"Binary Instrumentation of Apache Server to Cluster Malicoius Attacks"

Category: Education

Presentation Description

Computer Science Spring 2013 Student Research Presentation by Cynthia Cheng


Presentation Transcript

Binary Instrumentation of Apache Server to Cluster Malicious Attack Strings: 

Binary Instrumentation of Apache Server to Cluster Malicious Attack Strings
Presented by: Cynthia Cheng
Advisor: Dr. Xiang Fu


Background
More than 90 million unique strands of malware
1 in 14 downloads is malware
Companies that have suffered security breach incidents: Sony PlayStation Network, RSA, Google
References:
http://www.pcmag.com/article2/0,2817,2385541,00.asp
http://money.cnn.com/2012/09/04/technology/malware-cyber-attacks/index.html
http://money.cnn.com/galleries/2012/technology/1206/gallery.9-worst-security-breaches.fortune/4.html
http://www.cioinsight.com/c/a/Security/Malicious-Attacks-Skyrocket-As-Hackers-Explore-New-Targets-356545/

HTTP Attack: 

HTTP Attack: Directory Traversal Attack
A PHP servlet is given a file name and reads that file.
Intended use: http://chikarauniversity.php?page=notification.php reads /var/www/notification.php
The servlet did not check the validity of the name and did not remove "../", so
http://chikarauniversity.php?page=../etc/passwd makes it read /etc/passwd instead.
Reference: http://www.explorehacking.com/2011/01/directory-transversal-vulnerability.html
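The same flaw and its fix, as an added Python example rather than code from the presentation (which describes a PHP servlet): the web root /var/www is taken from the slide; the function names, the extra request strings and the NUL-byte check are assumptions made here. Note that from /var/www a single "../" only reaches /var, so two are needed to reach /etc/passwd; the slide's example abbreviates this.

```python
import posixpath
from urllib.parse import unquote

# Web root from the slide; everything the servlet serves must stay below it.
WEB_ROOT = "/var/www"


def vulnerable_resolve(page):
    """Mirror of the slide's servlet: decode the ?page= value and append it
    to the web root with no validation, so '../' components walk out of it."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(page)))


def safe_resolve(page):
    """Hardened version (an assumed fix, not the presentation's): decode first,
    refuse NUL bytes, canonicalize, then require the result to stay inside
    WEB_ROOT. Checking after normalization catches '..', '%2e%2e' and
    absolute paths alike, instead of trying to strip '../' substrings."""
    decoded = unquote(page)
    if "\x00" in decoded:
        # C file APIs stop at NUL, so "x.php\0.jpg" would really open "x.php".
        raise ValueError("NUL byte in requested file name")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # posixpath.join discards WEB_ROOT entirely when `decoded` is absolute;
    # the prefix check (with trailing separator, so /var/www2 fails) catches that too.
    if not candidate.startswith(WEB_ROOT + "/"):
        raise ValueError(f"{page!r} resolves to {candidate}, outside {WEB_ROOT}")
    return candidate


def is_traversal(page):
    """True when safe_resolve would refuse the request."""
    try:
        safe_resolve(page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: the slide's two plus encoded, absolute and NUL variants.
    for req in ["notification.php", "../etc/passwd", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "notification.php%00.jpg"]:
        verdict = "REJECT" if is_traversal(req) else "serve "
        print(f"{verdict} {req:28} vulnerable code would open {vulnerable_resolve(req)!r}")
```

When real files are involved, resolve the candidate with os.path.realpath before the prefix check so that a symlink under the web root cannot point outside it; the containment test itself stays the same.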


Goal
Cluster malicious attack strings
Assumption: the majority of the requests are benign, and bad requests look different from them
Our approach: intercept all open() calls made by the server, then cluster the good and bad requests


Tools
Oracle VM VirtualBox
Intel Pin
Apache HTTP Server

INTEL Pin Introduction: 

INTEL Pin Introduction
Pin is a dynamic binary instrumentation tool: it lets us insert extra analysis code into a program while it runs, without recompiling it.
Reference: www.jaleels.org/ajaleel/Pin/slides/1_Intro.ppt

Example: Inject Logic at Each Instruction Call: 

Example: Inject Logic at Each Instruction Call
itrace.cpp, modified from the Pin example of the same name.
An instrumentation function is called whenever a new instruction is encountered.
If the instruction is a call to open, print the value of ESP+4 (with the 32-bit calling convention the first argument of open, the pointer to the file name, sits at [ESP+4] once the call has pushed its return address), the contents of that location, and the string captured there.


Challenges
Dynamic linking: the open that Apache's code calls is only a dummy stub, not the real open system call.
Apache also has its own wrapper versions that REALLY call the OS open system call.


Improvements
Find the real entry address of the open system call, so that the instrumentation catches the actual call rather than the stub.

GOT Entry Dynamic Linking: 

GOT Entry Dynamic Linking
When you call open, the call site does not show the real address of open: the call goes to a PLT stub, which jumps through a GOT slot, and that slot only holds the real libc address of open after the dynamic linker has resolved it on first use.
Demo using GNU Debugger: show how to find the GOT entry and then read the real address of open from it.

Code of READING Entry: 

Code of READING Entry
http_request.c, located in the apache_1.3.41 source files.
Multiple printf calls, so a shortcut to the real entry is stored and will be utilized in …
First find the PLT address and the GOT address, then find the actual address of open in the Apache server process.


Result itrace.out

Future Work: 

Future Work
Given the captured strings, convert them into numbers
Use a clustering package and cluster the data
Figures: unclustered data; clustered data
Reference: http://www.codeproject.com/Articles/369387/Data-Clustering-Simulation-in-Python-and-PyGame
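How the clustering step sketched in the Goal and Future Work slides could look end to end, as an added Python example: this is not the presentation's code and not the PyGame simulation it references. The two numeric features, the two-cluster k-means and its seeding, and the sample ?page= strings are all assumptions made here; the strings are constructed, not taken from itrace.out.

```python
import math
from urllib.parse import unquote


def features(request_path):
    """Turn one captured file-name string into numbers (assumed features):
    the fraction of path components that are '..', and the fraction of
    characters that are not alphanumeric. Percent-decode first so that
    '%2e%2e' is seen as '..'."""
    decoded = unquote(request_path)
    parts = [p for p in decoded.split("/") if p]
    dotdot = sum(1 for p in parts if p == "..") / max(len(parts), 1)
    nonalnum = sum(1 for c in decoded if not c.isalnum()) / max(len(decoded), 1)
    return (dotdot, nonalnum)


def _dist(p, q):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def _mean(points):
    return tuple(sum(p[i] for p in points) / len(points) for i in range(len(points[0])))


def kmeans2(points, max_iter=100):
    """Plain two-cluster k-means. Seeding follows the slide's assumption:
    the overall mean is dominated by the benign majority, so centroid 0
    starts there and centroid 1 at the point farthest from it."""
    centroids = [_mean(points)]
    centroids.append(max(points, key=lambda p: _dist(p, centroids[0])))
    labels = None
    for _ in range(max_iter):
        new_labels = [0 if _dist(p, centroids[0]) <= _dist(p, centroids[1]) else 1
                      for p in points]
        if new_labels == labels:          # assignments stable: converged
            break
        labels = new_labels
        for k in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == k]
            if members:
                centroids[k] = _mean(members)
    return labels, centroids


def cluster_requests(paths):
    """Cluster captured strings; the smaller cluster is reported as suspicious,
    again because the majority of requests is assumed to be benign."""
    labels, _ = kmeans2([features(p) for p in paths])
    groups = {0: [], 1: []}
    for path, lab in zip(paths, labels):
        groups[lab].append(path)
    small, big = sorted(groups.values(), key=len)
    return {"benign": big, "suspicious": small}


# Constructed sample of ?page= values, standing in for strings captured at open().
SAMPLE_REQUESTS = [
    "notification.php", "index.php", "news/2013/april.php", "images/logo.png",
    "about.php", "contact.php", "css/style.css", "user_profile.php",
    "../../etc/passwd", "../../../../etc/shadow",
    "%2e%2e/%2e%2e/%2e%2e/boot.ini", "../../../../../../proc/self/environ",
]

if __name__ == "__main__":
    result = cluster_requests(SAMPLE_REQUESTS)
    for kind in ("benign", "suspicious"):
        print(kind)
        for path in result[kind]:
            print(f"  {features(path)} {path}")
```

The weakness of such coarse features shows up on a single-level "../etc/passwd": it maps to roughly (0.33, 0.31), about equidistant from the two centroids the sample produces, so it can land in either cluster. A feature that weights even one ".." component heavily, or a larger benign sample to pin the benign centroid at zero, would be the obvious next step before trusting the clusters.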