rambo run time packer analysis with multiple branch
play

RAMBO: Run-time packer Analysis with Multiple Branch Observation - PowerPoint PPT Presentation

Nov 10, 2023 •177 likes •532 views

RAMBO: Run-time packer Analysis with Multiple Branch Observation Xabier Ugarte-Pedrero, Davide Balzarotti, Igor Santos, Pablo G. Bringas University of Deusto, Cisco Talos, Eurecom 13th Conference on Detection of Intrusions and Malware &

  1. RAMBO: Run-time packer Analysis with Multiple Branch Observation Xabier Ugarte-Pedrero, Davide Balzarotti, Igor Santos, Pablo G. Bringas University of Deusto, Cisco Talos, Eurecom 13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment

  2. Outline • Why multi-path exploration for packers? • Approach – Domain-specific optimizations – Heuristics • Evaluation • Discuss the results

  3. Run-time packers... • Widely used by malware authors to obfuscate/ protect their code • 2 main goals – Hide the original code from static analysis – Implement anti-analysis methods • Anti-debug • Anti-dump • VM / Sandbox / Tool detection • Making both automated automated and manual manual analysis more difficult

  4. Shifting-decode-frames • Also known as “partial code revelation” • Takes advantage of the limitation of dynamic analysis – Single path! • Decrypt code/data on-demand • Prevent “run and dump” • Used by certain “advanced” protectors (i.e. Armadillo) • Presented in academic literature (Bilge et. al.) – Compile time function based protection

  13. Multi-path exploration... • Computationally complex – Specially with obfuscated (even self- modifying) code • Does not scale to real-world, large, complex malware

  14. Multi-path exploration... • Computationally complex – Specially with obfuscated (even self- modifying) code • Does not scale to real-world, large, complex malware Can Can we appl we apply op optimizations timizations to multi-path to multi-path exploration exploration fo for this specific use case?

  15. Multi-path exploration • Computationally complex – Specially with obfuscated (even self- modifying) code • Does not scale to real-world, large, complex malware Can Can we appl we apply heuristics heuristics to multi-path to multi-path exploration exploration fo for unpacking this type of packers?

  16. Some intuitions... • We do NO NOT need to explore every every single path single path in the binary, just enough paths to uncover all the interesting regions. • We do NO NOT need to understand which are the co conditions to reach each path (unlike other use-cases, such as vulnerability analysis. • We do NO NOT need to maintain the environment / system perfectly co consistent . We just need to make sure that the execution is stable enough to uncover the protected regions.

  17. Multi-path exploration • Baseline implementation – Based on the concepts presented by Moser et al. • Bitblaze platform – Dynamic taint analysis (Temu) • Taint result of function calls: – Network/file/argument/time related – Symbolic analysis (Vine) • Based on Weakest precondition & queries to STP • Concrete address for indirect memory accesses – System-level snapshots • Heavier, but we avoid dealing with system level inconsistencies: handles, open files, sockets...

  18. Optimizations #1 Partial symbolic execution Only execute certain regions of interest #2 Inconsistent multi-path exploration Ignore path constraints if solver cannot provide a solution Give priority to paths that can be solved consistently #3 Sacrifice global consistency Maintain consistency only for the regions of interest

  19. Optimizations #4 Discard long traces #5 Bypass blocking API calls #6 String comparisons Our model avoids exploring string comparison API calls We taint the output whenever input arguments are tainted This relaxes the constraints, allowing certain inconsistencies The general The g eneral g goal oal is is to simplify to simplify symbolic symbolic pr proc ocessing essing

  20. General workflow Approach: 1. Extract unpacked memory regions (frames) – Generically detect the frames & dump at the appropriate point • Prev. work: Deep Packer Inspection 2. Process extracted code (disassemble, compute CFG) 3. Find interesting points in the code (specific instructions) 4. Compute which paths lead to these points 5. Prioritize these paths during multi-path exploration

  21. General workflow Approach: 1. Extract unpacked memory regions (frames) – Generically detect the frames & dump at the appropriate point • Prev. work: Deep Packer Inspection 2. Process extracted code (disassemble, compute CFG) 3. Find interesting points in the code (specific instructions) 4. Compute which paths lead to these points 5. Prioritize these paths during multi-path exploration

  22. Heuristic Decide which paths which paths should be expanded first first • Sev Several eral paths paths can trigger the execution of a region • We can skip paths skip paths that can only lead to re regions alr already eady unpack unpacked ed

  23. Heuristic Steer the execution to the interesting points: • JMP & CALL instructions – that we have not executed in any run, but: – If they lead to a region that has not been unpacked yet • CJMP instructions leading to protected regions – That have not been executed (but were unpacked) – If we have only explored one of their paths • Direct memory access (address not unpacked yet) • Indirect calls (explore all the paths to these points) • Immediate values that fall in the range of a protected memory region (may represent a memory access)

  24. Heuristic Also need to consider inter-procedural CFG: • Explore all the paths that lead to a function, if it contains “points of interest”. Path selection during MPE: • Breadth First Search – Incrementally expand all the paths in the tree – Prioritize other paths over loops • Prioritize branches with the lowest number of expansions • Prioritize paths that can be forced consistently over inconsistent ones

  25. Heuristic Last resort: path bruteforcing • Set maximum number maximum number o of expansions expansions for each branch. • When this limit is reached for all the tainted branches: – Force the alternative path of non-tainted branches (INCONSISTENT!) • Introduces inconsistencies, but can be useful to: – Bypass loops or control structures with very complex internal logic depending on input • E.g.: Parsers – In some cases, we just need to jump to some point in the code to trigger its unpacking.

  26. Evaluation Case study Case study #1: Backpack #1: Backpack + + Kaiten Kaiten IRC Bo IRC Bot t • Compile-time packer proposed by Bilge et al. • Function based granularity • Kaiten: IRC bot that connects a channel and receives commands

  27. Iteration 0 Iteration 1 Iteration 2 No Heur. Functions unpacked 5/31 11/31 27/31 8/31 Interesting points - 52 96 - Cjmps - 36 110 - Snapshots - 167 544 6015 Tainted-consistent cjmps - 161 525 5888 Tainted-inconsistent cjmps - 6 19 127 Untainted cjmps - 0 40 - Long traces discarded - 6 0 - Time 5m 24m 1.2h 8h

  28. Evaluation Case study Case study # #2: 2: Armadillo Armadillo • Page based granularity (based on memory protection) • Protected 2 bots: SDBot, SpyBot.

  29. SDBOT It. 0 It. 1 It. 2 It. 3 No Heur. Functions unpacked 2/7 4/7 6/7 7/7 4/7 Interesting points - 3 2 7 - Cjmps - 65 162 264 - Snapshots - 14 366 367 3974 Tainted-consistent cjmps - 13 295 296 3660 Tainted-inconsistent cjmps - 1 71 71 314 Untainted cjmps - 0 1 1 - Long traces discarded - 1 14 14 - Time 30m 2.2h 2.8h 3.2h 8h

  30. SPYBOT Iteration 0 Iteration 1 Iteration 2 No Heur. Functions unpacked 3/9 8/9 9/9 6/9 Interesting points - 26 1 - Cjmps - 163 214 - Snapshots - 113 153 4466 Tainted-consistent cjmps - 17 31 4096 Tainted-inconsistent cjmps - 96 122 370 Untainted cjmps - 17 34 - Long traces discarded - 9 34 - Time 30m 3h 2.75h 8h

  31. Conclusions • Plain vanilla multi-path exploration was not able to recover the code in a reasonable time (even with partial/ inconsistent exploration) • With heuristic: – Almost 100% recovery of code / data – Significant reduction of time / resources when applying heuristics

  32. Discussion • Strong limitations for sample selection – For backpack, we needed linux-based source code. – We needed sufficiently complex samples: • For Armadillo, several pages of code. • Complex parsing routines or logic. – We needed non-packed samples. • Otherwise, the packer would reveal all the original code at once. – Simple malware families execute most the code in a single run (we needed bots).

  33. Discussion Technical complexity of protectors may affect multi-path • exploration – Calling convention violation – Alternative methods to redirect control flow (push + ret, indirect calls, SEH/VEH based…) – Resource exhaustion (intentionally introduce complexity to exhaust time-consuming analysis engines such as emulators) – Nanomites (substitute branches by interrupts, compute the branch in a separate region of code or process)

  34. Questions!

  35. talosintelligence.com blog.talosintel.com @talossecurity

Recommend

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to be able to create VM images on OpenBSD for VMM and many other virtualizers. Philipp Bhler <pb@sysfive.com> @pb_double sysfive.com portfolio

510 views • 20 slides
1 Predictor for a Single Branch Branch History Table of 1-bit Predictor BHT also Called Branch

1 Predictor for a Single Branch Branch History Table of 1-bit Predictor BHT also Called Branch

Reducing Branch Penalty Branch penalty in dynamically scheduled processors: wasted cycles due to pipeline flushing on mis- predicted branches Lecture 9: Branch Prediction I Reduce branch penalty: 1. Prediction analysis, 1-bit predictor,

378 views • 3 slides
Analysis of Multiple Time Series Kevin Sheppard

Analysis of Multiple Time Series Kevin Sheppard

Analysis of Multiple Time Series Kevin Sheppard ttsr Oxford MFE This version: February 24, 2020 February March, 2020 This weeks material Vector Autoregressions

867 views • 67 slides
Multiple failure-time data Multiple failure-time data or multivariate survival data are

Multiple failure-time data Multiple failure-time data or multivariate survival data are

Multiple failure-time data Multiple failure-time data or multivariate survival data are frequently encountered in biomedical and other investigations. These data arise from time-to-event studies when either of two or more events (failures) occur

681 views • 40 slides
Network meta-analysis of biological response modifiers in rheumatoid arthritis including multiple

Network meta-analysis of biological response modifiers in rheumatoid arthritis including multiple

Network meta-analysis of biological response modifiers in rheumatoid arthritis including multiple outcomes at multiple time points David Jenkins, Reynaldo Martina, Sylwia Bujkiewicz, Pascale Dequen & Keith Abrams Department of Health

826 views • 21 slides
Deep Sea Coral Analysis Overview of approach and analysis of Option 7 NEFSC Social Sciences

Deep Sea Coral Analysis Overview of approach and analysis of Option 7 NEFSC Social Sciences

Deep Sea Coral Analysis Overview of approach and analysis of Option 7 NEFSC Social Sciences Branch December 20, 2017 Utilize multiple data sources Attempt to overcome shortcomings in each Vessel Trip Report (VTR) Census of

441 views • 19 slides
Log all the things! Honza Krl @honzakral Logs? Events! Log lines Twitter feed Invoices

Log all the things! Honza Krl @honzakral Logs? Events! Log lines Twitter feed Invoices

Log all the things! Honza Krl @honzakral Logs? Events! Log lines Twitter feed Invoices Metrics Why? What happened last Tuesday? Grep? Multiple machines Multiple logs Analysis/Discovery Time period Time? Time?! Time! apache

592 views • 33 slides
A Branch-and-Price Approach for a Ship Routing Problem with Multiple Products and Inventory

A Branch-and-Price Approach for a Ship Routing Problem with Multiple Products and Inventory

A Branch-and-Price Approach for a Ship Routing Problem with Multiple Products and Inventory Constraints Rutger de Mare 1 Dennis Huisman 2,3 1. ORTEC, Gouda 2. Econometric Institute and ECOPT, Erasmus Univ. Rotterdam 3. Dept. of Logistics,

242 views • 21 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
1 Branch History Table of 1-bit Predictor 1-bit BHT Weakness BHT also Called Branch Example: in

1 Branch History Table of 1-bit Predictor 1-bit BHT Weakness BHT also Called Branch Example: in

Reducing Branch Penalty Branch penalty in dynamically scheduled processors: wasted cycles due to pipeline flushing on mis- predicted branches Lecture 9: Branch Prediction Reduce branch penalty: 1. Basic idea, saturating counter, BHT, Predict

248 views • 3 slides
package package ca function function ca mjca (simple) correspondence multiple

package package ca function function ca mjca (simple) correspondence multiple

Assos Venue for CARME in ASSOS View of Aegean Sea and island of Lesbos. Turkey, August 2010. Simple correspondence analysis (CA), Simple correspondence analysis (CA), Multiple correspondence analysis (MCA), Multiple correspondence analysis

866 views • 34 slides
Lab - UWP App Creation Paul Rambo PM, Windows Developer Platform Brian Rockwell PM, Microsoft

Lab - UWP App Creation Paul Rambo PM, Windows Developer Platform Brian Rockwell PM, Microsoft

Lab - UWP App Creation Paul Rambo PM, Windows Developer Platform Brian Rockwell PM, Microsoft Smart Connected Peripherals Braeden Petruk Software Engineer, Microsoft Smart Connected Peripherals 11 October 2015 AllSeen Alliance 1 Agenda

205 views • 18 slides
An Introduction to Analysis of Multiple Gene Expression Datasets Pratyaksha Wirapati Statistical

An Introduction to Analysis of Multiple Gene Expression Datasets Pratyaksha Wirapati Statistical

An Introduction to Analysis of Multiple Gene Expression Datasets Pratyaksha Wirapati Statistical Analysis Applied to Genome and Proteome Analysis EMBnet Course, Lausanne, 5 February 2008 Outline Why should we analyze multiple datasets?

429 views • 29 slides
IDEAS AND EVIDENCE FOR FORCE DESIGN THE ROLE OF FORCE ANALYSIS BRANCH F O R C E A N A LY S I S

IDEAS AND EVIDENCE FOR FORCE DESIGN THE ROLE OF FORCE ANALYSIS BRANCH F O R C E A N A LY S I S

Dr David Connery and Colonel Andy Haebich IDEAS AND EVIDENCE FOR FORCE DESIGN THE ROLE OF FORCE ANALYSIS BRANCH F O R C E A N A LY S I S B R A N C H 1 KEY MESSAGES Our Branch What our organisation needs to think about New Methods

393 views • 16 slides
Branch Prediction Branch Prediction vs vs Execution Time Execution Time Prediction

Branch Prediction Branch Prediction vs vs Execution Time Execution Time Prediction

Branch Prediction Branch Prediction vs vs Execution Time Execution Time Prediction Prediction Jakob Engblom, PhD Jakob Engblom, PhD Uppsala Unive University rsity & Virtutech Inc. & Virtutech Inc. Uppsala virtutech virtu

377 views • 26 slides
PACKER. TO BE OR NOT TO BE? 1 1 CONFIDENTIAL CONFIDENTIAL About me Devops lead with more

PACKER. TO BE OR NOT TO BE? 1 1 CONFIDENTIAL CONFIDENTIAL About me Devops lead with more

PACKER. TO BE OR NOT TO BE? 1 1 CONFIDENTIAL CONFIDENTIAL About me Devops lead with more than 8 years of experience in system administration which includes Media servers Load balancing technologies and cloud technologies-

588 views • 27 slides
Tim Time of St e of Stor orm Isaiah 4:2-6 But in that day, the Branch of the Lord will be

Tim Time of St e of Stor orm Isaiah 4:2-6 But in that day, the Branch of the Lord will be

Ou Our Shelt r Shelter er In In The The Tim Time of St e of Stor orm Isaiah 4:2-6 But in that day, the Branch of the Lord will be beautiful and glorious; the fruit of the land will be the pride and glory of all who survive in Israel. All

623 views • 43 slides
Optimizing MySQL performance with ZFS Neelakanth Nadgir Allan Packer Sun Microsystems Who are

Optimizing MySQL performance with ZFS Neelakanth Nadgir Allan Packer Sun Microsystems Who are

Optimizing MySQL performance with ZFS Neelakanth Nadgir Allan Packer Sun Microsystems Who are we? Allan Packer Principal Engineer, Performance http://blogs.sun.com/allanp Neelakanth Nadgir Senior Engineer, Performance

827 views • 37 slides
Portfolio Analysis in OPASI at NIH Timothy Hays, Ph.D. Branch Chief, Portfolio Analysis and

Portfolio Analysis in OPASI at NIH Timothy Hays, Ph.D. Branch Chief, Portfolio Analysis and

Portfolio Analysis in OPASI at NIH Timothy Hays, Ph.D. Branch Chief, Portfolio Analysis and Scientific Opportunities Office of Portfolio Analysis & Strategic Initiatives (OPASI) Office of the Director National Institutes of Health June

201 views • 18 slides
A class of anisotropic multiple multiresolution analysis Mariantonia Cotronei University of

A class of anisotropic multiple multiresolution analysis Mariantonia Cotronei University of

A class of anisotropic multiple multiresolution analysis Mariantonia Cotronei University of Reggio Calabria, Italy MAIA 2013, Erice, September 2013 Jointly with: Mira Bozzini, Milvia Rossini, Tomas Sauer Multiple multiresolution analysis

1.21k views • 100 slides
Cell Quota Based Population Models and their Applications Aaron Packer School of Mathematical

Cell Quota Based Population Models and their Applications Aaron Packer School of Mathematical

Cell Quota Based Population Models and their Applications Aaron Packer School of Mathematical & Statistical Sciences Arizona State University November 17, 2014 A. Packer Cell Quota Based Models + Applications Nov 17, 2014 1 / 72

1.06k views • 93 slides
branch prediction 1 last time what happens with TLB in access patterns overlapping TLB and

branch prediction 1 last time what happens with TLB in access patterns overlapping TLB and

branch prediction 1 last time what happens with TLB in access patterns overlapping TLB and cache index lookup overview of caches and page table lookups and TLB generally 3 an OOO pipeline combined with register-ready info to issue

1.36k views • 100 slides
1 KULKUNYA PRAYARACH, PH.D. Multiple Regression Analysis I. Analysis of Data III. Dummy

1 KULKUNYA PRAYARACH, PH.D. Multiple Regression Analysis I. Analysis of Data III. Dummy

Multiple Regression Analysis I. Analysis of Data III. Dummy Variable II. Hypothesis Testing IV. Research & Group Work 1 KULKUNYA PRAYARACH, PH.D. Multiple Regression Analysis I. Analysis of Data III. Dummy Variable II. Hypothesis

501 views • 24 slides
The two-machine flowshop total completion time problem: A branch-and-bound based on network-flow

The two-machine flowshop total completion time problem: A branch-and-bound based on network-flow

Introduction Lower bounds Branch-and-bound Numerical results The two-machine flowshop total completion time problem: A branch-and-bound based on network-flow formulation Boris Detienne 1 , Ruslan Sadykov 1 , Shunji Tanaka 2 1 : Team Inria

804 views • 54 slides

More recommend