stringer measuring the importance of static data
play

Stringer: Measuring the Importance of Static Data Comparisons to - PowerPoint PPT Presentation

Nov 14, 2022 •270 likes •700 views

Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and Undocumented Functionality Sam L. Thomas , Tom Chothia, Flavio D. Garcia School of Computer Science University of Birmingham Birmingham United Kingdom B15

  1. Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and Undocumented Functionality Sam L. Thomas , Tom Chothia, Flavio D. Garcia School of Computer Science University of Birmingham Birmingham United Kingdom B15 2TT { s.l.thomas,t.p.chothia,f.garcia } @cs.bham.ac.uk European Symposium on Research in Computer Security (ESORICS) 2017 Thomas, Chothia, Garcia Stringer ESORICS 2017 1 / 41

  2. Challenge How do we reduce the manual effort required to identify undocumented functionality and backdoors within software? Thomas, Chothia, Garcia Stringer ESORICS 2017 2 / 41

  3. Challenge How do we reduce the manual effort required to identify undocumented functionality and backdoors within software? Thomas, Chothia, Garcia Stringer ESORICS 2017 3 / 41

  4. Motivation Undocumented functionality? Backdoors? Authentication bypass by “magic” words. Hard-coded credential checks. Additional protocol messages that activate unexpected functionality. Thomas, Chothia, Garcia Stringer ESORICS 2017 4 / 41

  5. Application Focus on embedded device firmware – it’s a challenging target: Lots of devices, lots of firmware. Multiple firmware versions for each device. Impossible to manually analyse every firmware image. Thomas, Chothia, Garcia Stringer ESORICS 2017 5 / 41

  6. Stringer Thomas, Chothia, Garcia Stringer ESORICS 2017 6 / 41

  7. Objective Identify interesting code structures and static data comparisons that lead to backdoor-like behaviour. Lightweight analysis. Thomas, Chothia, Garcia Stringer ESORICS 2017 7 / 41

  8. Method 1 Automatically identify static data comparison functions. 2 A metric for measuring the degree a binary’s functions branching is influenced by comparisons with static data. Thomas, Chothia, Garcia Stringer ESORICS 2017 8 / 41

  9. Stringer For a given binary: 1 Identify all possible static data comparison functions: Thomas, Chothia, Garcia Stringer ESORICS 2017 9 / 41

  10. Stringer 2 Label the basic blocks of all functions with the sets of static data sequences that must be matched against to reach them: Thomas, Chothia, Garcia Stringer ESORICS 2017 10 / 41

  11. Stringer 3 Using the computed sets, calculate a score for each element of static data: A = 100 B = 200 . . . Thomas, Chothia, Garcia Stringer ESORICS 2017 11 / 41

  12. Stringer 3 Using the computed sets, calculate a score for each element of static data: A = 100 B = 200 . . . 4 Finally, using the scores for each item of static data, compute a score for each function: f = 300 . . . Thomas, Chothia, Garcia Stringer ESORICS 2017 11 / 41

  13. Identifying Static Data Comparison Functions Thomas, Chothia, Garcia Stringer ESORICS 2017 12 / 41

  14. Identifying static data comparison functions Approach based upon concrete observations: Analyse calls to static data comparison functions in C/C++ binaries. Collect properties that are common amonst them: call-sites, number of arguments, how they influence branching, . . . Thomas, Chothia, Garcia Stringer ESORICS 2017 13 / 41

  15. Motivating Example HTTP protocol parser from mini httpd binary: Thomas, Chothia, Garcia Stringer ESORICS 2017 14 / 41

  16. Call-site Properties Argument references : at least one argument refers to the data/read-only data section: Thomas, Chothia, Garcia Stringer ESORICS 2017 15 / 41

  17. Call-site Properties Function arity : (number of arguments passed): usually 2-3: Thomas, Chothia, Garcia Stringer ESORICS 2017 16 / 41

  18. Call-site Properties Branching properties : boolean comparison (i.e. matches or not): Thomas, Chothia, Garcia Stringer ESORICS 2017 17 / 41

  19. Call-site Properties Local call frequency : (for parsers: use same comparison function many times with different static data): Thomas, Chothia, Garcia Stringer ESORICS 2017 18 / 41

  20. Data Properties Identify static data properties (with parsers in mind): Thomas, Chothia, Garcia Stringer ESORICS 2017 19 / 41

  21. Finding Static Data Comparisons 1 For each function, identify blocks that contain function calls. 2 Filter those blocks where the function call does not influence branching or the comparison condition is not boolean. Thomas, Chothia, Garcia Stringer ESORICS 2017 20 / 41

  22. Finding Static Data Comparisons (cont.) 3 For each argument, tag what it refers to: data section, read-only data section, other (e.g. register): Thomas, Chothia, Garcia Stringer ESORICS 2017 21 / 41

  23. Finding Static Data Comparisons (cont.) 4 Using these assignments, update likelihood of function being a comparison function: Thomas, Chothia, Garcia Stringer ESORICS 2017 22 / 41

  24. Assigning Scores to Static Data & Functions Thomas, Chothia, Garcia Stringer ESORICS 2017 23 / 41

  25. Scoring Goals A means to discover those branches within each function that are dependent upon static data and assign them and the associated static data a score of relative importance in relation to other such branches within that function based upon how much unique functionality they guard. A function-level score that signifies which functions contain a relatively high density of decision logic that depends on comparison with static data (i.e. a large amount of their decision logic is influenced by comparison with static data). Thomas, Chothia, Garcia Stringer ESORICS 2017 24 / 41

  26. Control Flow Properties Minimise the score propagated from join-points - blocks reached by many paths: Thomas, Chothia, Garcia Stringer ESORICS 2017 25 / 41

  27. Control Flow Properties Maximise score of blocks that guard unique functionality - can’t be reached by any other path: Thomas, Chothia, Garcia Stringer ESORICS 2017 26 / 41

  28. Computation of Scores Two stage process: 1 Compute static data sequences: sets of sequences of static data that must be matched to reach each block. 2 Distribute scores based upon computed static data sequences. Thomas, Chothia, Garcia Stringer ESORICS 2017 27 / 41

  29. Computation of Static Data Sequences Compute sets of sequences of static data that must be matched to reach a given block: Thomas, Chothia, Garcia Stringer ESORICS 2017 28 / 41

  30. Computation of Static Data Scores 1 For each block’s static data set of sequences, we calculate a fraction of how each element of static data impacts the reachability to that block; e.g. for block 6: Thomas, Chothia, Garcia Stringer ESORICS 2017 29 / 41

  31. Computation of Static Data Scores 1 For each block’s static data set of sequences, we calculate a fraction of how each element of static data impacts the reachability to that block; e.g. for node 6: We have: { [ A ] , [ A , B , C ] } , so we calculate: A : 2 2 , B : 1 2 , C : 1 2 . Thomas, Chothia, Garcia Stringer ESORICS 2017 30 / 41

  32. Computation of Static Data Scores 2 We calculate two other values for the block ( b ): 1 ω ( b ) deg in ( b ) A base score for the block The penalty incurred for being reachable by multiple blocks Thomas, Chothia, Garcia Stringer ESORICS 2017 31 / 41

  33. Computation of Static Data Scores 3 . . . and calculate the update to the influence of an element of static data; e.g. for C : C score ← C score + ω ( b ) × ln(1 + 1 1 2 × deg in ( b ) ) Thomas, Chothia, Garcia Stringer ESORICS 2017 32 / 41

  34. Computation of Function Score The score assigned to a function is the sum of the scores assigned to the static data that influences its branching. From the previous example: f score = A score + B score + C score Thomas, Chothia, Garcia Stringer ESORICS 2017 33 / 41

  35. Results & Evaluation Thomas, Chothia, Garcia Stringer ESORICS 2017 34 / 41

  36. Hard-coded Credentials in Ray Sharp DVR Firmware Identification of hard-coded credential pair in Ray Sharp DVR firmware: Comparison Function Score 5170 . 30 strcmp sub 1C7EC ( strcmp wrapper) 1351 . 96 1109 . 73 strncmp 353 . 93 strstr 222 . 00 memcmp (1) (2) Label Score Static Data Function Depends 1 30 . 23 664225 strcmp { [] } 2 2 . 77 { [ 664225 ] } root strcmp Thomas, Chothia, Garcia Stringer ESORICS 2017 35 / 41

  37. Hard-coded Credentials in Q-See DVR Firmware Identification of a hard-coded credential backdoor in DVR firmware – different behaviour for each hardcoded password: Comparison Function Score 1464 . 70 strcmp (1) 779 . 33 strncmp (5) CRYPTO malloc (FP) 685 . 10 (2) ZNKSs7compareEPKc 376 . 20 (3) 306 . 00 strstr 196 . 00 (6) strcasecmp (4) Label Score Static Data Function Depends (7) 1 171 . 39 { [] } admin strcmp 2 58 . 92 { [ admin ] } ppttzz51shezhi strcmp 3 45 . 13 { [ admin ] } 6036logo strcmp + 4 42 . 14 { [ admin ] } 6036adws strcmp 5 37 . 54 { [ admin ] } 6036huanyuan strcmp 6 35 . 21 { [ admin ] } 6036market strcmp 7 31 . 05 jiamijiami6036 strcmp { [ admin ] } Thomas, Chothia, Garcia Stringer ESORICS 2017 36 / 41

  38. TrendNet HTTP Authentication with Hard-coded Credentials HTTP authentication check with comparison against hard-coded credential values: Comparison Function Score 1635 . 01 strcmp 481 . 20 strstr nvram get (FP) 413 . 10 strncmp 265 . 45 sub A2D0 (FP) 131 . 00 Static Data Score Function Depends 132 . 17 { . . . } emptyuserrrrrrrrrrrr strcmp 128 . 61 { [ . . . , emptyuserrrrrrrrrrrr ] } emptypasswordddddddd strcmp Thomas, Chothia, Garcia Stringer ESORICS 2017 37 / 41

Recommend

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New

Mining Data that Changes 17 July 2015 Data is Not Static Data is not static New transactions, new friends, stop following somebody in T witter, But most data mining algorithms assume static data Even a minor change requires

925 views • 44 slides
THE IMPORTANCE OF MEASURING OUTCOMES IN PBIS ORGANIZATIONS SERVING INDIVIDUALS WITH I/DD 17 TH

THE IMPORTANCE OF MEASURING OUTCOMES IN PBIS ORGANIZATIONS SERVING INDIVIDUALS WITH I/DD 17 TH

THE IMPORTANCE OF MEASURING OUTCOMES IN PBIS ORGANIZATIONS SERVING INDIVIDUALS WITH I/DD 17 TH INTERNATIONAL CONFERENCE ON POSITIVE BEHAVIOR SUPPORT ROBERT PUTNAM, STEWART SHEAR, MEG DEPASQUALE, JENNIFER JEFFREY-PEARSALL MARCH 13, 2020

448 views • 30 slides
The Importance of Measuring Outcomes in PBIS Organizations Serving Individuals with I/DD Bob

The Importance of Measuring Outcomes in PBIS Organizations Serving Individuals with I/DD Bob

The Importance of Measuring Outcomes in PBIS Organizations Serving Individuals with I/DD Bob Putnam May Institute Steward Shear Devereux Jennifer Jeffrey-Pearsall Sheppard Pratt Health System Meg DePasquale Maryland Development Disabilities

515 views • 25 slides
Party on! A new, conditional variable importance A new, conditional importance measure for

Party on! A new, conditional variable importance A new, conditional importance measure for

Measuring variable Party on! A new, conditional variable importance A new, conditional importance measure for random forests importance Conclusion available in party References Carolin Strobl (LMU M unchen) and Achim Zeileis (WU Wien)

639 views • 21 slides
Jonathan Sharples jonathan.sharples@eefoundation.org.uk Eleanor Stringer

Jonathan Sharples jonathan.sharples@eefoundation.org.uk Eleanor Stringer

Raising the Bar Challenge Fund: Scaling up evidence-based programmes 27 th April 2016 Jonathan Sharples jonathan.sharples@eefoundation.org.uk Eleanor Stringer eleanor.stringer@eefoundation.org.uk www.educationendowmentfoundation.org.uk Who we

149 views • 11 slides
Measuring Happiness the Big Data Way Measuring emotional content Clinical and Translational

Measuring Happiness the Big Data Way Measuring emotional content Clinical and Translational

Happiness Some motivation Measuring Happiness the Big Data Way Measuring emotional content Clinical and Translational Research Seminar, UVM Data sets Analysis Songs Peter Dodds, Chris Danforth, Blogs SOTU Isabel Kloumann, Cathy Bliss,

886 views • 62 slides
Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static properties 2.2 Generative models for random graphs 2.3 Measures of node importance Summer Term 2009 Web Dynamics 2 1 Notation: Graphs G=(V(G),E(G))

766 views • 57 slides
Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static

Web Dynamics Part 2 Modeling static and evolving graphs 2.1 The Web graph and its static properties 2.2 Generative models for random graphs 2.3 Measures of node importance Summer Term 2010 Web Dynamics 2-1 Notation: Graphs

890 views • 58 slides
Measuring Happiness the Big Data Way Measuring emotional content DPG Spring Meeting, Dresden

Measuring Happiness the Big Data Way Measuring emotional content DPG Spring Meeting, Dresden

Happiness Some motivation Measuring Happiness the Big Data Way Measuring emotional content DPG Spring Meeting, Dresden 2011 Data sets Analysis Songs Peter Dodds, Chris Danforth, Blogs Tweets Isabel Kloumann, Cathy Bliss, and Kameron

791 views • 55 slides
Building socket-aware BPF programs Joe Stringer Cilium.io Linux Plumbers 2018, Vancouver, BC

Building socket-aware BPF programs Joe Stringer Cilium.io Linux Plumbers 2018, Vancouver, BC

Building socket-aware BPF programs Joe Stringer Cilium.io Linux Plumbers 2018, Vancouver, BC Joe Stringer BPF Socket Lookup Nov 13, 2018 1 / 32 Joe Stringer BPF Socket Lookup Nov 13, 2018 2 / 32 Background Network Policy Endpoint A

432 views • 32 slides
Measuring variable importance in random forests Variable Variable importance in RF importance

Measuring variable importance in random forests Variable Variable importance in RF importance

Measuring variable importance in random forests Variable Variable importance in RF importance in RF 1 1 1 1 Start Start Start Start p < 0.001 p < 0.001 p < 0.001 p < 0.001 A Comparison of Different 8 > 8 12

282 views • 16 slides
Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets

Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets

Technische Universitt Mnchen Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets Using the Expected Systemic Shortfall (ESS) Indicator Lahmann / Kaserer (2011) 11 th Annual Bank Research

207 views • 20 slides
Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of Computer Science CAV 2017 ETH Zurich July 22-28, Heidelberg Writing a Static Analyzer Framework for Java Static Type Checker Static Type

805 views • 46 slides
Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel

Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel

Learning a Static Analyzer from Data by Pavol Bielik, Veselin Raychev, and Martin Vechev Daniel Perez The University of Tokyo January 29, 2018 Static analyzers Writing a static analyzer is hard JavaScript points-to sample global.length = 4;

299 views • 15 slides
Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers 2019, Lisbon, Portugal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 1 / 29 Overview 1 Background 2 Deploying fast datapaths fast

831 views • 53 slides
Measuring happiness Measuring emotional content Santa Fe Institute, June 10, 2009 Data sets

Measuring happiness Measuring emotional content Santa Fe Institute, June 10, 2009 Data sets

Happiness Some motivation Measuring happiness Measuring emotional content Santa Fe Institute, June 10, 2009 Data sets Analysis Songs Blogs Peter Dodds & Chris Danforth SOTU Future work Prediction Department of Mathematics &

1.05k views • 91 slides
Static and Method Overloading static One per class, not per object static variables

Static and Method Overloading static One per class, not per object static variables

Static and Method Overloading static One per class, not per object static variables all instances of the class share the same static variable example: serial/VIN number for Car static methods invoked through class

324 views • 7 slides
Static and Dynamic Data in Past and Future Machine Translation Michael Carl CBS - CRITT

Static and Dynamic Data in Past and Future Machine Translation Michael Carl CBS - CRITT

Static and Dynamic Data in Past and Future Machine Translation Michael Carl CBS - CRITT Overview Three origins of data-driven MT concepts / representations / connectivity Static data-driven MT example-based & statistical MT

965 views • 38 slides
1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

Static/ Dynamic Deformation I ntroduction to Static deformation Dynamic deformation Static/ Dynamic Deformation with Mass-Spring Systems undeformed shape f internal + = f inertia = 0 f external Min Gyu Choi deformed

426 views • 4 slides
openvswitch.ko minus Open vSwitch Joe Stringer, VMware

openvswitch.ko minus Open vSwitch Joe Stringer, VMware

openvswitch.ko minus Open vSwitch Joe Stringer, VMware http://garfieldminusgarfield.net/post/26843739 2 Software-Defined Networking 3 Flows Classify a set of packets that have some common criteria Not all flows are created equal

755 views • 32 slides
Measuring Intangible Assets (IP & Data) for the Knowledge-based and Data-driven Economy Jim

Measuring Intangible Assets (IP & Data) for the Knowledge-based and Data-driven Economy Jim

Measuring Intangible Assets (IP & Data) for the Knowledge-based and Data-driven Economy Jim Balsillie Chair and Co-founder of CIGI IMF Statistical Forum November 20, 2018 Big Data, Artificial Intelligence and Machine-learning Challenges

342 views • 13 slides
SYNTHETIC DATA GENERATION FOR AN ALL-IN-ONE DMS Sagar Bhokre NEED FOR SYNTHETIC DATA Where does

SYNTHETIC DATA GENERATION FOR AN ALL-IN-ONE DMS Sagar Bhokre NEED FOR SYNTHETIC DATA Where does

SYNTHETIC DATA GENERATION FOR AN ALL-IN-ONE DMS Sagar Bhokre NEED FOR SYNTHETIC DATA Where does real world data fall short? High resolution devices are needed for measuring parameters headpose, gaze Some measuring devices interfere with

263 views • 23 slides
A YANG Data Model for MPLS Base and Static LSPs (draft-saad-mpls-static-yang-00) Tarek Saad

A YANG Data Model for MPLS Base and Static LSPs (draft-saad-mpls-static-yang-00) Tarek Saad

IETF 94 Yokohama Nov 2015 A YANG Data Model for MPLS Base and Static LSPs (draft-saad-mpls-static-yang-00) Tarek Saad (Cisco) Kamran Raza (Cisco) >> Presenter Rakesh Gandhi (Cisco) Xufeng Liu (Ericsson) Vishnu Pavan Beeram

325 views • 16 slides
implications for high-value agriculture Nicholas Minot , Randy Stringer, Wendy Umberger, and

implications for high-value agriculture Nicholas Minot , Randy Stringer, Wendy Umberger, and

Urban shopping patterns and implications for high-value agriculture Nicholas Minot , Randy Stringer, Wendy Umberger, and Wahida 28 March 2013 ARD / East Asia & the Pacific region The World Bank, Washington, DC INTERNATIONAL FOOD POLICY

588 views • 26 slides

More recommend