Author: kedem
Description: How Twiggy Saved Sparky. Joseph Calandrino, Matt Spear. Malware Seminar, Fall 2004. PowerPoint PPT presentation.
How Twiggy Saved Sparky
Joseph Calandrino, Matt Spear
Malware Seminar, Fall 2004
Meet Twiggy
(image: http://goatload.com/mt/)
Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data.
Meet Robbie
(images: http://www.mumi.org/metissages/fr/artificiel/artificiel.html, http://www.dachshundalley.com/)
Robbie's Setup
(call-graph figure: walkAnimal(name), petAnimal(name) and feedAnimal(name) each call doAction(action, name))
Evil Is Afoot
(images: http://www.austinpowers.com/, http://www.rit.edu/~sli4356/)
"If only I could modify the action for doAction"
More on Robbie
(stack figure: petAnimal(name) calls doAction(action, name); the buffers name and action are shown, with action holding PET)
Disclaimer: This is simplified
Evil Is Afoot
petAnimal(SPARKYEA)
"Sparky is mine!!!"

More on Robbie
(stack figure: petAnimal(name) calls doAction(action, name); name holds SPARKY and action now holds EAT)
Sparky Senses Danger
(image: http://www.svet-je-lep.com/gallery/slike/Twiggy/Zanimiv_morfing.jpg)
(stack figure: petAnimal(name) calls doAction(action, name); name holds SPARKY, action holds PET)
The Dreaded Double Pointer
(image: http://www.austinpowers.com/)
(stack figure: name holds SPARKY, action holds PET)
Evil Will Not Be Deterred
(stack figure: name holds SPARKY, action holds EAT)
Turn on the Twiggy-Signal
(image: http://www.erva.com/pics/ProductIdeal/SQUIRREL%201.jpg)
Twiggy to the Rescue
(image: http://kevintdriver.hopto.org/images/squirrel.ski.jpg)
Modify Robbie's code to maintain hashes of all buffers:
  name   | addr   | len   | hash
  action | (addr) | 3     | hash(PET)
Also stores data for name:
  name   | (addr) | (len) | Hash()
Secret key = 32589
Robbie needs to store this somewhere inaccessible to Dr. Evil
(stack figure: action holds PET)
Without Spoiling Your Day
But Twiggy is a busy squirrel, so he enlists the aid of a source-to-source transformer.
(image: http://www.lemta.com/boatshows/midamerica/twiggy-history.shtml)
Stop That Modification!
Check it before use:
  petAnimal(name)
    if(hash(_) != _) exit
    doAction(action, name)
(stack figure: name holds SPARKY, action holds EAT; table row: action | 3 | hash(PET))
Dr. Evil Is Foiled
(image: http://www.cotbn.com/2002_12_01_archive.html)
Dr. Evil can't effectively modify buffers without altering entries in the table, which are hashed using a secret key.
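An added example, not code from the deck or from Robbie's program, of the table-and-check scheme in C: a keyed toy hash stands in for the secret-key hash, guard_register/guard_check/do_action/pet_animal are hypothetical names, and the EAT-over-PET modification is simulated by a direct write rather than by reproducing the overflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy keyed hash: FNV-1a seeded with the key. It stands in for a real MAC and
 * is not cryptographically strong; the key must live where the attacker cannot
 * write it (the deck's "somewhere inaccessible to Dr. Evil"). */
static const uint32_t SECRET_KEY = 32589; /* key value taken from the slides */

static uint32_t keyed_hash(const void *buf, size_t len) {
    const unsigned char *p = buf;
    uint32_t h = 2166136261u ^ SECRET_KEY;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
/* One row per protected buffer: the (name, addr, len, hash) table of the deck. */
struct guard { const char *name; const void *addr; size_t len; uint32_t hash; };
#define MAX_GUARDS 8
static struct guard table[MAX_GUARDS];
static int n_guards;

/* Record a buffer's hash right after it has been legitimately written. */
static int guard_register(const char *name, const void *addr, size_t len) {
    if (n_guards == MAX_GUARDS) return -1;
    table[n_guards++] = (struct guard){ name, addr, len, keyed_hash(addr, len) };
    return 0;
}
/* The "check it before use" step: 1 if every registered buffer still matches. */
static int guard_check(void) {
    for (int i = 0; i < n_guards; i++)
        if (keyed_hash(table[i].addr, table[i].len) != table[i].hash) return 0;
    return 1;
}
/* The dangerous sink (doAction): refuses to run when a guarded buffer changed.
 * The deck's exit() becomes a -1 return so the outcome can be observed. */
static int do_action(const char *action, const char *name) {
    if (!guard_check()) return -1;
    printf("%s %s\n", action, name);
    return 0;
}
/* petAnimal from the deck; tamper=1 simulates the EAT-over-PET overwrite with a
 * direct write, standing in for the overflow rather than reproducing it. */
static int pet_animal(int tamper) {
    char name[7] = "SPARKY", action[4] = "PET";
    n_guards = 0;
    guard_register("action", action, 3); /* len 3, as in the slide's table row */
    if (tamper) memcpy(action, "EAT", 4);
    return do_action(action, name); /* 0 when intact, -1 when tampered */
}
```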
But At What Cost?
Hashes and checks can be computationally expensive.
Can Robbie feed Twiggy and Sparky on time?
(images: http://www.pets.info.vic.gov.au/02/sdd_dlang.htm, http://www.nd.edu/~tdavidso/Mexico.htm)
The Statistics
Reduce the Cost
Do we need to check all buffers?
What about only checking buffers used as inputs to dangerous methods?
(That's all the buffers in our example, but likely far fewer than in the program.)
Can Twiggy use call-graph analysis to find those buffers?
Did It Work?
Basic defense method protects buffers from modification.
Aliasing ignored.
Can we track down critical buffer values?
We're still working on that.
But, for Twiggy, yes (this is supposed to be a happy story).
Happily Ever After
By maintaining hashes of critical buffer values and verifying them before dangerous function calls, Twiggy efficiently prevents malicious modifications and moves on to new adventures.
(image: http://greywolf.critter.net/gallery/ironclawgallery-icsu04.htm)