
Exploit Hijacking: Side Effects of Smart Defenses

Costin Raiciu, Mark Handley, David S. Rosenblum, University College London. LSAD 2006.


Presentation Transcript


  1. Exploit Hijacking: Side Effects of Smart Defenses
     Costin Raiciu, Mark Handley, David S. Rosenblum, University College London. LSAD 2006

  2. What is this about?
     • Hijacking
     • Worms
     • Defenses
     • Research

  3. Does this matter?
     (plot: hosts over time, with curves for worm, defense and hijacking)
     • Defenses not deployed yet!
     • Competitive pressure

  4. Story
     • Smart Defenses
     • Hijacking
     • Impact
     • Defenses

  5. Self Certifying Alerts
     (diagram: population of hosts: detectors, susceptible hosts, protected hosts, infected hosts)
     • Detectors
       • Detect break-ins
       • Create Self Certifying Alerts
     • SCAs propagated P2P, checked at every hop

  6. What do SCAs contain? Example SCA
     Service: Microsoft SQL Server 8.00.194
     Alert type: Arbitrary Code Execution
     Verification Information: Address offset 101 of message 0
     Number messages: 1
     Message: 0 to endpoint UDP:1434
     Message data: 04, 41, 41, 41, 41, 42, 42, 42, 42, 43, 43, 43, 43, 44, 44, 44, 44, 45, 45, 45, 45, 46, 46, 46, 46, 47, 47, 47, 47, 48, 48, 48, 48, 49, 49, 49, 49, 4A, 4A, 4A, 4A, 4B, ...
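Because every hop "checks" an SCA before forwarding it (slide 5), a receiving host needs at least a parser for the record and some cheap consistency checks before it spends effort on real verification. The following is an added example, not code from the paper or from any SCA implementation: the one-field-per-line layout is an assumption reconstructed from the slide-6 record, `parse_sca` and `check_sca` are names chosen here, and the sample payload stops where the slide's does (after `4B`), which is exactly what makes the offset check fire.

```python
"""Parser and consistency checker for the SCA record shown on slide 6.
Added example: the record layout is an assumption reconstructed from the
slide; nothing here is the paper's or any SCA system's own code."""
import re
from dataclasses import dataclass, field

# Constructed sample: the slide-6 SCA with one field per line.  The slide
# truncates the message bytes after 4B, so only 42 of them are present here.
SAMPLE_SCA = """\
Service: Microsoft SQL Server 8.00.194
Alert type: Arbitrary Code Execution
Verification Information: Address offset 101 of message 0
Number messages: 1
Message: 0 to endpoint UDP:1434
Message data: 04, 41, 41, 41, 41, 42, 42, 42, 42, 43, 43, 43, 43, 44, 44, 44, 44, 45, 45, 45, 45, 46, 46, 46, 46, 47, 47, 47, 47, 48, 48, 48, 48, 49, 49, 49, 49, 4A, 4A, 4A, 4A, 4B
"""

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{1,2}")


@dataclass
class ScaMessage:
    index: int
    proto: str
    port: int
    data: bytes = b""


@dataclass
class Sca:
    service: str = ""
    alert_type: str = ""
    verify_msg: int = -1          # which message the verification data refers to
    verify_offset: int = -1       # address offset inside that message
    declared_messages: int = -1   # the "Number messages" field
    messages: list = field(default_factory=list)


def parse_sca(text):
    """Turn the textual record into an Sca; raises ValueError on malformed input."""
    sca = Sca()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("field without ':' separator: " + line)
        key, value = key.strip().lower(), value.strip()
        if key == "service":
            sca.service = value
        elif key == "alert type":
            sca.alert_type = value
        elif key == "verification information":
            m = re.fullmatch(r"address offset (\d+) of message (\d+)", value, re.I)
            if not m:
                raise ValueError("unrecognised verification information: " + value)
            sca.verify_offset, sca.verify_msg = int(m.group(1)), int(m.group(2))
        elif key == "number messages":
            sca.declared_messages = int(value)
        elif key == "message":
            m = re.fullmatch(r"(\d+) to endpoint ([A-Za-z]+):(\d+)", value)
            if not m:
                raise ValueError("unrecognised message header: " + value)
            current = ScaMessage(int(m.group(1)), m.group(2).upper(), int(m.group(3)))
            sca.messages.append(current)
        elif key == "message data":
            if current is None:
                raise ValueError("message data before any message header")
            tokens = [t.strip() for t in value.split(",")]
            bad = [t for t in tokens if not HEX_BYTE.fullmatch(t)]
            if bad:
                raise ValueError("non-hex bytes in message data: %r" % bad)
            current.data = bytes(int(t, 16) for t in tokens)
        else:
            raise ValueError("unknown field: " + key)
    return sca


def check_sca(sca):
    """Cheap structural checks a hop can run before the expensive step (replaying
    the messages against the named service).  Returns a list of problems; an
    empty list means the record is self-consistent, not that the alert is genuine."""
    problems = []
    if sca.declared_messages != len(sca.messages):
        problems.append("declared %d messages, found %d"
                        % (sca.declared_messages, len(sca.messages)))
    indices = [m.index for m in sca.messages]
    if indices != list(range(len(indices))):
        problems.append("message indices not contiguous from 0: %r" % indices)
    if not 0 <= sca.verify_msg < len(sca.messages):
        problems.append("verification refers to message %d, which is absent" % sca.verify_msg)
    else:
        msg = sca.messages[sca.verify_msg]
        if sca.verify_offset >= len(msg.data):
            problems.append("verification offset %d lies beyond the %d-byte message"
                            % (sca.verify_offset, len(msg.data)))
    for m in sca.messages:
        if m.proto not in ("UDP", "TCP"):
            problems.append("message %d: unsupported protocol %s" % (m.index, m.proto))
        if not 1 <= m.port <= 65535:
            problems.append("message %d: port %d out of range" % (m.index, m.port))
        if not m.data:
            problems.append("message %d has no data" % m.index)
    return problems


if __name__ == "__main__":
    alert = parse_sca(SAMPLE_SCA)
    print(alert.service, "->", alert.alert_type)
    for problem in check_sca(alert):
        print("problem:", problem)
```

On the truncated slide sample, `check_sca` reports that offset 101 lies beyond the 42 bytes present; with the full attack message it is silent, and the hop moves on to the real verification step.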

  7. SCA Hijacking
     (diagram: population of hosts: detectors, susceptible hosts, protected hosts, infected hosts)
     • Hijacker
       • Waits for exploit to appear
       • Uses SCA to create worm

  8. Hijacking
     Can we steal an existing exploit and use it to create malware that works in our benefit?
     • Motivation
       • Creating exploits is generally hard
       • Using other people's exploits is easy
     • Can hijacking be automated?
       • Using detectors: yes, Castaneda et al. [2004]
       • Using Self-Certifying Alerts
       • Using network level techniques: see paper

  9. Hijacking using SCAs
     (figure: example SCA, Service: Microsoft SQL Server ..., Alert type: Arbitrary Code Execution, Verify: ... offset 101 ..., Message: ...; the exploit message with shellcode at that offset)
     • The hijacker uses generic exploit code
     • Pastes it in the message at the specified offset
     • Sends the message to vulnerable hosts
     • Tested using
       • Portable shellcode (332 bytes)
       • Slammer and Blaster attack messages

  10. In reality, more complicated
     • Two additional types of SCAs
       • Arbitrary Execution Control: make the program jump to a user specified address
       • Arbitrary Function Argument: supply parameters to sensitive functions

  11. Arbitrary Execution Control SCAs
     (figure: exploit message with the SCA offset, return address, "jmp esp" and shellcode; ESP after the jump)
     • If overflow is stack based
       • Use as jump address a "jmp esp" (found one in kernel32.dll)
       • Build database of kernel32.dll offsets in applications
       • Paste exploit after return address

  12. Arbitrary Execution Control SCAs (2)
     • Other vulnerabilities, use two-phase exploit:
       • Use application functionality to map code at predictable address
       • Paste address in message using SCA data
     • Mapping code at predictable addresses:
       • Database of mappings, per application
       • Tested: Microsoft IIS 5.1:
         • Memory mapped logging
         • Predictable heap addresses
         • Stack
     (figure: IIS 5.1 memory layout after GET /resource1 ..., GET /resource2 ..., ...)

  13. Arbitrary Function Argument SCAs
     • Cannot hijack in the general case: depends on function!
     • Simple to hijack for:
       • exec syscall
       • SQL interpreter

  14. Story
     • Smart Defenses
     • Hijacking
     • Impact
     • Defenses

  15. Scenario 1: Auto-Worms
     Start with bot-net + use hijacking => larger or more valuable bot-net
     • Hijacker:
       • Runs detectors and registers for SCAs
       • Creates hit-lists for different software products
       • Spreads as fast as possible

  16. Speed Matters!
     (plot: 10% hit-list; 1% detectors, 0.1% bots)

  17. Hit-List Size Matters!
     (plot: auto-worm speed 4x; 1% detectors, 0.1% bots)

  18. Auto-Worms Impact
     • Competitive pressure
       • On exploits: turn them into worms
       • On worms: be fast or have little impact
       • On SCAs: be simultaneous or be harmful

  19. Scenario 2: Targeted Attacks
     Start with few hosts + use SCA hijacking => infect hosts in a given company, country or your ex-girlfriend's machine
     • Targeted attacker
       • Maps software on target machines slowly
       • Registers for SCAs
       • When receiving an SCA, attacks only the target machines

  20. Targeted Attacks Impact
     (plot: 10 bots (0.01%); targets: 1000 random hosts)

  21. Targeted Attacks Impact
     • Hijacker does not need many bots; uses SCAs instead
     • Assume SCAs are deployed and target machine does not use them => hijacker always wins
     • Everybody must use SCAs, otherwise things are worse

  22. Story
     • Smart Defenses
     • Hijacking
     • Impact
     • Defenses

  23. What now?
     • SCAs can be hijacked. Are they doomed?
       • Hijacking is possible even without SCAs
       • All exploits are pushed to become flash worms
       • SCAs are needed!
     • Can they be fixed?
       • SCAs are disseminated in a peer to peer fashion:
         • Tradeoff between timeliness and risk of DoS
         • Mainly due to complete lack of trust

  24. Proposal 1: ISP level SCA
     • Disseminate SCAs to ISP nodes
     • Install filters based on SCAs at ISP nodes
     • End hosts do not receive SCAs
     • Pros
       • Smaller group means faster propagation: less opportunity for hijacking
     • Cons
       • Can we protect end-hosts using filters in the network?

  25. Proposal 2: Two Phase Dissemination
     • Mimic simultaneous delivery of SCAs using 2 phases:
       • Deliver a warning to all hosts
       • Deliver the SCA after all hosts have received the warning
       • If the SCA is fake, take punitive action
     • Two types of warnings, none perfect
       • Crash SCAs, inspired by ZKP protocols
       • Commitments: signatures of SCA sensitive information
     • This can be used in tandem with ISP solutions
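The commitment variant of the two-phase scheme can be sketched end to end: in phase 1 the detector sends every host a signed commitment to the SCA's sensitive fields, and only once every host has acknowledged it does phase 2 deliver the SCA itself; a host installs the alert only if it opens a commitment it already holds and passes verification, and otherwise stops trusting that detector. The following is an added example, not the paper's code or any deployed protocol. Its assumptions: the detector's signature is modelled with an HMAC under a per-detector key each host is assumed to hold (a deployment would use a public-key signature); the `verify` callback stands in for real SCA verification (replaying the messages against the service); `disseminate` stands in for the peer-to-peer dissemination and simply waits for all acknowledgements; the sample alert is constructed from the slide-6 fields; all class and function names are chosen here.

```python
"""Two-phase SCA dissemination with commitments (slide 25), as an added
example.  HMAC stands in for the detector's signature, a callback stands in
for real SCA verification, and the coordinator stands in for P2P delivery."""
import hashlib
import hmac
import json
import os

# Constructed sample alert mirroring the slide-6 fields (payload truncated as on the slide).
SAMPLE_ALERT = {
    "service": "Microsoft SQL Server 8.00.194",
    "alert_type": "Arbitrary Code Execution",
    "verify_msg": 0,
    "verify_offset": 101,
    "messages": [{"endpoint": "UDP:1434",
                  "data": "04" + "41" * 4 + "42" * 4 + "43" * 4 + "44" * 4 + "45" * 4
                          + "46" * 4 + "47" * 4 + "48" * 4 + "49" * 4 + "4a" * 4 + "4b"}],
}


def canonical(sca):
    """Deterministic encoding of the SCA fields the commitment covers."""
    return json.dumps(sca, sort_keys=True, separators=(",", ":")).encode()


def commitment(nonce, sca):
    """Hash commitment: hides the SCA until the nonce is revealed, binds the detector to it."""
    return hashlib.sha256(nonce + canonical(sca)).hexdigest()


class Detector:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self._nonces = {}   # commitment id -> nonce, disclosed only in phase 2

    def warning(self, sca):
        """Phase 1: a signed commitment that discloses none of the SCA's messages."""
        nonce = os.urandom(16)
        cid = commitment(nonce, sca)
        self._nonces[cid] = nonce
        tag = hmac.new(self.key, (self.name + cid).encode(), "sha256").hexdigest()
        return {"detector": self.name, "commitment": cid, "tag": tag}

    def reveal(self, cid, sca):
        """Phase 2: the SCA plus the nonce that opens the earlier commitment."""
        return {"detector": self.name, "commitment": cid,
                "nonce": self._nonces[cid].hex(), "sca": sca}


class Host:
    def __init__(self, detector_keys, verify):
        self.keys = detector_keys    # assumed pre-provisioned key per known detector
        self.verify = verify         # stand-in for replaying the SCA against the service
        self.pending = {}            # commitments received, awaiting their SCA
        self.installed = []
        self.distrusted = set()      # detectors that sent a fake or mismatching SCA

    def on_warning(self, w):
        key = self.keys.get(w["detector"])
        if key is None or w["detector"] in self.distrusted:
            return False
        expected = hmac.new(key, (w["detector"] + w["commitment"]).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, w["tag"]):
            return False
        self.pending[w["commitment"]] = w["detector"]
        return True   # acknowledgement: this host is ready for phase 2

    def on_sca(self, r):
        detector = self.pending.pop(r["commitment"], None)
        if detector is None or detector != r["detector"]:
            return "rejected: no matching warning"      # out-of-band or replayed SCA
        if commitment(bytes.fromhex(r["nonce"]), r["sca"]) != r["commitment"]:
            self.distrusted.add(detector)
            return "rejected: commitment mismatch"
        if not self.verify(r["sca"]):
            self.distrusted.add(detector)                # the slide's punitive action
            return "rejected: verification failed"
        self.installed.append(r["sca"])
        return "installed"


def verify_stand_in(sca):
    """Placeholder for real verification; only checks the record refers to a message it carries."""
    return 0 <= sca["verify_msg"] < len(sca["messages"])


def disseminate(detector, sca, hosts):
    """Release the SCA only after every host has acknowledged the warning."""
    w = detector.warning(sca)
    acks = [h.on_warning(w) for h in hosts]
    if not all(acks):
        return None
    r = detector.reveal(w["commitment"], sca)
    return [h.on_sca(r) for h in hosts]


if __name__ == "__main__":
    key = os.urandom(32)
    det = Detector("detector-1", key)
    fleet = [Host({"detector-1": key}, verify_stand_in) for _ in range(3)]
    print(disseminate(det, SAMPLE_ALERT, fleet))
```

The property worth noticing is what the warning does not contain: no message bytes, so a hijacker who sees phase 1 learns only that an alert for some service is coming, and a host fed an SCA it has no commitment for (or a second copy of one it already consumed) rejects it outright.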

  26. Conclusions
     (diagram: SCAs, host-based detectors, attacks, hijacking)
     • Advances in defenses make hijacking feasible today
     • Competitive pressure makes attackers create flash worms
     • SCAs are highly needed but need fixing
     • Fixing SCAs to cope with hijacking
       • Initial steps look promising
       • Creating a full solution is challenging

  27. Q&A
     Costin Raiciu, c.raiciu@cs.ucl.ac.uk
     Thank You
