All problems of design are solved by All problems of design are solved by

the addition of a layer of indirection.the addition of a layer of indirection.

All problems of efficiency are solved All problems of efficiency are solved byby

the removal of a layer of indirection.the removal of a layer of indirection.

A Linguistic A Linguistic Platform for Threat Platform for Threat

Development Development Ben KurtzBen Kurtz

Imperfect NetworksImperfect Networks

IntroductionIntroduction

By applying programming language By applying programming language theory to the development of new theory to the development of new networks attacks, we can create networks attacks, we can create next-generation platforms capable of next-generation platforms capable of quickly handling arbitrary protocols quickly handling arbitrary protocols and hardware, and exponentially and hardware, and exponentially reducing threat development time.reducing threat development time.

OverviewOverview

MotivationMotivation Threat TestingThreat Testing Goals of a new systemGoals of a new system Applications of Programming Applications of Programming

Language TheoryLanguage Theory

MotivationMotivation

We want to break stuff!We want to break stuff! EasierEasier FasterFaster BetterBetter

Minimize threat development Minimize threat development turnaround timeturnaround time

Motivation (cont.)Motivation (cont.)

Why do we want to break stuff?Why do we want to break stuff? Network Equipment/Service TestingNetwork Equipment/Service Testing MaliceMalice

IDS systems eventually have to be IDS systems eventually have to be tested…tested…

And they must be tested with REAL And they must be tested with REAL threats!threats!

Motivation (cont.)Motivation (cont.)

You can’t have 0-day protection You can’t have 0-day protection

without 0-day testing!without 0-day testing!

This requires same-day threat testing.This requires same-day threat testing.

The Threat Testing CycleThe Threat Testing Cycle

Quantify

Codify

Research

Test

Implement

Window of VulnerabilityWindow of Vulnerability

If it takes two weeks to complete the If it takes two weeks to complete the cycle,cycle,

Your Window of Vulnerability is two Your Window of Vulnerability is two weeks!weeks!

Options for ImprovementOptions for Improvement

Option 1Option 1 Hire more peopleHire more people Work in parallelWork in parallel Still limited by Still limited by

current time-current time-consuming toolsconsuming tools

Window of Window of Vulnerability Vulnerability remains the sameremains the same

Option 2Option 2 Automate the Automate the

common, repetitive common, repetitive tasks associated tasks associated with threat with threat development.development.

Better toolsBetter tools Only deal with the Only deal with the

unique aspects of a unique aspects of a threat.threat.

So…So…

Hiring more people would be great!Hiring more people would be great!

But it’s not going to happen.But it’s not going to happen.

We need better tools.We need better tools.

Threat PlatformsThreat Platforms

We have some threat platforms We have some threat platforms available to us already…available to us already… Metasploit / CanvasMetasploit / Canvas NessusNessus … … PerlPerl

VersatilityVersatility Speed of DevelopmentSpeed of Development Real, Live ThreatsReal, Live Threats

Design GoalsDesign Goals

One tool to generate all possible One tool to generate all possible threatsthreats

Platform/Target independencePlatform/Target independence PCAP importPCAP import Multi-source traffic playbackMulti-source traffic playback Simulation and TestingSimulation and Testing Unified platform means unified Unified platform means unified

reportingreporting

Programming Language Programming Language TheoryTheory

GrammarsGrammars Rules that describe a languageRules that describe a language Serve dual purposes:Serve dual purposes:

Generation – to make valid expressionsGeneration – to make valid expressions Validation – to determine validity of an Validation – to determine validity of an

expressionexpression

Extended Backus-Naur Form (EBNF)Extended Backus-Naur Form (EBNF)

CompilersCompilers

Translates one language to anotherTranslates one language to another Stages of compilationStages of compilation

Lex – syntaxLex – syntax Parse – semanticsParse – semantics Intermediate RepresentationIntermediate Representation Code GenerationCode Generation

Can use well-documented methods Can use well-documented methods and algorithms.and algorithms.

Parser GeneratorsParser Generators

Also called Compiler CompilersAlso called Compiler Compilers Often overlooked, but powerfulOften overlooked, but powerful PG’s are compilers that can PG’s are compilers that can

dynamically redefine the input and dynamically redefine the input and output grammarsoutput grammars

EBNF specification of input or output EBNF specification of input or output grammarsgrammars

Good at handling many different Good at handling many different languageslanguages

SoupSoup

ARP, BGP, CDP, DHCP, DNS, Ethernet, GRE,ARP, BGP, CDP, DHCP, DNS, Ethernet, GRE,

HSRP, HTTP, ICMP, 802.3, 802.11, IGMP, HSRP, HTTP, ICMP, 802.3, 802.11, IGMP, IPv4, IPv4,

IPv6, ISAKMP, L2F, LWAPP, NTP, OSPF, PIM, IPv6, ISAKMP, L2F, LWAPP, NTP, OSPF, PIM,

RADIUS, RIP, RTCP, SLP, SMTP, SNAP, ST2, RADIUS, RIP, RTCP, SLP, SMTP, SNAP, ST2,

STP, TACACS, TCP, TFTP, UDP, VAT, VLANSTP, TACACS, TCP, TFTP, UDP, VAT, VLAN

And countless others…And countless others…

The Big IdeaThe Big Idea

Network Protocols are Network Protocols are Languages!Languages!

(And Normal Languages at that!)(And Normal Languages at that!)

Protocol SpecificationProtocol Specification

Each protocol is an ordered list of fields.Each protocol is an ordered list of fields. Protocols that allow encapsulated Protocols that allow encapsulated

protocols have a Payload, a special field protocols have a Payload, a special field akin to a non-terminal.akin to a non-terminal.

The Payload will point to the grammar The Payload will point to the grammar of the encapsulated protocolof the encapsulated protocol

The innermost Payload can contain The innermost Payload can contain arbitrary binary information, such as arbitrary binary information, such as shellcode shellcode

Ethernet ExampleEthernet Example

Start -> ETHStart -> ETH ETH -> srcMAC destMAC pktType ETH -> srcMAC destMAC pktType

PayloadPayload srcMAC -> (regex for a MAC Address)srcMAC -> (regex for a MAC Address) destMAC -> (regex for a MACAddress)destMAC -> (regex for a MACAddress) pktType -> (regex for 2 Bytes of Hex)pktType -> (regex for 2 Bytes of Hex) Payload -> (unbound non-terminal)Payload -> (unbound non-terminal)

Putting it TogetherPutting it TogetherEthernet+srcMAC+destMAC+pktType+Payload IP

+Version+HeaderLen+TOS+Protocol+...+Payload TCP

+srcPort+destPort+SeqNum+...+Payload

Dynamic ProtocolsDynamic Protocols

I lied. Not all protocols are just a list I lied. Not all protocols are just a list of fields.of fields.

Some have different structures Some have different structures based on the value of a ‘Type’ fieldbased on the value of a ‘Type’ field

Examples: ICMP, OSPF, DHCPExamples: ICMP, OSPF, DHCP These dynamic protocols can be These dynamic protocols can be

handled by splitting up the handled by splitting up the definitionsdefinitions

Ethernet+srcMAC+destMAC+pktType+Payload IP

+Version+HeaderLen+TOS+Protocol+...+Payload OSPF_Header

+Version+Type+PktLen+...+Payload OSPF_Hello

+NetMask+Interval+Options+...

Protocol Specifications

Dynamically Generated GUI

Parser Generator

Threat File

Dynamic GUIDynamic GUI

We need the GUI to provide:We need the GUI to provide: The ability to create stacks of protocolsThe ability to create stacks of protocols The ability to create series of stacksThe ability to create series of stacks The ability to assign things to fieldsThe ability to assign things to fields

Types of things for fields:Types of things for fields: FunctionsFunctions VariablesVariables ValuesValues

Some Useful FunctionsSome Useful Functions

RangeRange RandomRandom Random StringRandom String Homogenous String of Length XHomogenous String of Length X ConcatenationConcatenation ChecksumsChecksums

Threat DescriptionThreat Description

Behavior of ThreatsBehavior of Threats MetadataMetadata Named VariablesNamed Variables FunctionsFunctions ListsLists

Protocol Specifications

Threat File

Parser Generator

Bound Threat

Threat Engine

Binding and PlaybackBinding and Playback

Pre-compilation of Pre-compilation of Threats (Threat Threats (Threat Binding)Binding)

Distributed designDistributed design Multi-Source Multi-Source

Traffic PlaybackTraffic Playback

Importing from PCAPImporting from PCAP

Grammar-based PCAP Grammar-based PCAP decompositiondecomposition

Translating using Protocol Translating using Protocol DefinitionsDefinitions

Multi-sourced PCAP filesMulti-sourced PCAP files Edit your imported PCAP for Edit your imported PCAP for

playbackplayback

Protocol Specifications

PCAP File

Parser Generator

Threat File

ConclusionConclusion

Threat Development and Delivery Threat Development and Delivery Platforms based on Parser Platforms based on Parser Generators have several advantages:Generators have several advantages: Speed of DevelopmentSpeed of Development Live TestingLive Testing PCAP Import and PlaybackPCAP Import and Playback Platform and Protocol IndependencePlatform and Protocol Independence

Q & AQ & A

At this time, I’d like At this time, I’d like

to open the floor up for to open the floor up for

questions.questions.

Grammars: Ins and OutsGrammars: Ins and Outs

Threat File

Threat File

Bound Threat Bound Threat

PCAPPCAP

Protocol GrammarsProtocol

Grammars

ParserGenerator

ParserGenerator