
Microsoft Malware Protection Center

Threat Research and Response Team

© 2009 Microsoft Corporation. All rights reserved.


Introduction
Microsoft Malware Protection Center (MMPC)
Threat Research and Response Team

Abhishek Singh (MMPC)


Nikola Livic (MMPC)
Tanmay Ganacharya (MMPC)
Scott Lambert (MMPC)
Swapnil Bhalode (MMPC)

Agenda
Overview
Results
Paladin
Demo
Key Lessons
Conclusion
Q&A

Overview
Motivation
Automate processes such as:
Analyzing exploits
Identifying malicious input bytes
Identifying how shell code gets executed
Narrowing the search space

Paladin
Refers to a suite of tools…
Supports rapid, scalable vulnerability analysis



Results - Paladin

Category              Completed  Detected  Not Detected  Success
File-based (complex)         10         4             6      40%
File-based (simple)          10         8             2      80%
Scripting-based              10         6             4      60%
Network-based                15         9             6      60%
Total                        45        27            18      60%

Results - Paladin
(bar chart: Detected vs. Not Detected counts for File-based (Complex), File-based (Simple), Scripting-based, Network-based and Total; axis 0 to 15)
Brief tour

Paladin
Core component - Vigilante
End-to-end approach to automate worm
containment
Tech-transferred from MSR/Incubation

Vigilante
Started in Microsoft Research (MSR) by Manuel Costa and Miguel Castro and later transitioned to an Incubation team.
Timeline, alongside the related work of the time:
Oct. 2004 (Devadas)
Nov. 2004 (MSR)
Dec. 2004 (Minos)
Feb. 2005 (TaintCheck)
Leverages dynamic dataflow analysis to track the use of untrusted data and block it from being executed or loaded into the program counter
Since then it has forked in different directions:
Use for malware analysis (spyware, etc.)
Information leakage, etc.

Major Components - Vigilante
Program Instrumentation (dynamic binary rewriting)
Used to instrument the program to enable monitoring of how untrusted input data is used
Detection Engine
Leverages dynamic data-flow analysis to identify attacks and generate alerts
Alert Verifier and Distributor
Contains enough information to reproduce the issue on other hosts and distribute accordingly
Filter Generator
Provides protection from future attempts by blocking malicious input.

Detection Engine
Dynamic dataflow analysis
Track the flow of data from input messages
Common input sources: file, network, etc.
mark memory as tainted when input data is received
track all data movement within the program
Terminate the program before it's too late
detect execution of input data (the virtual address is marked tainted)
detect loading of input data into the program counter (saved return address overwrite, etc.)



Dynamic Data Flow Analysis
Step 1: Keep track of which memory locations and CPU registers are tainted with untrusted input data
Instrument every data-movement instruction (e.g. MOV, MOVS, PUSH, POP on x86 CPUs) to keep track

Step 2: Identify and block dangerous uses of untrusted input data
Instrument every control transfer instruction (e.g. RET, CALL, JMP on x86 CPUs)

Dangerous uses of input data
Alert Types
Arbitrary Execution Control (AEC)
When tainted data is about to be loaded into the program
counter
Arbitrary Code Execution (ACE)
When tainted data is about to be executed
Arbitrary Function Argument (AFA)
When a critical argument to a critical function is tainted
Denial of Service (DoS)
When tainted data leads to an access violation

Dynamic dataflow analysis

//vulnerable code
push len
push netbuf          ; netbuf points to tainted data
push sock
call recv            ; receives into the netbuf buffer
push netbuf
push localbuf
call strcpy
ret                  ; alert: value loaded into program counter is tainted

(diagram: stack layout showing the stack pointer, the saved return address and netbuf)

How does Vigilante work?

C:\> _VulnProcess
C:\> _nirvExec /clientname "detector.dll" /attach 1033
C:\> _exploitProcess
C:\> _

(diagram: vulnProcess [pid:1033] with its Stack, Static Data and Code; the Detector attached inside it; an Exploit process supplying the input; findings written to Vigi_log.log)
Dynamic dataflow analysis

//vulnerable code (.EXE)
push len
push buff
push sock
call recv            ; buff now holds tainted input
mov eax, buf[3]
call eax             ; Detector: Alert!!!
...

(diagram: the Detector attached to the Vulnerable Process raises the alert at call eax)
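The detection rule shown on this and the previous code slide, worked through in an added example (not Vigilante's code): a toy VM keeps one taint shadow bit per byte, data-movement operations carry taint along, and every control transfer checks its target. The memory layout, payloads and the 0x401000 return address are constructed.

```python
class TaintVM:
    """Tiny flat memory with one shadow taint bit per byte; words are 4-byte little-endian."""
    def __init__(self, size=64):
        self.mem, self.taint = bytearray(size), [False] * size
        self.eax, self.eax_t = 0, False        # register value and its taint bit
        self.esp = size - 4                    # the saved return address sits at [esp]
    def recv(self, dst, data):
        """Input source: every byte arriving from the network is marked tainted."""
        self.mem[dst:dst + len(data)] = data
        self.taint[dst:dst + len(data)] = [True] * len(data)
    def strcpy(self, dst, src):
        """Unchecked copy: taint moves with each byte, and nothing stops at the buffer end."""
        i = 0
        while self.mem[src + i]:
            self.mem[dst + i], self.taint[dst + i] = self.mem[src + i], self.taint[src + i]
            i += 1
    def mov_eax(self, addr):
        """mov eax, [addr]: the register is tainted if any of the four source bytes is."""
        self.eax = int.from_bytes(self.mem[addr:addr + 4], "little")
        self.eax_t = any(self.taint[addr:addr + 4])
    def _transfer(self, instr, target, tainted):
        """Instrumented control transfer: a tainted target yields an AEC alert instead of a
        jump (the real detector terminates the process here; we return the alert text)."""
        if tainted:
            return f"AEC: {instr} would load tainted value {target:#x} into the program counter"
        return target
    def ret(self):
        word = self.mem[self.esp:self.esp + 4]
        return self._transfer("ret", int.from_bytes(word, "little"), any(self.taint[self.esp:self.esp + 4]))
    def call_eax(self):
        return self._transfer("call eax", self.eax, self.eax_t)

def stack_smash(payload):
    """The recv/strcpy/ret slide: recv into netbuf, then strcpy into an 8-byte localbuf directly
    below the saved return address. Returns the address ret would use, or the alert text."""
    vm = TaintVM()
    vm.mem[vm.esp:vm.esp + 4] = (0x401000).to_bytes(4, "little")   # legitimate return address
    localbuf, netbuf = vm.esp - 8, 0
    vm.recv(netbuf, payload + b"\x00")
    vm.strcpy(localbuf, netbuf)
    return vm.ret()

def indirect_call(packet):
    """The mov eax, buf[3]; call eax slide, with buf holding the received packet."""
    vm = TaintVM()
    vm.recv(0, packet)
    vm.mov_eax(3)
    return vm.call_eax()
```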
CVE-2008-1087

Results Revisited

Category              Completed  Detected  Not Detected  Success
File-based (complex)         10         4             6      40%
File-based (simple)          10         8             2      80%
Scripting-based              10         6             4      60%
Network-based                15         9             6      60%
Total                        45        27            18      60%

What does detection mean?

What does it mean to not detect?
Incorrect alert point
Incomplete log file
No log file

And the reasons?

Overcoming the challenges

Lessons Learned
Beyond scope
False alerts
Engineering issues

Scope
Does not include:
Temporal-based vulnerabilities
E.g. CVE-2003-0813: RPC timing issue with 2 threads
Kernel-level vulnerabilities
E.g. CVE-2006-1314: Mailslot driver heap OF (overflow)
Data-independent vulnerabilities
E.g. CVE-2007-0938: CMS
E.g. CVE-2007-0039: ICal

Data Independent Example 1
CVE-2007-0938 CMS, DoS
“http://foo/000-000,%21frames.htm”
The parse function returns a negative value
The value goes into a memcpy-like function

ParseURL(WCHAR *URL)
{
    DWORD SizeOfSubString = CommaOffset(URL); // negative offset stored in an unsigned DWORD

    DoCopy(SizeOfSubString); // Crash here: the wrapped value is used as a copy length

    return SizeOfSubString;
}

Data Independent Example 2
CVE-2006-2376 ICal (DoS, null dereference)
Begin:Vcalender….
Causes an improper free of a structure, followed by a dereference.

ReadCalender(WCHAR *In_Bytes)
{
    *Table = Allocate(); // pointer to the structure

    if (In_Bytes == Bad_Value)
    {
        Free(Table); // structure freed on the bad-value path
    }
    Table->Func(); // Crash here: Table is dereferenced after the free
}

False Alerts and Mitigations

False Alerts
Erroneous alert generated due to:
Imprecise taint propagation
Non malicious inputs being tracked as malicious

False Alerts in Theory
(each comment states how the tracker marks the result, then how it should be marked)
Table lookup:
result = table[in_byte];          // False Positive: result marked tainted; should not be (the input only selects among the table's fixed entries)
Implicit flows:
if (in_byte == 1) result = 1;     // False Negative: result left untainted; should be tainted
if (in_byte == 2) result = 2;     // False Negative: result left untainted; should be tainted
Arithmetic restrictions:
result = (in_byte & 0x00);        // False Positive: result marked tainted; should not be
Newsome and Song: “Influence: A Quantitative Approach for Data Integrity”
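The three cases above, worked through in an added example (not code from the slides or from Newsome and Song): a tracker that follows explicit data flow only, placed beside a brute-force measure of how many distinct results one input byte can really select. The four-entry table standing in for a dispatch table, and all function names, are constructed.

```python
import math

class Tainted:
    """A value plus the set of input-byte offsets the tracker believes reach it."""
    def __init__(self, value, tags=()):
        self.value, self.tags = value, frozenset(tags)

# The statements from the slide, each as an explicit-flow tracking rule.
def track_mov(x):                                       # result = in_byte
    return Tainted(x.value, x.tags)

def track_table(x, table=(0x10, 0x20, 0x30, 0x40)):     # result = table[in_byte]
    return Tainted(table[x.value % len(table)], x.tags)  # index taint flows to the result

def track_implicit(x):                                  # if (in_byte == 1) result = 1; ...
    result = Tainted(0)                                 # no data moves from in_byte,
    if x.value == 1:                                    # so result never acquires tags
        result = Tainted(1)
    if x.value == 2:
        result = Tainted(2)
    return result

def track_and_zero(x):                                  # result = in_byte & 0x00
    return Tainted(x.value & 0x00, x.tags)              # any tainted operand taints the result

def influence_bits(fn):
    """Ground truth by brute force: log2 of the distinct results one input byte can select."""
    return math.log2(len({fn(Tainted(b, {0})).value for b in range(256)}))

def classify(fn):
    """What the binary tracker reports versus what the input can really choose."""
    reported = any(fn(Tainted(b, {0})).tags for b in range(256))
    bits = influence_bits(fn)
    if reported and bits == 0:
        return "false positive"                          # tainted, but the value is fixed
    if reported and bits < 8:
        return f"overstated ({bits:g} of 8 bits)"        # tainted, but only a few fixed outcomes
    if not reported and bits > 0:
        return "false negative"                          # clean, yet the input selects the result
    return "exact"
```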
False Positives (FP) in Practice
FPs in jump tables
FPs due to marking input as tainted when it is innocuous

FPs in JumpTables Example
CVE-2006-4691: BO (buffer overflow) in NetJoinDomain, Workstation Service, via RPC

CallRPCInterface(BYTES *In_Bytes)
{
    NetJoinDomain = DispatchTable[In_Bytes];   // tainted bytes only select a table entry
    Invoke( NetJoinDomain,                     // <<<<<<< FALSE POSITIVE: the pointer comes
            pArgBuffer,                        // from the fixed table, not from the input
            ArgNum );
}

FPs in tracking
CVE-2009-0076 (IE CSS Memory Corruption vulnerability)
Log excerpt: a read of desktop.ini, which has nothing to do with the exploit input, is tracked and its bytes marked tainted:

\??\C:\Documents and Settings\vigilante\Recent\desktop.ini
Handle = 410 FileSize = 96
Tracked handle: Buf = 5fc0000
PostIoInitiation: pIosb=169646c; pBuf=5fc0000; hFile=410; hEvent=0
Io completed synchronously.
HandleIoCompletion: pIosb=169646c; dwLen=96
SetTaint: Base=5fc0000 Len=96
ADDR 0x5fc0000 - 0x5fc0095 set to dirty= 0x2
RANGE 5fc0000..5fc0095 set to = [2..97]

Mitigations to FPs in Practice
Flags:
  IndirectAddressing   mov [disp + ref1 + ref2*i], 0xff
  JmpCallIndirect      jmp/call [disp + ref1 + ref2*i]
  LowFalsePositives    Turn off set of handlers

False Positives file, e.g. for CVE-2008-2254 (IE HTML Obj Mem Corruption):
  0x7d513573
  0x7d518123
  0x746c240a
  0x75c59c7a

Policy File

Engineering issues and Mitigations

Engineering issues
Attaching to process
Detecting with complex processes
Detector protection from exploit
Miscellaneous

Process Attachment

Simple case:
Winsock (Create, bind, listen, accept, recv)
Named pipes (CreateFile, ReadFile)
Disk IO (CreateFile, ReadFile)

Realistic case:
Async Receive on sockets and named pipes
AcceptEx
Completion routines
NtIoControlFile
Completion ports
Overlapped
Overlapped polling
Wait Events



Process Attachment

Example:

CVE-2008-4250 Conficker (Path Canonicalization reached via RPC)

// At boot time
CreateFile( "\\\\pipe\\Browser");
CreateIoCompletionPort(…);
ReadFile(Buffer_Location);

// Attachment to Service here

GetQueuedCompletionStatus();

(diagram: the Detector attached to the Code of the Vulnerable Process)

Process Attachment

Mitigations
Coerce the service to execute its init code ("Pump" utility, or waiting X period of time)
Try launching or attaching to a simpler service (works in many cases)
In theory, change the CreateProcess routine to inject the detector at boot.

Complex programs/services
Extraneous Log info
Higher probability of not detecting

Complex programs/services Example
CAN-2002-0724 LANMAN vulnerability: DoS with unchecked buffer to NetShareEnum

VIGI_LOG.LOG:
\??\PIPE\srvsvc
SetTaint: Base=d84d8 Len=44
ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
----------------------------------------------
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9f90 ESP: 0xc3fa84 TID: 0x748
Operand1: 0x0 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2: 0xb3d52 Dirty: 0x12, 0x13, 0x0, 0x0
Operand2.RefdRegister1: 0x0 Dirty: 0x12, 0x13
----------------------------------------------
\??\PIPE\lsarpc
SetTaint: Base=d45f8 Len=44
ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0
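An added example (not part of Vigilante) that turns log records like these back into the input bytes they came from, which is what "Identify malicious input bytes" in the motivation asks for and what cutting through extraneous log info requires. It assumes, from the RANGE lines above, that dirty tags are hexadecimal per-byte indices allocated consecutively across sources (srvsvc gets 2..45, lsarpc 46..89, 0 meaning clean); the sample log is a cleaned-up subset of the slide's fragments.

```python
import re

# Constructed sample: a cleaned subset of the Vigi_log.log fragments on the slide.
SAMPLE_LOG = r"""\??\PIPE\srvsvc
SetTaint: Base=d84d8 Len=44
ADDR 0xd84d8 - 0xd851b set to dirty= 0x2
RANGE d84d8..d851b set to = [2..45]
mov rm8,rm8 -- dirty
EIP: 0x77ce3a77 ESP: 0x11cf940 TID: 0x6d0
Operand1: 0x0 Dirty: 0x6, 0x7, 0x0, 0x0
Operand2: 0xd84dc Dirty: 0x6, 0x7, 0x8, 0x9
----------------------------------------------
\??\PIPE\lsarpc
SetTaint: Base=d45f8 Len=44
ADDR 0xd45f8 - 0xd463b set to dirty= 0x46
RANGE d45f8..d463b set to = [46..89]
movz/sx r32,rm16 -- dirty
EIP: 0x77cc9b6e ESP: 0x1b9f6b0 TID: 0x6b8
Operand1: 0x18 Dirty: 0x4e, 0x4f, 0x0, 0x0
Operand2: 0x0 Dirty: 0x4e, 0x4f, 0x0, 0x0
"""

RANGE_RE = re.compile(r"^RANGE \w+\.\.\w+ set to = \[([0-9a-f]+)\.\.([0-9a-f]+)\]")
EIP_RE = re.compile(r"^EIP: (0x[0-9a-f]+)")
DIRTY_RE = re.compile(r"Dirty: (.*)$")

def parse_vigi_log(text):
    """One record per '-- dirty' instruction: its EIP and the (source, offset) input bytes
    that reach its operands. Tags are assumed hex, per byte, consecutive across sources."""
    sources, records, source = [], [], None          # sources: (name, first_tag, last_tag)
    for line in text.splitlines():
        if line.startswith("\\??\\"):                 # a new tracked input source (pipe or file)
            source = line.strip()
        elif m := RANGE_RE.match(line):               # tag range handed to that source
            sources.append((source, int(m.group(1), 16), int(m.group(2), 16)))
        elif line.endswith("-- dirty"):               # an instruction that touched tainted data
            records.append({"instr": line[:-len(" -- dirty")], "eip": None, "bytes": set()})
        elif m := EIP_RE.match(line):
            records[-1]["eip"] = m.group(1)
        elif m := DIRTY_RE.search(line):              # per-byte tags of one operand
            for tag in (int(t, 16) for t in m.group(1).split(", ")):
                if tag:                                # 0 = clean; else map tag back to its source
                    name, lo, _ = next(s for s in sources if s[1] <= tag <= s[2])
                    records[-1]["bytes"].add((name, tag - lo))
    return records
```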

Complex programs/services
Mitigations:
Smaller svchost group
Find an easier program, e.g. ImageViewer instead of IE
Packet cleaner utility



Detector protection from exploit
CVE-2009-0133 MS Help Workshop (a shellhunter payload)

Mitigations
Move the stack around
Page protect

(diagram: the Detector, the buf buffer and the Stack)
Miscellaneous
Logging without deadlocking
Space considerations

Results Revisited and Extended

Category              Completed  Detected (minimal effort)  Detected (considerable effort)  Not Detected
File-based (complex)         10                          0                               4             6
File-based (simple)          10                          6                               2             2
Scripting-based              10                          4                               2             4
Network-based                15                          4                               2             6
Total                        45                         14                              10            18

Detection Effort
(chart: for Complex File-Based, Simple File-Based, Network and Scripting, the split between Minimal effort, Considerable effort and No Detection)

Conclusion
First attempt at using dynamic dataflow analysis in production
Delineated real world challenges
Provided mitigation strategies
Helped reduce response time
Supports rapid, scalable vulnerability analysis
Great investment for the future
Lessons learned enlarged the scope of effectiveness
More to come…
{absing, niklivic, tanmayg, scottlam, sbhalod}@microsoft.com

