Instruction Subsets in Software Diversity

  1. Instruction Subsets in Software Diversity
     Malware Project, Nguyet Nguyen, Nov. 30th 2004

  2. Motivation: Visit the company Computer
     • CPU is the main worker of the company Computer
     • CPU joins a set of parts called Insts into robots called Softs
     • Softs work at the Computer office
     • Computer stores some gold boxes in the office
     • Insts are delivered by Developers
     • Gold boxes have some holes in them
     • The office door is open

  3. Computer’s Office [figure: Software, Gold boxes, CPU, Insts]

  4. Motivation: meet Evil
     • Mr Evil knows how CPU works
     • Mr Evil knows the holes of the gold boxes
     • Evil creates a new array of Insts that CPU assembles into a new kind of robot called Worms
     • Worms can steal gold via the holes

  5. Problems occur in the Computer Office [figure: Software, Worms, Gold boxes, CPU, Insts]

  6. Bigger Problem: All companies

  7. Current Solutions
     • Using a Gatekeeper before CPU
     • Dye the Insts with a dyeing solution, Key
     • Gatekeeper applies rev-Key to the dyed Insts
     (Randomizing Instruction DIALECTS)

  8. Hu hu, I cannot do anything [figure: Illustrator, Insts]

  9. Is it good?
     • Portable? No
     • Performance? Reduced
     • Security?
       • Relies on the enforcement environment
       • Key can be guessed

  10. Hu hu, I cannot do anything [figure: Subset, Insts]

  11. Is Instruction Subset better?
     • Portable
     • Performance: Hardware Gatekeeper
     • Security:
       • Works without the enforcement environment
       • Different sizes of versions

  12. Groups of Instructions
     • Divide the Instruction Set into Groups:
       • Group of unique instructions (UI)
       • Groups of equivalent instructions (EIs)
     • New IS = UI + new EI
     • The new EI’s members are selected from each of the old EIs

  13. Unique Instructions
     • Call
     • Int/Ret
     • Convert Instructions: Cbw, Cdq
     • Set/Clear Interrupt Flag: CLI, STI
     • ASCII and Decimal Adjust: Aaa, Aad
     • ESC, Halt
     • Lea
     • Lock
     • Nop
     • Push/Pop, PushF/PopF
     • Wait/FWait
     • In/Out

  14. Groups of EIs
     • Load instructions: lds, lodsb, lodsw
     • Store instructions: stosb, stosw
     • Branch instructions: jump, loop, repeat (35+5+5 = 45 insts)
     • Move instructions: Mov, Movs, Movsx, Movzx
     • Add/Sub: Add, Inc, Dec, Sub
     • Mul/Div: imul, mul, idiv, div
     • Test:
     • Interchange: Cmp and Change
     • Flags set:
     • Logical Operation: and, or, xor, not (4 insts)

  15. Transformation
     • Some transformations are easy, others are not
     • Transformation complexity depends on other groups
     Ex:
     • dec and sub
     • Jmp → Mov ax,0; Je ax

  16. Instruction selection in EI sets
     • Insts with transformation complexity are statically omitted or allowed (50% chance of being allowed)
       • Inc, dec, mov, jmp
     • Pick randomly 1 of the remaining instructions

  17. Does it work?
     • 3 questions:
       • Is it possible for a worm to use only UI to complete its work?
       • How many diverse subsets do we have?
       • How long should a worm be to ensure an acceptable rate of protection?

  18. Question 1: Is UI enough?
     • NO
     • Why?
       • A worm should use a Jump
       • A worm should use a load
     • Verification?
       • CodeRed
       • Sapphire
       • Nimda
       • Unix worms: ADM Worm v1

  19. Question 2: How diverse is this approach?
     • The number of different versions we have is: 2^(number_of_static_inst) × number_of_EI1 × …
     • Depends on the number of EIs to which we apply the selection process and how many instructions we pick from each set

  20. Question 3: Performance?
     • Does not depend on how long a worm is
     • It depends on how many different instructions a worm uses
     • Using only opcodes limits the opportunities for subset diversity

  21. Example: Sapphire
     • Instructions used: push, mov, xor, loop, lea, call, cmp, jz, or, shl, jmp
     • UI: push, call, lea
     • OI:
       • Logical Operation: or, xor, cmp, shl
       • Branch Operation: loop, jz, jmp
       • Move Operation: mov
     PERFORMANCE: P(all insts pass) = 2(3/4)(2/3)(1/45)(1/45)(1/2) = 10^-4
     Anything wrong?
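As an added example (my code, not the presentation's), the selection rule of slides 12, 16 and 19 turned into a model that counts the versions and computes the exact probability that the Sapphire instruction list of slide 21 survives one random subset. It assumes each EI group keeps `picks` randomly chosen non-static members (one, as on slide 16, or more, as slide 19 mentions), that each static instruction of slide 16 is allowed independently with probability 1/2, and that instructions the slides do not assign to a group (push, call, lea, cmp, shl) are always allowed; group contents follow slide 14, with placeholder names filling out the 45-member branch group.

```python
from fractions import Fraction
from math import comb, prod

# Assumed model of the scheme in the slides (not the author's code).
STATIC = {"inc", "dec", "mov", "jmp"}                      # slide 16: each allowed with p = 1/2
EI = {                                                     # slide 14 groups
    "logical": ["and", "or", "xor", "not"],
    "move":    ["mov", "movs", "movsx", "movzx"],
    "addsub":  ["add", "inc", "dec", "sub"],
    "muldiv":  ["imul", "mul", "idiv", "div"],
    # slide 14 counts 45 branch insts; only three are named on slide 21, the rest are placeholders
    "branch":  ["jmp", "loop", "jz"] + [f"branch{k}" for k in range(42)],
}

def candidates(group):
    """Non-static members of a group: the ones eligible for the random pick."""
    return [i for i in EI[group] if i not in STATIC]

def num_versions(picks=1):
    """Slide 19: 2^(#static insts) times, for every group, the ways to choose `picks` members."""
    return 2 ** len(STATIC) * prod(comb(len(candidates(g)), picks) for g in EI)

def pass_probability(worm, picks=1):
    """Exact probability that every distinct instruction of `worm` is kept by one random subset."""
    used = set(worm)
    p = Fraction(1, 2) ** len(used & STATIC)               # each static inst survives with 1/2
    for g in EI:
        n = len(candidates(g))
        m = len(used & set(candidates(g)))                 # distinct worm insts drawn from g
        if m > picks:                                      # the worm needs more than are kept
            return Fraction(0)
        # all m used insts must be among the `picks` chosen out of n
        p *= Fraction(comb(n - m, picks - m), comb(n, picks))
    return p                                               # insts in no group count as UI

# Sapphire's instruction list from slide 21 (constructed from the slide, in slide order)
SAPPHIRE = ["push", "mov", "xor", "loop", "lea", "call", "cmp", "jz", "or", "shl", "jmp"]

if __name__ == "__main__":
    for k in (1, 2):
        print(f"picks={k}: versions={num_versions(k)}, "
              f"P(Sapphire passes)={pass_probability(SAPPHIRE, k)}")
```

With one pick per group the probability is zero, because Sapphire uses two logical instructions (or, xor) and two branch instructions (loop, jz) from groups that keep only one member each; the product on slide 21 treats those as independent draws.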

  22. How to enhance Diversity?
     • Determine how many instructions are needed to complete a worm
     • Enhance the diversity of UI by adding addressing mode/operand mode
     • Complicated? Yes
     • How to reduce costs: apply it only to “important instructions”

  23. High Level Hypothesis about worms
     • Every worm needs to use a call
     • Every worm needs to use a push
     • Every worm needs communication instructions?
     • Every worm needs a load or a store
     • Every worm needs at least one of the arithmetic instructions
     What do we need?

  24. Push and Call
     • Push: 6 Operand Modes
     • Call: 30 Operand Modes
       • 6 near
       • 8 far
       • 4 task
       • 12 gate

  25. Example: Sapphire (II)
     • Call: call eax; call dword ptr [esi]
     • Push: push 42B0C9DCh; push eax; call esi
     PERFORMANCE: P(all call/push passed) = (1/6)(1/8)(1/6)(1/6)(1/6)

  26. Issues?
     • Instruction Guessing?
       • Worms may not be fast enough
       • People can try to guess from simple to complicated instructions
     • Hypothesis proof
       • Disassembled code
       • Static Analysis

  27. Conclusions
     Nothing is perfect
     More solutions of diversity → better diversity

  28. Thank you