Cansec West 2009
Slide deck (47 slides) uploaded by abhicc285, category: Education
1. Microsoft Malware Protection Center, Threat Research and Response Team
© 2009 Microsoft Corporation. All rights reserved.
2. Introduction
Microsoft Malware Protection Center (MMPC), Threat Research and Response Team:
Abhishek Singh, Nikola Livic, Tanmay Ganacharya, Scott Lambert, Swapnil Bhalode (all MMPC)
3. Agenda
- Overview
- Results
- Paladin
- Demo
- Key lessons
- Conclusion
- Q&A
4. Overview: Motivation
Automate processes such as:
- analyzing exploits
- identifying the malicious input bytes
- identifying how the shellcode gets executed
- narrowing the search space
Paladin refers to a suite of tools that supports rapid, scalable vulnerability analysis.
5. Results: Paladin
Category              Completed  Detected  Not detected  Success
File-based (complex)         10         4             6      40%
File-based (simple)          10         8             2      80%
Scripting-based              10         6             4      60%
Network-based                15         9             6      60%
Total                        45        27            18      60%
6. Results: Paladin
[Bar chart: Detected vs. Not detected per category (File-based complex, File-based simple, Scripting-based, Network-based, Total); axis 0 to 15]
7. Brief tour
8. Paladin
- Core component: Vigilante
- End-to-end approach to automating worm containment
- Tech-transferred from MSR / Incubation
9. Vigilante
- Started in Microsoft Research (MSR) by Manuel Costa and Miguel Castro; later transitioned to an Incubation team.
- Timeline: Oct. 2004 (Devadas), Nov. 2004 (MSR), Dec. 2004 (Minos), Feb. 2005 (TaintCheck).
- Leverages dynamic dataflow analysis to track the use of untrusted data and block it from being executed or loaded into the program counter.
- Since then it has forked in different directions: use for malware analysis (spyware, etc.), information leakage, etc.
10. Major components of Vigilante
- Program instrumentation (dynamic binary rewriting): instruments the program to enable monitoring of how untrusted input data is used.
- Detection engine: leverages dynamic data-flow analysis to identify attacks and generate alerts.
- Alert verifier and distributor: an alert contains enough information to reproduce the issue on other hosts, and is distributed accordingly.
- Filter generator: provides protection from future attempts by blocking the malicious input.
11. Detection engine: dynamic dataflow analysis
- Track the flow of data from input messages. Common input sources: file, network, etc.
- Mark memory as tainted when input data is received.
- Track all data movement within the program.
- Terminate the program before it is too late:
  - detect execution of input data (the virtual address being executed is marked tainted)
  - detect loading of input data into the program counter (saved return address overwrite, etc.)
12. Dynamic dataflow analysis
Step 1: Keep track of which memory locations and CPU registers are tainted with untrusted input data. Instrument every data-movement instruction (e.g. MOV, MOVS, PUSH, POP on x86 CPUs) to keep track.
Step 2: Identify and block dangerous uses of untrusted input data. Instrument every control-transfer instruction (e.g. RET, CALL, JMP on x86 CPUs).
13. Dangerous uses of input data: alert types
- Arbitrary Execution Control (AEC): tainted data is about to be loaded into the program counter.
- Arbitrary Code Execution (ACE): tainted data is about to be executed.
- Arbitrary Function Argument (AFA): a critical argument to a critical function is tainted.
- Denial of Service (DoS): tainted data leads to an access violation.
14. Dynamic dataflow analysis
// vulnerable code
push len
push netbuf            ; netbuf points to the buffer that recv fills with tainted data
push sock
call recv
push netbuf
push localbuf
call strcpy            ; unbounded copy onto the stack: netbuf overwrites the saved return address
ret                    ; alert: value loaded into program counter is tainted
[Diagram: stack showing the stack pointer, the saved return address, and netbuf pointing at the tainted buffer]
15. How does Vigilante work?
[Diagram: three console windows and the vulnerable process (pid 1033: stack, static data, code)]
C:\> vulnProcess                                           (start the vulnerable process, pid 1033)
C:\> nirvExec /clientname "detector.dll" /attach 1033      (attach the detector to the running process)
C:\> exploitProcess                                        (send the exploit to the instrumented process)
The detector writes its findings to Vigi_log.log.
16. Dynamic dataflow analysis
// vulnerable code (.EXE)
push len
push buff
push sock
call recv              ; buff is now tainted
mov eax, buf[3]        ; a tainted value moves into eax
call eax               ; detector: alert! tainted value loaded into the program counter
[Diagram: Detector attached to the Vulnerable Process, raising "Alert!!!" at the call]
17. CVE-2008-1087
18. Results revisited
Category              Completed  Detected  Not detected  Success
File-based (complex)         10         4             6      40%
File-based (simple)          10         8             2      80%
Scripting-based              10         6             4      60%
Network-based                15         9             6      60%
Total                        45        27            18      60%
What does "detection" mean?
19. What does it mean to not detect?
- Incorrect alert point
- Incomplete log file
- No log file
And the reasons?
20. Overcoming the challenges
21. Lessons learned
- Beyond scope
- False alerts
- Engineering issues
22. Scope
Not included:
- Temporal (timing-based) vulnerabilities, e.g. CVE-2003-0813: RPC timing issue between two threads
- Kernel-level vulnerabilities, e.g. CVE-2006-1314: Mailslot driver heap overflow
- Data-independent vulnerabilities, e.g. CVE-2007-0938 (CMS), CVE-2007-0039 (iCal)
23. Data-independent example 1
CVE-2007-0938: CMS, DoS. URL "http://foo/000-000,%21frames.htm". The parse function returns a negative value, and that value goes into a memcpy-like function.

ParseURL(WCHAR *URL)
{
    DWORD SizeOfSubString = CommaOffset(URL);   // returns a negative value for this URL
    DoCopy(SizeOfSubString);                    // crash here (memcpy-like copy with the bad length)
    return SizeOfSubString;
}
24. Data-independent example 2
CVE-2006-2376: iCal, DoS (null dereference). A "Begin:Vcalender..." input causes an improper free of a structure, followed by a dereference.

ReadCalender(WCHAR *In_Bytes)
{
    *Table = Allocate();
    if (In_Bytes == Bad_Value) {
        Free(Table);
    }
    Table->Func();   // crash here: Table was freed on the error path
}
25. False alerts and mitigations
26. False alerts
Erroneous alerts are generated due to:
- imprecise taint propagation
- non-malicious inputs being tracked as malicious
27. False alerts in theory
Table lookup:
    result = table[in_byte];          // False Positive
    result = table[in_byte];          // Should be: untainted when the table holds trusted values
Implicit flows:
    if (in_byte == 1) result = 1;     // False Negative
    if (in_byte == 1) result = 1;     // Should be: tainted, result is determined by in_byte
    if (in_byte == 2) result = 2;     // False Negative
    if (in_byte == 2) result = 2;     // Should be: tainted, result is determined by in_byte
Arithmetic restrictions:
    result = (in_byte & 0x00);        // False Positive
    result = (in_byte & 0x00);        // Should be: untainted, the result is the constant 0
Reference: Newsome and Song, "Influence: A Quantitative Approach for Data Integrity".
28. False positives (FPs) in practice
- FPs in jump tables
- FPs due to marking input as tainted when it is innocuous
29. FPs in jump tables
Example: CVE-2006-4691, buffer overflow in NetJoinDomain (Workstation service, reached via RPC)

CallRPCInterface(BYTES *In_Bytes)
{
    NetJoinDomain = DispatchTable[In_Bytes];   // tainted index selects a legitimate function pointer
    Invoke(NetJoinDomain,                      // <<<<<<< FALSE POSITIVE: tainted value loaded into the PC
           pArgBuffer, ArgNum);
}
30. FPs in tracking
CVE-2009-0076 (IE CSS memory corruption): an innocuous file read from the user's Recent folder was marked tainted.

\\?\C:\Documents and Settings\vigilante\Recent\desktop.ini
Handle = 410  FileSize = 96
Tracked handle: Buf = 5fc0000
PostIoInitiation: pIosb=169646c; pBuf=5fc0000; hFile=410; hEvent=0
Io completed synchronously.
HandleIoCompletion: pIosb=169646c; dwLen=96
SetTaint: Base=5fc0000 Len=96
ADDR 0x5fc0000 - 0x5fc0095 set to dirty= 0x2
RANGE 5fc0000..5fc0095 set to = [2..97]
31. Mitigations to FPs in practice
Flags:
- IndirectAddressing: mov [disp + ref1 + ref2*i], 0xff
- JmpCallIndirect: jmp/call [disp + ref1 + ref2*i]
- LowFalsePositives: turn off a set of handlers
False-positives file, e.g. for CVE-2008-2254 (IE HTML object memory corruption):
    0x7d513573
    0x7d518123
    0x746c240a
    0x75c59c7a
Policy file
32. Engineering issues and mitigations
33. Engineering issues
- Attaching to the process
- Detecting within complex processes
- Protecting the detector from the exploit
- Miscellaneous
34. Process attachment
Simple case:
- Winsock (create, bind, listen, accept, recv)
- Named pipes (CreateFile, ReadFile)
- Disk I/O (CreateFile, ReadFile)
Realistic case: asynchronous receives on sockets and named pipes:
- AcceptEx
- Completion routines
- NtIoControlFile
- Completion ports
- Overlapped I/O, overlapped polling
- Wait events
35. Process attachment
Example: CVE-2008-4250 (Conficker; path canonicalization reached via RPC)

// At boot time
CreateFile("\pipe\Browser");
CreateIoCompletionPort(...);
ReadFile(Buffer_Location);       // the read is posted before the detector exists
...
// Attachment to the service happens here
...
GetQueuedCompletionStatus();
...
[Diagram: Detector attached to the Vulnerable Process after its initialization code has already run]
36. Process attachment: mitigations
- Coerce the service to execute its initialization code ("pump" utility, or waiting a period of time).
- Try launching or attaching to a simpler service (works in many cases).
- In theory, change the CreateProcess routine to inject the detector at boot.
37. Complex programs/services
- Extraneous log information
- Higher probability of not detecting
38. Complex programs/services: example
CAN-2002-0724: LANMAN vulnerability, DoS via an unchecked buffer passed to NetShareEnum. VIGI_LOG.LOG excerpt (all numbers are hexadecimal, with or without the 0x prefix: Len=44 is 0x44 bytes, matching the 0x44 taint tags in RANGE [2..45]):

\\?\PIPE\srvsvc
SetTaint: Base=d84d8 Len=44
ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
----------------------------------------------
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
----------------------------------------------
\\?\PIPE\lsarpc
SetTaint: Base=d45f8 Len=44
ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0
39. Complex programs/services: mitigations
- Smaller svchost group
- Find an easier program, e.g. ImageViewer instead of IE
- Packet cleaner utility
40. Protecting the detector from the exploit
CVE-2009-0133, MS Help Workshop (a shellhunter payload)
Mitigations:
- Move the stack around
- Page-protect the buffer
[Diagram: detector alongside the stack and the buffer]
41. Miscellaneous
- Logging without deadlocking
- Space considerations
42. Results revisited and extended
Category              Completed  Detected (minimal effort)  Detected (considerable effort)  Not detected
File-based (complex)         10                          0                               4             6
File-based (simple)          10                          6                               2             2
Scripting-based              10                          4                               2             4
Network-based                15                          4                               2             6
Total                        45                         14                              10            18
43. Detection effort
[Chart: per category (complex file-based, simple file-based, network, scripting), detections with minimal effort, with considerable effort, and no detection]
45. Conclusion
- First attempt at using dynamic dataflow analysis in production
- Delineated real-world challenges and provided mitigation strategies
- Helped reduce response time; supports rapid, scalable vulnerability analysis
- A great investment for the future: the lessons learned enlarged the scope of effectiveness
- More to come...
46. {absing, niklivic, tanmayg, scottlam, sbhalod}@microsoft.com