Problem Korset Theory Implementation Evaluation Epilogue
Korset: Code-based Intrusion Detection for Linux
Ohad Ben-Cohen, Avishai Wool
Tel Aviv University
OWASP IL 2008
Table of Contents
- why, what, how
- demo!
- evaluate
Section 1: The Problem
Exploit this
    #include <stdio.h>

    void sayhi(char *param)
    {
        char buf[96];
        gets(buf);   /* no length check: any input longer than 96 bytes overflows buf */
        printf("Hi %s, please don't hurt me!\n", buf);
    }
Buffer Overflow
Code Injection
Defense
Host-based Intrusion Detection Systems (HIDSs)
To identify malicious activities:
- Pre-construct a model of normal behavior
- Monitor running processes
- Compare data to model
- Alarm when deviates
Terms:
- False Positives (⇒ usability)
- False Negatives (⇒ precision)
Models of normal behavior
1. Machine Learning
- Automated
- Capable of detecting a wide range of attacks
- Statistical ⇒ Have False Alarms
- False Alarms are inherent and inevitable, e.g.:
    if (time() < YEAR2009)
        read(...);
    else
        write(...);
2. Program Policies
- Can be very accurate ⇒ Eliminate False Alarms
- Tedious and demanding
Section 2: Korset
General Architecture
Model of Normal Behavior
Control Flow Graph (CFG)
Stage #1: Model Preconstruction
Protect me
Assumption: System calls are the only way to inflict damage
(Not entirely true...)
Model of Normal Behavior
- System call sequences ⇒ Paths in the graph
- No path in the graph ⇒ Invalid system call sequence
Stage #2: Runtime Monitoring
Protecting
In words
Model of Normal Behavior
- Control Flow Graphs (CFG)
- Only System Calls
- Statically Preconstructed
- Once for every app
Runtime Monitoring
- Monitor system calls emitted in run-time
- Simulate observed system calls on automata
- Always maintain a current node
- Terminate diverging processes
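The runtime monitoring stage, as an added example that is not Korset's own code: a user-space simulation of the per-process state and the allow/terminate decision, run over a constructed DCA for the read/write/close program used later in the talk. The automaton, the process traces, the pid and the function names are all assumptions.

```python
# Added example: simulating the Korset runtime monitor in user space.
# The DCA, the traces and the names below are constructed for illustration;
# they are not Korset's own code or data.

# A DCA as the monitor sees it: every node is one system call, and from any
# node a system call name leads to at most one successor (the "no more than a
# single match" property), so one lookup decides and the per-process state is
# a single node id.  Modelled program:
#     i = read(fd, buf, n); if (i == n) write(fd, buf, n); close(fd);
EXAMPLE_DCA = {
    "start":   {"read": "n_read"},
    "n_read":  {"write": "n_write", "close": "n_close"},
    "n_write": {"close": "n_close"},
    "n_close": {"exit_group": "n_exit"},
    "n_exit":  {},
}

class KorsetMonitor:
    """Per-process state, like the korset_graph/korset_node pair kept in task_struct."""

    def __init__(self):
        self.procs = {}     # pid -> (dca, current node)
        self.killed = []    # (pid, offending syscall, node at which it diverged)

    def on_exec(self, pid, dca):
        """A new image is loaded: attach its DCA and start at the root node."""
        self.procs[pid] = (dca, "start")

    def on_syscall(self, pid, name):
        """The LSM-style hook: allow the call only if it is a direct descendant."""
        if pid not in self.procs:
            return True                     # unmonitored process: no DCA, let it through
        dca, node = self.procs[pid]
        nxt = dca[node].get(name)           # single lookup, no epsilon edges to follow
        if nxt is None:
            self.killed.append((pid, name, node))
            del self.procs[pid]             # terminate the diverging process
            return False
        self.procs[pid] = (dca, nxt)        # advance the current node
        return True

def run_trace(trace, dca=EXAMPLE_DCA, pid=1000):
    """Feed one observed system call trace through a fresh monitor.

    Returns (all_allowed, final_node_or_None, killed_events)."""
    mon = KorsetMonitor()
    mon.on_exec(pid, dca)
    for name in trace:
        if not mon.on_syscall(pid, name):
            return False, None, mon.killed
    return True, mon.procs[pid][1], mon.killed

if __name__ == "__main__":
    # Constructed traces: two legitimate paths and one that diverges
    # (a second write where the graph only allows close).
    for trace in (["read", "write", "close", "exit_group"],
                  ["read", "close", "exit_group"],
                  ["read", "write", "write"]):
        print(trace, "->", run_trace(trace))
```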
Code-based Intrusion Detection
First work by David Wagner and Drew Dean, 2001
Intrusion Detection via Static Analysis
Pros
- Automated
- Provable zero false positives (assuming that code isn't self-modifying)
Cons
- Limited to code injection attacks
- High precision comes with a cost
Action!
Section 3: Not so simple
Functions
Functions - Link CFGs
And... Simplify
Simplification Process
Simple and Smooth
Figure: a graph with the nodes u, v, w, y and z is simplified to one with the nodes u, w, y and z; the node v is removed.
Challenge #1
Functions Redux - Context Insensitivity
Figure: the function graphs before linking and after linking.
... So?
- Impossible execution paths are allowed
- E.g.: open-read-write
Hey, before you link:
Not all functions emit/lead to system calls
Graph Unlinking
- Do not link them
- Just ditch their calling nodes...
Graph Inlining
- Inline CFGs of functions that issue system calls
- Create private copies
- Link private copies
- Simplify result
- Inlining depth? (currently depth 1)
Challenge #2
Non Determinism
Which write is it?
%EIP?
%EIP does not help
Solution: Merge nodes
Merging cost
Graph now allows impossible paths!
Figure: before merging, the graph has two separate r nodes; after merging them into one r node the graph accepts sequences the original never could.
accepting (before merging): gry, grg, bry, org
accepting (after merging): gry, grg, bry, org, brg, ory
Minimizing Merging cost
Don’t merge, add
The Deterministic Callgraph Automaton (DCA)
- Only system call nodes
- There are no ε-edges ⇒ Need to check only direct descendants
- No control flow ambiguity: no more than a single match ⇒ Current state is always a single node
Complexity
- Time: O(|Σ|) (Σ is the set of system calls)
- Space: O(1)
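The two ways of resolving the non-determinism above (merge nodes, or add nodes), as an added example that is not Korset's own code: it rebuilds the merging-cost graph, determinizes it both ways, and enumerates the sequences each result accepts. The node names, the single-letter "system calls" and the function names are assumptions; the accepted sets match the figure.

```python
# Added example: determinizing a system call graph two ways, reproducing the
# merging-cost figure. The graph and all names below are constructed; this is
# not Korset's own code.
from collections import defaultdict
from itertools import product

# Node-labelled graph: each node emits one system call (single letters here),
# edges are control flow. "S" is the entry and emits nothing.
# From g1 there are two successors both labelled r: "which r is it?"
LABELS = {"S": None, "g1": "g", "b": "b", "o": "o",
          "r1": "r", "r2": "r", "y": "y", "g2": "g"}
EDGES = {"S": ["g1", "b", "o"], "g1": ["r1", "r2"], "b": ["r1"],
         "o": ["r2"], "r1": ["y"], "r2": ["g2"], "y": [], "g2": []}

def nfa_accepts(seq, labels=LABELS, edges=EDGES, start="S"):
    """Reference semantics: track every node the trace could be at (costly at runtime)."""
    current = {start}
    for sc in seq:
        current = {n for cur in current for n in edges[cur] if labels[n] == sc}
        if not current:
            return False
    return True

def dfa_accepts(seq, labels, edges, start):
    """Deterministic walk: at most one successor per label, so one lookup per call."""
    cur = start
    for sc in seq:
        nxt = [n for n in edges[cur] if labels[n] == sc]
        assert len(nxt) <= 1, "graph is not deterministic"
        if not nxt:
            return False
        cur = nxt[0]
    return True

def merge_determinize(labels, edges):
    """'Merge nodes': sibling successors with the same label collapse into one node
    (union-find), repeated to a fixpoint. Cheap, but over-approximates the language."""
    parent = {n: n for n in labels}
    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n
    changed = True
    while changed:
        changed = False
        for src in edges:
            groups = defaultdict(set)
            for dst in edges[src]:
                groups[labels[dst]].add(find(dst))
            for group in groups.values():
                root = min(group)
                for n in group:
                    if find(n) != root:
                        parent[find(n)] = root
                        changed = True
    new_labels = {find(n): labels[n] for n in labels}
    new_edges = defaultdict(set)
    for src, dsts in edges.items():
        for dst in dsts:
            new_edges[find(src)].add(find(dst))
    return new_labels, {n: sorted(new_edges[n]) for n in new_labels}

def subset_determinize(labels, edges, start):
    """'Don't merge, add': one DCA node per reachable *set* of graph nodes
    (subset construction). More nodes, but exactly the original language."""
    root = frozenset([start])
    new_labels, new_edges, work = {root: labels[start]}, {}, [root]
    while work:
        state = work.pop()
        groups = defaultdict(set)
        for n in state:
            for dst in edges[n]:
                groups[labels[dst]].add(dst)
        new_edges[state] = []
        for label, group in groups.items():
            succ = frozenset(group)
            if succ not in new_labels:
                new_labels[succ] = label
                work.append(succ)
            new_edges[state].append(succ)
    return new_labels, new_edges

def language(accepts, alphabet="gbory", length=3):
    """All traces of the given length that the automaton can follow to the end."""
    return {"".join(w) for w in product(alphabet, repeat=length) if accepts(w)}

def compare():
    """Returns (original language, merged-DCA language, subset-DCA language, node counts)."""
    ml, me = merge_determinize(LABELS, EDGES)
    sl, se = subset_determinize(LABELS, EDGES, "S")
    merged = language(lambda w: dfa_accepts(w, ml, me, "S"))
    subset = language(lambda w: dfa_accepts(w, sl, se, frozenset(["S"])))
    return language(nfa_accepts), merged, subset, (len(LABELS), len(ml), len(sl))

if __name__ == "__main__":
    orig, merged, subset, sizes = compare()
    print("original:", sorted(orig))
    print("merged  :", sorted(merged), "impossible paths added:", sorted(merged - orig))
    print("subset  :", sorted(subset), "node counts (orig, merged, subset):", sizes)
```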
Section 4: Implementation
General Architecture
Kernel guts
The Monitoring Agent
Figure: in user space the ELF executable example runs next to its DCA file example.korset; its system calls (read, write, close) enter the kernel's system call handler, which hands them to the Korset Monitoring Agent in kernel space.
Per process state
sched.h:
    struct task_struct {
        ...
        char *korset_graph;
        u32 korset_node;
        ...
    };
Monitoring Agent - via a new LSM hook
entry.S:
    ENTRY(system_call)
        ...
        GET_THREAD_INFO(%rcx)
        SAVE_ARGS
        movq %rax,%rsi
        movq %rcx,%rdi
        call security_system_call
        cmpl $0, %eax
        jnz syscall_noperm
        RESTORE_ARGS
        ...
        call *sys_call_table(,%rax,8)
        ...
$ korset runtime monitor start
$ korset runtime monitor stop
Monitoring Agent
Sum up
- Integrated into the Kernel's system call handler
- Uses and extends the Linux Security Module (LSM) interface
- Simulates the automaton on observed system calls
- Terminates subverted applications
- Can dynamically update the in-memory DCA
- Can dump the updated DCA back to disk
Userland
The Static Analyzer
example.c:
    i = read(fd, buf, n);
    if (i == n) {
        write(fd, buf, n);
    }
    close(fd);
Figure: example.c is compiled (gcc, ld, ...) into the ELF executable example; the Korset Static Analyzer, in user space, derives from it the DCA file example.korset, whose nodes are the system calls read, write and close.
$ korset static analyzer start
    $ gcc -c foo.c -o foo.o
    $ gcc -c bar.S -o bar.o
    $ ar rc foobar.a foo.o bar.o
    $ gcc foo.o bar.o -o foobar
Produced transparently alongside the build outputs: foo.o.kvcg, bar.o.kvcg, foobar.a.kvcg, foobar.korset
$ korset static analyzer stop
Static Analyzer
Sum up
- Wraps the Linux build tools
- Transparently runs whenever the user compiles, links or ar(chives)
- Creates DCAs for objects, libraries and executables
Constructing the Graphs
GCC saves the day
GCC Plugins?
    $ gcc -dv -fdump-rtl-pass
Visualization of Compiler Graphs (VCG)
Just parse and the CFG is yours:
    graph: { title: "hack_digit"
      ...
      node: { title: "hack_digit.0" }
      ...
      edge: { sourcename: "hack_digit.0" targetname: "hack_digit.7" color: blue }
      node: { title: "hack_digit.7" label: "note 7" }
      ...
Creating CFGs for C files
Use gcc's VCG output:
    $ gcc -dv -fdump-rtl-pass -c foo.c
    void foo(void)
    {
        int i;
        for (i = 0; i < 10; i++)
            fwrite("Hello!\n", 7, 1, stdout);
    }
Figure (foo.0): gcc's VCG dump of foo(). Basic block 7 holds code_label 11, insn 14, insn 16, insn 17, insn 18, call_insn 19, insn 21, code_label 22, insn 24, jump_insn 25 and insn 45; further nodes hold note 47, insn 40, insn 41, insn 42, insn 8, jump_insn 46 and END, and note 6 with jump_insn 9.
Creating CFGs for C files
After simplifying VCG output
Figure: for the same foo() (object vcg-demo.o), the simplified graph has only the nodes foo.0, call fwrite and END.
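Parsing a VCG dump and simplifying it down to the call nodes, as an added example that is not Korset's own code. The VCG text is constructed in the style of gcc's -dv output for the foo() loop above (node titles and labels shortened to the insn names the slide shows); it is not real gcc output, and the regexes assume labels contain no quotes or braces.

```python
# Added example: parse a VCG dump and keep only the nodes that matter.
# VCG_TEXT is constructed in the style of gcc's -dv output for foo() above;
# it is not real compiler output, and the code is not Korset's own.
import re

VCG_TEXT = '''
graph: { title: "foo"
node: { title: "foo.0" label: "ENTRY" }
node: { title: "foo.6" label: "note 6 jump_insn 9" }
node: { title: "foo.11" label: "code_label 11 insn 14 call_insn 19 insn 21" }
node: { title: "foo.22" label: "code_label 22 insn 24 jump_insn 25" }
node: { title: "foo.46" label: "note 47 insn 40 jump_insn 46" }
node: { title: "foo.END" label: "END" }
edge: { sourcename: "foo.0" targetname: "foo.6" color: blue }
edge: { sourcename: "foo.6" targetname: "foo.11" }
edge: { sourcename: "foo.11" targetname: "foo.22" }
edge: { sourcename: "foo.22" targetname: "foo.11" color: red }
edge: { sourcename: "foo.22" targetname: "foo.46" }
edge: { sourcename: "foo.46" targetname: "foo.END" }
}
'''

# Assumes flat node/edge records whose string values hold no quotes or braces.
NODE_RE = re.compile(r'node:\s*\{\s*title:\s*"([^"]*)"(?:\s*label:\s*"([^"]*)")?\s*\}')
EDGE_RE = re.compile(r'edge:\s*\{\s*sourcename:\s*"([^"]*)"\s*targetname:\s*"([^"]*)"[^}]*\}')

def parse_vcg(text):
    """Return ({title: label}, {title: set of successor titles})."""
    labels = {t: (l or "") for t, l in NODE_RE.findall(text)}
    succ = {t: set() for t in labels}
    for src, dst in EDGE_RE.findall(text):
        succ[src].add(dst)
    return labels, succ

def is_call(label):
    """A basic block that issues a call shows up as a call_insn in its label."""
    return "call_insn" in label.split()

def simplify(labels, succ, keep):
    """Remove every node not in `keep`, reconnecting each of its predecessors to
    each of its successors (the u-v-w rule from the simplification slide), so
    only call nodes plus entry and exit remain. Returns the new successor map."""
    succ = {n: set(s) for n, s in succ.items()}
    for v in [n for n in labels if n not in keep]:
        preds = [p for p, s in succ.items() if v in s and p != v]
        outs = succ[v] - {v}            # a self-loop on a removed node carries nothing
        for p in preds:
            succ[p].discard(v)
            succ[p] |= outs
        del succ[v]
    return succ

def call_graph(text, entry="foo.0", exit_="foo.END"):
    """Parse, then keep entry, exit and every block containing a call."""
    labels, succ = parse_vcg(text)
    keep = {n for n, l in labels.items() if is_call(l)} | {entry, exit_}
    return simplify(labels, succ, keep)

if __name__ == "__main__":
    # The loop survives as a self-edge on the block that calls fwrite.
    for node, outs in sorted(call_graph(VCG_TEXT).items()):
        print(node, "->", sorted(outs))
```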
VCG Summary
Neat.
Does not apply for Assembly files...
Creating CFGs for Assembly files
Lots of Macros...
    #include <sysdep-cancel.h>
    PSEUDO (__libc_read, read, 3)
        ret
    PSEUDO_END (__libc_read)
    libc_hidden_def (__libc_read)
    weak_alias (__libc_read, __read)
    libc_hidden_weak (__read)
    weak_alias (__libc_read, read)
    libc_hidden_weak (read)
Creating CFGs for Assembly files
Disassemble the corresponding object file and look for system and function calls:
    mov    %rdx,0x18(%rsp)
    callq  35 <__write_nocancel+0x2c>
           R_X86_64_PC32 __libc_enable_asynccancel
    mov    0x8(%rsp),%rdi
    mov    0x10(%rsp),%rsi
    mov    0x18(%rsp),%rdx
    mov    %rax,(%rsp)
    mov    $0x1,%eax
    syscall
Creating CFGs for Assembly files
- Create a simplified matching graph
- Crude, OK for simple files
- A sound solution requires a better flow analysis
Creating CFGs for stdin files
Something like this:
    $ gcc -x c++ -o output.o -
Redundant?
Creating CFGs for stdin files
Common glibc build:
    (echo '#include <sysdep-cancel.h>'; \
     echo 'PSEUDO (__libc_read, read, 3)'; \
     echo '    ret'; \
     echo 'PSEUDO_END (__libc_read)'; \
     echo 'libc_hidden_def (__libc_read)'; \
     echo 'weak_alias (__libc_read, __read)'; \
     echo 'libc_hidden_weak (__read)'; \
     echo 'weak_alias (__libc_read, read)'; \
     echo 'libc_hidden_weak (read)'; \
    ) | gcc -c -x assembler-with-cpp -o read.o -
Disassemble the output file and build the graph.
Result: a simplified matching graph.
Is it enough? Pay attention to the symbol aliases in the build above (the weak_alias and libc_hidden_weak lines).
Collect symbol information
    $ objdump --syms read.o
    read.o:     file format elf64-x86-64
    SYMBOL TABLE:
    00000000 g F .text 00000073 __libc_read
    00000009 g F .text 00000014 __read_nocancel
    00000000 w F .text 00000073 __read
    00000000 w F .text 00000073 read
Add symbol aliases
Figure: the graph before and after the symbol aliases are added.
Linking issues
Not all functions are equal (local, global, weak and undefined symbols):
    malloc.o:     file format elf64-x86-64
    SYMBOL TABLE:
    000032e4 l F .text 0000009f malloc_check
    00001c46 l F .text 000000f2 free_check
    00000000 w *UND* 00000000 __dso_handle
    0000395e g F .text 00000331 calloc
    0000395e w F .text 00000331 calloc
    00001b79 g F .text 000000cd cfree
    00001b79 w F .text 000000cd cfree
    00003e41 g F .text 000001cf malloc
Section 4: Evaluation
Micro-Benchmarks
Figure (Micro-Benchmarks): overhead percentage (y axis from 0 to 120) for write, read, "write > /dev/null" and setuid, each measured in a best case, a bad case and a worst case.
Core-utils Benchmarks
Figure (Core-Utils Benchmark): overhead in percent (y axis from 0 to 1.3) for cp, ls and cat.
Precision Analysis
The Branching Factor
Graphs Analysis
Figure (glibc DCA branching): average branch degree, log scale from 0.1 to 1000, for the graphs of open, read, write, execve, malloc, gets, fopen, fread, fwrite, printf and an empty main, comparing the ε-less CFG, the basic DCA and the final DCA. The data labels on the chart read 1, 2, 18, 33, 36, 46, 96, 108 and 118.
malloc()
Figure: the DCA of malloc() has the system call nodes 45, 91, 125 and 90 (i386 system call numbers: brk, munmap, mprotect, mmap).
fwrite()
Figure: the DCA of fwrite() has the system call nodes 90, 140, 197, 108, 4, 45, 125, 91 and 54 (i386 system call numbers: mmap, _llseek, fstat64, fstat, write, brk, mprotect, munmap, ioctl).
Empty main
    void main(void) {}
Figure (dump empty.c.49.stack, rooted at _start.0): the DCA of even this empty program contains 52 distinct system call nodes.
Section 5: Sum up
Sum up
Summary
- Zero False Positives Intrusion Detection
- Negligible (/Bounded) Runtime Overhead
- Linux Kernel Prototype
- Automatic Analysis of the GNU C library
- Free Software (GPL'ed)
Status
- Proof of concept!
- Very limited, e.g.: only static linking
http://www.korset.org
THE END