c ontext k eyed p ayload e ncoding f ighting the n ext g
play

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION - PowerPoint PPT Presentation

Jul 04, 2023 •15 likes •315 views

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos dimitris at census-labs.com Census, Inc. Athens IT Security Conference (AthCon 2010) C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G

  1. C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos dimitris at census-labs.com Census, Inc. Athens IT Security Conference (AthCon 2010) C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  2. O VERVIEW I NTRODUCTION S HELLCODE D ETECTION T ECHNIQUES C ONTEXT -K EYED P AYLOAD E NCODING I MPLEMENTATION D EMONSTRATION B EST P RACTICES C ONCLUSION C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  3. I NTRODUCTION C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  4. T HE B ASICS ◮ What is shellcode ? ◮ Memory corruption bugs sometimes allow an attacker to execute her own instructions on the CPU of a vulnerable host. ◮ These instructions usually provide the attacker with a command interpreter (e.g. a UNIX shell) and that’s why they’re called shellcode . ◮ What is an Intrusion Detection System (IDS) ? ◮ A system that detects malicious activities by examining a host’s operating environment (HIDS) and/or network traffic (NIDS). ◮ This presentation focuses on: ◮ Shellcode detection techniques for NIDS. ◮ NIDS evasion techniques for stealthy shellcode. C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  5. 5 R EASONS FOR T RACKING S HELLCODE ON T HE W IRE ◮ CVE-2007-1365 OpenBSD IPv6 mbufs remote kernel buffer overflow ◮ CVE-2007-2586 Cisco IOS FTP Vulnerability ◮ CVE-2009-0065 Linux SCTP FWD Chunk Memory Corruption ◮ CVE-2009-0950 Apple iTunes ITMS Overflow ◮ CVE-2010-0239 Windows ICMPv6 Router Advertisement Vulnerability C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  6. S HELLCODE D ETECTION T ECHNIQUES C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  7. S HELLCODE E NVIRONMENT ◮ Return Address ◮ Points to an area close to the shellcode. ◮ Overwrites a saved EIP or function pointer. ◮ NOP sled ◮ Dummy instructions! ◮ They guide the instruction pointer towards the actual shellcode when its address is not known in advance. ◮ Payload ◮ Contains the shellcode instructions. C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  8. T HE 3 S CHOOLS OF M ALWARE D ETECTION ◮ Signature Matching ◮ Detect known shellcode bytes [Snort] ◮ Detect known NOP bytes (Snort thinks 25 ’C’s are a ’inc %ebx’ NOP sled) ◮ Detect known return address ranges (Buttercup) ◮ Cannot detect 0-day exploits. ◮ Anomaly Detection ◮ Perform statistical analysis on traffic (Snort SPADE) ◮ If incoming packets deviate from “normal” traffic/protocol, warn the user. ◮ Requires training. ◮ Static / Dynamic Analysis ◮ Inspect packets for code with certain characteristics (see [Polychronakis06]). ◮ Takes time... C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  9. P OLYMORPHISM AND M ETAMORPHISM ◮ Polymorphic Encoding ◮ Encrypt payload with random key. ◮ Payload instructions will be decrypted and executed at runtime. ◮ Metamorphic Encoding ◮ Reimplement a set of operations with equivalent instructions. ◮ Build tools to generate the equivalent code automatically. C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  10. T HE 3 S CHOOLS R EVISITED ◮ Signature Matching ◮ Polymorphism allows the payload to evade detection. ◮ Metamorphism allows the polymorphic decoder stub to evade detection. ◮ See “Shikata Ga Nai” encoder of Metasploit. ◮ Anomaly Detection ◮ Metamorphic encoders can produce instruction bytes that have similar statistical properties with the canonical traffic... ◮ See “Alpha2” encoder of Metasploit. ◮ Static / Dynamic Analysis ◮ Static Analysis fails to determine if a packet contains junk or a polymorphic payload. ◮ Dynamic Analysis can spot the malicious payload, once it has emulated correctly the polymorphic code! C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  11. E MULATION T ROUBLES ◮ NIDSs guard the perimeter. ◮ NIDSs with emulation support, emulate incoming packets “blindly”. ◮ Emulation happens within a fake/minimal environment. ◮ What if the shellcode depends on a piece of information from the environment of the vulnerable host? ◮ It will fail to execute on the NIDS. ◮ But it may execute correctly on the vulnerable host. ◮ Hmm, IDS evasion! C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  12. C ONTEXT -K EYED P AYLOAD E NCODING C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  13. T HE M AIN I DEA ◮ Encrypt the payload with your favorite algorithm. ◮ At execution time, get the decryption key from the environment (context) of the vulnerable host! C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  14. M EMORY - BASED K EYING ◮ Use the bytes found at a specific memory location as the encryption key. ◮ | ) ruid has implemented this for Metasploit. ◮ To find memory addresses with static values, the tool smem-map is used. ◮ See [ToorCon9] for more details. ◮ jDuck has written something similar, checking if a particular bit is set at a certain memory location. ◮ Can we guess this value for a remote host? ◮ Think about distributions that use binary packages. ◮ PIE binaries and ASLR can be an issue here. C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  15. CPU- BASED K EYING ◮ The cpuid x86 instruction returns processor information. ◮ Processor info is broken down into multiple vectors . ◮ The number of available vectors depends on the processor model. ◮ R. R. Branco and Itzik use “Vendor ID” as a shellcode encryption key (see [Troopers09]). ◮ We will extend this to include all vectors containing Basic Processor Information. ◮ XOR-ing all vector data gives us a richer 32-bit key. ◮ Can we guess this value for a remote host? ◮ Think about standard server models and Qemu guests... C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  16. T EMPORAL D ATA - BASED K EYING ◮ Build the decryption key from something that is going to be there for a certain amount of time. ◮ The Hydra shellcode engine (see [Hydra09]) uses some high-order bits from the time(2) system call. ◮ time(2) returns a 32-bit integer (secs since epoch ). ◮ We’ll use the 16 most significant bits, providing an execution window of 18 hours. ◮ Can we guess the time on a remote server? :-) ◮ Is it so difficult for this system call to be emulated? ◮ This encoder may slightly buffle reversers studying your code at a later time. But brute forcing 16bits is hardly a challenge... C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  17. F ILESYSTEM - BASED K EYING ( NEW !) ◮ Usually NIDSs don’t have access to the filesystems of the servers they are protecting. ◮ We can make a context key from filesystem metadata (see stat(2)). ◮ Good candidates: the st size and st mtime members of struct stat. ◮ st size is guessable if the target hosts a known software package in binary form. ◮ st mtime is guessable in Debian (records timestamp of last update by package maintainer). ◮ Let’s XOR these to create a context key! ◮ What happens if we stat(2) a file that we later rename/delete? ◮ Is this temporal data? :-) C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  18. I MPLEMENTATION C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

  19. D ESIGN D ECISIONS ◮ Make CKPE a PenTester’s Commodity. ◮ Build on the Metasploit Framework! ◮ No Key Generator classes are available... ◮ Each CKPE method becomes a separate encoder. ◮ Context Keys are generated by aux. applications. ◮ Fed to CKP encoders via command line arguments. ◮ Actual payload encoder: Shikata Ga Nai, 32bit key. ◮ Execution in wrong context: Undefined behaviour :-) Usage example $ cd metasploit/trunk $ ./tools/stat-key /bin/ps 0xbebaf012 $ ./msfpayload linux/x86/exec CMD=/bin/sh R > /tmp/raw_payload $ ./msfencode -e x86/context_stat -t elf -i /tmp/raw_payload -o /tmp/encoded_payload \ STAT_KEY=0xbebaf012 STAT_FILE=/bin/ps $ /tmp/encoded_payload sh-3.2$ C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS :: A TH C ON 2010 :: C ENSUS , I NC .

Recommend

S OLUTIONS A R EVIEW OF C URRENT LED I NTERIOR & E XTERIOR L IGHTING A PPLICATIONS D OUGLAS

S OLUTIONS A R EVIEW OF C URRENT LED I NTERIOR & E XTERIOR L IGHTING A PPLICATIONS D OUGLAS

C OST -E FFECTIVE LED L IGHTING S OLUTIONS A R EVIEW OF C URRENT LED I NTERIOR & E XTERIOR L IGHTING A PPLICATIONS D OUGLAS T RIMBACH V ICE P RESIDENT L IGHTING O PTIMIZERS , USA DTRIMBACH @ LIGHTINGOPTUSA . COM W HY LOOK AT L IGHTING R

575 views • 14 slides
SCD: A S CALABLE C OHERENCE D IRECTORY WITH F LEXIBLE S HARER S ET E NCODING Daniel Sanchez and

SCD: A S CALABLE C OHERENCE D IRECTORY WITH F LEXIBLE S HARER S ET E NCODING Daniel Sanchez and

SCD: A S CALABLE C OHERENCE D IRECTORY WITH F LEXIBLE S HARER S ET E NCODING Daniel Sanchez and Christos Kozyrakis Stanford University HPCA-18, February 27 th 2012 Executive Summary 2 Directories are hard to scale, degrade performance

669 views • 27 slides
Automeris louisiana Louisiana Eyed Silkmoth Citizen Science Project April August 2017

Automeris louisiana Louisiana Eyed Silkmoth Citizen Science Project April August 2017

Automeris louisiana Louisiana Eyed Silkmoth Citizen Science Project April August 2017 Jennifer Wilson, Project Leader Report prepared by Peggy Romfh Louisiana Eyed Silkmoth (LAESM) Disco Discover ered ed in in 19 1981 81 alon

245 views • 23 slides
Ramseys theorem under a computable perspective Ludovic PATEY 1 / 69 June 12, 2017 M

Ramseys theorem under a computable perspective Ludovic PATEY 1 / 69 June 12, 2017 M

M OTIVATIONS E NCODING SETS O PEN QUESTIONS Ramseys theorem under a computable perspective Ludovic PATEY 1 / 69 June 12, 2017 M OTIVATIONS E NCODING SETS O PEN QUESTIONS Motivations 2 / 69 M OTIVATIONS E NCODING SETS O PEN QUESTIONS R

1.09k views • 84 slides
POP 2016-15 Yellow-eyed penguin foraging and indirect effects Conservation Services Programme

POP 2016-15 Yellow-eyed penguin foraging and indirect effects Conservation Services Programme

POP 2016-15 Yellow-eyed penguin foraging and indirect effects Conservation Services Programme Technical Working Group Update, July 2017 MEL YOUNG, UNIVERSITY OF OTAGO POP 2016-15 Yellow-eyed penguin foraging and indirect effects Project

342 views • 31 slides
C ONTEXT The importance of post-secondary education in providing benefits both to individuals and

C ONTEXT The importance of post-secondary education in providing benefits both to individuals and

Submission to the Legislative Assembly of British Columbia Select Standing Committee on Finance and Government Services September 18, 2014 _________________________________________________________________________________ C ONTEXT The importance

329 views • 10 slides
F IGHTING AGAINST I LLEGAL , U NREPORTED AND U NREGULATED FISHING (IUU) Successes in fighting IUU

F IGHTING AGAINST I LLEGAL , U NREPORTED AND U NREGULATED FISHING (IUU) Successes in fighting IUU

Brussels Policy Brief No. 38 F IGHTING AGAINST I LLEGAL , U NREPORTED AND U NREGULATED FISHING (IUU) Successes in fighting IUU Fishing: The case of Fiji 27 th October 2014 O UTLINE Preface Location Background of Fiji Fiji Fisheries

459 views • 17 slides
Guide idelines lines for or Prop open ensity sity Scor Sc ore e Weigh ighting ting wi

Guide idelines lines for or Prop open ensity sity Scor Sc ore e Weigh ighting ting wi

St Step-by by-Step ep Guide idelines lines for or Prop open ensity sity Scor Sc ore e Weigh ighting ting wi with th Two o Grou oups ps Beth Ann Griffin 1 Four key steps 1) Choose the primary treatment effect of interest

840 views • 45 slides
Janua uary, ry, 2015 The eyed egg will multiply its size many times and in time grow into an

Janua uary, ry, 2015 The eyed egg will multiply its size many times and in time grow into an

Janua uary, ry, 2015 The eyed egg will multiply its size many times and in time grow into an adult salmon. It is a good metaphor for Cooke; we started small, weve become a good sized fish and we live in a challenging, ever-changing

439 views • 25 slides
CASCOM CASCOM C ontext- -A Aware Business Application ware Business Application S Service

CASCOM CASCOM C ontext- -A Aware Business Application ware Business Application S Service

CASCOM CASCOM C ontext- -A Aware Business Application ware Business Application S Service ervice C ontext Co- -ordination in ordination in M Mobile Computing Environments obile Computing Environments Co pecific Targeted Research

377 views • 25 slides
Yellow-eyed penguin / hoiho Megadyptes antipodes Distribution Distribution Almost all species

Yellow-eyed penguin / hoiho Megadyptes antipodes Distribution Distribution Almost all species

Yellow-eyed penguin / hoiho Megadyptes antipodes Distribution Distribution Almost all species information originates from mainland Foraging behaviour Foraging behaviour 275 of 300 dives went to seafloor Total trip duration: 11.6 hrs Time

432 views • 27 slides
C ONSISTENT M ANAGEMENT OF C ONTEXT I NFORMATION IN U BIQUITOUS S YSTEMS Gabriel

C ONSISTENT M ANAGEMENT OF C ONTEXT I NFORMATION IN U BIQUITOUS S YSTEMS Gabriel

C ONSISTENT M ANAGEMENT OF C ONTEXT I NFORMATION IN U BIQUITOUS S YSTEMS Gabriel Guerrero-Contreras gjguerrero@ugr.es Jos Luis Garrido jgarrido@ugr.es Carlos Rodrguez-Domnguez carlosrodriguez@ugr.es Sara Balderas-Daz

549 views • 27 slides
$TITLE: M5-1.GMS, ordinary least squares using NLP $ONTEXT there are I observations on two

$TITLE: M5-1.GMS, ordinary least squares using NLP $ONTEXT there are I observations on two

C:\jim\COURSES\8858\code-bk 2012\M5-1.gms Monday, January 09, 2012 6:05:32 AM Page 1 $TITLE: M5-1.GMS, ordinary least squares using NLP $ONTEXT there are I observations on two variables (set J), a dependent variables Y and an independent

457 views • 3 slides
Hoiho Threat Management and Recovery Plan Report on progress to the Annual Yellow-eyed Penguin

Hoiho Threat Management and Recovery Plan Report on progress to the Annual Yellow-eyed Penguin

Hoiho Threat Management and Recovery Plan Report on progress to the Annual Yellow-eyed Penguin Symposium 2018 Hoiho Governance/Technical Group representatives at Symposium: DOC Ian Angus Fisheries New Zealand Jenny Oliver Ngi Tahu

356 views • 17 slides
PCFG : P robabilistic C ontext F ree G rammars Presenter: Ba Dat Nguyen Advisor: Dr. Martin

PCFG : P robabilistic C ontext F ree G rammars Presenter: Ba Dat Nguyen Advisor: Dr. Martin

PCFG : P robabilistic C ontext F ree G rammars Presenter: Ba Dat Nguyen Advisor: Dr. Martin Theobald Max-Planck-Institut fr Informatik Saarbrcken, Germany Probabilistic Context Free Grammars 2 / 25 Outline Introduction P

749 views • 50 slides
cont ontext xt in af affectiv fective e or or non on-affec affectiv tive e pr

cont ontext xt in af affectiv fective e or or non on-affec affectiv tive e pr

Neur urological ological rol ole e of of cont ontext xt in af affectiv fective e or or non on-affec affectiv tive e pr primacy imacy - Asmita Bhattacharya AIM :

895 views • 10 slides
T RANSFORMING R EHABILITATION Professor Chris Fox @MMUPolicyEval C ONTEXT N ATIONAL O FFENDER M

T RANSFORMING R EHABILITATION Professor Chris Fox @MMUPolicyEval C ONTEXT N ATIONAL O FFENDER M

T RANSFORMING R EHABILITATION Professor Chris Fox @MMUPolicyEval C ONTEXT N ATIONAL O FFENDER M ANAGEMENT S ERVICE CUTS NOMS saw 900m cut from its budget in four years Figure from Prison Reform Trust 2016, based on NOMS/MoJ data Between

571 views • 19 slides
S TROKE R ISK AND O UTCOMES : THE C OMMUNITY C ONTEXT Arleen F. Brown, MD, PhD Associate Professor

S TROKE R ISK AND O UTCOMES : THE C OMMUNITY C ONTEXT Arleen F. Brown, MD, PhD Associate Professor

S TROKE R ISK AND O UTCOMES : THE C OMMUNITY C ONTEXT Arleen F. Brown, MD, PhD Associate Professor Division of General Internal Medicine and Health Services Research Co Director, Community Education and Research Program, Clinical and

725 views • 55 slides
T HE ENERGY TRANSITION IN G ERMANY AND THE RENEWABLE ENERGY SOURCES ACT : C ONTEXT , LEGAL AND

T HE ENERGY TRANSITION IN G ERMANY AND THE RENEWABLE ENERGY SOURCES ACT : C ONTEXT , LEGAL AND

T HE ENERGY TRANSITION IN G ERMANY AND THE RENEWABLE ENERGY SOURCES ACT : C ONTEXT , LEGAL AND PROCEDURAL ASPECTS NDRC study tour, Berlin, 5 July 2016 Dr. Stephan Sina Senior Fellow, Coordinator Energy, Ecologic Institute Energy transition in

390 views • 22 slides
$TITLE M9-1.GMS: Two-Country Oligopoly with free entry, segmented markets * $ONTEXT YI YJ

$TITLE M9-1.GMS: Two-Country Oligopoly with free entry, segmented markets * $ONTEXT YI YJ

C:\jim\COURSES\8858\code-bk 2012\M9-1.gms Tuesday, January 10, 2012 5:07:29 AM Page 1 $TITLE M9-1.GMS: Two-Country Oligopoly with free entry, segmented markets * $ONTEXT YI YJ XI XJ NI NJ PUI PUJ CONI CONJ EHTI ENTJ PYI

368 views • 10 slides
$TITLE Model M10-2: TWOxTWOxONE economy -- MPS/GE version of model M3-4b $ONTEXT This is the

$TITLE Model M10-2: TWOxTWOxONE economy -- MPS/GE version of model M3-4b $ONTEXT This is the

C:\jim\COURSES\8858\code-bk 2012\M10-2.gms Thursday, March 29, 2012 4:34:58 AM Page 1 $TITLE Model M10-2: TWOxTWOxONE economy -- MPS/GE version of model M3-4b $ONTEXT This is the exact same model as M3-4b.GMS but uses the MPS/GE format.

348 views • 5 slides
$TITLE: M7-2.GMS: Monopoly with fixed costs $ONTEXT Production Sectors Consumers

$TITLE: M7-2.GMS: Monopoly with fixed costs $ONTEXT Production Sectors Consumers

C:\jim\COURSES\8858\code-bk 2012\M7-2.gms Tuesday, February 21, 2012 8:36:53 AM Page 1 $TITLE: M7-2.GMS: Monopoly with fixed costs $ONTEXT Production Sectors Consumers Markets | C FC Y W | CONS ENTR

549 views • 6 slides
RALPH TORRIE S ETTING THE C ONTEXT : G LOBAL C LIMATE C HANGE AND S OCIAL H OUSING : W HAT S

RALPH TORRIE S ETTING THE C ONTEXT : G LOBAL C LIMATE C HANGE AND S OCIAL H OUSING : W HAT S

P RESENTATION S LIDES RALPH TORRIE S ETTING THE C ONTEXT : G LOBAL C LIMATE C HANGE AND S OCIAL H OUSING : W HAT S THE C ONNECTION ? W HAT S THE O PPORTUNITY ? C LEAN A IR P ARTNERSHIP W ORKSHOP : I MPROVING THE O DDS FOR A CHIEVING S

385 views • 22 slides
$TITLE M9_1.GMS: Two-Country Oligopoly, free entry, segmented markets * $ONTEXT YI YJ XI

$TITLE M9_1.GMS: Two-Country Oligopoly, free entry, segmented markets * $ONTEXT YI YJ XI

C:\jim\COURSES\8858\code-bk 2012\M9-1.gms Tuesday, March 20, 2012 11:43:07 AM Page 1 $TITLE M9_1.GMS: Two-Country Oligopoly, free entry, segmented markets * $ONTEXT YI YJ XI XJ NI NJ PUI PUJ CONI CONJ EHTI ENTJ PYI 100

282 views • 12 slides

More recommend