Shellos enabling fast detection and forensic analysis of code injection attacks
Download
1 / 38

SHELLOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks - PowerPoint PPT Presentation


  • 139 Views
  • Uploaded on

SHELLOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks. Kevin Z. Snow, Srinivas Krishnan, Fabian Monrose University of North Carolina at Chapel Hill Niels Provos Google 20 th USENIX Security (August, 2011). Outline. Introduction Related Work

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'SHELLOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks' - sef


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Shellos enabling fast detection and forensic analysis of code injection attacks

SHELLOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks

Kevin Z. Snow, Srinivas Krishnan, Fabian Monrose

University of North Carolina at Chapel Hill

NielsProvos

Google

20th USENIX Security (August, 2011)


Outline
Outline Code Injection Attacks

  • Introduction

  • Related Work

  • Challenges for Software-based CPU Emulation Detection Approaches

  • Our Approach

  • Evaluation

  • Limitations

A Seminar at Advaced Defense Lab


Introduction
Introduction Code Injection Attacks

  • In recent years, code-injection attacks have become a widely popular modus operandi for performing malicious actions on network services and client-based programs.[link]

  • Exploitation toolkits

    • Phoenix [link]

A Seminar at Advaced Defense Lab


Malicious pdf files
Malicious PDF Files Code Injection Attacks

  • Today, malicious PDFs are distributed via mass mailing, targeted email, and drive-by downloads.

  • The “stream objects” in PDF allow many types of encodings to be used, including multi-level compression, obfuscation, and even encryption.

A Seminar at Advaced Defense Lab


Dynamic analysis
Dynamic Analysis Code Injection Attacks

  • The key to detecting these attacks lies in accurately discovering the presence of the shellcode in network payloads or process buffers.

  • In this paper, we argue that a promising technique for detecting shellcode is to examine the input and efficiently execute its content to find what lurks within.

A Seminar at Advaced Defense Lab


Related work
Related Work Code Injection Attacks

  • Finding the presence of malicious code by searching for tell-tale signs of executable code

  • Toth and Kruegel, “Accurate Buffer Overflow Detection via Abstract Payload Execution”, 2002

A Seminar at Advaced Defense Lab


Network level emulation
Network-level Emulation Code Injection Attacks

  • Polychronakis et al., “Network-level Polymorphic Shellcode Detection using Emulation”, 2006

A Seminar at Advaced Defense Lab


Challenges for software based cpu emulation detection approaches
Challenges for Software-based CPU Emulation Detection Approaches

  • the instruction set for modern CISC architectures is very complex, and so it is unlikely that software emulators will ever be bug free.

    • FPU-based GetPC instructions [link]

  • Special purpose CPU emulators

    • Nemu, libemu[link]

    • large subsets of instructions rarely used by injected code are skipped

A Seminar at Advaced Defense Lab


Emulation performance
Emulation Performance Approaches

  • the vast majority of network streams will contain benign data, some of which might be significant in size.

  • A separate execution chain must be attempted for each offset in a network stream because the starting location of injected code is unknown.

A Seminar at Advaced Defense Lab


Our approach
Our Approach Approaches

  • We allow instruction sequences to execute directly on the CPU using hardware virtualization, and only trace specific memory reads, writes, and executions through hardware-supported paging mechanisms.

  • Our design for enabling hardware-support of code injection attacks is built upon Kernel-based Virtual Machine (KVM).

A Seminar at Advaced Defense Lab


Architecture
Architecture Approaches

A Seminar at Advaced Defense Lab


The shellos kernel
The SHELLOS Kernel Approaches

  • The kernel supports loading arbitrary snapshots created using the minidump format[link].

  • instructions are executed directly on the CPU in usermode until execution is interrupted by a fault, trap, or timeout.

A Seminar at Advaced Defense Lab


Detection
Detection Approaches

  • We force a trap to occur on access to an arbitrary virtual address by clearing the present bit of the page entry.

  • Any heuristic based on memory reads, writes, or executions can be supported with coarse-grained tracing.

A Seminar at Advaced Defense Lab


Porting other s solution
Porting other’s solution Approaches

  • we chose to implement the PEB heuristic proposed by Polychronakis et al.

  • This heuristic detects injected code that parses the process-level TEB and PEB data structures.

A Seminar at Advaced Defense Lab


Diagnostics
Diagnostics Approaches

  • We place traps on the addresses of the specific functions, and when triggered, a handler for the corresponding call is invoked.

A Seminar at Advaced Defense Lab


Extensibility
Extensibility Approaches

  • We built two platforms that rely on ShellOS to scan buffers for injected code.

  • For client-based programs

    • We implemented a lightweight memory monitoring facility that allows ShellOS to scan buffers created by documents loaded.

A Seminar at Advaced Defense Lab



Extensibility cont
Extensibility (cont.) Approaches

  • For network services

    • We build a platform to detect code injection attacks on network services by reassembling observed network streams and executing each of these streams.

A Seminar at Advaced Defense Lab


Evaluation
Evaluation Approaches

  • Environment

    • Intel Xeon Quad Processor machine with 32 GB of memory.

    • The host OS was Ubuntu with kernel version 2.6.35.

A Seminar at Advaced Defense Lab


Attack samples
Attack samples Approaches

  • Metasploit

    • For each encoder, we generated 100s of attack instances by randomly selecting 1 of 7 exploits, 1 of 9 self-contained payloads.

  • As the attacks launched, we captured the network traffic for later network-level buffer analysis.

A Seminar at Advaced Defense Lab


Detection results
Detection Results Approaches

A Seminar at Advaced Defense Lab


Performance
Performance Approaches

A Seminar at Advaced Defense Lab


Throughput
Throughput Approaches

  • We built a testbed consisting of 32 machines running FreeBSD 6.0 and generated traffic using a state-of-the-art traffic generator, Tmix [link].

  • We supply Tmix with a network trace of HTTP connections captured on the border links of UNC-Chapel Hill in October, 2009.

A Seminar at Advaced Defense Lab


Testbed
Testbed Approaches

A Seminar at Advaced Defense Lab


Result
Result Approaches

A Seminar at Advaced Defense Lab


Multi core for shellos
Multi-core for ApproachesShellOS

A Seminar at Advaced Defense Lab


Case study pdf code injection
Case Study: ApproachesPDF Code Injection

  • The malicious PDFs were randomly selected from suspicious files flagged by a large-scale web malware detection system.

  • We also use a collection of 179 benign PDFs from various USENIX conferences.

A Seminar at Advaced Defense Lab


Cve distribution
CVE Distribution Approaches

All attacks use ROP

A Seminar at Advaced Defense Lab


Sizes of the extracted buffers
Sizes of the extracted buffers Approaches

512KB

A Seminar at Advaced Defense Lab


Elapsed time for extracting heap objects
Elapsed time for Approachesextracting heap objects

5 secs

26 secs

A Seminar at Advaced Defense Lab


Average time of analysis
Average time of analysis Approaches

A Seminar at Advaced Defense Lab


Forensic analysis
Forensic Analysis Approaches

  • 85% of the injected code exhibited an identical API call sequence.

A Seminar at Advaced Defense Lab


Another example
Another Example Approaches

A Seminar at Advaced Defense Lab


Instruction level trace
Instruction-level trace Approaches

  • Although the code copy is not apparent in the API call sequence alone, ShellOS may also provide an instruction-level trace by single-stepping each instruction via the TRAP bit in the flags register.

A Seminar at Advaced Defense Lab


Analysis resistant shellcode
Analysis-resistant ApproachesShellcode

  • We note, however, that this particular challenge is not unique to ShellOS.

A Seminar at Advaced Defense Lab


Limitations
Limitations Approaches

  • Shellcode designed to execute under very specific conditions may not operate as expected.

  • Software-based emulators are able to quickly detect and exit an infinite loop.

  • It may still be possible to detect a virtualized environment through the small set of instructions.

A Seminar at Advaced Defense Lab


Limitations cont
Limitations (cont.) Approaches

  • ShellOS provides a framework for fast detection and analysis of a buffer, but an analyst or automated data pre-processor must provide these buffers.

A Seminar at Advaced Defense Lab


Thank you

Thank You. Approaches

Any Question?

A Seminar at Advaced Defense Lab