1
Automatic Real-time Counterattack System against Remote Buffer Overflow Attack
許富皓, Advanced Defense Laboratory
Department of Computer Science and Information Engineering, National Central University
2
Some Recent News Headlines
- Downadup worm infects more than 3.5 million - published 2009-01-14
- Downadup virus exposes millions of PCs to hijack - CNN, 16 Jan. 2009
- Microsoft announces $250,000 Conficker worm bounty - Network World
3
Introduction of Arcs
Automatic real-time counterattack system
- Counterattacks worms that spread through remote buffer overflow attacks
- Counterattacks unpatched, compromised attacking hosts
[Figure: an attacking host sends a buffer overflow attack to an Arcs host; the Arcs host modifies the attack string, generates a fight-back string and fights back against the attacking host.]
4
Introduction of Arcs
Why do attackers use code injection-based remote buffer overflow attacks?
- Flexibility: free choice of target and of the malicious activity
- Simplicity: shellcode programming
- Portability: repeated deviation addresses and a NOP sled absorb address differences between hosts
5
Explanation of BOAs (1)
    G(int a)
    {
        H(3);
    add_g: ;
    }

    H(int b)
    {
        char c[100];
        int i = 0;                              /* index into c; nothing bounds it against sizeof c */
        while ((c[i++] = getch()) != EOF)
        {
        }
    }
[Figure: H's stack frame, low addresses first: c[0] at 0xaba, c[1] at 0xabb, c[2] at 0xabc, ..., c[99], then the saved frame pointer of G and the return address add_g; above it G's stack frame, holding H's argument b. With the normal input string "xyzZ" the loop stores x, y, z, Z into c[0..3] and H returns to add_g.]
6
Explanation of BOAs (2)
(G and H as on the previous slide)
[Figure: the same frame after the attack. Attack string: x, x, injected code, x, y, 0xabc; length = 108 bytes. The first two bytes fill c[0] and c[1]; the injected code starts at c[2], i.e. at address 0xabc; the x, y padding runs up through the saved frame pointer of G; the final four bytes overwrite the return address slot with 0xabc. When H returns, control transfers to the injected code at 0xabc instead of to add_g.]
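The two slides above describe the overflow in prose and a stack diagram. The following C program is an added example, not code from the original slides: it runs H()'s unbounded read loop over a byte array laid out like the frame the slides draw, beside a bounded replacement, and shows that the same 112-byte input replaces the return address in the first case and is truncated in the second. The 32-bit x86 layout, the add_g value and the input bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte layout of H()'s stack frame as drawn on the slides, lowest address first.
   Assumed (not stated on the slides): 32-bit x86, 4-byte int and pointers, no padding.
     c[0..99] | int i | saved frame pointer of G | return address (add_g) */
enum { C_SIZE = 100, I_OFF = 100, FP_OFF = 104, RET_OFF = 108, FRAME_SIZE = 112 };
#define ADD_G 0x080484d6u   /* placeholder value for the label add_g in G */

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* A fresh frame for H: all zero except the return-address slot, which holds add_g. */
frame_t frame_init(void) {
    frame_t f;
    memset(&f, 0, sizeof f);
    put32(f.bytes + RET_OFF, ADD_G);
    return f;
}
uint32_t return_address(const frame_t *f) { return le32(f->bytes + RET_OFF); }

/* The slide's loop  while ((c[i++] = getch()) != EOF) {}  run over an in-memory input
   instead of getch(). The real loop has no bound at all; the i < FRAME_SIZE test only keeps
   the emulation inside the modelled frame. Two details a real stack adds: bytes 100..103
   land on i itself, so the attacker has to choose them so the loop keeps writing upward,
   and because c is char, an input byte 0xff compares equal to EOF where char is signed
   and ends the loop early. Returns the number of bytes written. */
size_t h_vulnerable(frame_t *f, const unsigned char *in, size_t n) {
    size_t i = 0;
    while (i < n && i < FRAME_SIZE) { f->bytes[i] = in[i]; i++; }
    return i;
}

/* Bounded replacement: stores at most C_SIZE - 1 bytes, NUL-terminates, and reports through
   *truncated that input was dropped, so the caller can reject the request instead of
   silently working on a cut-down copy. */
size_t h_safe(frame_t *f, const unsigned char *in, size_t n, int *truncated) {
    size_t i = 0;
    while (i < n && i < C_SIZE - 1) { f->bytes[i] = in[i]; i++; }
    f->bytes[i] = 0;
    *truncated = (i < n);
    return i;
}

/* Constructed 112-byte input in the shape of slide 6's attack string: filler up to the
   return-address slot, then 0xabc little-endian, the address the slide uses for the
   injected code. In a real attack string the filler would carry the injected code. */
size_t build_attack_input(unsigned char *out) {
    memset(out, 'x', C_SIZE);        /* c[0..99] */
    memset(out + I_OFF, 'y', 8);     /* i and G's saved frame pointer */
    put32(out + RET_OFF, 0xabcu);    /* return address slot */
    return FRAME_SIZE;
}

/* Feed the same input to one version of H and return the resulting return address. */
uint32_t demo(int use_safe, int *truncated) {
    unsigned char in[FRAME_SIZE];
    size_t n = build_attack_input(in);
    frame_t f = frame_init();
    *truncated = 0;
    if (use_safe) h_safe(&f, in, n, truncated);
    else          h_vulnerable(&f, in, n);
    return return_address(&f);
}
```

demo(0, ...) returns 0xabc: the return address now points at c[2], exactly the situation on slide 6. demo(1, ...) returns add_g and sets the truncation flag, which is the piece a bounded copy alone does not give you; a service that drops the flag has merely turned a code-execution bug into silent data loss.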
7
Injected Code
- The attacked programs usually run with root privilege; therefore the injected code executes with root privilege.
- The injected code is already in machine-instruction form, so the CPU executes it directly.
  - This also means the injected code must match the CPU type of the attacked host.
- The injected code usually forks a shell; hence, after a successful attack, the attacker has a root shell.
8
Injected Code of Remote BOAs
To interact with the newly forked root shell over the network, the injected code usually needs two extra steps:
- Open a socket.
- Redirect the standard input and output of the newly forked root shell to the socket.
9
Example of Injected Code for x86 Architecture: Shellcode
    /* 45 bytes plus the terminating NUL. This is the classic jmp/call/pop execve("/bin/sh")
       shellcode from Aleph One's "Smashing the Stack for Fun and Profit": it writes the argv
       array and the NUL after "/bin/sh" into place at run time, calls execve (eax = 0x0b,
       int 0x80) and then exit. It spawns a local shell only; the socket and redirection
       steps of the previous slide are not part of it. */
    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
10
Two Factors for a Successful Buffer Overflow-style Attack (1)
A successful buffer overflow-style attack must overflow the right place (e.g. the slot holding a return address) with the correct value (e.g. the address of the injected code's entry point).
11
Two Factors for a Successful Buffer Overflow-style Attack (2)
[Figure: the overflow starts at the beginning of the overflowed buffer and runs up to the overflow target, the return address slot. The two quantities the attacker must get right are the offset between the beginning of the overflowed buffer and the overflow target, and the address of the injected code's entry point.]
The offset and the entry-point address are not predictable: they cannot be determined just by reading the source code or the local binary.
12
Non-predictable Offset
- For performance reasons, most compilers do not allocate local variables in the order they appear in the source code, and sometimes insert padding between them. (The source code does not help.)
- Different compiler/OS combinations use different allocation strategies. (Local binaries do not help.)
- Address obfuscation inserts a random amount of space between the local variables and the return address. (Only very good luck helps.)
13
Non-predictable Entry Point Address
[Figure: the top of the process address space at 0xbfffffff, from high to low addresses: system data, environment variable strings, argument strings, env pointers, argv pointers, argc, then main()'s stack frame. The example command line "webserver -a -b security", typed at the prompt [fhsu@ecsl]#, illustrates that the command-line arguments and environment variables sit above main()'s frame, so their sizes shift every stack address below them.]
14
Strategies Used by Attackers to Increase Their Success Chance
- Repeat the address pattern.
- Insert NOP (0x90) instructions before the entry point of the injected code.
15
Buffer Overflow Attack String
Classic code-injection buffer overflow attack string format
16
Buffer Overflow Attack String
Characteristics
- NOP sled
  - 0x90 (NOP)
  - or other one-byte non-privileged instructions
- Injected code (shellcode): the code-injection part
- Repeated deviation address
  - repeated every 4 bytes
  - points into the stack or heap
17
Modification of Buffer Overflow Attack String
Modification
- Injected code replacement
- Effectiveness preserved: the padding, the deviation addresses and the rest of the attack string stay as they are

Item | Fight-back string
Padding | same as the original attack string
Deviation address values | same as the original attack string
Injected code | replaced by the fight-back code
Injected code length | the fight-back code must be shorter than the original injected code
Total string length | same as the original attack string

[Figure: the fight-back string, with the fight-back injected code in place of the original injected code.]
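The slides from "Strategies Used by Attackers" to the table above describe the three-part attack string and the Arcs modification in prose. The following C code is an added example, not the Arcs implementation: it detects the NOP sled, injected code and repeated deviation address in a byte stream, then performs the modification that keeps padding, addresses and total length and swaps in a shorter fight-back code. The detection thresholds, the stack address range, the sample address 0xbffff3c0 and the placeholder fight-back bytes are assumptions; the injected code in the constructed sample is the shellcode from the "Example of Injected Code" slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NOP 0x90
/* Thresholds and address range are assumptions for this example; the slides give none. */
#define MIN_SLED 8            /* shortest run of 0x90 treated as a sled */
#define MIN_ADDR_REPEATS 3    /* shortest run of identical 4-byte words treated as addresses */
#define STACK_LO 0xbf000000u  /* assumed user-stack range of a 32-bit Linux/x86 process */
#define STACK_HI 0xc0000000u

typedef struct {
    size_t sled_off, sled_len;   /* NOP sled */
    size_t code_off, code_len;   /* injected code, between sled and addresses */
    size_t addr_off, addr_len;   /* repeated little-endian deviation address */
    uint32_t addr;
} boa_layout;

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Longest run of 0x90 in the stream. */
static int find_sled(const unsigned char *s, size_t n, boa_layout *L) {
    size_t best = 0, best_off = 0, i = 0;
    while (i < n) {
        if (s[i] != NOP) { i++; continue; }
        size_t j = i;
        while (j < n && s[j] == NOP) j++;
        if (j - i > best) { best = j - i; best_off = i; }
        i = j;
    }
    if (best < MIN_SLED) return 0;
    L->sled_off = best_off; L->sled_len = best;
    return 1;
}

/* Trailing run of one 4-byte word pointing into the stack. The word repeats every 4 bytes
   but its alignment relative to the stream start is unknown, so all four phases are tried. */
static int find_addr_tail(const unsigned char *s, size_t n, boa_layout *L) {
    size_t best = 0;
    for (size_t p = 0; p < 4 && n >= 4 + p; p++) {
        size_t end = n - p;
        uint32_t w = le32(s + end - 4);
        if (w < STACK_LO || w >= STACK_HI) continue;
        size_t k = 0;
        while (end >= 4 * (k + 1) && le32(s + end - 4 * (k + 1)) == w) k++;
        if (k > best) { best = k; L->addr = w; L->addr_off = end - 4 * k; L->addr_len = 4 * k; }
    }
    return best >= MIN_ADDR_REPEATS;
}

/* Detection: sled, then injected code, then the address block. Returns 1 on a match. */
int arcs_detect(const unsigned char *s, size_t n, boa_layout *L) {
    memset(L, 0, sizeof *L);
    if (!find_sled(s, n, L) || !find_addr_tail(s, n, L)) return 0;
    size_t sled_end = L->sled_off + L->sled_len;
    if (sled_end >= L->addr_off) return 0;       /* nothing between sled and addresses */
    L->code_off = sled_end;
    L->code_len = L->addr_off - sled_end;
    return 1;
}

/* Modification in place: sled and addresses untouched, injected code replaced, total length
   unchanged. The slack is filled with NOPs in front of the fight-back code, so a deviation
   address that hit the original sled or the first byte of the original code still slides
   into the fight-back code. Fails when the fight-back code is longer than the injected code,
   the "extremely small injected code" limitation of the Discussion slides. */
int arcs_modify(unsigned char *s, size_t n, const boa_layout *L,
                const unsigned char *fb, size_t fb_len) {
    if (L->code_off + L->code_len > n || fb_len > L->code_len) return -1;
    size_t pad = L->code_len - fb_len;
    memset(s + L->code_off, NOP, pad);
    memcpy(s + L->code_off + pad, fb, fb_len);
    return 0;
}

/* Constructed sample: 16-byte sled, the 45-byte execve("/bin/sh") shellcode from the
   slides, and six copies of a made-up stack address 0xbffff3c0. */
static const unsigned char INJECTED[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
    "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define INJECTED_LEN (sizeof INJECTED - 1)
/* Placeholder bytes standing in for real fight-back code (contains no 0x90). */
static const unsigned char FIGHT_BACK[] = "FIGHT-BACK-CODE-HERE";
#define FIGHT_BACK_LEN (sizeof FIGHT_BACK - 1)

size_t build_sample_attack(unsigned char *out) {
    size_t n = 0;
    memset(out, NOP, 16); n += 16;
    memcpy(out + n, INJECTED, INJECTED_LEN); n += INJECTED_LEN;
    for (int i = 0; i < 6; i++) { put32(out + n, 0xbffff3c0u); n += 4; }
    return n;
}
```

On the sample, arcs_detect reports a 16-byte sled, 45 bytes of code and a 24-byte address block; after arcs_modify with the 20-byte placeholder the same detector sees a 41-byte sled followed by the placeholder, with the address block and the total length unchanged. The heuristic inherits the limitations the deck lists later: a non-repeated deviation address is not detected, and a string with several sleds is handled only as far as the longest one.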
18
Implementation
Arcs design
- Arcs Core (Linux kernel level)
- Arcser (Linux user level)
[Figure: the network data stream enters the Arcs Core in the kernel; when an attack is detected, the Core adds an event; Arcser, polling from user level, fetches the event and generates the fight-back string.]
19
Demonstration
Effectiveness demonstration
- Target: normal Linux host

Attribute | Description
Vulnerable program | corehttpd [v0.5.3alpha]: httpd remote buffer overflow
NOP sled | 268 bytes of continuous 0x90
Injected code | portbind shellcode on port 7979, placed after the NOP sled

[Figure: a normal Linux host runs the vulnerable Corehttpd service at port 8080; the attacking host launches an attack through the exploit; the result is a portbind shell listening at port 7979 on the target.]
20
Demonstration
Effectiveness demonstration
- Target: Arcs host

Attribute | Description
Vulnerable program | corehttpd [v0.5.3alpha]: httpd remote buffer overflow
NOP sled | 268 bytes of continuous 0x90
Injected code | portbind shellcode on port 7979, placed after the NOP sled

[Figure: the Arcs host runs the vulnerable Corehttpd service at port 8080; the attacking host sends the attack generated by the exploit; the Arcs host fights back, and a portbind shell opens at port 30000 on the attacking host. The attacker's expected portbind shell at port 7979 is marked with a question mark on the slide.]
21
Discussion
Arcs against Internet worms
- Uniform random target selection worm model
- Arcs: decreases the number of vulnerable hosts in the Internet
- Portable Arcs: decreases the number of malicious hosts in the Internet
[Figure: transitions among infected, vulnerable, immune, Arcs and portable Arcs hosts under the two schemes: an infected host that attacks an Arcs host is turned into an immune host, and one that attacks a portable Arcs host becomes another portable Arcs host.]
22
Discussion
Arcs-based solution against Internet worms
$I_t = N - (V_t + M_t + S_t)$ (vulnerable, infected and Arcs hosts are disjoint sets, so their counts add)
23
Discussion
Arcs against Internet worms
- $N$: number of total targets
- $V_t$: number of uninfected vulnerable hosts at the $t$-th time tick
- $M_t$: number of infected (malicious) hosts at the $t$-th time tick
- $I_t$: number of immune hosts at the $t$-th time tick
- $S_0$: initial number of Arcs hosts
- $P_s$: probability that an individual attack succeeds
- $P_t$: probability of a host being attacked at least once at the $t$-th time tick
- $\alpha$: number of attacks generated by an infected host in a time tick (the slide's symbol for this quantity is lost in extraction; $\alpha$ is used here)

$P_t = 1 - \left(\frac{N-1}{N}\right)^{\alpha M_t}$
$V_{t+1} = V_t - P_t P_s V_t$
$M_{t+1} = M_t + P_t P_s V_t - P_t P_s S_0$
$I_{t+1} = I_t + P_t P_s S_0$
24
Discussion
Portable Arcs against Internet worms
- $N$: number of total targets
- $V_t$: number of uninfected vulnerable hosts at the $t$-th time tick
- $M_t$: number of infected (malicious) hosts at the $t$-th time tick
- $S_t$: number of Arcs hosts at the $t$-th time tick
- $P_s$: probability that an individual attack succeeds
- $P_t$: probability of a host being attacked at least once at the $t$-th time tick
- $\alpha$: number of attacks generated by an infected host in a time tick (symbol lost in extraction; $\alpha$ is used here)

$P_t = 1 - \left(\frac{N-1}{N}\right)^{\alpha M_t}$
$V_{t+1} = V_t - P_t P_s V_t$
$M_{t+1} = M_t + P_t P_s V_t - P_t P_s S_t$
$S_{t+1} = S_t + P_t P_s S_t$
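The difference equations on the two slides above are easy to get wrong in the signs and subscripts of the $P_t P_s S$ terms. The following C program is an added example, not from the slides: it iterates both models and checks that every host stays in exactly one class ($V + M + S + I = N$). It implements exp and ln locally so that it runs without libm; the parameter values used in its test are constructed, since the slides' exact settings are not recoverable, and $\alpha$ is the name chosen here for the per-tick attack count whose symbol is lost.

```c
/* Parameters of the slides' worm model. alpha is the number of attacks an infected host
   generates per time tick; its symbol did not survive extraction, the name is chosen here. */
typedef struct { double N, Ps, alpha; } worm_params;
/* V: uninfected vulnerable, M: infected, S: Arcs hosts, I: immune hosts. */
typedef struct { double V, M, S, I; } worm_state;

/* exp(a) without libm: halve the argument until |a| <= 0.5, sum the Taylor series, then
   square the result back up. */
static double exp_d(double a) {
    int k = 0, neg = a < 0;
    if (neg) a = -a;
    while (a > 0.5) { a *= 0.5; k++; }
    double term = 1.0, sum = 1.0;
    for (int i = 1; i < 24; i++) { term *= a / i; sum += term; }
    while (k-- > 0) sum *= sum;
    return neg ? 1.0 / sum : sum;
}
/* ln(1 - u) for 0 < u < 1 (Mercator series); used with u = 1/N. */
static double log1m_d(double u) {
    double p = u, s = 0.0;
    for (int i = 1; i < 64; i++) { s += p / i; p *= u; }
    return -s;
}

/* P_t = 1 - ((N-1)/N)^(alpha * M_t): probability that a given host is attacked at least once
   in a tick when M_t infected hosts each fire alpha attacks at uniformly random targets. */
double attack_prob(const worm_params *p, double M) {
    return 1.0 - exp_d(p->alpha * M * log1m_d(1.0 / p->N));
}

worm_state initial_state(const worm_params *p, double V0, double M0, double S0) {
    worm_state x = { V0, M0, S0, p->N - (V0 + M0 + S0) };
    return x;
}

/* One tick of the slides' difference equations. portable = 0: S stays at S_0 and every
   successful attack on an Arcs host immunises the attacker, so I grows by P_t P_s S_0.
   portable = 1: the counterattacked host becomes an Arcs host itself, so S grows instead.
   In both cases I = N - V - M - S. The clamp on M is an addition to the slides' equations,
   which can drive M below zero once S exceeds V. */
worm_state worm_step(const worm_params *p, worm_state x, int portable) {
    double hit = attack_prob(p, x.M) * p->Ps;   /* P_t * P_s */
    worm_state y;
    y.V = x.V - hit * x.V;
    y.M = x.M + hit * x.V - hit * x.S;
    if (y.M < 0.0) y.M = 0.0;
    y.S = portable ? x.S + hit * x.S : x.S;
    y.I = p->N - (y.V + y.M + y.S);
    return y;
}

worm_state worm_simulate(const worm_params *p, worm_state x, int ticks, int portable) {
    for (int t = 0; t < ticks; t++) x = worm_step(p, x, portable);
    return x;
}

/* Every host is in exactly one of the four classes at all times. */
int worm_conserved(const worm_params *p, worm_state x) {
    double d = x.V + x.M + x.S + x.I - p->N;
    return d < 1e-6 && d > -1e-6;
}
```

Two properties follow directly from the equations and are worth checking whenever the model is re-implemented: after the first tick both variants agree on $V_1$ and $M_1$ (they differ only in what happens to the counterattacked hosts), and from the second tick on the portable variant has strictly fewer infected hosts because $S_1 > S_0$ enlarges the $P_t P_s S$ term.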
25
Discussion
Against Internet worms, $S_0 = 500$
[Figure: two plots, Arcs (left) and Portable Arcs (right), number of hosts against number of time ticks. The remaining parameters ($N$, $V_0$, $M_0$, $\alpha$) are printed on the slide, with the values 2000, 300 and 10 visible, but their assignment is garbled in extraction.]
26
Discussion
Against Internet worms, $S_0 = 1000$
[Figure: two plots, Arcs (left) and Portable Arcs (right), number of hosts against number of time ticks; the remaining parameters are the same as on the previous slide.]
27
Discussion
Against Internet worms, $S_0 = 5000$
[Figure: two plots, Arcs (left) and Portable Arcs (right), number of hosts against number of time ticks; the remaining parameters are the same as on the previous two slides.]
28
Discussion
Limitations
- Detection: a non-repeated deviation address is not recognised
- Modification: multiple NOP sleds; extremely small injected code (no room for the fight-back code)
29
Discussion
Counterattack risk
- Legal or illegal?
- Arcs attacks Arcs: the fight-back string is itself an attack string, so another Arcs host can fight back against it
30
Discussion
Deployment strategies
- As a honeypot
- As protection for important servers
- Both of the above
- Depending on the managers' requirements
Future work
- Arcs-based worm auto-cleaning system
31
Related work
Worm countermeasures
- White worm
- Watertight compartment
- Vaccination
- Detection and monitoring
32
Conclusion
Automatic buffer overflow attack string modification
- Injected code replacement
- Effectiveness preserved
Arcs
- Automatic real-time counterattack system
- Flexible deployment
- Deterrence of remote buffer overflow attacks
Arcs-based applications
- Cleaning worms
- Detecting and identifying botnets
33
Q&A