Introduction to Computer Security - Introduction to Malware€¦ · Introduction to Computer Security Introduction to Malware Pavel Laskov Wilhelm Schickard Institute for Computer

Introduction to Computer SecurityIntroduction to Malware

Pavel LaskovWilhelm Schickard Institute for Computer Science

Malware: definitions and root causes

The term malicious software denotes program code executedwithout a user’s consent and carrying out harmful functionality.

Why is malware such a serious problem?Technical reasons:

Difficulty to separate code and dataHomogeneity of “computing base” (Windows, iPhone,Facebook)Unprecedented connectivity

Non-technical reasons:

Recklessness and ignorance of usersProfitability of security violations (spam, DoS extortion,stealing of personal information)



Why is malware such a serious problem?

Technical reasons:Difficulty to separate code and dataHomogeneity of “computing base” (Windows, iPhone,Facebook)Unprecedented connectivity















“Theoretical foundations” of malware

Von Neumann’s model (1948,1953)universal machineuniversal constructorinformation on the tape

Darwin/Core Wars: fighting programs (1966)a special assembly language with 10 instructions (“Redcode”)two programs simultaneously running in the same memorya program dies if it executes division by 0 or a null instructionto increase their survival chances, programs can replicatethemselves

Cohen’s thesis (1984)definition of a virusmathematical description of virus propagation

Pioneers of practical malware

Elk Cloner (1982)an Apple-II program written by a student Rich Skrentaa program spread via boot sector infectionon every 50-th reset a short poem was displayed by hookingthe reset handler

Brain Virus (1986)first virus to spread in the wildwritten by Ashar brothers to prevent illegal copying of softwareincluded in a boot sector of distrubuted software diskettes

Morris worm (1988)used a debugging feature of sendmail (remote execution)propagated in the Arpanetpenetrated ca. 6,000 computers (10% of Arpanet)

First generation of malware

DefinitionA virus is a program that infects other programs by modifyingthem to include a possibly modified copy of itself.

Boot sector virusesstored in disk boot sectors, executed automatically at boot

Executable virusesstored in executable data, hijack flow control

Macro virusesstored in non-executable data, started by opening a document

Second generation of malware

DefinitionA worm is a program that actively propagates over computernetworks, with or without human interaction.

Mass-mailers (e.g. Melissa, LoveLetter, Nimda)use SMTP protocol for propagationusually (but not necessarily) require manual interaction

In-memory worms (e.g. Slammer, CodeRed)proliferation over TCP/HTTPautomatic execution on vulnerable systems (very fast!)

Third generation of malware (current)

DefinitionA trojan horse is a program carrying a hidden functionality behinda seemingly useful one.

focus on stealthy operationanti-deteciton mechanisms (obfuscation, encryption andpolymorphism)combination of various malware types and techniquesincreasing commercialization

Malware carriers: boot sector

Save the original MBR in a safe locationOverwrite the MBR with an infected oneBootstrap a system using the new MBR

Viren-Infektionsvektoren Infektion des Boot-Sektors

Infektion des Boot-Sektors

Virus kopiert originalen Bootblock und überschreibt den BootblockVirus erhält Kontrolle beim Bootvorgang noch bevorBetriebssystem und Anti-Viren-SW geladen werdenGegenmaßnahme: Bootblockschutz im BIOS

Abbildung: Mehrfache Infektion durch verschiedene Viren

c© Ulrich Flegel Reaktive Sicherheit · Teil 4 21 / 130

Malware carriers: COM executables

Append a virus body to a programSave an entry point to a program in a virus bodyReplace a program entry point with a jump to a virus bodyVirus code restores the original entry point and jumps to itafter its own execution

Viren-Infektionsvektoren Infektion von Dateien

Anhängen an die Datei (1)

Abbildung: Infektion durch Anhängen


Malware carriers: EXE executables

Append a virus body to a programOverwrite a program header to switch the entry point to avirusJump to the original entry point during execution


Anhängen an die Datei (2)

Abbildung: Infektion durch Anhängen


Malware carriers: PE executables

Virus is split into parts that areparcelled together by adefragmentation routine.Defragmentation routine isinserted between the PE headerand the first section.Entry point in the PE header isswitched to the defragmentationroutine.Additional viral sections are storedin unused parts of sections.


Einstreuen in ungenutzte Füllbereiche (1)Code Interlacing Infection bzw. Cavity Hole Infection

Abbildung: Infektion durch Einstreuen in ungenutzte Dateibereiche


Malware carriers: companion viruses

MS-DOS feature: if a command is typed without anextension, first a .COM file is searched for and then an .EXE

Exploitation: Inject a malicions program <program>.COMwhich calls <program.EXE> besides doing its dirty job.

Variations on a theme:Renaming legitimate filesPlacing a new earlier in the search path


MS-DOS feature: if a command is typed without anextension, first a .COM file is searched for and then an .EXEExploitation: Inject a malicions program <program>.COMwhich calls <program.EXE> besides doing its dirty job.



MS-DOS feature: if a command is typed without anextension, first a .COM file is searched for and then an .EXEExploitation: Inject a malicions program <program>.COMwhich calls <program.EXE> besides doing its dirty job.


Malware carriers: macros

Malicious functionality is implemented in Visual Basic forApplications (VBA).If a document template are infected, so will be everydocument on a system.


Dokumenten-Viren (3)Macro Viruses

Abbildung: Beispiel: Concept Virus infiziert Microsoft-Word-Dateien


Malware carriers: Visual Basic (VB) script

Similar functionality to macro viruses implemented in “pure”VB.A script is executed by a user by clicking at the emailattachment (LoveLetter mass-mailer).Why does the user execute a VB script? The attachmentname LOVE-LETTER-FOR-YOU.TXT.vbs is shown inOutlook as LOVE-LETTER-FOR-YOU.TXT (withoutextension!).Further functionality is possible via access to ActiveXobjects.

Malware carriers: SuperLogo

A set of “turtle-control” commandsis provided in the Logo language(e.g. HIDETURTLE, FORWARD,PENUP, PENDOWN, WAIT).Sets of commands can be saved inLGP file.A command PRINTTO “XYZ” canbe used to write directly to files(with a complete path to a file).

Overwrite winstart.bat with anyfunctionality and it will be run!

Malware carriers: SuperLogo

A set of “turtle-control” commandsis provided in the Logo language(e.g. HIDETURTLE, FORWARD,PENUP, PENDOWN, WAIT).Sets of commands can be saved inLGP file.A command PRINTTO “XYZ” canbe used to write directly to files(with a complete path to a file).Overwrite winstart.bat with anyfunctionality and it will be run!

Malware carriers: JavaScript

Similar functionality to VB scripts:Read, write and overwrite filesAccess to ActiveX communication objects: send emailseval(), setTimeOut()...

Automatic invocation during web browsing: infection ispossible via opening of malicious web pages.

Malware carriers: other script languages

Potential carriers: shell scripts, PHP, Perl, Python, Emacs,Tcl, VIMInfection strategies:

file overwriting“exec” functionality

Nonexecutable malware

Recall that in modern exploits theshellcode is usually delivered asdata, e.g. a local variable.Modern operating systems canprevent shellcode execution bymarking stack as non-executable(NX).New idea: build malware from(non-executable) pointers tomalware already existing on asystem!


Recall that in modern exploits theshellcode is usually delivered asdata, e.g. a local variable.

Modern operating systems canprevent shellcode execution bymarking stack as non-executable(NX).New idea: build malware from(non-executable) pointers tomalware already existing on asystem!

Previous frame

Functionarguments

Return address

Frame pointer

Local variables

Unused stackspace

Stackframe


Recall that in modern exploits theshellcode is usually delivered asdata, e.g. a local variable.Modern operating systems canprevent shellcode execution bymarking stack as non-executable(NX).

New idea: build malware from(non-executable) pointers tomalware already existing on asystem!

Previous frame

Functionarguments

Return address

Frame pointer

Local variables

Unused stackspace

Stackframe

NX


Recall that in modern exploits theshellcode is usually delivered asdata, e.g. a local variable.Modern operating systems canprevent shellcode execution bymarking stack as non-executable(NX).New idea: build malware from(non-executable) pointers tomalware already existing on asystem!

Previous frame

Functionarguments

Return address

Frame pointer

Local variables

Unused stackspace

Stackframe

NX

Where to find malware on a system?

Anywhere!e.g., in libc on a Linux

libc

"Instruction 1"retaddr

"Instruction 2"

"Instruction 3"

...

pop %edxret

addl (%edx), %eaxpush %ediret

movl (%ecx), %edxret

stack


Anywhere!

e.g., in libc on a Linux

libc


"Instruction 2"

"Instruction 3"

...

pop %edxret



stack



libc


"Instruction 2"

"Instruction 3"

...

pop %edxret



stack



libc


"Instruction 2"

"Instruction 3"

...

pop %edxret



stack

Unintentional returns

Many more return statements can be found in binary code thatthere were actually placed by compiler!

True code:f7 c7 07 00 00 00 00 test $0x00000007, %edi0f 95 45 c3 setnzb -61(%ebp)

Code disassembled one byte later:c7 07 00 00 00 0f movl $0x0f000000, (%edi)95 xchg %ebp, %eax45 inc %ebpc3 ret

Finding useful sequences

Any sequence ending with byte c3 that disassembles asvalid x64 code and does not transfer control away before retis potentially interesting.

Observation: any suffix of an instruction sequence ispotentially an instruction sequence!Scan the binary image of libc backwards insertinginteresting sequences into a trie.Performance: 1,189,501 bytes of libc yield a trie with 15,121nodes and take 1.6sec to process.


Any sequence ending with byte c3 that disassembles asvalid x64 code and does not transfer control away before retis potentially interesting.Observation: any suffix of an instruction sequence ispotentially an instruction sequence!

Scan the binary image of libc backwards insertinginteresting sequences into a trie.Performance: 1,189,501 bytes of libc yield a trie with 15,121nodes and take 1.6sec to process.


Any sequence ending with byte c3 that disassembles asvalid x64 code and does not transfer control away before retis potentially interesting.Observation: any suffix of an instruction sequence ispotentially an instruction sequence!Scan the binary image of libc backwards insertinginteresting sequences into a trie.

Performance: 1,189,501 bytes of libc yield a trie with 15,121nodes and take 1.6sec to process.


Any sequence ending with byte c3 that disassembles asvalid x64 code and does not transfer control away before retis potentially interesting.Observation: any suffix of an instruction sequence ispotentially an instruction sequence!Scan the binary image of libc backwards insertinginteresting sequences into a trie.Performance: 1,189,501 bytes of libc yield a trie with 15,121nodes and take 1.6sec to process.

From interesting sequences to gadgets

A gadget is a set of available interesting sequences whichimplements a certain “instruction” to be used in shellcode.

To execute a gadget, an attacker must put pointers to therespective sequences onto the stack, in the reverse order ofexecution.

From interesting sequences to gadgets

A gadget is a set of available interesting sequences whichimplements a certain “instruction” to be used in shellcode.To execute a gadget, an attacker must put pointers to therespective sequences onto the stack, in the reverse order ofexecution.

Load constant gadget

%esppop %edx

ret

0xdeadbeef

Figure 2: Load the constant 0xdeadbeef into %edx.

3 Return-Oriented Programming

This section is intended to serve as a catalogue for the actions that we can perform using thesequences we find in libc, and as a tutorial to return-oriented programming generally. Accordingly,we provide more explanatory detail for the earlier gadgets than the later.

Gadgets are our intermediate organizational unit. Each gadget specifies certain values to beplaced on the stack that make use of one or more sequences of instructions from libc. Gadgetsperform well-defined operations, such as a load, an xor, or a jump. Return-oriented programmingconsists in putting gadgets together that will perform the desired operations. The set of gadgetswe describe is Turing complete by inspection, so return-oriented programs can do anything possiblewith x86 code. We stress that the code sequences pointed to by our gadgets are actually containedin libc; they are not injected with the gadgets themselves— this is ruled out by W⊕X. This is thereason that some of the sequences used are weird looking: those were the best sequences availablein our testbed libc.

Each of our gadgets expects to be entered in the same way: the processor executes a ret withthe stack pointer, %esp, pointing to the bottom word of the gadget. This means that, in an exploit,the first gadget should be placed so that its bottom word overwrites some function’s saved returnaddress on the stack. Further gadgets can be placed immediately after the first or, by means of thecontrol flow gadgets given in Section 3.3, in arbitrary locations. (It is helpful for visualizing gadgetplacement to think of the gadgets as being instructions in a rather strange computer.)

3.1 Load/Store

We consider three cases: loading a constant into a register; loading the contents of a memorylocation into a register; and writing the contents of a register into a memory location.

3.1.1 Loading a Constant

The first of these can trivially be accomplished using a sequence of the form pop %reg; ret. Onesuch example is illustrated in Figure 2. In this figure as in all the following, the entries in theladder represent words on the stack; those with larger addresses are placed higher on the page.Some words on the stack will contain the address of a sequence in libc. Our notation for this showsa pointer from the word to the sequence. Other words will contain pointers to other words, orimmediate values. In the example here, once the processor is executing the sequence pop %edx;ret, the ret that caused it to enter the gadget will also have caused %esp to be incremented bya word; the pop %edx instruction, therefore, will pop the next word on the stack— 0xdeadbeef,

9

Load from memory gadget

%esppop %eax

ret

movl 64(%eax), %eax

ret

0xdeadbeef

+ 64

Figure 3: Load a word in memory into %eax.

in this case— into %edx, advancing %esp once more, past the end of the gadget, so that the retinstruction causes execution to continue with the next gadget, placed above it.

3.1.2 Loading from Memory

We choose to load from memory into the register %eax, using the sequence movl 64(%eax), %eax;ret. We first load the address into %eax, using, for example, the constant-load procedure detailedabove. Because of the immediate offset in the movl instruction we use, the address in %eax mustactually be 64 bytes less than the address we wish to load. We then apply the movl sequence, afterwhich %eax contains the contents of the memory location. The procedure is detailed in Figure 3.Note the notation we use to signify, “the pointer in this cell requires that 64 be added to it so thatit points to some other cell.”

3.1.3 Storing to Memory

We use the sequence movl %eax, 24(%edx); ret to store the contents of %eax into memory. We loadthe address to be written into %edx using the constant-load procedure above. The procedure isdetailed in Figure 4.

3.2 Arithmetic and Logic

There are many approaches by which we could implement arithmetic and logic operations. The onewe choose, which we call our ALU paradigm, is as follows. For all operations, one operand is %eax;the other is a memory location. Depending on what is more convenient, either %eax or the memorylocation receives the computed value. This approach allows us to compute memory-to-memoryoperations in a simple way: we load one of the operands into %eax, using the load-from-memorymethods of Section 3.1; we apply the operation; and, if the result is now held in %eax, we write itto memory, using the store-to-memory methods of the same section.

10

Save to memory gadget

%esppop %edx

ret

movl %eax, 24(%edx)

ret

+ 24

Figure 4: Store %eax to a word in memory.

Below, we describe in detail some of the operations we implement—particularly those thatintroduce new techniques—and the remainder more briefly.

3.2.1 Add

The most convenient sequence for performing an add that fits into our ALU paradigm is thefollowing:

addl (%edx), %eax; push %edi; ret. (1)

The first instruction adds the word at %edx to %eax, which is exactly what we want. The nextinstruction, however, creates some problems. Whereas a “popret” sequence is convenient for im-plementing a constant-load operation, a “pushret” sequence is inconvenient for two reasons. First,the value pushed onto the stack is then immediately used by the ret instruction as the address forthe next code sequence to execute, which means the values we can push are restricted. Second, thepush overwrites a word on the stack, so that if we execute the gadget again (say, in a loop) it willnot behave the same.

We first present a simple approach that does not take the second problem into account. Beforeundertaking the addl instruction sequence, we load into %edi the address of a ret instruction. Inreturn-oriented programming, a ret acts like nop, increasing %esp but otherwise having no effect.We illustrate this version in Figure 5. Observe that the push %edi instruction causes the top wordon the stack to be overwritten by the contents of %edi, i.e., to point to a ret instruction. Figure 6illustrates the state of memory immediately after push %edi is executed.

As can be seen, the gadget is changed by the pushret sequence, and a subsequent run through itwould not give an add operation. This is fine if the gadget is only executed once, but is a problemif it forms a subroutine or a loop body. The solution in this case is to fix up the last word in thegadget with the address of (1), as part of the gadget’s code. We cannot use the store-into-memorymethod given in Section 3.1 because %eax is occupied by an add operand. Instead, we use anothercode sequence available to us: movl %ecx, (%edx); ret. The complete procedure is illustrated inFigure 7.

11

Other gadgets

Addition: uses addl instruction.Exclusive OR: uses xorb and various hacks (no xorl found inlibc).Unconditional jump: same as load constant but use %esp asthe target.Conditional jump: a sequence of manipulations of the stackpointer (not the instruction pointer as in conventional jcc!).System calls: mimick a real system call by putting syscallnumber in %eax and trapping into the kernel by callinglinux-gate.so.1.

Return-oriented programming

Proved to work on all major operating systems andhardware platforms.Methods have been proposed to compile high-levelprograms into the ROP code.Can be used for self-modification: another level ofobfuscation!Can be implemented without return statements!Has been observed in real attacks.

Conclusions

Malicious software is an omnipresent threat.Sophisticated technical functionality, constantly evolving.Discrimination between malicious and benign programs isfundamentally difficult.Widely used for organized Internet crime.

Documents

Introduction to Computer Security - Introduction to Malware€¦ · Introduction to Computer Security Introduction to Malware Pavel Laskov Wilhelm Schickard Institute for Computer