Cansec West 2009

1. Microsoft Malware Protection Center, Threat Research and Response Team
   © 2009 Microsoft Corporation. All rights reserved.

2. Introduction
   - Microsoft Malware Protection Center (MMPC), Threat Research and Response Team
   - Abhishek Singh (MMPC), Nikola Livic (MMPC), Tanmay Ganacharya (MMPC), Scott Lambert (MMPC), Swapnil Bhalode (MMPC)

3. Agenda
   - Overview
   - Results
   - Paladin
   - Demo
   - Key Lessons
   - Conclusion
   - Q&A

4. Overview
   - Motivation: automate processes such as
     - analyzing exploits
     - identifying the malicious input bytes
     - identifying how shellcode gets executed
     - narrowing the search space
   - Paladin
     - refers to a suite of tools…
     - supports rapid, scalable vulnerability analysis

5. Results - Paladin

   | Category             | Completed | Detected | Not Detected | Success |
   |----------------------|-----------|----------|--------------|---------|
   | File-based (complex) | 10        | 4        | 6            | 40%     |
   | File-based (simple)  | 10        | 8        | 2            | 80%     |
   | Scripting-based      | 10        | 6        | 4            | 60%     |
   | Network-based        | 15        | 9        | 6            | 60%     |
   | Total                | 45        | 27       | 18           | 60%     |

6. Results - Paladin
   [Bar chart: Detected vs. Not Detected per category (File-based (Complex), File-based (Simple), Scripting-based, Network-based, Total), x-axis 0 to 15; same data as slide 5]

7. Brief tour

8. Paladin
   - Core component: Vigilante
     - end-to-end approach to automate worm containment
     - tech-transferred from MSR/Incubation

9. Vigilante
   - Started in Microsoft Research (MSR) by Manuel Costa and Miguel Castro and later transitioned to an Incubation team
   - Timeline: Oct. 2004 (Devadas), Nov. 2004 (MSR), Dec. 2004 (Minos), Feb. 2005 (TaintCheck)
   - Leverages dynamic dataflow analysis to track the use of untrusted data and block it from being executed or loaded into the program counter
   - Since then it has forked in different directions
     - use for malware analysis (spyware, etc.)
     - information leakage, etc.

10. Major Components - Vigilante
    - Program instrumentation (dynamic binary rewriting): used to instrument the program to enable monitoring of how untrusted input data is used
    - Detection engine: leverages dynamic data-flow analysis to identify attacks and generate alerts
    - Alert verifier and distributor: an alert contains enough information to reproduce the issue on other hosts; alerts are distributed accordingly
    - Filter generator: provides protection from future attempts by blocking malicious input

11. Detection Engine
    - Dynamic dataflow analysis
      - Track the flow of data from input messages
        - common input sources: file, network, etc.
        - mark memory as tainted when input data is received
        - track all data movement within the program
      - Terminate the program before it's too late
        - detect execution of input data (the virtual address is marked tainted)
        - detect loading of input data into the program counter (saved return address overwrite, etc.)

12. Dynamic Data Flow Analysis
    - Step 1: Keep track of which memory locations and CPU registers are tainted with untrusted input data
      - Instrument every data-movement instruction (e.g. MOV, MOVS, PUSH, POP on x86 CPUs) to keep track
    - Step 2: Identify and block dangerous uses of untrusted input data
      - Instrument every control-transfer instruction (e.g. RET, CALL, JMP on x86 CPUs)

13. Dangerous uses of input data
    - Alert types
      - Arbitrary Execution Control (AEC): when tainted data is about to be loaded into the program counter
      - Arbitrary Code Execution (ACE): when tainted data is about to be executed
      - Arbitrary Function Argument (AFA): when a critical argument to a critical function is tainted
      - Denial of Service (DoS): when tainted data leads to an access violation

14. Dynamic dataflow analysis
    The slide's diagram shows the stack (stack pointer, return address, and netbuf pointing to the tainted data) next to the code:

    ```asm
    ; vulnerable code
    push len
    push netbuf      ; netbuf points to the buffer that receives tainted data
    push sock
    call recv
    push netbuf
    push localbuf
    call strcpy
    ret              ; alert: value loaded into program counter is tainted
    ```

15. How does Vigilante work?
    Console steps from the slide, alongside a diagram of the vulnerable process (stack, static data, code) with the detector writing Vigi_log.log:

    ```
    C:> vulnProcess
    C:> nirvExec /clientname "detector.dll" /attach 1033
    C:> exploitProcess
    ```

    detector.dll is attached to vulnProcess [pid:1033]; exploitProcess is then run against it.

16. Dynamic dataflow analysis
    Diagram: the vulnerable process (.EXE) with the detector raising "Alert!!!":

    ```asm
    ; vulnerable code
    push len
    push buff
    push sock
    call recv
    mov eax, buff[3]   ; loads bytes of the received message
    call eax           ; detector alert: tainted target
    ...
    ```
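As an added illustration (not Vigilante or Paladin code, and not from the slides), the following Python model implements the two steps of slides 12-14 and the check that fires on slide 16: every received byte is tagged with its input offset, data-movement operations carry the tag along, and each control transfer is checked before the program counter is loaded. The addresses, the 8-byte local buffer and the `TaintTracker`/`Alert` names are constructed for the example; uninitialized memory reads as a clean zero in this model.

```python
from dataclasses import dataclass

RET_ADDR = 0x00401234   # constructed: the caller's legitimate return address
NETBUF = 0x2000         # constructed: address of the buffer recv() fills
LOCALBUF_SIZE = 8       # constructed: undersized stack buffer that strcpy overruns


@dataclass
class Alert:
    kind: str     # "AEC" or "ACE", the alert types of slide 13
    site: int     # address of the instruction that triggered the alert
    detail: str


class TaintTracker:
    """Byte-granular taint: a shadow tag per memory byte / register (constructed model)."""

    def __init__(self):
        self.mem = {}          # address -> byte value
        self.shadow = {}       # address -> input offset that reached it (absent = clean)
        self.regs = {"eax": 0, "esp": 0x1000}
        self.reg_shadow = {}   # register -> set of input offsets (empty/absent = clean)
        self.alerts = []

    # Input source (slide 11): received bytes are marked tainted with their offset.
    def recv(self, buf, data):
        for i, b in enumerate(data):
            self.mem[buf + i] = b
            self.shadow[buf + i] = i

    # Data movement (slide 12, step 1): tags travel with the bytes they describe.
    def push(self, value):            # push of a clean immediate / return address
        self.regs["esp"] -= 4
        for i in range(4):
            self.mem[self.regs["esp"] + i] = (value >> (8 * i)) & 0xFF
            self.shadow.pop(self.regs["esp"] + i, None)

    def load_dword(self, addr):
        value = sum(self.mem.get(addr + i, 0) << (8 * i) for i in range(4))
        offsets = {self.shadow[addr + i] for i in range(4) if addr + i in self.shadow}
        return value, offsets

    def mov_reg_mem(self, reg, addr):  # mov reg, [addr]
        self.regs[reg], self.reg_shadow[reg] = self.load_dword(addr)

    def strcpy(self, dst, src):        # unbounded copy up to and including the NUL
        i = 0
        while True:
            b = self.mem.get(src + i, 0)
            self.mem[dst + i] = b
            if src + i in self.shadow:
                self.shadow[dst + i] = self.shadow[src + i]
            else:
                self.shadow.pop(dst + i, None)
            if b == 0:
                return
            i += 1

    # Control transfer (slide 12, step 2): check before the program counter changes.
    def ret(self, site):
        target, offsets = self.load_dword(self.regs["esp"])
        self.regs["esp"] += 4
        return self._transfer(site, target, offsets)

    def call_reg(self, site, reg):
        return self._transfer(site, self.regs[reg], self.reg_shadow.get(reg, set()))

    def _transfer(self, site, target, offsets):
        if offsets:   # AEC: the new program counter was built from input bytes
            self.alerts.append(Alert("AEC", site,
                f"target 0x{target:08x} comes from input offsets {sorted(offsets)}"))
            return None   # terminate before the transfer happens
        if target in self.shadow:   # ACE: about to execute bytes that came from input
            self.alerts.append(Alert("ACE", site, f"code at 0x{target:08x} is input data"))
            return None
        return target


def stack_overflow_scenario(packet):
    """Slide 14: recv -> strcpy into a stack buffer -> ret. Returns (target, alerts)."""
    vm = TaintTracker()
    vm.recv(NETBUF, packet)
    vm.push(RET_ADDR)                          # 'call' saved a clean return address
    localbuf = vm.regs["esp"] - LOCALBUF_SIZE  # local buffer sits just below it
    vm.strcpy(localbuf, NETBUF)                # long input runs into the return address
    return vm.ret(site=0x00401300), vm.alerts


def indirect_call_scenario(packet):
    """Slide 16: recv -> mov eax, buff[3] (read as a 32-bit load) -> call eax."""
    vm = TaintTracker()
    vm.recv(NETBUF, packet)
    vm.mov_reg_mem("eax", NETBUF + 3)
    return vm.call_reg(site=0x00401400, reg="eax"), vm.alerts


if __name__ == "__main__":
    print(stack_overflow_scenario(b"GET\x00"))
    print(stack_overflow_scenario(b"A" * 8 + b"\x10\x20\x30\x40\x00"))
    print(indirect_call_scenario(b"\x01\x02\x03\x44\x33\x22\x11"))
```

The benign request returns to `RET_ADDR` with no alert; the oversized one overwrites the saved return address with tainted bytes and trips an AEC alert at the `ret`, with the detail naming the input offsets (8 through 11) an analyst would look at first.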
17. CVE-2008-1087
    (title only)

18. Results Revisited

    | Category             | Completed | Detected | Not Detected | Success |
    |----------------------|-----------|----------|--------------|---------|
    | File-based (complex) | 10        | 4        | 6            | 40%     |
    | File-based (simple)  | 10        | 8        | 2            | 80%     |
    | Scripting-based      | 10        | 6        | 4            | 60%     |
    | Network-based        | 15        | 9        | 6            | 60%     |
    | Total                | 45        | 27       | 18           | 60%     |

    - What does detection mean?

19. What does it mean to not detect?
    - Incorrect alert point
    - Incomplete log file
    - No log file
    - And the reasons?

20. Overcoming the challenges

21. Lessons Learned
    - Beyond scope
    - False alerts
    - Engineering issues

22. Scope
    - Not included:
      - Temporal-based vulnerabilities, e.g. CVE-2003-0813 (RPC timing issue, 2 threads)
      - Kernel-level vulnerabilities, e.g. CVE-2006-1314 (Mailslot driver heap overflow)
      - Data-independent vulnerabilities, e.g. CVE-2007-0938 (CMS), CVE-2007-0039 (ICal)

23. Data Independent Example 1
    - CVE-2007-0938 CMS, DoS
    - Input: "http://foo/000-000,%21frames.htm"
    - The parse function returns a negative value
    - The value goes into a memcpy-like function

    ```c
    ParseURL(WCHAR *URL)
    {
        DWORD SizeOfSubString = CommaOffset(URL);
        DoCopy(SizeOfSubString);   // Crash here
        return SizeOfSubString;
    }
    ```

24. Data Independent Example 2
    - CVE-2006-2376 ICal (DoS, null dereference)
    - Input: "Begin:Vcalender…"
    - Causes an improper free of a structure, followed by a dereference of it

    ```c
    ReadCalender(WCHAR *In_Bytes)
    {
        *Table = Allocate();
        if (In_Bytes == Bad_Value) {
            Free(Table);
        }
        Table->Func();   // Crash here
    }
    ```

25. False Alerts and Mitigations

26. False Alerts
    - Erroneous alert generated due to:
      - imprecise taint propagation
      - non-malicious inputs being tracked as malicious

27. False Alerts in Theory
    Each case appears twice on the slide: first as the detector's taint propagation sees it, then as it should be (the slide conveys the difference with visual marking that this transcript does not preserve).

    - Table lookup:

      ```c
      result = table[in_byte];   // False Positive
      result = table[in_byte];   // Should be
      ```

    - Implicit flows:

      ```c
      if (in_byte == 1) result = 1;   // False Negative
      if (in_byte == 1) result = 1;   // Should be
      if (in_byte == 2) result = 2;   // False Negative
      if (in_byte == 2) result = 2;   // Should be
      ```

    - Arithmetic restrictions:

      ```c
      result = (in_byte & 0x00);   // False Positive
      result = (in_byte & 0x00);   // Should be
      ```

    - Reference: Newsome and Song, "Influence: A Quantitative Approach for Data Integrity"
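An added example (not from the slides or the cited paper) that makes the three cases of slide 27 concrete. A `Tainted` byte propagates taint only through data dependences, which is the policy of slides 11-12; `influence_bits` then applies the idea the slide attributes to Newsome and Song, enumerating every possible input byte and counting the distinct results, so each case can be labelled by comparing what the policy reports with what the input can actually change. It goes slightly beyond the slide by grading the table-lookup case quantitatively (a four-class table leaves 2 bits of control, an identity table all 8) rather than giving it a flat false-positive label. The table contents and all function names are constructed.

```python
import math

# Constructed 256-entry character-class table: 0 = other, 1 = digit, 2 = letter, 3 = whitespace.
CHAR_CLASS = [0] * 256
for c in b"0123456789":
    CHAR_CLASS[c] = 1
for c in b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ":
    CHAR_CLASS[c] = 2
for c in b" \t\r\n":
    CHAR_CLASS[c] = 3
IDENTITY = list(range(256))   # a lookup through which every input bit survives


class Tainted:
    """A byte plus a taint flag; taint follows data dependences only (constructed model)."""

    def __init__(self, value, tainted=False):
        self.value, self.tainted = value & 0xFF, tainted

    def __and__(self, other):   # arithmetic: tainted if either operand is tainted
        return Tainted(self.value & other.value, self.tainted or other.tainted)

    def lookup(self, table):    # table[in_byte]: the index is a data dependence
        return Tainted(table[self.value], self.tainted)


def table_lookup(in_byte):          # result = table[in_byte]
    return in_byte.lookup(CHAR_CLASS)


def identity_lookup(in_byte):       # same code shape, but a table that hides nothing
    return in_byte.lookup(IDENTITY)


def implicit_flow(in_byte):         # if (in_byte == 1) result = 1; if (in_byte == 2) result = 2;
    result = Tainted(0)             # constants are clean under the policy
    if in_byte.value == 1:          # the branch depends on in_byte, but that control
        result = Tainted(1)         # dependence is not propagated to result
    if in_byte.value == 2:
        result = Tainted(2)
    return result


def arithmetic_restriction(in_byte):   # result = in_byte & 0x00
    return in_byte & Tainted(0x00)


def policy_says_tainted(fn):
    """What the data-flow policy reports for one tainted input byte."""
    return fn(Tainted(0x41, tainted=True)).tainted


def influence_bits(fn):
    """Bits of control the input really has over the result: log2 of the distinct outcomes."""
    outcomes = {fn(Tainted(b, tainted=True)).value for b in range(256)}
    return math.log2(len(outcomes))


def classify(fn):
    tainted, bits = policy_says_tainted(fn), influence_bits(fn)
    if tainted and bits == 0:
        return "false positive"    # tainted, yet the input cannot change the result at all
    if not tainted and bits > 0:
        return "false negative"    # clean, yet the input does steer the result
    if tainted and bits < 8:
        return "over-tainted"      # tainted, but with far less than a full byte of control
    return "faithful"


def report():
    """Verdict and influence for every case, keyed by the case's function name."""
    cases = (table_lookup, identity_lookup, implicit_flow, arithmetic_restriction)
    return {fn.__name__: (classify(fn), influence_bits(fn)) for fn in cases}


if __name__ == "__main__":
    for name, (verdict, bits) in report().items():
        print(f"{name:24s} {verdict:15s} {bits:.2f} bits of influence")
```

The slide's two "False Positive" cases come out differently here: `in_byte & 0x00` is a true false positive (zero bits of influence), while the class-table lookup is tainted with only 2 bits of real control, which is why a detector that alerts on any tainted jump target through such a table produces the jump-table false positives of slides 28-29.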
28. False Positives (FP) in Practice
    - FPs in jump tables
    - FPs due to marking input as tainted when it is innocuous

29. FPs in Jump Tables Example
    - CVE-2006-4691: buffer overflow in NetJoinDomain, Workstation Service, reached via RPC

    ```c
    CallRPCInterface(BYTES *In_Bytes)
    {
        NetJoinDomain = DispatchTable[In_Bytes];
        Invoke(NetJoinDomain,   // <<<<<<< FALSE POSITIVE
               pArgBuffer,
               ArgNum);
    }
    ```

30. FPs in tracking
    - CVE-2009-0076 (IE vulnerability, CSS memory corruption)
    - Log excerpt: the detector taints desktop.ini read from the user's Recent folder, an innocuous input (path reconstructed; the transcript dropped the backslashes):

    ```
    \\?\C:\Documents and Settings\vigilante\Recent\desktop.ini
    Handle = 410 FileSize = 96
    Tracked handle: Buf = 5fc0000
    PostIoInitiation: pIosb=169646c; pBuf=5fc0000; hFile=410; hEvent=0
    Io completed synchronously.
    HandleIoCompletion: pIosb=169646c; dwLen=96
    SetTaint: Base=5fc0000 Len=96
    ADDR 0x5fc0000 - 0x5fc0095 set to dirty= 0x2
    RANGE 5fc0000..5fc0095 set to = [2..97]
    ```

31. Mitigations to FPs in Practice
    - Flags:
      - IndirectAddressing: `mov [disp + ref1 + ref2*i], 0xff`
      - JmpCallIndirect: `jmp/call [disp + ref1 + ref2*i]`
      - LowFalsePositives: turn off a set of handlers
    - False positives file, e.g. for CVE-2008-2254 (IE HTML Obj Mem Corruption): 0x7d513573 0x7d518123 0x746c240a 0x75c59c7a
    - Policy file

32. Engineering issues and Mitigations

33. Engineering issues
    - Attaching to process
    - Detecting with complex processes
    - Detector protection from exploit
    - Miscellaneous

34. Process Attachment
    - Simple case:
      - Winsock (Create, bind, listen, accept, recv)
      - Named pipes (CreateFile, ReadFile)
      - Disk I/O (CreateFile, ReadFile)
    - Realistic case:
      - Async receive on sockets and named pipes
      - AcceptEx
      - Completion routines
      - NtIoControlFile
      - Completion ports
      - Overlapped
      - Overlapped polling
      - Wait events

35. Process Attachment
    - Example: CVE-2008-4250 Conficker (path canonicalization reached via RPC)
    - Diagram: the detector attaches to the vulnerable process (labels "Detector", "Code", "Vulnerable Process") only after the I/O below was set up at boot:

    ```c
    // At boot time
    CreateFile("pipeBrowser");
    CreateIoCompletionPort(…);
    ReadFile(Buffer_Location);
    …
    // Attachment to service here
    …
    GetQueuedCompletionStatus();
    …
    ```

36. Process Attachment
    - Mitigations
      - Coerce the service to execute its init code ("Pump" utility, or waiting X period of time)
      - Try launching or attaching to a simpler service (many cases)
      - In theory, change the CreateProcess routine to inject the detector at boot

37. Complex programs/services
    - Extraneous log info
    - Higher probability of not detecting

38. Complex programs/services Example
    - Callouts on the slide: CAN-2002-0724 LANMAN vulnerability; DoS with unchecked buffer to NetShareEnum
    - VIGI_LOG.LOG (pipe names reconstructed; the transcript dropped the backslashes):

    ```
    \\?\PIPE\srvsvc
    SetTaint: Base=d84d8 Len=44
    ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
    RANGE d84d8..d851b set to = [2..45]
    mov rm8,rm8 -- dirty
    EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
    Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
    Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
    ----------------------------------------------
    movz/sx r32,rm16 -- dirty
    EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
    Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
    Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
    Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
    ----------------------------------------------
    \\?\PIPE\lsarpc
    SetTaint: Base=d45f8 Len=44
    ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
    RANGE d45f8..d463b set to = [46..89]
    movz/sx r32,rm16 -- dirty
    EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
    Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
    Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0
    ```
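An added parser (not part of Paladin or Vigilante) for the VIGI_LOG.LOG records shown on slides 30 and 38, written to pull the few useful facts out of a log that, for a complex service, is mostly extraneous. The sample log is the slide-38 excerpt re-typed one record per line. Three assumptions are made: the pipe names are `\\?\PIPE\<name>` object paths (the transcript dropped the backslashes); every number in the log is hexadecimal (the `Len=` values only agree with the `ADDR` ranges and the `[a..b]` id ranges under that reading, and the parser checks this); and a dirty id of `0x0` marks a clean byte. `attribute` maps a dirty id on an instruction operand back to the input it came from and the byte offset within that input.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: slide 38's log, one record per line, \\?\PIPE\<name> paths assumed.
# All numbers are hexadecimal: Base=d84d8 Len=44 covers d84d8..d851b (0x44 bytes) and
# RANGE [2..45] gives those bytes the ids 0x2..0x45, one id per byte.
SAMPLE_LOG = r"""
\\?\PIPE\srvsvc
SetTaint: Base=d84d8 Len=44
ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
----------------------------------------------
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
----------------------------------------------
\\?\PIPE\lsarpc
SetTaint: Base=d45f8 Len=44
ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0
"""

SOURCE_PREFIX = "\\\\?\\"   # assumed: a line starting with \\?\ names the input source


@dataclass
class TaintRegion:
    source: str
    base: int
    length: int
    first_id: int
    last_id: int


@dataclass
class DirtyInstr:
    mnemonic: str
    eip: int
    esp: int
    tid: int
    operands: dict = field(default_factory=dict)   # operand name -> non-zero dirty ids


SETTAINT = re.compile(r"SetTaint: Base=([0-9a-f]+) Len=([0-9a-f]+)")
RANGE = re.compile(r"RANGE [0-9a-f]+\.\.[0-9a-f]+ set to = \[([0-9a-f]+)\.\.([0-9a-f]+)\]")
SITE = re.compile(r"EIP: 0x([0-9a-f]+) ESP: 0x([0-9a-f]+) TID: 0x([0-9a-f]+)")
OPERAND = re.compile(r"(Operand[\w.]*): 0x[0-9a-f]+ Dirty: (.*)")


def parse(log):
    """Return (taint regions, dirty instructions); unknown lines are skipped."""
    regions, instrs, source, pending = [], [], "<unknown>", None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith(SOURCE_PREFIX):
            source = line
        elif m := SETTAINT.match(line):
            pending = TaintRegion(source, int(m[1], 16), int(m[2], 16), 0, 0)
        elif (m := RANGE.match(line)) and pending:
            pending.first_id, pending.last_id = int(m[1], 16), int(m[2], 16)
            if pending.last_id - pending.first_id + 1 != pending.length:   # hex sanity check
                raise ValueError(f"id range does not match Len= at base {pending.base:x}")
            regions.append(pending)
            pending = None
        elif line.endswith(" -- dirty"):
            instrs.append(DirtyInstr(line[: -len(" -- dirty")], 0, 0, 0))
        elif (m := SITE.match(line)) and instrs:
            instrs[-1].eip, instrs[-1].esp, instrs[-1].tid = (int(x, 16) for x in m.groups())
        elif (m := OPERAND.match(line)) and instrs:
            ids = [int(x, 16) for x in m[2].split(",")]
            instrs[-1].operands[m[1]] = [i for i in ids if i]   # 0x0 = clean byte (assumed)
    return regions, instrs


def attribute(regions, dirty_id):
    """Map a dirty id to (source, offset of the byte within that input), or None."""
    for r in regions:
        if r.first_id <= dirty_id <= r.last_id:
            return r.source, dirty_id - r.first_id
    return None


def summarize(log):
    """One row per dirty instruction: where it ran and which input bytes reached it."""
    regions, instrs = parse(log)
    rows = []
    for ins in instrs:
        ids = {i for ids in ins.operands.values() for i in ids}
        origins = {attribute(regions, i) for i in ids} - {None}
        rows.append({"mnemonic": ins.mnemonic, "eip": ins.eip, "tid": ins.tid,
                     "sources": sorted({s for s, _ in origins}),
                     "offsets": sorted(o for _, o in origins)})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f"{row['mnemonic']:18s} EIP 0x{row['eip']:08x} TID 0x{row['tid']:x} "
              f"<- {row['sources']} offsets {row['offsets']}")
```

The second instruction reads from 0xb3d52, outside the tainted range at 0xd84d8, yet its dirty ids 0x12 and 0x13 still resolve to bytes 16 and 17 of the srvsvc message: the ids survive data movement, which is what lets an analyst narrow the search space (slide 4) to specific input bytes even when the log is noisy.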
39. Complex programs/services
    - Mitigations:
      - Smaller svchost group
      - Find an easier program, e.g. ImageViewer instead of IE
      - Packet cleaner utility

40. Detector protection from exploit
    - CVE-2009-0133 MS Help Workshop (a shellhunter payload)
    - Diagram labels: Detector, Stack
    - Mitigations:
      - Move the stack around
      - Page-protect buf

41. Miscellaneous
    - Logging without deadlocking
    - Space considerations

42. Results Revisited and Extended

    | Category             | Completed | Detected (minimal effort) | Detected (considerable effort) | Not Detected |
    |----------------------|-----------|---------------------------|--------------------------------|--------------|
    | File-based (complex) | 10        | 0                         | 4                              | 6            |
    | File-based (simple)  | 10        | 6                         | 2                              | 2            |
    | Scripting-based      | 10        | 4                         | 2                              | 4            |
    | Network-based        | 15        | 4                         | 2                              | 6            |
    | Total                | 45        | 14                        | 10                             | 18           |

43. Detection Effort
    [Chart: detection effort per category (Complex File-Based, Simple File-Based, Network, Scripting), split into Minimal, Considerable and No Detection; same data as slide 42]

44. (no text content)

45. Conclusion
    - First attempt at using dynamic dataflow analysis in production
      - Delineated real-world challenges
      - Provided mitigation strategies
    - Helped reduce response time
      - Supports rapid, scalable vulnerability analysis
    - Great investment for the future
      - Lessons learned enlarged the scope of effectiveness
      - More to come…

46. {absing, niklivic, tanmayg, scottlam, sbhalod}@microsoft.com

47. (no text content)
