8/8/2019 Automated Vulnerability Analysis
Microsoft Malware Protection Center
Threat Research and Response Team
2009 Microsoft Corporation. All rights reserved.
Introduction
Microsoft Malware Protection Center (MMPC)
Threat Research and Response Team
Abhishek Singh (MMPC)
Nikola Livic (MMPC)
Tanmay Ganacharya (MMPC)
Scott Lambert (MMPC)
Swapnil Bhalode (MMPC)
Agenda
Overview
Results
Paladin
Demo
Key Lessons
Conclusion
Q&A
Overview
Motivation
Automate processes like:
Analyzing exploits
Identifying malicious input bytes
Identifying how shell code gets executed
Narrowing the search space
Paladin
Refers to a suite of tools
Supports rapid, scalable vulnerability analysis
Results - Paladin
Categories              Completed  Detected  Not Detected  Success
File-based (complex)           10         4             6      40%
File-based (simple)            10         8             2      80%
Scripting-based                10         6             4      60%
Network-based                  15         9             6      60%
Total                          45        27            18      60%
Results - Paladin
[Bar chart: Total, Detected and Not Detected per category (Network-based, Scripting-based, File-based (Simple), File-based (Complex)); y-axis 0 to 15]
Brief tour
Paladin
Core component: Vigilante
End-to-end approach to automate worm containment
Tech-transferred from MSR/Incubation
Vigilante
Started in Microsoft Research (MSR) by Manuel Costa and Miguel Castro and later transitioned to an Incubation team.
Timeline:
Oct. 2004 (Devadas)
Nov. 2004 (MSR)
Dec. 2004 (Minos)
Feb. 2005 (TaintCheck)
Leverages dynamic dataflow analysis to track the use of untrusted data and block it from being executed or loaded into the program counter
Since then it has forked in different directions:
Use for malware analysis (spyware, etc.)
Information leakage, etc.
Major Components - Vigilante
Program Instrumentation (dynamic binary rewriting)
Used to instrument the program to enable monitoring of how untrusted input data is used
Detection Engine
Leverages dynamic data-flow analysis to identify attacks and generate alerts
Alert Verifier and Distributor
Contains enough information to reproduce the issue on other hosts and distribute accordingly
Filter Generator
Provides protection from future attempts by blocking malicious input.
Detection Engine
Dynamic dataflow analysis
Track the flow of data from input messages
Common input sources: file, network, etc.
Mark memory as tainted when input data is received
Track all data movement within the program
Terminate the program before it's too late:
Detect execution of input data (virtual address is marked tainted)
Detect loading of input data into the program counter (saved return address overwrite, etc.)
Dynamic Data Flow Analysis
Step 1: Keep track of which memory locations and CPU registers are tainted with untrusted input data
Instrument every data-movement instruction (e.g. MOV, MOVS, PUSH, POP on x86 CPUs) to keep track
Step 2: Identify and block dangerous uses of untrusted input data
Instrument every control transfer instruction (e.g. RET, CALL, JMP on x86 CPUs)
Dangerous uses of input data
Alert Types
Arbitrary Execution Control (AEC): when tainted data is about to be loaded into the program counter
Arbitrary Code Execution (ACE): when tainted data is about to be executed
Arbitrary Function Argument (AFA): when a critical argument to a critical function is tainted
Denial of Service (DoS): when tainted data leads to an access violation
Dynamic dataflow analysis
[Stack diagram: the return address sits above the local buffer; netbuf holds the received data]
// vulnerable code
push len
push netbuf
push sock
call recv
push netbuf
push localbuf
call strcpy
ret             ; alert: value loaded into program counter is tainted
[After strcpy, the stack pointer points to tainted data]
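Added example (not Vigilante or Paladin code) that implements the two steps above for a toy x86-like machine: data-movement instructions carry a per-byte taint shadow along, control transfers and calls to critical functions check it, and the four alert types are raised. The instruction encoding, the stack layout (NETBUF, LOCALBUF, RET_SLOT), the recv/strcpy library models and the choice of CreateProcess as the critical function are constructed assumptions. VULN_STRCPY is the frame from the sl ide above; VULN_CALL_EAX is the variant where a pointer loaded from the buffer is called directly.

```python
# Toy dynamic dataflow (taint) tracker in the style of the Vigilante detection
# engine on these slides. Added example, not Vigilante or Paladin code: the
# instruction encoding, stack layout, addresses and library models are constructed.
# Operands: register name, immediate int, or ("mem", base register or None, disp).
from typing import Dict, List, Set, Tuple

class Alert(Exception):
    def __init__(self, kind: str, detail: str) -> None:  # kind: AEC, ACE, AFA or DoS
        super().__init__(f"{kind}: {detail}")
        self.kind = kind

class TaintMachine:
    def __init__(self, stack_top: int) -> None:
        self.regs: Dict[str, int] = {"eax": 0, "esp": stack_top}
        self.reg_taint: Dict[str, bool] = {"eax": False, "esp": False}
        self.mem: Dict[int, int] = {}      # byte address -> value (unset bytes read as 0)
        self.taint: Set[int] = set()       # shadow: addresses holding untrusted bytes
        self.critical = {"CreateProcess"}  # functions with critical arguments (AFA)
    # Step 1: every data movement carries the taint bit along with the value.
    def store_byte(self, addr: int, value: int, tainted: bool) -> None:
        self.mem[addr] = value & 0xFF
        (self.taint.add if tainted else self.taint.discard)(addr)
    def store_word(self, addr: int, value: int, tainted: bool) -> None:
        for i in range(4): self.store_byte(addr + i, value >> (8 * i), tainted)
    def load_word(self, addr: int, ptr_tainted: bool = False) -> Tuple[int, bool]:
        if not 0 <= addr <= 0x10000 - 4:  # constructed address space: beyond it faults
            raise Alert("DoS", f"tainted pointer {addr:#x} faulted") if ptr_tainted \
                else RuntimeError(f"access violation at {addr:#x}")
        value = sum(self.mem.get(addr + i, 0) << (8 * i) for i in range(4))
        return value, any(addr + i in self.taint for i in range(4))
    def read(self, op) -> Tuple[int, bool]:
        if isinstance(op, int):
            return op, False  # immediates are trusted
        if isinstance(op, str):
            return self.regs[op], self.reg_taint[op]
        _, base, disp = op
        addr = (self.regs[base] if base else 0) + disp
        return self.load_word(addr, bool(base) and self.reg_taint[base])
    def write(self, op, value: int, tainted: bool) -> None:
        if isinstance(op, str):
            self.regs[op], self.reg_taint[op] = value & 0xFFFFFFFF, tainted
        else:
            self.store_word((self.regs[op[1]] if op[1] else 0) + op[2], value, tainted)
    def arg(self, n: int) -> int:  # n-th pushed argument; the last push sits at [esp]
        return self.load_word(self.regs["esp"] + 4 * n)[0]
    # Library models: recv() is the untrusted input source, strcpy() is unbounded.
    def recv(self, data: bytes) -> None:  # args: sock, buf, len
        buf, n = self.arg(1), self.arg(2)
        for i, b in enumerate(data[:n]):
            self.store_byte(buf + i, b, True)  # SetTaint on every received byte
    def strcpy(self) -> None:  # args: dst, src; copies up to and including the NUL
        dst, src, i = self.arg(0), self.arg(1), 0
        while True:
            self.store_byte(dst + i, self.mem.get(src + i, 0), (src + i) in self.taint)
            if self.mem.get(src + i, 0) == 0:
                return
            i += 1
    # Step 2: every control transfer is checked before EIP changes.
    def check_target(self, target: int, tainted: bool, what: str) -> None:
        if tainted:
            raise Alert("AEC", f"{what}: tainted value {target:#x} about to enter EIP")
        if target in self.taint:
            raise Alert("ACE", f"{what}: EIP {target:#x} points at input bytes")
    def run(self, program: List[tuple], data: bytes) -> None:
        for op, *args in program:
            if op == "mov":
                self.write(args[0], *self.read(args[1]))
            elif op == "push":
                value, tainted = self.read(args[0])
                self.regs["esp"] -= 4
                self.store_word(self.regs["esp"], value, tainted)
            elif op == "call" and args[0] in self.regs:  # e.g. call eax
                self.check_target(*self.read(args[0]), "call")
            elif op == "call" and args[0] in self.critical:
                value, tainted = self.load_word(self.regs["esp"])
                if tainted:
                    raise Alert("AFA", f"tainted argument {value:#x} passed to {args[0]}")
            elif op == "call":
                self.recv(data) if args[0] == "recv" else self.strcpy()
            elif op == "ret":
                value, tainted = self.load_word(self.regs["esp"])
                self.regs["esp"] += 4
                self.check_target(value, tainted, "ret")

# Constructed frame: a 16-byte local buffer directly below the saved return address.
NETBUF, LOCALBUF, RET_SLOT, RET_ADDR = 0x2000, 0x0FE0, 0x0FF0, 0x401000
RECV_NETBUF = [("push", 64), ("push", NETBUF), ("push", 3), ("call", "recv")]
# The slide's vulnerable code: recv into netbuf, strcpy into localbuf, epilogue, ret.
VULN_STRCPY = RECV_NETBUF + [("push", NETBUF), ("push", LOCALBUF), ("call", "strcpy"),
                             ("mov", "esp", RET_SLOT), ("ret",)]
VULN_CALL_EAX = RECV_NETBUF + [("mov", "eax", ("mem", None, NETBUF + 3)), ("call", "eax")]
CRITICAL_ARG = RECV_NETBUF + [("push", ("mem", None, NETBUF)), ("call", "CreateProcess")]
TAINTED_PTR = RECV_NETBUF + [("mov", "eax", ("mem", None, NETBUF)), ("mov", "eax", ("mem", "eax", 0))]

def run_scenario(program: List[tuple], payload: bytes) -> str:  # "clean" or the alert kind
    m = TaintMachine(stack_top=LOCALBUF)
    m.store_word(RET_SLOT, RET_ADDR, False)  # trusted saved return address
    try:
        m.run(program, payload)
        return "clean"
    except Alert as alert:
        return alert.kind
```

A short payload leaves the return slot untouched and run_scenario(VULN_STRCPY, ...) reports "clean"; a payload longer than the 16-byte buffer overwrites the saved return address with tainted bytes and the RET raises AEC. CRITICAL_ARG and TAINTED_PTR show the AFA and DoS alert types with the same machine.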
How does Vigilante work?
[Diagram: vulnProcess [pid:1033], shown as Static Data, Code and Stack, receives the Exploit from exploitProcess; the Detector is attached to vulnProcess and writes Vigi_log.log]
C:\> VulnProcess
C:\> nirvExec /clientname detector.dll /attach 1033
Dynamic dataflow analysis
// vulnerable code
push len
push buff
push sock
call recv
mov eax, buf[3]
call eax        ; Alert!!! tainted value loaded into the program counter
...
[Diagram: the Vulnerable Process (.EXE) holds buff; the Detector tracks buff and raises the alert]
CVE-2008-1087
Results Revisited
Categories              Completed  Detected  Not Detected  Success
File-based (complex)           10         4             6      40%
File-based (simple)            10         8             2      80%
Scripting-based                10         6             4      60%
Network-based                  15         9             6      60%
Total                          45        27            18      60%
What does detection mean?
What does it mean to not detect?
Incorrect alert point
Incomplete log file
No log file
And the reasons?
Overcoming the challenges
Lessons Learned
Beyond scope
False alerts
Engineering issues
Scope
Not included:
Temporal (timing-based) vulnerabilities
E.g. CVE-2003-0813: RPC timing issue between 2 threads
Kernel-level vulnerabilities
E.g. CVE-2006-1314: Mailslot driver heap overflow
Data-independent vulnerabilities
E.g. CVE-2007-0938: CMS
E.g. CVE-2007-0039: ICal
Data Independent Example 1
CVE-2007-0938 CMS, DoS: http://foo/000-000,%21frames.htm
The parse function returns a negative value
The value goes into a memcpy-like function

DWORD ParseURL(WCHAR *URL)
{
    // CommaOffset returns a negative value for this URL; stored in an
    // unsigned DWORD it becomes a huge length
    DWORD SizeOfSubString = CommaOffset(URL);
    DoCopy(SizeOfSubString); // Crash here: memcpy-like copy with that length
    return SizeOfSubString;
}
Data Independent Example 2
CVE-2006-2376 ICal (DoS, null dereference): Begin:Vcalender.
Causes an improper free of a structure, then a dereference.

void ReadCalender(WCHAR *In_Bytes)
{
    CALTABLE *Table = Allocate();   // CALTABLE: hypothetical struct type
    if (In_Bytes == Bad_Value) {
        Free(Table);                // structure freed on the bad value...
    }
    Table->Func();                  // Crash here: ...then dereferenced
}
False Alerts and Mitigations
False Alerts
Erroneous alerts generated due to:
Imprecise taint propagation
Non-malicious inputs being tracked as malicious
False Alerts in Theory
Table lookup:
result = table[in_byte]; // False Positive
result = table[in_byte]; // Should be
Implicit flows:
if (in_byte == 1) result = 1; // False Negative
if (in_byte == 1) result = 1; // Should be
if (in_byte == 2) result = 2; // False Negative
if (in_byte == 2) result = 2; // Should be
Arithmetic restrictions:
result = (in_byte & 0x00); // False Positive
result = (in_byte & 0x00); // Should be
Reference: Newsome and Song, Influence: A Quantitative Approach for Data Integrity
False Positives (FP) in Practice
FPs in jump tables
FPs due to marking input as tainted when it is innocuous
FPs in Jump Tables Example
CVE-2006-4691: BO (buffer overflow) in NetJoinDomain, Workstation Service, via RPC

CallRPCInterface(BYTES *In_Bytes)
{
    NetJoinDomain = DispatchTable[In_Bytes]; // tainted index: the looked-up pointer is marked tainted
    Invoke( NetJoinDomain, //
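Added Python example (not Vigilante code) covering the three propagation cases on the "False Alerts in Theory" slide and the jump-table false positive above. T is a constructed value-with-taint-bit wrapper that propagates taint the naive way; influence_bits is a brute-force stand-in for the quantitative influence idea the slide cites, counting over all 256 byte values how many distinct outputs the input can select. The dispatch table, its handler addresses, the modulo standing in for the bounds check, and the flag that switches the indirect-call check off (modelled on the JmpCallIndirect flag of the mitigation slide) are all assumptions.

```python
# Naive taint propagation next to a brute-force influence measurement, for the
# three cases on the "False Alerts in Theory" slide and the jump-table false
# positive. Added example, not Vigilante code; T, the functions and the
# dispatch table are constructed here.
import math
from typing import Callable, List, Tuple

class T:
    """A value with one taint bit under naive propagation: any data operation on
    a tainted operand yields a tainted result; branches propagate nothing."""
    def __init__(self, value: int, tainted: bool = False) -> None:
        self.value, self.tainted = value, tainted
    def __and__(self, mask: int) -> "T":  # result = in_byte & mask
        return T(self.value & mask, self.tainted)

def table_lookup(table: List[int], idx: T) -> T:
    """result = table[in_byte]: the index's taint flows into the result.
    The modulo stands in for the bounds check a real dispatcher performs."""
    return T(table[idx.value % len(table)], idx.tainted)

def implicit_flow(in_byte: T) -> T:
    """if (in_byte == 1) result = 1; if (in_byte == 2) result = 2;
    Only constants are assigned, so the result is never tainted."""
    result = T(0)
    if in_byte.value == 1:
        result = T(1)
    if in_byte.value == 2:
        result = T(2)
    return result

def arithmetic_restriction(in_byte: T) -> T:
    """result = in_byte & 0x00: always zero, yet naively still tainted."""
    return in_byte & 0x00

def influence_bits(f: Callable[[int], int]) -> float:
    """Bits of the output that one untrusted byte can select: log2 of the number
    of distinct outputs reachable over all 256 input values."""
    return math.log2(len({f(b) for b in range(256)}))

def judge(f: Callable[[T], T]) -> Tuple[bool, float, str]:
    """Compare the naive taint verdict on f's result with measured influence."""
    naive = any(f(T(b, tainted=True)).tainted for b in range(256))
    bits = influence_bits(lambda b: f(T(b, tainted=True)).value)
    if naive and bits == 0:
        verdict = "false positive"  # tainted, but the input cannot change it
    elif not naive and bits > 0:
        verdict = "false negative"  # untainted, but the input selects the value
    else:
        verdict = "consistent"
    return naive, bits, verdict

# Jump-table dispatch as on the NetJoinDomain slide: a request byte picks a
# handler from a table the program itself filled with trusted addresses
# (constructed values below).
DISPATCH_TABLE = [0x401000, 0x401100, 0x401200, 0x401300]

def dispatch(in_byte: T, jmp_call_indirect: bool = True) -> str:
    """Return the handler address reached, or "AEC alert" when the indirect-call
    check fires. With the check on, the tainted index taints the looked-up
    pointer and every dispatch alerts: the jump-table false positive. The flag
    models switching that handler off, as the mitigation slide lists."""
    target = table_lookup(DISPATCH_TABLE, in_byte)
    if jmp_call_indirect and target.tainted:
        return "AEC alert"
    return f"{target.value:#x}"

def reachable_handlers() -> set:
    """Every target an attacker-chosen byte can reach through the table. All of
    them are the program's own entries, which is why the alert is spurious."""
    return {dispatch(T(b, tainted=True), jmp_call_indirect=False) for b in range(256)}
```

judge(arithmetic_restriction) reports a false positive (tainted, zero bits of influence) and judge(implicit_flow) a false negative (untainted, about 1.58 bits); dispatch alerts on every tainted request byte although reachable_handlers() is exactly the table's four trusted entries.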
FPs in tracking
CVE-2009-0076 (IE CSS memory corruption vulnerability)

\??\C:\Documents and Settings\vigilante\Recent\desktop.ini
Handle = 410 FileSize = 96
Tracked handle: Buf = 5fc0000
PostIoInitiation: pIosb=169646c; pBuf=5fc0000; hFile=410; hEvent=0
Io completed synchronously.
HandleIoCompletion: pIosb=169646c; dwLen=96
SetTaint: Base=5fc0000 Len=96
ADDR 0x5fc0000 - 0x5fc0095 set to dirty= 0x2
RANGE 5fc0000..5fc0095 set to = [2..97]
Mitigations to FPs in Practice
Flags:
IndirectAddressing   mov [disp + ref1 + ref2*i], 0xff
JmpCallIndirect      jmp/call [disp + ref1 + ref2*i]
LowFalsePositives    Turn off set of handlers
False Positives file: CVE-2008-2254 (IE HTML Obj Mem Corruption)
0x7d513573
0x7d518123
0x746c240a
0x75c59c7a
Policy File
Engineering issues
Attaching to process
Detecting with complex processes
Detector protection from exploit
Miscellaneous
Process Attachment
Example:
CVE-2008-4250 Conficker (path canonicalization reached via RPC)

// At boot time, before the detector exists: the read of untrusted data
// is already in flight, so its bytes are never marked tainted
CreateFile("\\\\pipe\\Browser");
CreateIoCompletionPort();
ReadFile(Buffer_Location);
// Attachment to service here: only the completion is observed
GetQueuedCompletionStatus();

[Diagram: Vulnerable Process, Code, Detector]
Process Attachment
Mitigations:
Coerce the service to execute its init code (Pump utility or waiting X period of time)
Try launching or attaching to a simpler service (many cases)
In theory, change the CreateProcess routine to inject the detector at boot.
Complex programs/services Example
VIGI_LOG.LOG:

\??\PIPE\srvsvc
SetTaint: Base=d84d8 Len=44
ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
----------------------------------------------
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
----------------------------------------------
\??\PIPE\lsarpc
SetTaint: Base=d45f8 Len=44
ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0

CAN-2002-0724 LANMAN vulnerability: DoS with unchecked buffer to NetShareEnum
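Added Python example (not Vigilante code) that parses log records in the shape shown above and on the CVE-2009-0076 tracking slide, then maps the taint labels of a dirty instruction back to the offsets of the input bytes it consumed, which is the "identify malicious input bytes" goal from the overview. It also filters records by an EIP list, modelling the "False Positives file" from the mitigation slide. The sample log is constructed from the records on the slide; the reading of labels as sequential per SetTaint range (starting at the value after "dirty=") and the policy format are assumptions.

```python
# Parser for the detector's Vigi_log records shown on the slides. SetTaint labels
# each input byte (the value after "dirty=" for the first byte, then one label
# per following byte; that sequential reading is an assumption from the log's
# ADDR/RANGE lines), and every "-- dirty" instruction record lists the labels on
# its operands, so labels map back to the input bytes an instruction consumed.
# An EIP suppression list models the "False Positives file" of the mitigation
# slide. Added example, not Vigilante code; the sample log is constructed from
# the slide's records and the policy format is assumed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SAMPLE_LOG = r"""\??\PIPE\srvsvc
SetTaint: Base=d84d8 Len=44
ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
----------------------------------------------
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
----------------------------------------------
\??\PIPE\lsarpc
SetTaint: Base=d45f8 Len=44
ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0
"""

@dataclass
class TaintRange:
    source: str       # input source named on the line before SetTaint
    base: int         # first buffer address
    first_label: int  # value after "dirty="; each following byte gets the next label
    length: int
    def offset_of(self, label: int) -> int:
        """Byte offset within this input, or -1 if the label belongs to another."""
        if self.first_label <= label < self.first_label + self.length:
            return label - self.first_label
        return -1

@dataclass
class DirtyRecord:
    insn: str
    eip: int = 0
    esp: int = 0
    tid: int = 0
    operands: Dict[str, List[int]] = field(default_factory=dict)  # name -> labels

ADDR_RE = re.compile(r"ADDR 0x([0-9a-f]+) - 0x([0-9a-f]+) set to dirty= 0x([0-9a-f]+)")
EIP_RE = re.compile(r"EIP: 0x([0-9a-f]+) ESP: 0x([0-9a-f]+) TID: 0x([0-9a-f]+)")
OPERAND_RE = re.compile(r"(Operand[\w.]*): 0x[0-9a-f]+ Dirty: (.+)")

def parse_log(text: str) -> Tuple[List[TaintRange], List[DirtyRecord]]:
    ranges, records, source, current = [], [], "", None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("\\??\\"):
            source = line
        elif m := ADDR_RE.match(line):
            lo, hi, label = (int(x, 16) for x in m.groups())
            ranges.append(TaintRange(source, lo, label, hi - lo + 1))
        elif line.endswith("-- dirty"):
            current = DirtyRecord(insn=line[: -len(" -- dirty")])
            records.append(current)
        elif (m := EIP_RE.match(line)) and current:
            current.eip, current.esp, current.tid = (int(x, 16) for x in m.groups())
        elif (m := OPERAND_RE.match(line)) and current:
            current.operands[m.group(1)] = [int(x, 16) for x in m.group(2).split(",")]
    return ranges, records

def input_bytes_used(record: DirtyRecord, ranges: List[TaintRange]) -> Dict[str, List[int]]:
    """Which input bytes (source -> sorted offsets) the dirty instruction consumed."""
    used: Dict[str, Set[int]] = {}
    for labels in record.operands.values():
        for label in labels:
            if label == 0:
                continue  # 0x0 marks an untainted byte
            for rng in ranges:
                off = rng.offset_of(label)
                if off >= 0:
                    used.setdefault(rng.source, set()).add(off)
    return {src: sorted(offs) for src, offs in used.items()}

def apply_policy(records: List[DirtyRecord], suppressed_eips: Set[int]) -> List[DirtyRecord]:
    """Drop records whose EIP is on the suppression list (the false positives file)."""
    return [r for r in records if r.eip not in suppressed_eips]
```

On the sample log, the first record's labels 0x6..0x9 resolve to bytes 4 to 7 of the srvsvc message (consistent with Operand2 at Base+4), and the lsarpc record's labels 0x4e, 0x4f resolve to bytes 8 and 9 of that message; the Len and RANGE values are read as hexadecimal, which is what makes the address span, the length and the label count agree.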
Complex programs/services
Mitigations:
Smaller svchost group
Find an easier program
e.g. ImageViewer instead of IE
Packet cleaner utility
Detector protection from exploit
CVE-2009-0133 MS Help Workshop (a shellhunter payload)
Mitigations:
Move the stack around
Page protect
[Diagram: the overflowed buf on the Stack reaches into the Detector's own memory]
Miscellaneous
Logging without deadlocking
Space considerations
Results Revisited and Extended
Categories              Completed  Detected (minimal effort)  Detected (considerable effort)  Not Detected
File-based (complex)           10                          0                               4             6
File-based (simple)            10                          6                               2             2
Scripting-based                10                          4                               2             4
Network-based                  15                          4                               2             6
Total                          45                         14                              10            18
Detection Effort
[Chart: detection effort (Minimal, Considerable, No Detection) per category (Simple File-Based, Complex File-Based, Network, Scripting)]
Conclusion
First attempt at using dynamic dataflow analysis in production
Delineated real-world challenges
Provided mitigation strategies
Helped reduce response time
Supports rapid, scalable vulnerability analysis
Great investment for the future
Lessons learned enlarged the scope of effectiveness
More to come
{absing, niklivic, tanmayg, scottlam, sbhalod}@microsoft.com