MIT 6.857 - Worms and Worm Mitigation

Worms and Worm Mitigation
Saman Amarasinghe, Associate Professor, MIT EECS/CSAIL; CTO, Determina Inc.

Outline
- Worm Basics
- Program Shepherding
- Intrusion Prevention Systems
- Anatomy of an Attack
- The Determina Story

Worm Basics

What is a worm?
- Virus: a code segment which replicates by attaching copies to existing executables
  - Self-replication
  - Requires a host program as a carrier
  - Activated by external action
- Worm: a program which replicates itself and causes execution of the new copy
  - Self-replication
  - Self-contained; does not require a host
  - Activated by hijacking or creating a process

Types of Worms
- E-mail based worm
  - The payload arrives as an e-mail attachment
  - Payload gets executed (social engineering or program vulnerability)
  - Self-propagates
- Memory based worm
  - The payload arrives as packets on an open port
  - Takes advantage of a program vulnerability
  - Hijacks the program
  - Self-propagates

History of Worms
- 1982: PARC worms as an administrative tool; perform legitimate tasks on a distributed system
- 1987: Christmas Tree Exec attacked IBM mainframes; an e-mail with a program that displayed an X-mas tree but also sent itself to everyone in the user's address book
- 1988: The Morris Worm, the first true Internet worm
  - Attacked both Sun and DEC Unix systems
  - Used TCP/IP; attacked known OS bugs and admin flaws
  - Automatic penetration, activation and propagation
  - Brought down the Internet for the first time
- 2001: Code Red Worm
- 2003: Slammer Worm
- 2003: Blaster Worm
- 2004: Sasser Worm
- 2004: Witty Worm

Today's Worm Threat
- One of the biggest threats to the modern information infrastructure
- Characteristics of the modern worm threat
  - Relatively rare (two a year)
  - Extremely rapid propagation (human vs. machine speed)
  - Infects millions of systems
  - May or may not cause real damage
  - Catastrophic situations for many enterprises (example: Blaster and CSX)

Worldwide Code Red Infections
- 700,000 machines infected
- $2.2-2.9 billion in damage (Computer Economics)
- $200 million in damage per day during attacks

Program Shepherding

Program Shepherding Outline
- Memory based attacks
- Motivating example: a buffer overflow attack
- Dissecting the lifecycle in the penetration phase
- Overview of Program Shepherding
  - DynamoRIO basics
  - Technique 1: Restricted Code Origins
  - Technique 2: Restricted Control Transfer
  - Technique 3: Uncircumventable Sandboxing
  - Self Protection

Memory Based Attacks
- An attack that directly enters an application, corrupts the application's memory and hijacks the application
- Types of memory based attacks
  - Buffer Overflow
  - Heap Manipulation
  - Format String Vulnerabilities
  - Shatter Attacks
  - Return-to-Libc Attacks
- Danger of memory based attacks
  - Once the application is hijacked, the attack can do anything that the application can do
  - Modern server applications run with a lot of privileges

An Example Buffer Overflow Attack
- Code:
    handle_URL(handle h) {
        char url[64];
        char *tmp = geturl(h);
        strcpy(url, tmp);
    }
- Stack layout: Arguments, Return Address, Local Variables; for this call: Argument h, Return Address, Local Variable tmp, Local Variable url
- Diagram: data arrives from the Network into the Application, whose Instructions run on the Operating System; the Program Counter executes the program instruction by instruction
- A normal request: URL = http://cag.lcs.mit.edu/saman/tmp/doitnow.pl?helper=foobar&myid=123453&junk=23:42FFNLQ RFNL
- A malicious request: the URL is longer than the 64-byte buffer, so strcpy() writes past url and overwrites the saved Return Address with 0x12FA2, the address of a malicious code segment carried in the same data (shown on the slide as raw bits and as lea ecx,[eax]; sub 0x1c(edi),eax; movzx 0x8(edi),ecx; shl 0x07,ecx; cmp eax,ecx; ...)
- Diagram: the data Enters from the network, Hijacks the application's instructions, and the Attack then runs with the application's privileges on the operating system

Stop Applications From Being Hijacked
- Catch in the act of criminal behavior
- All programs follow strict conventions
  - Processor Execution Environment
  - ABI (Application Binary Interface)
  - The Calling Convention
- Currently no enforcement
- All attacks violate some of these conventions
- Enforcing these conventions: Program Shepherding lets you do just that

When to stop an attack
- Enter (port monitoring)
  - Monitoring is simple
  - Only known criminals can be identified; don't know good guy from bad guy
  - Encrypted channels
  - Leads to false positives
- Hijack (monitoring inside the application)
  - Systematically catch the entire class of attacks; no false positives
  - Catch them before they do ANY bad activity; no attack code is ever run
  - Need to be inside the application
  - Need to monitor activity at a very fine grain, each instruction at a time
  - Overhead can be overwhelming
- Attack (system call monitoring)
  - Hard to distinguish between actions of a normal program vs. a compromised program
  - Even known bad guys are hard to detect

Conventional Wisdom
- Impossible to do without a large performance penalty
- Program Shepherding is able to amortize the cost of enforcement, eliminating the overhead

How Program Shepherding Works
- The Program Counter executes the program instruction by instruction; the run-time system never lets go of the Program Counter
- Program code runs out of a Code Cache managed by the run-time system
- Every control transfer (call, jmp, br, ret) is checked:
  - Restricted Code Origins: did this code come from a code page?
  - Restricted Control Transfer: is it legal to go from here to there?
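The handle_URL routine from the slides, as an added example that is not code from the lecture or from Determina: the unsafe strcpy() form next to a bounded copy that rejects any URL that does not fit in the 64-byte buffer rather than letting it reach the saved return address. URL_BUF and the names handle_url_unsafe, copy_url_checked, handle_url_safe and probe are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the lecture slides or from Determina:
 * the handle_URL routine from the slides in its unsafe form, next to a
 * bounded rewrite. URL_BUF and all function names are assumptions. */

#define URL_BUF 64

/* Unsafe form as the slides describe it: strcpy() copies tmp into a
 * 64-byte stack buffer with no length check, so any URL of 64 bytes or
 * more runs past url[] and over the saved return address. Shown for
 * comparison only; nothing in this example calls it. */
void handle_url_unsafe(const char *tmp) {
    char url[URL_BUF];
    strcpy(url, tmp);                 /* overflow when strlen(tmp) >= URL_BUF */
    printf("got %s\n", url);
}

/* Bounded copy: scan at most dstsz bytes of src; if no terminator is
 * found within the buffer, reject the input instead of truncating it
 * silently. Returns 0 on success, -1 when rejected. */
int copy_url_checked(char *dst, size_t dstsz, const char *src) {
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)                   /* no room for the NUL: reject */
        return -1;
    memcpy(dst, src, n + 1);          /* n bytes plus the terminator */
    return 0;
}

/* Hardened handle_URL: an oversize request is dropped with an error
 * instead of being allowed to write past the buffer. Returns 0 on
 * success, -1 when the request is rejected. */
int handle_url_safe(const char *tmp) {
    char url[URL_BUF];
    if (copy_url_checked(url, sizeof url, tmp) != 0)
        return -1;                    /* a real server would log this */
    printf("got %s\n", url);
    return 0;
}

/* Constructed input: a URL made of len 'A' bytes, to probe the boundary. */
int probe(size_t len) {
    char buf[256];
    if (len >= sizeof buf)
        return -2;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return handle_url_safe(buf);
}

int main(void) {
    printf("63 bytes -> %d\n", probe(63));   /* fits with its terminator */
    printf("64 bytes -> %d\n", probe(64));   /* rejected */
    return 0;
}
```

The boundary is the point to check in review: 63 bytes plus the terminator is the largest input the buffer can hold, and the checked copy rejects 64 bytes where strcpy() would already be writing one byte past url[].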
A Basic Interpreter
- Loop: next VPC -> fetch next instruction -> decode -> validate instruction -> execute -> update VPC (with exception handling)
- Never give up the Program Counter: the PC is in the interpreter

Performance of the Basic Interpreter
- Slowdown factor (chart on slide)

Trick I: Adding a Code Cache
- Loop: next VPC -> lookup VPC in the BASIC BLOCK CACHE; on a miss, fetch the block at VPC and emit it into the cache; execute the block; context switch back to the interpreter (with exception handling)
- The cache holds basic blocks of non-control-flow instructions

Adding a Basic Block Cache
- Slowdown factor (chart on slide)
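A toy interpreter that keeps hold of the program counter and applies the two checks named on the slides, restricted code origins and restricted control transfer, written as an added example; it is not taken from the lecture, from DynamoRIO or from Determina. The instruction set, the memory layout (addresses 0-15 are code, 16-31 are data), the verdict names and the OP_SMASH instruction that models strcpy() overwriting the saved return address are all constructed for this example, and the return check uses a monitor-private shadow copy of return addresses, which is this example's simplification rather than the policy the slides describe.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture: a toy "shepherded" interpreter.
 * The instruction set, memory layout and verdict names are assumptions
 * made for this example; the two policies it enforces are the ones the
 * slides name: restricted code origins and restricted control transfer. */

#define MEM 32
#define STK 8

enum op { OP_NOP, OP_CALL, OP_RET, OP_JMP, OP_HALT, OP_SMASH };
struct insn { enum op op; int target; };

struct machine {
    struct insn mem[MEM];
    int is_code[MEM];       /* 1 = code origin, 0 = data (e.g. a stack buffer) */
    int is_entry[MEM];      /* declared function entry points */
    int ret_stack[STK];     /* return addresses as the program stores them */
    int shadow[STK];        /* monitor-private copy the program cannot write */
    int sp;
};

enum verdict { RUN_OK, V_CODE_ORIGIN, V_CONTROL_TRANSFER, V_LIMIT };

static int code_origin_ok(const struct machine *m, int a) {
    return a >= 0 && a < MEM && m->is_code[a];
}

/* The interpreter owns the program counter; every fetch and every
 * control transfer is validated before it happens, so a hijacked
 * target is refused before any instruction at that target runs. */
enum verdict shepherd(struct machine *m, int pc, int max_steps) {
    for (int steps = 0; steps < max_steps; steps++) {
        if (!code_origin_ok(m, pc))            /* restricted code origins */
            return V_CODE_ORIGIN;
        struct insn in = m->mem[pc];
        switch (in.op) {
        case OP_NOP:  pc++; break;
        case OP_HALT: return RUN_OK;
        case OP_JMP:                           /* jmp: target must be code */
            if (!code_origin_ok(m, in.target)) return V_CONTROL_TRANSFER;
            pc = in.target; break;
        case OP_CALL:                          /* call: target must be an entry */
            if (!code_origin_ok(m, in.target) || !m->is_entry[in.target])
                return V_CONTROL_TRANSFER;
            if (m->sp >= STK) return V_LIMIT;
            m->ret_stack[m->sp] = pc + 1;
            m->shadow[m->sp] = pc + 1;
            m->sp++;
            pc = in.target; break;
        case OP_RET:                           /* ret: must match the call */
            if (m->sp == 0) return V_CONTROL_TRANSFER;
            m->sp--;
            if (m->ret_stack[m->sp] != m->shadow[m->sp])
                return V_CONTROL_TRANSFER;
            pc = m->ret_stack[m->sp]; break;
        case OP_SMASH:
            /* Models strcpy() running off the end of url[]: the program
             * overwrites its own saved return address with in.target. */
            if (m->sp > 0) m->ret_stack[m->sp - 1] = in.target;
            pc++; break;
        }
    }
    return V_LIMIT;
}

/* Constructed layout: addresses 0-15 are code, 16-31 are data. */
static void layout(struct machine *m) {
    memset(m, 0, sizeof *m);
    for (int a = 0; a < 16; a++) m->is_code[a] = 1;
    m->is_entry[4] = 1;                        /* handle_URL-like routine at 4 */
    m->mem[0] = (struct insn){OP_CALL, 4};
    m->mem[1] = (struct insn){OP_HALT, 0};
    m->mem[4] = (struct insn){OP_NOP, 0};
    m->mem[5] = (struct insn){OP_RET, 0};
    m->mem[20] = (struct insn){OP_NOP, 0};     /* "payload" sitting in data */
}

enum verdict demo_benign(void) {
    struct machine m; layout(&m);
    return shepherd(&m, 0, 100);
}

/* Saved return address smashed to point at the data page (address 20). */
enum verdict demo_smashed_return(void) {
    struct machine m; layout(&m);
    m.mem[4] = (struct insn){OP_SMASH, 20};
    return shepherd(&m, 0, 100);
}

/* A call into the middle of a routine rather than its declared entry. */
enum verdict demo_call_non_entry(void) {
    struct machine m; layout(&m);
    m.mem[0] = (struct insn){OP_CALL, 5};
    return shepherd(&m, 0, 100);
}

int main(void) {
    printf("benign=%d smashed=%d non_entry=%d\n",
           demo_benign(), demo_smashed_return(), demo_call_non_entry());
    return 0;
}
```

In demo_smashed_return the ret is refused at the moment of the transfer, so the instruction parked at the data address never executes; even without the shadow copy, the next fetch would fail the code-origin check because address 20 is not a code page. That ordering is what the slides mean by catching the hijack before any attack code is ever run.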