Embed Size (px)
Citation preview
2
Scenario
Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly
High-power base station
3
Message Authentication Code (MAC)
• Essentially a one-way hash function with a key, k
• Used for message integrity and authentication– If m is altered to m’ then MAC(m) ≠ MAC(m’)– Only those that know k can create correct MAC
4
Cryptographic Hash Chains
f f f x
K3 = f (x)
K2 = f (f (x))K1 = f (f (f (x)))
Initially store: K0 = f4(x)K1 = f3(x)
verify f (K1) = f(f3(x)) = K0
K2 = f2(x) verify f 2(K2) = f2(f2(x))
= K0
time
f is a one-way function: easy to calculate f(x), but difficult to invert f.
Kj = f (Kj+1)
5
µTesla [Perrig, et. al., 2002]
• Initially: sensor nodes know K0 = fn(x)
base station knows x
• Base station messages encrypted using K1 = fn-1(x)
• Nodes store and time stamp messages, but cannot decrypt them (yet)
• At time t1, base station broadcasts K1
• Nodes verify f (K1) = K0
• Nodes use K1 to decrypt earlier messages
• Nodes and base station must have loosely synchronized clocks: cannot accept messages encrypted with K1 after K1 was revealed
6
Part IIViruses and Cryptography
Principles and Practise of X-RAYINGF. Perriot, P. Ferrie
Virus Bulletin, Sept. 2004
7
Lessons to Learn
• Simple methods of encryption are prevalent
• Viruses provide good applications of things you have seen in this class so far
• Another security trade-off– Resources in sensornets– Speed in virus scanning
8
Introduction
• Cohen’s definition of a virus– A program that is
able to infect other programs by modifying them to include a possibly evolved copy of itself
Win32 PE file (.exe)
virus
9
Historical Glimpse of Malware
• “Elk Cloner”– 1982: First PC virus– Displayed poem after 50th reset
• Morris Worm– 1988: A network program that attacked many
different vulnerabilities to compromise machine
• Blaster Worm– 2004: Typical unpatched UVa CS machine
compromised ~1 to 2 minutes
10
Virus Infection (PE files)
• Easiest way is to prepend while overwriting host application beginning– Original application will not work
• Can append into last section of PE file– Change entry point to beginning of the virus– Insert jmp at entry point to jump to the virus
• Virus writers need something more to fight detection
11
Armored Viruses
• Encryption– Thwarts disassembly– Can hide virus code
; From W95/Mad.2736 Virus
; mov src, dest
mov ecx, LENGTH_OF_VIRUS
Decrypt:
xor [edi], al ; key is in al
inc edi
loop Decrypt ; decrement ecx
12
Detecting Encrypted Viruses
• Polymorphic viruses mutate decryptors
• Static decryptors are easier to detect– Advanced polymorphic virus decryptors can
still be statically detected• MtE has a constant, conditional backwards jump
– Use wildcards in matching algorithm (e.g., 0x75 ?? 0xBF)
13
More complicated Decryption
Decryptor
Decryptor
Decryptor
Decryptor
Decryptor n
14
Other complicating methods of Decryption
• Virus can use brute force to decrypt (no key needed)
• Multiple layers of encryption
• Key can slide, shift
• Non-linear decryption (substitution)
• Debuggers can modify decryption code (e.g., when decryption code is used as key)– Emulators may optimize decryption code
15
X-RAY detection
• X-RAY– Attacking the encryption of the virus code
• Virus encryption is usually weak
• Only have a few seconds (make it fast)
71 99 99 c4
e8 00 00 5dP
C
If XOR is only encryption used, how can we quickly determine key?
16
Why X-RAY
• Can be cheaper (faster) than emulation
• Emulator may not be able to emulate virus
• Decryptors can be buggy
• Works on ~50% of recent Win32 viruses
17
X-RAY Overview
• Known-plaintext attack– Assume we know virus body (or variant)– Just need to know if the virus is really present
• Sliding x-ray
C 71 99 99 c4
C 71 99 99 c4 25
25
C 71 99 99 c4 25 …
18
X-RAY Approaches
• Key Recovery– Guess key, then match
ciphertext to some part of plaintext
• Key validation– Recover several keys
or pieces of keys– Do the keys match with
respect to given encryption method?
71 99 99 c4
e8 00 00 5dP
C
^^^^
99 99 99 99
19
X-RAY Approaches• Invariant scanning
– Can reduce ciphertext and then compare against reduced plaintext
– Very fast– Check Rc == Rp
71 99 99 c4 e8 00 00 5dPC
71 99 99 c4C >> 1
e8 00 5dRc =C ^ (C>>1)
e8 00 00 5dP >> 1
e8 00 5dRp =P ^ (P>>1)
20
P
C >> 1
Rc =C ^ (C>>1)
C
P
P >> 1
Rp =P ^ (P>>1)
Reduce Ciphertext
Reduce Plaintext
Label each plaintext character
e8 00 00 5d
p0 p1 p2 p3Invariant Example
E8^99 00^99 00^99 5d^99
p0^p1 p1^p2 p2^p3
p0 p1 p2 p3
p0 p1 p2 p3
p0^p1 p1^p2 p2^p3
E8^99 00^99 00^99 5d^99
21
How to apply X-RAYing• Want to filter out files for X-RAYing
– Use file geometry, positions and sizes of segments that characterize infected objects (e.g., virus decryptor, virus body, min/max size of decryptor, min infected file size, …)
– Use frequency analysis• Encrypted bytes will have fairly random distribution• Look at ratio of zero bytes to non-zero bytes
22
How to apply X-RAYing• Choice of signatures
– Look at segments from begin, middle, and end of last section
• Length of signatures– Related to unicity distance– If a virus has a max key length of n bits, add n
bits to plaintext signature– Want to avoid false positives
• Misalignment (e.g., sub on 4 bytes instead of single bytes)
23
W95/PerenastXOR cipher
• To encrypt:1. XOR dword (32 bits) of virus with a key2. Add encrypted value to key to produce next
key3. Rotate key i times (later variants did this)
• 1011 rotated 1 time to right: 1101
4. Jump to step 1 if virus not encrypted
• To X-RAY:– XOR first 2 dwords of ciphertext with first 2
dwords of plaintext– Compute the difference (may need to rotate
second dword value if key was rotated)
24
W32/Efish.ASubstitution Cipher
• Uses a 256 byte substitution table– Key size of XOR: 256 bits– Key size of 16x16 byte substitution table: 256!
possible tables
• Use geometry of file– If a duplicate byte value occurs within 256 bytes
of its duplicate, then the 256 bytes cannot be the key
– Have to do this fast!
25
X-RAY Problems
• Multiple layers of encryption with a changing key are too expensive to X-RAY
• If each layer of encryption uses a fixed key with simple operations (e.g., XOR, ROR, etc.), then X-RAYing can be done
• Unaligned layers cause too much diffusion
26
W32/MagistrMore Advanced X-RAY techniques• Many operations such as XOR, ADD, shifts,
etc. are often used to modify the key each round (“running keys”)
• Can X-RAY by trying each possible operation, but it needs more data
For i = 0 to VIRUS_SIZE
p[i] = c[i] ^ k1
k1 = k1 + k2 (these 2 lines can
k1 = k1 rol k3 can be swapped)
end for
27
W32/Magistr• Assume order is ADD
then ROL• XOR 2nd encrypted
dword (try all 31 ROL arguments)
• For some i in the 31 ROL results, result - k1 yields ADD value (k2)
• Check by encrypting 3rd dword of plaintext
// encrypting virus code
For i = 0 to VIRUS_SIZE
p[i] = c[i] ^ k1
k1 = k1 + k2 (these 2 lines can
k1 = k1 rol k3 can be swapped)
end for
28
Homophonic Cipher
• NOON could encrypt to ERTY
• Notice N and O encrypt to 2 different ciphertext letters
• Will work as long as each ciphertext symbol maps to a unique plaintext symbol
• Hides frequency distribution
29
W32/Efish.CHomophonic Cipher
• Build decryption keys– For each ci and pi, record decryption key
– If 2 distinct plaintext values map to the same decryption key, cipher is not substitution or homophonic
– If there are multiple encrypted values for a given plaintext element, it’s homophonic
– Brute force for this is SLOW
30
W32/Efish.CAttacking PRNG
• Using timestamps, C rand() function is bad
• Take care to seed PRNG well
• Efish.C uses a PRNG named the Mersenne Twister– With 94% chance, a random substitution table is
used, or– 6% of the time, it searches for an unused
plaintext byte
31
W32/Efish.CAttacking PRNG
• After ~350 bytes, the chance of an unused byte is less than 10-9
– So after the 350th byte, it’s just a substitution cipher
• Use frequency analysis, determine if a virus uses a simple substitution cipher– If frequencies are not preserved, we know it’s
not a substitution cipher
32
Questions?
(Make sure you got leaked document on midterm and copy
of X-RAY paper)
33
W32/Efish.AScanning for duplicate bytes
• Naïve solution– Consider first 5 bytes, if duplicate found, slide 5-
byte window one position down– It takes 4 bytes to stop the scan on first scan– It takes 3 bytes to stop for the next scan, and
it’s the first 2 bytes– End up looking at same bytes multiple times
52 f2 ce f2 09 …
0 1 2 3 4 …
34
W32/Efish.AMore Efficient Scanning
• Better solution– Start from end– If duplicate seen, slide window down 256 –
examined bytes• If positions 442 and 431 are the first duplicates, we
can start scanning at position 432• On average, it takes ~20 bytes to find duplicate
…
52 f2 ce … 08 …
0 1 2 431 …
08
442
…
…
35
Other X-RAY Options
• For W95/Perenast, the encryption is
encrypt: c = p ^ k
k = k – c
loop encrypt
• If p == 0, then k becomes 0
• If any bits in p are 0, then those bits become 0 in k
36
W32/Bagif• Used 2 layers of encryption
– First layer is a polymorphic decryptor that builds a second layer decryptor that decrypts virus body
• For 2nd layer, to encrypt:1. Initialize counter to VIRUS_SIZE
2. XOR byte with last 8 bits of 32-bit key
3. Rotate key right by one bit
4. Subract counter from key, decrement counter
5. Jump to step 2 if counter not 0
37
X-RAYing W32/Bagif• To X-RAY, do reverse:
1. We can quickly get last 8 bits of key, k, from last byte of virus body• last encrypted virus byte XOR last plaintext
virus byte (set c = 2)
2. Set k = c + k, then increment c
3. Rotate k left by one bit
4. XOR ciphertext byte with known 7 bits of key plus 1 unknown bit
5. Jump to step 2 if counter not VIRUS_SIZE
38
Multiple Layers of Encryption
• Recover code and data keys from decryptor
• Recover code key to X-RAY data key (check for often-used opcodes in decryptor)
• Data key usually spread through many instructions– May need emulator
