How Twiggy Saved Sparky
Joseph Calandrino, Matt Spear
Malware Seminar – Fall 2004


  • How Twiggy Saved Sparky

    Joseph Calandrino, Matt Spear
    Malware Seminar – Fall 2004

  • Meet Twiggy

    Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data.
    http://goatload.com/mt/

  • Meet Robbie

    http://www.mumi.org/metissages/fr/artificiel/artificiel.html
    http://www.dachshundalley.com/

  • Robbie's Setup

    walkAnimal(name)
    petAnimal(name)
    doAction(action, name)
    feedAnimal(name)
    call

  • Evil Is Afoot

    If only I could modify the action for doAction
    http://www.austinpowers.com/
    http://www.rit.edu/~sli4356/

  • More on Robbie

    petAnimal(name)
    doAction(action, name)
    name
    action
    Disclaimer: This is simplified


  • Evil Is Afoot

    petAnimal(SPARKYEA)
    Sparky is mine!!!

  • More on Robbie

    petAnimal(name)
    name
    action
    doAction(action, name)


  • Sparky Senses Danger

    petAnimal(name)
    name
    action
    doAction(action, name)
    http://www.svet-je-lep.com/gallery/slike/Twiggy/Zanimiv_morfing.jpg



  • The Dreaded Double Pointer

    name
    action
    http://www.austinpowers.com/



  • Evil Will Not Be Deterred

    name
    action



  • Turn on the Twiggy-Signal

    http://www.erva.com/pics/ProductIdeal/SQUIRREL%201.jpg

  • Twiggy to the Rescue

    Modify Robbie's code to maintain hashes of all buffers:
    name, action → addr | len | hash
    Also stores data for name.
    Secret key = 32589
    Robbie needs to store this somewhere inaccessible to Dr. Evil.
    http://kevintdriver.hopto.org/images/squirrel.ski.jpg




  • Without Spoiling Your Day

    But Twiggy is a busy squirrel, so he enlists the aid of a source-to-source transformer.
    http://www.lemta.com/boatshows/midamerica/twiggy-history.shtml

  • Stop That Modification!

    Check it before use:
    petAnimal(name)
    if (hash(_) != _) exit
    doAction(action, name)



  • Dr. Evil Is Foiled

    Dr. Evil can't effectively modify buffers without also altering the corresponding entries in the table, which are hashed using a secret key.
    http://www.cotbn.com/2002_12_01_archive.html
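The table-plus-check scheme from the last few slides, as an added C example (not the seminar's code nor a source-to-source transformer's output): a keyed FNV-1a hash stands in for whatever hash the slides intend, the 16-entry table, `protect_buffer`, `check_buffer` and `do_action` are assumed names, the inputs are constructed, and the corruption is simulated with a direct memcpy rather than an overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Secret key (the slides use 32589): must live where the attacker cannot
 * read or write it. Hash: FNV-1a seeded with the key, an illustrative
 * stand-in for whatever keyed hash the transformer would emit. */
static const uint64_t SECRET_KEY = 32589;
static uint64_t keyed_hash(const void *addr, size_t len) {
    const unsigned char *p = addr;
    uint64_t h = 1469598103934665603ULL ^ SECRET_KEY;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Table of protected buffers: addr, len, hash of last trusted contents. */
struct entry { const void *addr; size_t len; uint64_t hash; };
static struct entry table[16];
static size_t table_n;

/* Register a buffer, or refresh its hash after a legitimate write. */
int protect_buffer(const void *addr, size_t len) {
    size_t i = 0;
    while (i < table_n && table[i].addr != addr) i++;
    if (i == sizeof table / sizeof table[0]) return 0;   /* table full */
    table[i] = (struct entry){ addr, len, keyed_hash(addr, len) };
    if (i == table_n) table_n++;
    return 1;
}

/* Check before use: 1 if contents still match, 0 if modified or unknown. */
int check_buffer(const void *addr) {
    for (size_t i = 0; i < table_n; i++)
        if (table[i].addr == addr)
            return table[i].hash == keyed_hash(addr, table[i].len);
    return 0;
}

/* Robbie's doAction with Twiggy's check in front: 1 if run, 0 if refused. */
int do_action(const char *action, const char *name) {
    if (!check_buffer(action) || !check_buffer(name)) return 0;
    return 1;   /* the real work would go here */
}

/* The slides' scenario with constructed data: register both buffers,
 * overwrite action (standing in for the overflow), check again. */
int demo(void) {
    char action[8] = "walk", name[8] = "Sparky";
    protect_buffer(action, sizeof action);
    protect_buffer(name, sizeof name);
    int before = do_action(action, name);   /* 1: accepted */
    memcpy(action, "steal", 6);             /* simulated corruption */
    int after = do_action(action, name);    /* 0: refused */
    return before == 1 && after == 0;       /* 1 when tampering is caught */
}
```

Note that `protect_buffer` must be called again after every legitimate write, which is exactly the work the slides hand off to the source-to-source transformer.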

  • But At What Cost?

    Hashes and checks can be computationally expensive.
    Can Robbie feed Twiggy and Sparky on time?
    http://www.pets.info.vic.gov.au/02/sdd_dlang.htm
    http://www.nd.edu/~tdavidso/Mexico.htm

  • The Statistics

  • Reduce the Cost

    Do we need to check all buffers?
    What about only checking buffers used as inputs to dangerous methods?
    (That's all the buffers in our example, but likely far fewer than in a real program.)
    Can Twiggy use call-graph analysis to find those buffers?

  • Did It Work?

    Basic defense method protects buffers from modification.
    Aliasing ignored.
    Can we track down critical buffer values? We're still working on that.
    But, for Twiggy, yes (this is supposed to be a happy story).

  • Happily Ever After

    By maintaining hashes of critical buffer values and verifying them before dangerous function calls, Twiggy efficiently prevents malicious modifications and moves on to new adventures.
    http://greywolf.critter.net/gallery/ironclawgallery-icsu04.htm