Automated Vulnerability Analysis


  • 8/8/2019 Automated Vulnerability Analysis

    1/47

    Microsoft Malware Protection Center, Threat Research and Response Team

    2009 Microsoft Corporation. All rights reserved.

    2/47

    Introduction

    Microsoft Malware Protection Center (MMPC), Threat Research and Response Team

    Abhishek Singh (MMPC)
    Nikola Livic (MMPC)
    Tanmay Ganacharya (MMPC)
    Scott Lambert (MMPC)
    Swapnil Bhalode (MMPC)

    3/47

    Agenda

    Overview
    Results
    Paladin
    Demo
    Key Lessons

    Conclusion

    Q&A

    4/47

    Overview

    Motivation: automate processes like
      Analyzing exploits
      Identifying malicious input bytes
      Identifying how shell code gets executed
      Narrowing the search space

    Paladin: refers to a suite of tools that support rapid, scalable vulnerability analysis

    5/47

    Results - Paladin

    Categories            Completed  Detected  Not Detected  Success
    File-based (complex)  10         4         6             40%
    File-based (simple)   10         8         2             80%
    Scripting-based       10         6         4             60%
    Network-based         15         9         6             60%
    Total                 45         27        18            60%

    6/47

    Results - Paladin

    Figure: bar chart of Detected, Not Detected and Total per category (Network-based, Scripting-based, File-based simple, File-based complex), scale 0 to 15

    7/47

    Brief tour

    8/47

    Paladin

    Core component: Vigilante, an end-to-end approach to automate worm containment

    Tech-transferred from MSR/Incubation

    9/47

    Vigilante

    Started in Microsoft Research (MSR) by Manuel Costa and Miguel Castro and later transitioned to an Incubation team.

    Timeline with the following: Oct. 2004 (Devadas), Nov. 2004 (MSR), Dec. 2004 (Minos), Feb. 2005 (TaintCheck)

    Leverages dynamic dataflow analysis to track the use of untrusted data and block it from being executed or loaded into the program counter.

    Since then it has forked in different directions: use for malware analysis (spyware, etc.), information leakage, etc.

    10/47

    Major Components - Vigilante

    Program Instrumentation (dynamic binary re-writing)
      Used to instrument the program to enable monitoring of how untrusted input data is used

    Detection Engine
      Leverages dynamic data-flow analysis to identify attacks and generate alerts

    Alert Verifier and Distributor
      Contains enough information to reproduce the issue on other hosts and distribute accordingly

    Filter Generator
      Provides protection from future attempts by blocking malicious input.

    11/47

    Detection Engine

    Dynamic dataflow analysis
      Track the flow of data from input messages
      Common input sources: file, network, etc.
      Mark memory as tainted when input data is received; track all data movement within the program

    Terminate the program before it is too late
      Detect execution of input data (virtual address is marked tainted)
      Detect loading of input data into the program counter (saved return address overwrite, etc.)

    12/47

    Dynamic Data Flow Analysis

    Step 1: Keep track of which memory locations and CPU registers are tainted with untrusted input data
      Instrument every data-movement instruction (e.g. MOV, MOVS, PUSH, POP on x86 CPUs) to keep track

    Step 2: Identify and block dangerous uses of untrusted input data
      Instrument every control transfer instruction (e.g. RET, CALL, JMP on x86 CPUs)

    13/47

    Dangerous uses of input data

    Alert Types
      Arbitrary Execution Control (AEC): when tainted data is about to be loaded into the program counter
      Arbitrary Code Execution (ACE): when tainted data is about to be executed
      Arbitrary Function Argument (AFA): when a critical argument to a critical function is tainted
      Denial of Service (DoS): when tainted data leads to an access violation

    14/47

    Dynamic dataflow analysis

    Figure: stack layout with return address, netbuf and buffer; after the copy the stack pointer points to tainted data

      // vulnerable code
      push len
      push netbuf
      push sock
      call recv          // netbuf is now tainted
      push netbuf
      push localbuf
      call strcpy        // unbounded copy: tainted bytes overwrite the saved return address
      ret                // alert: value loaded into program counter is tainted

    15/47

    How does Vigilante work?

    Figure: vulnProcess [pid:1033] (Static Data, Code, Stack) with the Detector attached; exploitProcess delivers the exploit; the detector writes Vigi_log.log

      C:\> VulnProcess
      C:\> nirvExec /clientname detector.dll /attach 1033
      C:\>

    16/47

    Dynamic dataflow analysis

      // vulnerable code
      push len
      push buff
      push sock
      call recv          // buff is now tainted
      mov eax, buff[3]   // pointer-sized value taken straight from the received bytes
      call eax           // Alert!!! tainted value loaded into the program counter
      ...

    Figure: the vulnerable process (.EXE) holds buff; the detector tracks buff and raises the alert at call eax
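The two slides above, together with the detection engine, the two-step dataflow analysis and the alert types on slides 11 to 13, can be exercised in a small model. The following Python is an added example written for this page, not Vigilante code: a byte-addressed memory with a shadow taint array, a recv() taint source, data movement that copies taint along with the bytes, and control transfers that raise AEC (tainted value loaded into the program counter), ACE (tainted bytes about to be executed) or DoS (access violation through a tainted pointer). AFA is left out because it needs a model of critical functions. Every address, buffer layout and message byte is constructed for the demonstration; the strcpy overflow mirrors slide 14 and the call eax mirrors slide 16.

```python
MEM_SIZE = 0x200                                # toy address space

class TaintAlert(Exception):                    # kind: AEC, ACE or DoS (AFA needs a function model; left out)
    def __init__(self, kind, detail):
        super().__init__(f"{kind}: {detail}")
        self.kind = kind

class Machine:
    def __init__(self):
        self.mem = bytearray(MEM_SIZE)
        self.taint = bytearray(MEM_SIZE)        # shadow memory: 1 = byte derived from input
        self.regs = {"eax": 0, "esp": 0x1F0}
        self.reg_taint = {"eax": False, "esp": False}
    # Step 1: taint source. Everything recv() writes is untrusted.
    def recv(self, buf, data):
        self.mem[buf:buf + len(data)] = data
        self.taint[buf:buf + len(data)] = b"\x01" * len(data)
    # Data-movement instructions (MOV, PUSH, POP, string copies) move taint with the bytes.
    def load32(self, addr, addr_tainted=False):
        if not 0 <= addr <= MEM_SIZE - 4:
            if addr_tainted:                    # the input chose the faulting address
                raise TaintAlert("DoS", f"access violation via tainted pointer 0x{addr:x}")
            raise RuntimeError("crash with no taint involved: the detector stays silent")
        return int.from_bytes(self.mem[addr:addr + 4], "little"), any(self.taint[addr:addr + 4])
    def store32(self, addr, val, tainted):
        self.mem[addr:addr + 4] = val.to_bytes(4, "little")
        self.taint[addr:addr + 4] = (b"\x01" if tainted else b"\x00") * 4
    def mov_reg_mem(self, reg, addr):           # mov reg, [addr]
        self.regs[reg], self.reg_taint[reg] = self.load32(addr)
    def push(self, val, tainted=False):
        self.regs["esp"] -= 4
        self.store32(self.regs["esp"], val, tainted)
    def pop(self):
        val, t = self.load32(self.regs["esp"])
        self.regs["esp"] += 4
        return val, t
    def strcpy(self, dst, src):                 # unbounded copy; taint follows every byte
        i = 0
        while True:
            self.mem[dst + i], self.taint[dst + i] = self.mem[src + i], self.taint[src + i]
            if self.mem[src + i] == 0:
                return
            i += 1
    # Step 2: every control transfer (RET, CALL, JMP) is checked before it happens.
    def transfer(self, target, target_tainted):
        if target_tainted:
            raise TaintAlert("AEC", f"tainted value 0x{target:x} loaded into the program counter")
        if not 0 <= target < MEM_SIZE:
            raise RuntimeError("jump to unmapped address with no taint involved")
        if self.taint[target]:
            raise TaintAlert("ACE", f"about to execute input bytes at 0x{target:x}")
        return target                           # benign transfer: execution continues at target
    def ret(self):
        return self.transfer(*self.pop())
    def call_reg(self, reg):                    # call eax
        return self.transfer(self.regs[reg], self.reg_taint[reg])
    def jmp_imm(self, target):                  # jmp <constant>
        return self.transfer(target, False)

NETBUF, CODE_RET = 0x40, 0x30                   # constructed addresses in the toy memory

def overflow_ret(m):
    """Slide 14: recv into netbuf, strcpy into a 16-byte local buffer, ret."""
    m.push(CODE_RET)                            # saved return address of the vulnerable function
    m.recv(NETBUF, b"A" * 16 + (0xDEADBEEF).to_bytes(4, "little") + b"\x00")
    m.strcpy(m.regs["esp"] - 16, NETBUF)        # 20 bytes plus NUL land in a 16-byte buffer
    return m.ret()

def short_message_ret(m):
    """Same code path with a message that fits: no alert."""
    m.push(CODE_RET)
    m.recv(NETBUF, b"hello\x00")
    m.strcpy(m.regs["esp"] - 16, NETBUF)
    return m.ret()

def call_from_input(m):
    """Slide 16: mov eax, buff[3]; call eax."""
    m.recv(NETBUF, b"\x90\x90\x90" + (0x41414141).to_bytes(4, "little"))
    m.mov_reg_mem("eax", NETBUF + 3)
    return m.call_reg("eax")

def jump_into_input(m):
    """Constant jump target that lands on received bytes."""
    m.recv(NETBUF, b"\xcc" * 8)
    return m.jmp_imm(NETBUF)

def tainted_pointer_deref(m):
    """Pointer taken from the input, then dereferenced."""
    m.recv(NETBUF, (0xFFFFFFF0).to_bytes(4, "little"))
    m.mov_reg_mem("eax", NETBUF)
    return m.load32(m.regs["eax"], m.reg_taint["eax"])

def detect(scenario):
    """Run a scenario under the detector; return the alert type, or None when it stays silent."""
    try:
        scenario(Machine())
    except TaintAlert as alert:
        return alert.kind
    return None
```

detect(overflow_ret) and detect(call_from_input) both report AEC, detect(jump_into_input) reports ACE, detect(tainted_pointer_deref) reports DoS, and detect(short_message_ret) returns None because the short message never reaches the saved return address. A crash in which no tainted value is involved raises a plain RuntimeError instead of an alert, which is what the data-independent cases later in the deck look like to a dataflow detector.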

    17/47

    CVE-2008-1087

    18/47

    Results Revisited

    Categories            Completed  Detected  Not Detected  Success
    File-based (complex)  10         4         6             40%
    File-based (simple)   10         8         2             80%
    Scripting-based       10         6         4             60%
    Network-based         15         9         6             60%
    Total                 45         27        18            60%

    What does detection mean?

    19/47

    What does it mean to not detect?

    Incorrect alert point
    Incomplete log file
    No log file

    And the reasons?

    20/47

    Overcoming the challenges

    21/47

    Lessons Learned

    Beyond scope
    False alerts
    Engineering issues

    22/47

    Scope

    Not included:
      Temporal-based vulnerabilities
        E.g. CVE-2003-0813: RPC timing issue, 2 threads
      Kernel-level vulnerabilities
        E.g. CVE-2006-1314: Mailslot driver heap overflow
      Data-independent vulnerabilities
        E.g. CVE-2007-0938: CMS
        E.g. CVE-2007-0039: ICal

    23/47

    Data Independent Example 1

    CVE-2007-0938 CMS, DoS: http://foo/000-000,%21frames.htm
    Parse function returns a negative value
    Value goes into a memcpy-like function

      ParseURL(WCHAR *URL)
      {
          DWORD SizeOfSubString = CommaOffset(URL); // negative result stored in an unsigned DWORD
          DoCopy(SizeOfSubString);                  // Crash here
          return SizeOfSubString;
      }

    24/47

    Data Independent Example 2

    CVE-2006-2376 ICal (DoS, null dereference): Begin:Vcalender.
    Causes an improper free of a structure, followed by a dereference.

      ReadCalender(WCHAR *In_Bytes)
      {
          Table = Allocate();
          if (In_Bytes == Bad_Value) {
              Free(Table);          // structure released on the bad-input path
          }
          Table->Func();            // Crash here
      }

    25/47

    False Alerts and Mitigations

    26/47

    False Alerts

    Erroneous alert generated due to:
      Imprecise taint propagation
      Non-malicious inputs being tracked as malicious

    27/47

    False Alerts in Theory

    Table lookup:
      result = table[in_byte];          // False positive
      result = table[in_byte];          // Should be

    Implicit flows:
      if (in_byte == 1) result = 1;     // False negative
      if (in_byte == 1) result = 1;     // Should be
      if (in_byte == 2) result = 2;     // False negative
      if (in_byte == 2) result = 2;     // Should be

    Arithmetic restrictions:
      result = (in_byte & 0x00);        // False positive
      result = (in_byte & 0x00);        // Should be

    Newsome and Song: Influence: A Quantitative Approach for Data Integrity
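To make the three cases concrete, here is an added Python example (my own construction, not code from the deck or from Newsome and Song): each snippet is evaluated under two propagation policies and against a brute-force measure of how much the input actually determines the result. Naive follows explicit data movement only, which is roughly what a detector gets from instrumenting MOV-like instructions. Refined is an assumed set of adjustments, not rules stated in the deck: a bounds-limited lookup into a constant table does not inherit the index's taint, a mask that keeps no bits clears taint, and an assignment inside a branch decided by tainted data becomes tainted. The table lookup is written with a constructed 4-entry dispatch table and a bounded index, the jump-table shape the deck treats as a false positive on the later slides; influence_bits counts distinct outcomes over all 256 input bytes, the intuition behind the influence measure cited on the slide.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Val:
    v: int            # concrete value
    tainted: bool     # binary taint bit, as a dataflow detector would carry it


TABLE = [0x1000, 0x1010, 0x1020, 0x1030]   # constructed 4-entry dispatch table of valid handlers


class Naive:
    """Explicit data movement only: a tainted operand taints the result; branches are ignored."""
    def lookup(self, idx, entry):  return Val(entry, idx.tainted)
    def bitand(self, a, mask):     return Val(a.v & mask, a.tainted)
    def branch(self, cond):        return False
    def assign(self, v, dep):      return v


class Refined:
    """Assumed adjustments, not rules taken from the deck: a bounded lookup into a constant
    table yields an untainted entry, a mask that keeps no bits clears taint, and an
    assignment that is control-dependent on a tainted condition becomes tainted."""
    def lookup(self, idx, entry):  return Val(entry, False)
    def bitand(self, a, mask):     return Val(a.v & mask, a.tainted and mask != 0)
    def branch(self, cond):        return cond.tainted
    def assign(self, v, dep):      return Val(v.v, v.tainted or dep)


def table_lookup(p, in_byte):
    """result = table[in_byte & 3];  (the slide's lookup, with the index bounded to the table)"""
    idx = p.bitand(in_byte, 3)
    return p.lookup(idx, TABLE[idx.v])


def implicit_flow(p, in_byte):
    """if (in_byte == 1) result = 1; if (in_byte == 2) result = 2;"""
    result = Val(0, False)
    for k in (1, 2):
        cond = Val(int(in_byte.v == k), in_byte.tainted)
        dep = p.branch(cond)              # is this branch decided by tainted data?
        if cond.v:
            result = p.assign(Val(k, False), dep)
    return result


def arithmetic(p, in_byte):
    """result = (in_byte & 0x00);"""
    return p.bitand(in_byte, 0x00)


def influence_bits(fn):
    """Brute force over all 256 input bytes: log2 of the number of distinct results."""
    outcomes = {fn(Naive(), Val(b, False)).v for b in range(256)}
    return math.log2(len(outcomes))


def report(fn, probe=Val(0x01, True)):
    """Taint verdict of each policy for one tainted input byte, next to the true influence."""
    return {
        "naive_tainted": fn(Naive(), probe).tainted,
        "refined_tainted": fn(Refined(), probe).tainted,
        "influence_bits": round(influence_bits(fn), 2),
    }
```

report(arithmetic) gives 0.0 bits of influence although naive tracking marks the result tainted (the false positive); report(implicit_flow) gives about 1.58 bits that naive tracking never sees (the false negative); the bounded lookup gives 2 bits, one of four valid handlers, while naive tracking treats it as a fully attacker-controlled pointer. Tracking implicit flows the way Refined does is itself a source of over-tainting in real programs, so the choice of policy is a trade-off rather than a fix.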

    28/47

    False Positives (FP) in Practice

    FPs in jump tables
    FPs due to marking input as tainted when it is innocuous

    29/47

    FPs in JumpTables Example

    CVE-2006-4691: buffer overflow in NetJoinDomain, Workstation Service, via RPC

      CallRPCInterface(BYTES *In_Bytes)
      {
          NetJoinDomain = DispatchTable[In_Bytes];   // tainted index selects a valid handler
          Invoke( NetJoinDomain, //

    30/47

    FPs in tracking

    CVE-2009-0076 (IE vulnerability, CSS memory corruption)

      \??\C:\Documents and Settings\vigilante\Recent\desktop.ini
      Handle = 410 FileSize = 96
      Tracked handle: Buf = 5fc0000
      PostIoInitiation: pIosb=169646c; pBuf=5fc0000; hFile=410; hEvent=0
      Io completed synchronously.
      HandleIoCompletion: pIosb=169646c; dwLen=96
      SetTaint: Base=5fc0000 Len=96
      ADDR 0x5fc0000 - 0x5fc0095 set to dirty= 0x2
      RANGE 5fc0000..5fc0095 set to = [2..97]

    31/47

    Mitigations to FPs in Practice

    Flags:
      IndirectAddressing   mov [disp + ref1 + ref2*i], 0xff
      JmpCallIndirect      jmp/call [disp + ref1 + ref2*i]
      LowFalsePositives    turn off a set of handlers

    False positives file: CVE-2008-2254 (IE HTML Object memory corruption)
      0x7d513573
      0x7d518123
      0x746c240a
      0x75c59c7a

    Policy file

    32/47

    33/47

    Engineering issues

    Attaching to process
    Detecting with complex processes
    Detector protection from exploit
    Miscellaneous

    34/47

    35/47

    Process Attachment

    Example: CVE-2008-4250, Conficker (path canonicalization reached via RPC)

      // At boot time
      CreateFile("\\\\pipe\\Browser");
      CreateIoCompletionPort();
      ReadFile(Buffer_Location);
      // Attachment to the service happens here
      GetQueuedCompletionStatus();

    Figure: vulnerable process code with the detector attached

    36/47

    Process Attachment

    Mitigations
      Coerce the service to execute its init code (pump utility, or waiting X period of time)
      Try launching or attaching to a simpler service (many cases)
      In theory, change the CreateProcess routine to inject the detector at boot

    37/47

    38/47

    Complex programs/services Example

    VIGI_LOG.LOG:

      \??\PIPE\srvsvc
      SetTaint: Base=d84d8 Len=44
      ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
      RANGE d84d8..d851b set to = [2..45]
      mov rm8,rm8 -- dirty
      EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
      Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
      Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
      ----------------------------------------------
      movz/sx r32,rm16 -- dirty
      EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
      Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
      Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
      Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
      ----------------------------------------------
      \??\PIPE\lsarpc
      SetTaint: Base=d45f8 Len=44
      ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
      RANGE d45f8..d463b set to = [46..89]
      movz/sx r32,rm16 -- dirty
      EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
      Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
      Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0

    CAN-2002-0724 LANMAN vulnerability: DoS with unchecked buffer to NetShareEnum
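The log format on this slide can be worked with directly. The following Python is an added example written for this page, not a Paladin or Vigilante tool: it parses a Vigi_log.log excerpt reassembled from the lines quoted above, records each tracked input source with its SetTaint base, length and starting taint label, collects the dirty instructions with their EIP, TID and dirty labels, and maps every label back to the input source and byte offset it came from, which is the "identify malicious input bytes" goal from the overview. It also applies a false-positives policy, modelled on the policy file from the earlier mitigation slide, as a set of EIPs to skip; the suppressed EIP in the usage note is taken from the excerpt only to show the filter working. One detail the parser relies on and checks with an assertion: the numbers in the log are hexadecimal, since Base plus Len minus one equals the end of the ADDR span only when Len is read as hex (d84d8 + 0x44 - 1 = d851b).

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: the Vigi_log.log lines quoted on the slide, one record per line.
SAMPLE_LOG = r"""\??\PIPE\srvsvc
SetTaint: Base=d84d8 Len=44
ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
----------------------------------------------
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
----------------------------------------------
\??\PIPE\lsarpc
SetTaint: Base=d45f8 Len=44
ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0
"""


@dataclass
class Source:                       # one tracked input (named pipe, file) and its taint label range
    name: str
    base: int = 0
    length: int = 0
    first_label: int = 0


@dataclass
class DirtyInsn:                    # one instruction that touched tainted bytes
    mnemonic: str
    eip: int = 0
    tid: int = 0
    labels: set = field(default_factory=set)


SETTAINT = re.compile(r"SetTaint: Base=([0-9a-f]+) Len=([0-9a-f]+)")
ADDR = re.compile(r"ADDR 0x([0-9a-f]+) - 0x([0-9a-f]+) set to dirty= 0x([0-9a-f]+)")
EIPLINE = re.compile(r"EIP: 0x([0-9a-f]+) ESP: 0x[0-9a-f]+ TID: 0x([0-9a-f]+)")
DIRTY = re.compile(r"Operand\S*: 0x[0-9a-f]+ Dirty: (.*)")


def parse_log(text):
    """Return (sources, dirty_instructions). All numbers in the log are hexadecimal: the ADDR
    span is exactly Len bytes long only when Len is read as hex, which is asserted below."""
    sources, insns, src, cur = [], [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("\\??\\"):                       # a new input source is being tracked
            src = Source(line)
        elif (m := SETTAINT.match(line)) and src:
            src.base, src.length = int(m[1], 16), int(m[2], 16)
        elif (m := ADDR.match(line)) and src:
            start, end, src.first_label = (int(x, 16) for x in m.groups())
            assert end - start + 1 == src.length, "Len/ADDR mismatch: Len is not hex?"
            sources.append(src)
        elif line.endswith("-- dirty"):
            cur = DirtyInsn(line[: -len(" -- dirty")])
            insns.append(cur)
        elif (m := EIPLINE.match(line)) and cur:
            cur.eip, cur.tid = int(m[1], 16), int(m[2], 16)
        elif (m := DIRTY.match(line)) and cur:            # label 0 means a clean byte
            cur.labels.update(v for v in (int(x, 16) for x in m[1].split(", ")) if v)
    return sources, insns


def label_to_offset(sources, label):
    """Translate a taint label back to (input name, byte offset within that input)."""
    for s in sources:
        if s.first_label <= label < s.first_label + s.length:
            return s.name, label - s.first_label
    return "<unknown>", label


def summarize(text, suppressed_eips=frozenset()):
    """For each dirty instruction whose EIP is not in the false-positives policy, list the
    input bytes (per source) that reached it."""
    sources, insns = parse_log(text)
    out = []
    for insn in insns:
        if insn.eip in suppressed_eips:
            continue
        hits = {}
        for label in sorted(insn.labels):
            name, off = label_to_offset(sources, label)
            hits.setdefault(name, []).append(off)
        out.append((insn.mnemonic, insn.eip, hits))
    return out


if __name__ == "__main__":
    for mnemonic, eip, hits in summarize(SAMPLE_LOG, suppressed_eips={0x77cc9f90}):
        print(f"{eip:#010x} {mnemonic:22s} {hits}")
```

On the excerpt, the first mov is reached by bytes 4 to 7 of the srvsvc message and the last movz/sx by bytes 8 and 9 of the lsarpc message; the middle instruction, at EIP 0x77cc9f90, is dropped by the policy set in the usage above. Mapping labels to offsets is what narrows the search space from a whole message to the handful of bytes worth examining.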

    39/47

    Complex programs/services

    Mitigations:
      Smaller svchost group
      Find an easier program, e.g. ImageViewer instead of IE
      Packet cleaner utility

    40/47

    Detector protection from exploit

    CVE-2009-0133 MS Help Workshop (a shellhunter payload)

    Mitigations
      Move the stack around
      Page protect

    Figure: stack layout with the detector's data next to buf

    41/47

    Miscellaneous

    Logging without deadlocking
    Space considerations

    42/47

    Results Revisited and Extended

    Categories            Completed  Detected (minimal effort)  Detected (considerable effort)  Not Detected
    File-based (complex)  10         0                          4                               6
    File-based (simple)   10         6                          2                               2
    Scripting-based       10         4                          2                               4
    Network-based         15         4                          2                               6
    Total                 45         14                         10                              18

    43/47

    Detection Effort

    Figure: detection effort per category (simple file-based, complex file-based, network, scripting), split into minimal, considerable and no detection

    44/47

    45/47

    Conclusion

    First attempt at using dynamic dataflow analysis in production
      Delineated real-world challenges
      Provided mitigation strategies

    Helped reduce response time
      Supports rapid, scalable vulnerability analysis

    Great investment for the future
      Lessons learned enlarged the scope of effectiveness
      More to come

    46/47

    {absing, niklivic, tanmayg, scottlam, sbhalod}@microsoft.com

    47/47