e-NeXSh: OS Fortification
Protecting Software from Internet Malware

Gaurav S. Kc, Angelos D. Keromytis
Columbia University
Bane of the Internet
- Internet Malware
  - Internet worms and Internet-cracking tools
  - Override program control to execute malcode
- Internet Worms
  - Morris '88, Code Red II '01, Nimda '01, Slapper '02, Blaster '03, MS-SQL Slammer '03, Sasser '04
  - Automatic propagation
- Internet Crackers
  - "j00 got h4x0r3d!!"
- After breaking in, malware will:
  - Create backdoors, install rootkits (conceal malcode existence), join a bot-net, generate spam
- e-NeXSh can thwart such malware
07 NOV, 2005. ACSAC Gaurav S. Kc / Columbia University 2
Outline
- Software Run-Time Environments (x86/Linux)
- Bugs, and Breaches: Anatomy of Attacks
- e-NeXSh: OS Fortification
- Related Work
- Conclusions
Process Run-Time
- Linux: Multi-processor OS
  - Resource manager and scheduler
  - Inter-process communication (IPC)
  - Access: network, persistent storage devices
  - Process scheduling and context-switching
- Process: abstraction of a program in execution
  - 4GB of virtual memory
  - Code + data segments
  - .stack segment
    - Activation records
Process Run-Time
- Activation records
  - Activation frame header: return_address, old_frame_pointer
[Figure: stack frame of function() below, with the PC, SP and FP registers marked]

    void function(char *s, float y, int x) {
        int a;
        int b;
        char buffer[SIZE];
        int c;
        strcpy(buffer, s);   /* no bounds check: s longer than SIZE overruns buffer into the frame header */
        return;
    }
Invoking System Calls
- Applications access kernel resources via a trap instruction (int $0x80), a machine instruction in the program's .text section
[Figure: memory layout. USERSPACE MEMORY (up to 0xbfffffff) holds the program stack frames main, foo, bar; KERNEL MEMORY (up to 0xffffffff) holds the system-call stack frames system_call, sys_socket, sock_create, sock_alloc, socki_lookup.]

    program.c:
    main() { foo(); }
    foo()  { bar(); }
    bar()  { ... int $0x80 ; trap instr. ... }

    kernel:
    system_call()  { call *0x0(,%eax,4) ; }
    sys_socket()   { sock_create(); }
    sock_create()  { sock_alloc(); }
    sock_alloc()   { socki_lookup(); }
    socki_lookup() { ... }
System Calls via LIBC
- The trap instruction (int $0x80) now lives in the LIBC .text section; the program calls the LIBC wrapper instead
[Figure: same layout as the previous slide, with libc stack frames (socket) between the program stack frames (main, foo, bar) and the kernel system-call stack frames.]

    program.c:
    main() { foo(); }
    foo()  { bar(); }
    bar()  { socket(...); }

    libc.so:
    socket() { ... int $0x80 ; trap instr. ... }

    kernel:
    system_call()  { call *0x0(,%eax,4) ; }
    sys_socket()   { sock_create(); }
    sock_create()  { sock_alloc(); }
    sock_alloc()   { socki_lookup(); }
    socki_lookup() { ... }
Security Vulnerabilities
- C: a low-level systems language with unsafe features
  - No bounds-checking. Not strongly typed.
  - Arbitrary memory overwrites
- Common security vulnerabilities
  - Buffer overflows
  - Format-string vulnerability
  - Integer overflows
  - Double-free vulnerability
Anatomy of a Process-Subversion Attack
- Analysis of common attack techniques
  - Phrack magazine, BugTraq, worms in "the wild"
- Stages of a process-subversion attack
  1. Trigger vulnerability in software
  2. Overwrite code pointer
  3. Execute malcode of the attacker's choosing, and invoke system calls
Process-Subversion Attacks, contd.
- Component Elements (C.E.) of an attack
  1. Exploitable vulnerability
     e.g., buffer overflows, format-string vulnerabilities
  2. Overwritable code pointer
     e.g., return address, function pointer variables
  3. Executable malcode
     e.g., machine code injected into data memory, existing application or LIBC code
     (Focus of e-NeXSh!)
Methods of Attack

    void function(char *s, float y, int x) {
        int a;
        int b;
        char buffer[SIZE];
        int c;
        strcpy(buffer, s);
        return;
    }

[Figure: function()'s stack frame (int x, float y, char *s, return address, old frame pointer, int a, int b, char buffer[SIZE], int c) and two ways the buffer-overflow vulnerability is exploited. In both, the attacker overruns buffer and overwrites the return address with &buffer so that control returns into the injected payload.]
- Stacksmashing (Code Injection): the injected code (nop sled followed by shellcode) invokes a system call directly via int $0x80
- Stacksmashing (LIBC-Based): the injected code pushes "/bin/sh" and calls &system, i.e. invokes a LIBC function rather than trapping itself
Outline
- Software Run-Time Environments (x86/Linux)
- Bugs, and Breaches: Anatomy of Attacks
- e-NeXSh: OS Fortification
- Related Work
- Conclusions
e-NeXSh: Monitoring Processes for Anomalous and Malicious Behaviour
- Monitor LIBC function invocations
    if (call stack doesn't match call graph)
        exit(LIBC-based attack);
- Monitor system-call invocations
    if (system call invoked from data memory)
        exit(injected code execution);
- Explicit policy definitions required!
  - Use program disassembly information and memory layout.
- Code can still execute on stack/heap, just cannot invoke system calls directly or via LIBC functions
e-NeXSh: System Calls via LIBC
[Figure: the LIBC layout from the earlier slide with e-NeXSh.so interposed between the program and libc.so. A valid call stack lets the e-NeXSh.so wrapper forward to libc.so::socket(); a valid "return address" lets the kernel's system_call() dispatch to sys_socket.]

    program.c:
    main() { foo(); }
    foo()  { bar(); }
    bar()  { socket(...); }

    e-NeXSh.so:
    socket() { // validate call stack
               libc.so::socket(); }

    libc.so:
    socket() { int $0x80 ; trap instr. }

    kernel:
    system_call() { // validate "return address"
                    call *0x0(,%eax,4) ; }
    sys_socket()  { sock_create(); }
    sock_create() { sock_alloc(); }
e-NeXSh: Validating the Call Stack
[Figure only; no slide text survives extraction]
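The two checks on the monitoring slide, modelled in C as an added example. This is not code from the e-NeXSh paper or prototype, and everything in it is constructed: the symbol table and its 32-bit-style addresses, the static call graph for the slides' program.c (main -> foo -> bar -> socket), and the three sample call stacks. The real system derives the symbol table and call graph from program disassembly and the process memory layout and walks the live stack; here both are tables so the policy logic can run stand-alone.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A named code range: one function's body in program or LIBC .text. */
typedef struct { const char *name; uintptr_t lo, hi; } sym_t;

/* Constructed symbol table for the slides' program.c plus two LIBC entry
 * points. Addresses are hypothetical, chosen to resemble a classic 32-bit
 * Linux layout (program .text near 0x08048000, libc.so near 0x40000000). */
static const sym_t symtab[] = {
    { "main",   0x08048400u, 0x08048440u },
    { "foo",    0x08048440u, 0x08048480u },
    { "bar",    0x08048480u, 0x080484c0u },
    { "socket", 0x400a0000u, 0x400a0080u },   /* libc.so */
    { "system", 0x40050000u, 0x40050100u },   /* libc.so */
};
#define NSYM (sizeof symtab / sizeof symtab[0])

/* Static call graph recovered from disassembly (constructed):
 * main -> foo -> bar -> socket. Nothing in program.c calls system(). */
typedef struct { const char *caller, *callee; } edge_t;
static const edge_t call_graph[] = {
    { "main", "foo" }, { "foo", "bar" }, { "bar", "socket" },
};
#define NEDGE (sizeof call_graph / sizeof call_graph[0])

/* Name of the function whose code contains pc, or NULL when pc lies
 * outside every known code region (stack, heap, or an arbitrary value). */
const char *func_containing(uintptr_t pc)
{
    for (size_t i = 0; i < NSYM; i++)
        if (pc >= symtab[i].lo && pc < symtab[i].hi)
            return symtab[i].name;
    return NULL;
}

/* Kernel-side check at the trap: was int $0x80 executed from code memory?
 * Shellcode running on the stack or heap fails this test. */
bool syscall_from_code_memory(uintptr_t trap_pc)
{
    return func_containing(trap_pc) != NULL;
}

static bool edge_allowed(const char *caller, const char *callee)
{
    for (size_t i = 0; i < NEDGE; i++)
        if (strcmp(call_graph[i].caller, caller) == 0 &&
            strcmp(call_graph[i].callee, callee) == 0)
            return true;
    return false;
}

/* Wrapper-side check when the LIBC function `callee` is entered. frames[0]
 * is the innermost return address (into the direct caller of `callee`),
 * frames[n-1] the outermost. Accept only if every return address lies in
 * code memory, each adjacent pair is an edge of the static call graph, and
 * the chain bottoms out in main. */
bool validate_call_stack(const uintptr_t *frames, size_t n, const char *callee)
{
    const char *expected_callee = callee;
    for (size_t i = 0; i < n; i++) {
        const char *caller = func_containing(frames[i]);
        if (caller == NULL)                          /* return address in data memory */
            return false;
        if (!edge_allowed(caller, expected_callee))  /* this caller never calls that function */
            return false;
        expected_callee = caller;
    }
    return n > 0 && strcmp(expected_callee, "main") == 0;
}

/* Constructed call stacks, innermost frame first. */
const uintptr_t legit_stack[]    = { 0x080484a0u, 0x08048460u, 0x08048420u }; /* bar, foo, main */
const uintptr_t injected_stack[] = { 0xbffff7c0u, 0x08048460u, 0x08048420u }; /* frame 0 points into the stack */
const uintptr_t ret2libc_stack[] = { 0x08048460u, 0x08048420u };              /* system() reached from foo's frame */

int main(void)
{
    printf("legit socket():   %s\n", validate_call_stack(legit_stack, 3, "socket") ? "allow" : "deny");
    printf("injected code:    %s\n", validate_call_stack(injected_stack, 3, "socket") ? "allow" : "deny");
    printf("return-into-libc: %s\n", validate_call_stack(ret2libc_stack, 2, "system") ? "allow" : "deny");
    printf("trap from libc:   %s\n", syscall_from_code_memory(0x400a0040u) ? "allow" : "deny");
    printf("trap from stack:  %s\n", syscall_from_code_memory(0xbffff7c0u) ? "allow" : "deny");
    return 0;
}
```

The two sample attacks fail for different reasons, which is the point of having two checks: the code-injection stack is rejected because a return address falls outside every code region, while the return-into-libc stack consists entirely of valid code addresses and is caught only because no call-graph edge leads from foo to system. Note also what the model does not do: it never inspects the payload itself, matching the slide's remark that code may still execute on the stack or heap, it just cannot reach a system call directly or through LIBC.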