How Twiggy Saved Sparky Joseph Calandrino Matt Spear Malware Seminar – Fall 2004


Page 1: How Twiggy Saved Sparky

How Twiggy Saved Sparky

Joseph Calandrino

Matt Spear

Malware Seminar – Fall 2004

Page 2: How Twiggy Saved Sparky

Meet Twiggy

http://goatload.com/mt/

Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data.

Page 3: How Twiggy Saved Sparky

Meet Robbie

http://www.mumi.org/metissages/fr/artificiel/artificiel.html
http://www.dachshundalley.com/

Page 4: How Twiggy Saved Sparky

Robbie’s Setup

walkAnimal(name), petAnimal(name) and feedAnimal(name) each call doAction(action, name)

Page 5: How Twiggy Saved Sparky

Evil Is Afoot

http://www.austinpowers.com/
http://www.rit.edu/~sli4356/

If only I could modify the action for doAction…

Page 6: How Twiggy Saved Sparky

More on Robbie

petAnimal(name)

name: [ . . . . . . ]   action: [P E T]

doAction(action, name)

Disclaimer: This is simplified

Page 7: How Twiggy Saved Sparky

Evil Is Afoot

petAnimal(“SPARKYEA”)…

Sparky is mine!!!

Page 8: How Twiggy Saved Sparky

More on Robbie

petAnimal(name)

S P A R K Y E A T

name: [S P A R K Y]   action: [E A T]

doAction(action, name)

Page 9: How Twiggy Saved Sparky

Sparky Senses Danger

petAnimal(name)

name: [S P A R K Y]   action: -> [P E T]

doAction(action, name)

http://www.svet-je-lep.com/gallery/slike/Twiggy/Zanimiv_morfing.jpg

Page 10: How Twiggy Saved Sparky

The Dreaded Double Pointer

name: [S P A R K Y]   action: -> [P E T]

http://www.austinpowers.com/

Page 11: How Twiggy Saved Sparky

Evil Will Not Be Deterred

name: [S P A R K Y]   action: -> [E A T]

Page 12: How Twiggy Saved Sparky

Turn on the Twiggy-Signal

http://www.erva.com/pics/ProductIdeal/SQUIRREL%201.jpg

Page 13: How Twiggy Saved Sparky

Twiggy to the Rescue

http://kevintdriver.hopto.org/images/squirrel.ski.jpg

name: [ . . . ]   action: [P E T]

Modify Robbie’s code to maintain hashes of all buffers:

addr    len   hash
action  3     hash(PET)

Also stores data for name: name - Hash(…)

Secret key = 32589

Robbie needs to store this somewhere inaccessible to Dr. Evil…

Page 14: How Twiggy Saved Sparky

Without Spoiling Your Day

But Twiggy is a busy squirrel, so he enlists the aid of a source-to-source transformer.

http://www.lemta.com/boatshows/midamerica/twiggy-history.shtml

Page 15: How Twiggy Saved Sparky

Stop That Modification!

petAnimal(name)

doAction(action, name)

S P A R K Y E A T

addr    len   hash
action  3     hash(PET)

Check it before use:

if(hash(_) != _) exit

Page 16: How Twiggy Saved Sparky

Dr. Evil Is Foiled

http://www.cotbn.com/2002_12_01_archive.html

Dr. Evil can’t effectively modify buffers without altering entries in the table… which are hashed using a secret key.
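The mechanism on slides 13 to 16, as an added example in C that is not the slides' code: a small table of (addr, len, hash) entries keyed with the slide's secret key 32589, a register step run after legitimate writes, and a check placed in front of doAction. The keyed hash is a toy FNV-1a variant standing in for whatever hash Twiggy used, and the function names and the `demo` scenario are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not the slides' code: a minimal (addr, len, hash) table in
 * the style of slide 13. The keyed hash is a toy FNV-1a seeded with the key;
 * a real deployment would use a proper keyed MAC. Key 32589 is from slide 13. */
#define MAX_ENTRIES 8
static const uint32_t SECRET_KEY = 32589;
struct entry { const void *addr; size_t len; uint32_t hash; };
static struct entry table[MAX_ENTRIES];
static int nentries = 0;

/* Hash contents together with the key, so forging a table entry needs the key. */
uint32_t keyed_hash(const void *addr, size_t len) {
    const unsigned char *p = addr;
    uint32_t h = 2166136261u ^ SECRET_KEY;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
/* Register a critical buffer (re-run after every legitimate write to it). */
int shield_register(const void *addr, size_t len) {
    if (nentries == MAX_ENTRIES) return 0;
    table[nentries++] = (struct entry){ addr, len, keyed_hash(addr, len) };
    return 1;
}

/* "Check it before use": 1 if the buffer still matches its recorded hash. */
int shield_check(const void *addr) {
    for (int i = 0; i < nentries; i++)
        if (table[i].addr == addr) return table[i].hash == keyed_hash(addr, table[i].len);
    return 0; /* unregistered buffer: refuse rather than trust it */
}

/* doAction with the check in front of it; returns 1 if run, 0 if refused. */
int do_action_checked(const char *action, const char *name) {
    if (!shield_check(action)) { fprintf(stderr, "action buffer tampered, refusing\n"); return 0; }
    printf("%s %s\n", action, name);
    return 1;
}

/* Constructed scenario: registered "PET" passes; an in-process overwrite to
 * "EAT" that bypassed shield_register (slide 8's effect) is caught. */
int demo(void) {
    char action[4] = "PET";
    shield_register(action, sizeof action);
    int before = do_action_checked(action, "SPARKY");
    memcpy(action, "EAT", 3);
    int after = do_action_checked(action, "SPARKY");
    return before == 1 && after == 0;
}
```

Because the table entries are keyed hashes, rewriting the table to match a tampered buffer requires the key, which is the point slide 16 makes.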

Page 17: How Twiggy Saved Sparky

But At What Cost?

Hashes and checks can be computationally expensive

Can Robbie feed Twiggy and Sparky on time?

http://www.pets.info.vic.gov.au/02/sdd_dlang.htm
http://www.nd.edu/~tdavidso/Mexico.htm

Page 18: How Twiggy Saved Sparky

The Statistics

[Bar chart: Robbie Runtime. X axis: Program (Robbie's Control System), bars for Unmodified and Modified. Y axis: Cycle count (Time to Feed Twiggy and Sparky), 0 to 200000. Bar labels: 148000 and 172000.]

Page 19: How Twiggy Saved Sparky

Reduce the Cost

Do we need to check all buffers?

What about only checking buffers used as inputs to dangerous methods?

(That’s all the buffers in our example, but likely far fewer than in the program)

Can Twiggy use call-graph analysis to find those buffers?

Page 20: How Twiggy Saved Sparky

Did It Work?

• Basic defense method protects buffers from modification.

• Aliasing ignored.

• Can we track down critical buffer values?

• We’re still working on that.

• But, for Twiggy, yes (this is supposed to be a happy story)

Page 21: How Twiggy Saved Sparky

Happily Ever After

By maintaining hashes of critical buffer values and verifying them before dangerous function calls, Twiggy efficiently prevents malicious modifications and moves on to new adventures.

http://greywolf.critter.net/gallery/ironclawgallery-icsu04.htm