faros illuminating in memory injection attacks via
play

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based - PowerPoint PPT Presentation

Dec 30, 2022 •264 likes •588 views

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic Information Flow Tracking Meisam Navaki Arefi , Geoffrey Alexander, Hooman Rokham, Aokun Chen, Michalis Faloutsos, Xuetao Wei, Daniela Seabra Oliveira and

  1. FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic Information Flow Tracking Meisam Navaki Arefi , Geoffrey Alexander, Hooman Rokham, Aokun Chen, Michalis Faloutsos, Xuetao Wei, Daniela Seabra Oliveira and Jedidiah R. Crandall

  2. Problem ● In-memory Injection attacks. ● They are becoming more and more common. ● We built a reverse engineering tool to flag them and give analysts the information they need to reverse engineer such malware. 2 ● An analyst needs visibly into memory throughout the execution.

  3. In-Memory Injection Attack ● Operates only on memory ● Acts very stealthy ● Hard to detect 3 ● An analyst needs visibly into memory throughout the execution.

  4. Threat Model ● Reflective DLL injection ● Process hollowing/replacement ● Code/process injection 4

  5. Threat Model - Reflective DLL Injection ● Reflective DLL injection refers to loading a DLL from memory rather than from disk. ● Windows doesn’t have such loading function. ● Write your own load function: Omitting some of the things Windows normally does, e.g. registering the DLL as a loaded module. 5

  6. Threat Model - Process Hollowing ● Start a process in a suspended state. ● Replace the process image with a malicious one. ● Run the process. ● Easy! 6

  7. Threat Model - Code Injection ● Write the malicious code directly to the address space of the target process. ● Have the target process run the code. ● Easy! 7

  8. Motivation ● Current malware analysis solutions, e.g. CuckooBox and memory forensics tools, are no match. ● An analyst needs visibility into memory throughout the execution to flag such attacks. ● Question: ○ How the attack was conducted? ○ What is the source of the attack? ○ ... 8

  9. Dynamic Information Flow Tracking (DIFT) ● Makes systems transparent for attack detection, enforcement of security policies and forensics* *Suh et al. 2004, Minos (Crandall and Chong 2004), TaintCheck (Newsome and Song 2005), and Vigilante (Costa et al. 2004) 9

  10. DIFT - How? I. Introduce the tags/taints II. Propagate the tags III. Check the status of tags 10

  11. Shadow Memory 11

  12. DIFT Example 12

  13. DIFT Example 13

  14. DIFT Example 14

  15. DIFT Example 15

  16. DIFT Example 16

  17. DIFT Example 17

  18. Provenance List ● Each byte could have a list of tags (provenance list). A provenance list for a specific byte 18

  19. Tag Confluence ● Two or more tags of different types can “come together”. 19

  20. Tag Confluence ● A bytes comes in from the network and then moves to the physical memory. 20

  21. Tag Confluence ● Process #1 accesses that byte. 21

  22. Flagging Policy via Provenance-based DIFT Data coming in from the network ( Netflow tag ) SHOULD NOT “come together” with linking/loading data exported by the kernel ( export table tag ). That shouldn’t happen under normal circumstances! 22

  23. Flagging Policy via Provenance-based DIFT ● Tag confluence heuristic: 23

  24. System Architecture 24

  25. Results - Reflective DLL Injection 25

  26. Results - Reflective DLL Injection 26

  27. Comparison with CuckooBox ● Most popular open-source malware analysis system. ● We tested CuckooBox on in-memory injection attacks. ● CuckooBox (along with malfind and Volatility plugins) provided limited visibility into these attacks. ● With CuckooBox, we are blind as to how the attack was conducted. 27

  28. True/False Positive Analysis ● Tested against 6 memory injection attacks and successfully flagged them all. ● Tested against 90 non-injecting malware samples and 14 benign software from various categories. ○ FAROS presented a very low false positive rate of 2% . 28

  29. Performance Evaluation ● Performance is not a priority for FAROS. ● Focused on providing a low false positive rate. ● FAROS’ slowdown is 56X compared to QEMU. 29

  30. Conclusions ● Presented FAROS, a DIFT-based reverse engineering tool, which can illuminate in-memory injection attacks. ● Tag confluence as a promising heuristic. ● Very low false positive (2%). ● FAROS ○ can save reverse engineers substantial time and effort in practice. ○ can provide reverse engineers with valuable information about any in-memory injection attacks. ● FAROS is open source: ○ https://github.com/mnavaki/FAROS 30

  31. Acknowledgments ● Our reviewers and our shepherd, Etienne Riviere. ● DARPA Trusted Computing Project (Grant No. FA8650-15-C-7565) and the U.S. National Science Foundation (Grant Nos. #1518523, #1518878). ● NSF disclaimer: Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation. 31

  32. Thank you! mnavaki@unm.edu 32

Recommend

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp

Computer Science 161 Fall 2016 Nicholas Weaver Injection Attacks and Memory Safety Nicholas Weaver based on David Wagners slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 Nicholas Weaver You really really really

944 views • 50 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks & XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC

in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC

in memory: an evolution of attacks Mathias Payer <mathias.payer@nebelwelt.net> UC Berkeley Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory attacks: an ongoing war David

725 views • 44 slides
SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . . Lecture 16 Page 1

646 views • 21 slides
Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to Computer Security Day 4: Low-level attacks Shellcode techniques Stephen McCamant University of Minnesota, Computer Science & Engineering

412 views • 5 slides
Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
Illuminating The JVM with FlameGraphs Nitsan Wakart (@nitsanw) Illuminating The JVM with

Illuminating The JVM with FlameGraphs Nitsan Wakart (@nitsanw) Illuminating The JVM with

Illuminating The JVM with FlameGraphs Nitsan Wakart (@nitsanw) Illuminating The JVM with FlameGraphs Nitsan Wakart (@nitsanw) By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=196363 Thanks! I, Programmer Performance

942 views • 39 slides
CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year:

CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year:

CSS Injection Attacks or how to leak content with <style> * { author: Pepe Vila; year: 2019; } Historical background (might be historically inaccurate) ~2007: Gareth Heyes, David Lindsay and Eduardo Vela (from sla.ckers.org) published

412 views • 15 slides
Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William

Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks William G.J. Halfond Alessandro Orso Panagiotis Manolios Georgia Institute of Technology Supported by NSF awards CCR-0205422 and CCR-0306372 to GA Tech and

678 views • 34 slides
Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William Halfond & Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to

187 views • 17 slides
AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond

AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond

AMNESIA: Analysis and Monitoring for Neutralizing SQL- Injection Attacks William Halfond Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to Georgia Tech,

627 views • 23 slides
Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1 Why JavaScript? Relevant and challenging

520 views • 48 slides
SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD (

SoC, why should we care about Fault Injection Attacks ? Guillaume BOUFFARD ( guillaume.boufgard@ssi.gouv.fr ) David EL-BAZE ( david.elbaze@ssi.gouv.fr ) with the help of Thomas TROUCHKINE Agence nationale de la scurit des systmes

523 views • 28 slides
Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software Architect 1 Agenda Problem Description Fileless Attacks Overview Common Injection Techniques Current Challenges with memory

870 views • 22 slides
Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru

Synode: Understanding and Automatically Preventing Injection Attacks on Node.js Cristian-Alexandru Staicu 1 Michael Pradel 1 Ben Livshits 2 1 TU Darmstadt 2 Imperial College London, Brave Software February 20, 2018 This Talk Node.JS and

492 views • 47 slides
Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia

Preventing SQL Injection Attacks Using AMNESIA William G.J. Halfond and Alessandro Orso Georgia Institute of Technology This work was partially supported by DHS contract FA8750-05-2-0214 and NSF awards CCR-0205422 and CCR-0209322 to Georgia

239 views • 21 slides
Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and

Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and

Cheap & Cheerful A Low-Cost Digital Sensor for Detecting Laser Fault Injection Attacks Wei He, Jakub Breier, Shivam Bhasin Physical Analysis and Cryptographic Engineering (PACE), Nanyang Technological University, Singapore SPACE 2016,

667 views • 31 slides
Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir

Towards Generic Countermeasures Against Fault Injection Attacks Gilles Barthe 2 , cois Dupressoir 2 , Sylvain Guilley 1 , Fran Pablo Rauzy 1 , Pierre-Yves Strub 2 1 Telecom ParisTech 2 IMDEA Software Institute Crypto Seminar Day @ IMDEA

101 views • 9 slides

More recommend