Instruction subsets in software diversity
Presentation Transcript


Instruction Subsets in Software Diversity

Malware Project

Nguyet Nguyen

Nov. 30th 2004


Motivation: Visit the company Computer

  • CPU is the main worker of the company Computer

  • CPU joins sets of parts called Insts into robots called Softs

  • Softs work at the Computer office

  • Computer stores some gold boxes in the office

  • Insts are delivered by Developers

  • Gold boxes have some holes in them

  • The office door is open


Computer’s Office

(Diagram: Software, Gold boxes, CPU and Insts inside the office)


Motivation: meet Evil

  • Mr Evil knows how CPU works

  • Mr Evil knows the holes of gold boxes

  • Evil creates a new array of Insts that CPU will assemble into a new kind of robot called a Worm

  • Worms can steal gold via the holes


Problems occur in Computer’s Office

(Diagram: Software, Worms, Gold boxes, CPU and Insts inside the office)


Bigger Problem: All companies


Current Solutions

  • Using a Gatekeeper before CPU

  • Dye the Insts with a dyeing solution, the Key

  • Gatekeeper applies the reverse Key (rev-Key) to the dyed Insts

Randomizing

Instruction DIALECTS


“Hu hu, I cannot do anything”

(Diagram: Illustrator and the dyed Insts)


Is it good?

  • Portable? No

  • Performance? Reduced

  • Security?

    • Relies on the enforcement environment

    • Key can be guessed


“Hu hu, I cannot do anything”

(Diagram: Subset of Insts)


Is Instruction Subset better?

  • Portable

  • Performance: Hardware Gatekeeper

  • Security:

    • Works without the enforcement environment

    • Different sizes of versions


Groups of Instructions

  • Divide the Instruction Set into Groups:

    • Group of unique instructions (UI)

    • Groups of equivalent instructions (EIs)

  • New IS = UI + new EI

    • The new EI’s members are selected from each of the old EIs


Unique Instructions

  • Call

  • Int/Ret

  • Convert Instructions: Cbw, Cdq

  • Set/Clear Interrupt Flag: CLI, STI

  • ASCII and Decimal Adjust: Aaa, Aad

  • ESC, Halt

  • Lea

  • Lock

  • Nop

  • Push/Pop, PushF/PopF

  • Wait/FWait

  • In/Out


Groups of EIs

  • Load instructions: lds, lodsb, lodsw

  • Store instructions: stosb, stosw

  • Branch instructions: jump, loop, repeat (35+5+5 = 45 insts)

  • Move instructions: Mov, Movs, Movsx, Movzx

  • Add/Sub: Add, Inc, Dec, Sub

  • Mul/Div: imul, mul, idiv, div

  • Test:

  • Interchange: Cmp and Change

  • Flags set:

  • Logical Operation: and, or, xor, not (4 insts)


Transformation

  • Some transformations are easy, others are not

  • Transformation complexity depends on other groups

    Ex:

    • dec and sub

    • Jmp → Mov ax,0 ; Je ax


Instruction selecting in EI sets

  • Insts with transformation complexity are statically omitted or allowed (50% chance of being allowed)

    • Inc, dec, mov, jmp

  • Pick randomly 1 of the remaining instructions


  • Does it work?

    • 3 questions:

      • Is it possible for a worm to use only UI to complete its work?

      • How many diverse subsets do we have?

      • How long should a worm be to ensure an acceptable rate of protection?


    Question 1: Is UI enough?

    • NO

    • Why?

      • A worm should use a Jump

      • A worm should use a load

    • Verification?

      • CodeRed

      • Sapphire

      • Nimda

      • Unix worms: ADM Worm v1


    Question 2: How diverse is this approach?

    • The number of different versions we have is:

      2^(number_of_static_inst) × number_of_EI_1 × …

    • Depends on the number of EIs to which we apply the selecting process and how many instructions we pick in a set
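The subset construction from the Groups of Instructions and Instruction selecting slides, together with the version count of Question 2 and the per-worm pass rate of Question 3, as an added Python model that is not the talk's own code. The UI/EI group membership and the worm opcode lists used to exercise it are assumptions abbreviated from the slide lists.

```python
"""Opcode-level model of the talk's instruction-subset scheme (added example,
not the talk's code). Group membership is an assumption abbreviated from the
slides' UI/EI lists; a real gatekeeper would cover the whole x86 ISA."""
from fractions import Fraction
import random

UI = {"call", "push", "pop", "lea", "nop", "ret", "int", "in", "out"}  # always allowed
EIS = {  # groups of equivalent instructions (assumed membership)
    "load":   {"lds", "lodsb", "lodsw"},
    "store":  {"stosb", "stosw"},
    "branch": {"jmp", "je", "jz", "jne", "loop", "rep"},
    "move":   {"mov", "movs", "movsx", "movzx"},
    "addsub": {"add", "inc", "dec", "sub"},
    "muldiv": {"mul", "imul", "div", "idiv"},
    "logic":  {"and", "or", "xor", "not"},
}
# Hard-to-transform insts: statically omitted or allowed with P=1/2 each,
# instead of competing for their group's single random pick.
STATIC = {"inc", "dec", "mov", "jmp"}


def number_of_versions() -> int:
    """2^(#static insts) x product over EIs of |remaining members|."""
    count = 2 ** len(STATIC)
    for members in EIS.values():
        count *= len(members - STATIC)
    return count


def pass_probability(worm_opcodes) -> Fraction:
    """P(a random subset accepts every opcode the worm uses)."""
    needed = set(worm_opcodes) - UI
    prob = Fraction(1)
    for members in EIS.values():
        hits = needed & members
        needed -= hits
        prob *= Fraction(1, 2) ** len(hits & STATIC)
        picks = hits - STATIC  # a group keeps exactly one random member
        if len(picks) > 1:
            return Fraction(0)
        prob *= Fraction(1, len(members - STATIC)) ** len(picks)
    return prob if not needed else Fraction(0)  # opcode outside the model


def random_subset(seed=None) -> set:
    """Draw one diversified subset, as the gatekeeper would be configured."""
    rng = random.Random(seed)
    chosen = set(UI)
    for members in EIS.values():
        chosen |= {i for i in members & STATIC if rng.random() < 0.5}
        chosen.add(rng.choice(sorted(members - STATIC)))
    return chosen
```

A worm that needs two members of one EI group is rejected by every subset, so the pass rate is driven by how many distinct groups the worm touches rather than by its length, which is the point of Question 3.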


    Question 3: Performance?

    • Does not depend on how long a worm is

    • It depends on how many different instructions a worm uses

    • Using only the opcode limits the opportunities for subset diversity


    Example: Sapphire

    • push

    • mov

    • xor

    • loop

    • lea

    • call

    • cmp

    • jz

    • or

    • shl

    • jmp

    UI: push, call, lea

    • OI:

      • Logical Operation: or,xor, cmp, shl

      • Branch Operation: loop, jz, jmp

      • Move Operation: mov

    PERFORMANCE:

    P(all insts pass) = 2 · (3/4) · (2/3) · (1/45) · (1/45) · (1/2)

    = 10^-4

    Anything wrong?


    How to enhance Diversity?

    • Determine how many instructions are needed to complete a worm

    • Enhance diversity of UI by adding addressing mode/operand mode

      • Complicated? Yes

      • How to reduce costs: apply it only to “important instructions”


    High Level Hypothesis about worms

    • Every worm needs to use a call

    • Every worm needs to use a push

    • Every worm needs communication instructions?

    • Every worm needs a load or a store

    • Every worm needs at least one arithmetic instruction

    What do we need?


    Push and Call

    • Push: 6 Operand Modes

    • Call: 30 Operand Modes

      • 6 near

      • 8 far

      • 4 task

      • 12 gate


    Example: Sapphire (II)

    • Call

      call eax

      call dword ptr [esi]

    • Push:

      push 42B0C9DCh

      push eax

      call esi

    PERFORMANCE:

    P(all call/push passed) = (1/6) · (1/8) · (1/6) · (1/6) · (1/6)


    Issues?

    • Instruction Guessing?

      • Worms may not be fast enough

      • People can try to guess from simple to complicated instructions

    • Hypothesis proof

      • Disassembled code

      • Static Analysis


    Conclusions

    Nothing is perfect

    More solutions of diversity → better diversity


    Thank you

