protocol variable location identification


Presentation Transcript

A Presentation on Location Identification of protocol variables for generation of protocol level vulnerability signatures:

A Presentation on Location Identification of protocol variables for generation of protocol level vulnerability signatures
Department of Computer Science & Engineering, Tezpur University, Napaam
Under the Guidance of Prof. D. K. Saikia
Presented By Srinu Bevara, Roll No – CSI09011, M.Tech – IT, 4th semester

Brief Outline:

Brief Outline
1. Introduction to Internet Worms
2. Classes of Internet Worm Detection Systems
3. Proposed System
4. Module Implementation
5. Conclusion and Future work

Internet Worms……..?:

Internet Worms……..?
An Internet worm is a self-replicating malware computer program. Self-replicating => it makes copies of itself and sends them to different hosts across a network.
Worms are hated because:
Bandwidth consumption
Might crash computers they infect
Infected computers may be used for other attacks.

Classes of Internet Worms:

Classes of Internet Worms
Monomorphic Worms: send the payload in a straightforward, unchanged fashion.
Polymorphic Worms: change their payload dynamically by scrambling the program.
Metamorphic Worms: change not only their appearance but also their behavior.

How Internet worms Attack:

How Internet worms Attack
Key Term – Vulnerability. Vulnerability? A weakness in a system which allows an attacker to violate the integrity of that system.
Worms exploit vulnerabilities in programs to hijack the control flow, execute their own malicious code and take control of the host.

Stack Buffer Overflow Vulnerability:

Stack Buffer Overflow Vulnerability
[Figure: stack layout showing the bottom and top of the stack, the instruction pointer (IP), the frame pointer (FP) and the stack pointer (SP)]

Control flow hijack due to Buffer Overflow Vulnerability:

Control flow hijack due to Buffer Overflow Vulnerability

Internet Worm detection Systems:

Internet Worm detection Systems
Detection Schemes: Anomaly Based, Signature Based.
Anomaly based: it is difficult to define a normal model because of the dynamic nature of the network.
Signature based: the approach is conceptually simpler, and most deployed worm-detection systems are signature based.

Worm Signatures:

Worm Signatures
Signature – A fingerprint which can uniquely identify a particular object.
Types of signature: Exploit Based Signature; Vulnerability based Signature.

Limitations of Exploit Based Signature:

Limitations of Exploit Based Signature
[Figure: exploit based signature (10.*01 1010101 10111101 11111100 00010111) used for traffic filtering between the Internet and our network]
A polymorphic worm might not match an exact exploit based signature. Polymorphism!

Vulnerability Signature:

Vulnerability Signature
Works for polymorphic worms.
Works for all the worms which target the same vulnerability.
[Figure: vulnerability signature used for traffic filtering between the Internet and our network, covering the vulnerability]

Proposed System:

Proposed System
Based on the studies, we propose a defense system that will generate a protocol level vulnerability signature using binary analysis.
Why binary analysis?
Source code may not be available.
Analyzing source code may not give the correct result (code optimization by the compiler).
Binary code is the actual code which runs on the system, so accuracy is ensured.

DFD for Vulnerability Signature Generator:

DFD for Vulnerability Signature Generator

Implementation :

Implementation
Tools used – IDA Pro Version 5.5
Protocol Variables Location Identification: Challenges
1. Difficult to analyze binary executables
2. Different compilers use different registers for storing the base address and the protocol variable address
3. Addresses get computed during run time, so dynamic analysis is required

Protocol Variables Location Identification:

Protocol Variables Location Identification
Objective: to identify the base buffer address and the location addresses of the protocol variables.
Observations: some functions use separators to break the messages into parts (e.g. sscanf() uses space as a separator).

Algorithm for Buffer Base Address Finding and Detection of Location of Protocol Variables:

Algorithm for Buffer Base Address Finding and Detection of Location of Protocol Variables
1. Disassemble the binary file (exe's or elf's).
2. From the start address, search towards the end address for the "call" mnemonic to find the called functions in the assembly file.
3. If (!end address) and (called function == input function): mark this address as "Start_search_address".
4. Starting from that address, search backwards/upwards for "push ebp" or "call". Take whichever is found first, stop searching and mark that address as "Stop_search_address".
5. Search for the instruction "lea eax" or "mov eax" within the range "Start_search_address" to "Stop_search_address".
6. Put a software breakpoint at the address following the "lea eax" or "mov eax" instruction.
7. Start execution of the program.
8. If the breakpoint is triggered, read the value of the eax register; this is the receive buffer base address.
9. Put a hardware breakpoint at the receive buffer address.
10. Continue execution and start instruction tracing.
11. If the hardware breakpoint is triggered and the function uses the memory location of the receive buffer, search upwards in the trace file for occurrence(s) of "mov eax/ebx/ecx/edx" or "lea eax/ebx/ecx/edx" until a "push ebp" instruction or a "call" mnemonic is reached.
12. If such instructions are found, read the value(s) of the EAX/EBX/ECX/EDX register(s) whose value(s) changed at runtime.
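
The static part of this algorithm (finding Start_search_address, Stop_search_address and the software breakpoint location), as an added Python example that is not part of the presentation or its IDA Pro implementation: it scans a constructed IDA-style listing for the call to the input function, walks back to the nearest "push ebp" or "call", and reports the address after the last "lea eax"/"mov eax" in that window. The listing, its addresses and symbols, and the choice of the lea/mov nearest to the call are assumptions.

```python
import re
# Constructed IDA-style listing of the example server's request handler
# (not from the slides); addresses, stack offsets and symbols are assumed.
LISTING = """\
.text:00401290  push    ebp
.text:00401291  mov     ebp, esp
.text:00401293  sub     esp, 0A40h
.text:00401299  mov     eax, ds:__iob
.text:0040129E  push    eax
.text:0040129F  push    200h
.text:004012A4  lea     eax, [ebp-0A40h]
.text:004012AA  push    eax
.text:004012AB  call    _fgets
.text:004012B0  add     esp, 0Ch
.text:004012B3  lea     ecx, [ebp-240h]
.text:004012B9  push    ecx
.text:004012BA  call    _sscanf
"""

LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]+)\s+(\w+)\s*(.*)$")

def parse_listing(text):
    """Turn listing lines into (address, mnemonic, operands) tuples."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()))
    return insns

def find_buffer_breakpoint(insns, input_function):
    """Start_search_address = the call to input_function; Stop_search_address =
    nearest preceding 'push ebp' or 'call'. Within that window the 'lea eax' /
    'mov eax' closest to the call is taken (the slide does not say which to
    prefer; nearest-to-call is an assumption). Returns (stop_addr, start_addr,
    breakpoint_addr), breakpoint_addr being the instruction after the lea/mov
    where EAX holds the receive buffer base, or None if the pattern is absent."""
    start = next((i for i, (_, mn, ops) in enumerate(insns)
                  if mn == "call" and ops.lstrip("_") == input_function), None)
    if start is None:
        return None
    stop = start - 1
    while stop >= 0 and insns[stop][1] != "call" and insns[stop][1:] != ("push", "ebp"):
        stop -= 1
    for idx in range(start - 1, stop, -1):          # stop itself is excluded
        _, mn, ops = insns[idx]
        if mn in ("lea", "mov") and ops.split(",")[0].strip() == "eax":
            return (insns[stop][0] if stop >= 0 else None), insns[start][0], insns[idx + 1][0]
    return None
```

Searching for sscanf instead of fgets returns None here, because that compiler passed the buffer in ecx, which is exactly the register-choice challenge listed on the Implementation slide.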

Start Flow chart for Buffer Base Address Finding and Detection of Location of Protocol Variables:

Start Flow chart for Buffer Base Address Finding and Detection of Location of Protocol Variables

Example server program:

Example server program

    #include <stdio.h>
    #include <string.h>

    /* Buffer sizes other than lineBuf (512) and the %128s fields are not given
       on the slide; the sizes below are assumed. vulBuf is deliberately smaller
       than uri, since this is the vulnerable program analysed in the presentation. */
    void handle_request(void)
    {
        char lineBuf[512], method[129], uri[129], ver[129], host[13], vulBuf[64];
        int is_cgi;

        fgets(lineBuf, 512, stdin);
        sscanf(lineBuf, "%128s %128s %128s", method, uri, ver);   /* space-separated protocol variables */
        strncpy(host, (lineBuf + 35), 12);                        /* protocol variable at a fixed offset */
        printf("method: %s\nuri: %s\nversion: %s\n", method, uri, ver);
        if (strcmp(method, "GET") == 0 || strcmp(method, "HEAD") == 0) {
            if (strncmp(uri, "/cgi-bin/", 9) == 0)
                is_cgi = 1;
            else
                is_cgi = 0;
            if (uri[0] != '/')
                return;
            strcpy(vulBuf, uri);   /* stack buffer overflow: uri may hold up to 128 bytes */
        }
    }

Experimental results:

Experimental results
Debugger: process F:\sampleVulProgram\testProgram.exe has started
Debugger: loaded C:\WINDOWS\system32\ntdll.dll
Debugger: loaded C:\WINDOWS\system32\kernel32.dll
Debugger: loaded C:\WINDOWS\system32\msvcrt.dll
4012BC: hit breakpoint
Buffer Base Address : 22FB50
Adding breakpoint at 22FB50
Breakpoint added
continuing process
77C40C0F: hit hardware breakpoint -> 22FB50

Experimental results:

Experimental results
BREAKPOINT HITTT
Instruction executed at 4012F3
function : sscanf
TEV #2 before exec: 22FB50
TEV #5 before exec: 22FD50
TEV #7 before exec: 22FE50
TEV #9 before exec: 22FDD0

Conclusion and Future Work:

Conclusion and Future Work
We proposed a new architecture for generation of protocol level vulnerability signatures using binary analysis. We have successfully implemented the algorithm in the IDA Pro environment, and the experimental results show the accuracy of the algorithm. We tested the algorithm using our sample programs only; these programs are single-process, single-threaded programs.



Slide 23: Thank You !
