector at boot.

36

Complex programs/services
Extraneous Log info
Higher probability of not detecting

37

Complex programs/services Example
VIGI_LOG.LOG -
??PIPEsrvsvc
CAN-2002-0724 LANMAN SetTaint: Base=d84d8 Len=44
ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
vulnerability RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
DOS with unchecked buffer to Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
NetShareEnum ----------------------------------------------
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
----------------------------------------------
??PIPElsarpc
SetTaint: Base=d45f8 Len=44
ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0

38

Complex programs/services
Mitigations:

Smaller svchost group
Find easier program
e.g. ImageViewer instead of IE
Packet cleaner utility


Detector protection from exploit
CVE-2009-0133 MS Help Workshop
(a shellhunter payload)

Detector
Mitigations
Move the stack around
Page protect
buf

Stack

40

Miscellaneous
Logging without deadlocking
Space considerations

41

Results Revisted and Extended
Categories Completed Detected Detected Not Detected
(Minimal (Considerable
effort) effort)
File-based (complex) 10 0 4 6
File-based (simple) 10 6 2 2
Scripting-based 10 4 2 4
Network-based 15 4 2 6

Total 45 14 10 18

42

Detection Effort

Complex File-Based Simple File-Based

Minimal
Considerable
No Detection

Network Scripting

43

44

Conclusion
First attempt at using dynamic dataflow analysis in
production
Delineated real world challenges
Provided mitigation strategies

Helped reduce response time
Supports rapid, scalable vulnerability analysis

Great investment for the future
Lessons learned enlarged the scope of effectiveness

More to come…
45

{absing, niklivic, tanmayg, scottlam, sbhalod}@microsoft.com

46

47

Cansec West 2009

More Related Content

Similar to Cansec West 2009

Recently uploaded

Cansec West 2009