Systems Security

● Hardening of computer systems through 3 classes of protection mechanisms against adversaries
  – Prevention
    ● Physical world: Door/window locks, door security
    ● Computer security: Net/host firewalls, file permissions, reserved network ports, CPU rings

Broken Access Control i

● Operating system
  – e.g. File permissions (DAC), System privileges (MAC)
  – Type 1: Trojan
  – Type 1: Browser exploit + malware installation
  – Type 1: Exploiting misconfiguration to edit setuid'ed scripts having root as owner
  – Type 2: Brute-force supervisor password
● Enterprise application
  – e.g. restricted/privileged areas, account-centric forms
  – Type 1: Password theft
  – Type 2: Exploit insufficient mechanism
    ● E.g. Discover a form button that leads to a sensitive application form without the application referring the request to the access control mechanism
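The "insufficient mechanism" case above, as an added example that is not part of the slides: a handler that serves a sensitive form without consulting the access control mechanism, next to a dispatcher that refers every request to it before any handler runs. The roles, paths, user names and the `authorize`/`dispatch_*` functions are hypothetical.

```python
# Added example (not from the slides): enterprise-application access control
# in the vulnerable shape described above (a handler that never consults the
# mechanism) beside a hardened dispatcher that consults it for every request.
# Roles, paths and user names are hypothetical.
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the access control mechanism rejects a request."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Hypothetical policy: which roles may open which form.
FORM_POLICY = {
    "/forms/leave-request": frozenset({"employee", "manager", "hr"}),
    "/forms/salary-adjust": frozenset({"hr"}),  # the sensitive form
}


def authorize(user, path):
    """The access control mechanism: every access decision is made here."""
    if path.startswith("/account/"):
        # Account-centric form: only the account owner or HR may open it.
        owner = path[len("/account/"):]
        if user.name == owner or "hr" in user.roles:
            return
        raise AccessDenied(f"{user.name} may not open {path}")
    allowed = FORM_POLICY.get(path)
    if allowed is None or not (user.roles & allowed):
        raise AccessDenied(f"{user.name} may not open {path}")


def leave_form(user):
    return f"leave request form for {user.name}"


def salary_form(user):
    return "salary adjustment form"


def account_form(user, path):
    return f"account form for {path[len('/account/'):]}"


# Vulnerable: each handler is responsible for calling authorize() itself.
# Two handlers forgot; the button is merely hidden in the UI, so any user who
# discovers the path is served the form.
def dispatch_vulnerable(user, path):
    if path == "/forms/leave-request":
        authorize(user, path)
        return leave_form(user)
    if path == "/forms/salary-adjust":
        return salary_form(user)          # missing authorize() call
    if path.startswith("/account/"):
        return account_form(user, path)   # missing authorize() call
    raise KeyError(path)


# Hardened: the dispatcher refers every request to authorize() before any
# handler runs, so a forgotten check inside one handler cannot open a form,
# and a path with no policy entry is denied rather than served.
def dispatch_hardened(user, path):
    authorize(user, path)
    if path.startswith("/account/"):
        return account_form(user, path)
    handlers = {"/forms/leave-request": leave_form,
                "/forms/salary-adjust": salary_form}
    return handlers[path](user)


if __name__ == "__main__":
    alice = User("alice", frozenset({"employee"}))
    print(dispatch_vulnerable(alice, "/forms/salary-adjust"))  # form is leaked
    try:
        dispatch_hardened(alice, "/forms/salary-adjust")
    except AccessDenied as exc:
        print("denied:", exc)
```

The design point is complete mediation: the check lives in one place the request cannot bypass, so adding a new form cannot silently add an unchecked route.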
Broken Access Control ii

● Web portals
  – to enterprise applications
  – Type 1: SQL injection attack
  – Type 2: Exploit non-random session identifiers
● Network Firewall
  – DMZs, Wi-Fi isolation
  – Type 1: IP address spoofing
  – Type 2: Malicious defragmentation attack
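The non-random session identifier case, as an added example that is not part of the slides: a sequential identifier next to one drawn from the OS CSPRNG, plus a small check a tester or defender can run over a sample of issued identifiers to flag the predictable kind. The identifiers and the function names are constructed here.

```python
# Added example (not from the slides): how a non-random session identifier
# looks next to a properly generated one, and a check that flags the
# predictable kind from a sample of issued identifiers.  All identifiers
# below are constructed.
import collections
import math
import secrets


def weak_session_id(counter):
    """Sequential identifier: the next user's session is one increment away."""
    return f"{counter:032x}"


def strong_session_id():
    """128 bits from the OS CSPRNG, rendered as 32 hex digits."""
    return secrets.token_hex(16)


def entropy_bits_per_char(text):
    """Shannon entropy of the character distribution (4.0 is the maximum for hex)."""
    counts = collections.Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_arithmetic_progression(ids):
    """True when consecutive hex identifiers differ by one constant (e.g. 1 or 16)."""
    try:
        values = [int(i, 16) for i in ids]
    except ValueError:
        return False
    if len(values) < 3:
        return False
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1


def assess_session_ids(ids, min_entropy=3.0):
    """Return the reasons a sample looks predictable; an empty list means it passed."""
    findings = []
    if is_arithmetic_progression(ids):
        findings.append("identifiers form an arithmetic progression")
    if entropy_bits_per_char("".join(ids)) < min_entropy:
        findings.append("identifier bits are mostly constant (low entropy)")
    return findings


if __name__ == "__main__":
    weak = [weak_session_id(n) for n in range(1, 51)]
    strong = [strong_session_id() for _ in range(50)]
    print("weak:  ", assess_session_ids(weak))    # both findings
    print("strong:", assess_session_ids(strong))  # []
```

The two checks are deliberately simple: a progression check catches counters and timestamps, and the entropy check catches identifiers whose bits are mostly fixed. Passing both is necessary, not sufficient; the real fix is to issue identifiers only from a CSPRNG.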
Broken Access Control iii

● Malicious logic: ultimate goals
  – System take-over/pivoting
  – Complete access control subversion
  – Various forms and flavors
  – Interactive malware analysis is the ideal place to start from
  – Identify malware goals and use the output to configure security tools, e.g. IDS, memory dump analysis tools
Binary code analysis

Malware analysis i

● Dynamic disassembly
● Full knowledge of
  – Instruction trace, including dynamically linked libraries
  – CPU state
  – Execution flow state: stack
  – Data: global, heap, TLS
● However
  – Information overflow
  – Thousands of instructions and more
  – GBs of data
  – And despite all of this...
● Restricted to a single execution path
Malware analysis ii

● Iterative process, with each phase informing the next and refining a set of hypotheses about the malware's goals
  – Basic static analysis
Malware analysis iii

● Using binary metadata
  > Architecture
  > Imports
  > Memory layout...
> Triage
> Guidance for setting up sandbox probes
> Static disassembly focus
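Basic static analysis on binary metadata, as an added example that is not part of the slides: a small reader for the fixed ELF and PE headers that recovers format, architecture, bitness, endianness, entry point and section count, and turns them into a sandbox hint for the next phase. The two sample headers are constructed byte strings, not real malware; the `triage`, `parse_elf` and `parse_pe` names are assumptions. Import-table parsing is left out to keep the example short.

```python
# Added example (not from the slides): reading the binary metadata a triage
# step starts from (format, architecture, bitness, endianness, entry point)
# straight from ELF and PE headers.  Sample headers below are constructed.
import struct

ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0xAA64: "aarch64"}
ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def parse_elf(data):
    """ELF file header (System V ABI layout); None when data is not ELF."""
    if data[:4] != b"\x7fELF" or len(data) < 16:
        return None
    bits = {1: 32, 2: 64}.get(data[4])          # EI_CLASS
    endian = {1: "<", 2: ">"}.get(data[5])      # EI_DATA
    if bits is None or endian is None:
        return None
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    layout = "HHIQQQIHHHHHH" if bits == 64 else "HHIIIIIHHHHHH"
    try:
        f = struct.unpack_from(endian + layout, data, 16)
    except struct.error:
        return None
    return {"format": "ELF", "bits": bits,
            "endian": "little" if endian == "<" else "big",
            "arch": ELF_MACHINES.get(f[1], f"unknown(0x{f[1]:x})"),
            "type": ELF_TYPES.get(f[0], f"unknown({f[0]})"),
            "entry": f[3], "segments": f[9], "sections": f[11]}


def parse_pe(data):
    """PE/COFF headers (Microsoft PE format layout); None when data is not PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    try:
        # COFF: Machine NumberOfSections TimeDateStamp PointerToSymbolTable
        #       NumberOfSymbols SizeOfOptionalHeader Characteristics
        machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
        magic = struct.unpack_from("<H", data, pe_off + 24)[0]      # optional header Magic
        entry_rva = struct.unpack_from("<I", data, pe_off + 40)[0]  # AddressOfEntryPoint
    except struct.error:
        return None
    return {"format": "PE", "bits": {0x10B: 32, 0x20B: 64}.get(magic),
            "endian": "little",
            "arch": PE_MACHINES.get(machine, f"unknown(0x{machine:x})"),
            "type": "dll" if chars & 0x2000 else "executable",
            "entry_rva": entry_rva, "sections": nsections}


def triage(data):
    """Metadata plus a hint for which sandbox to stage the sample in."""
    info = parse_elf(data) or parse_pe(data)
    if info is None:
        return {"format": "unknown",
                "sandbox": "inspect manually (script, packed blob or other format?)"}
    os_name = "Linux" if info["format"] == "ELF" else "Windows"
    info["sandbox"] = f"{os_name} {info['arch']} {info['bits']}-bit"
    return info


# Constructed sample headers (header only, no code).
SAMPLE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
              + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 2, 64, 5, 4))
SAMPLE_PE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
             + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)
             + struct.pack("<HBBIIII", 0x20B, 14, 0, 0x1000, 0x2000, 0, 0x1240))

if __name__ == "__main__":
    for sample in (SAMPLE_ELF, SAMPLE_PE, b"#!/bin/sh\n"):
        print(triage(sample))
```

Both parsers return `None` instead of raising on truncated input, which matters in triage: a file that claims to be an executable but has no complete header is itself a finding.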
Malware analysis iv

● Basic dynamic analysis: malware sandboxes
  How about:
  > Multiple execution paths?
  > Evasive malware?
  > Password-protected malware?
  > Or just setting up the right environment, e.g.
    > a keylogger, but no keystrokes are sent, or
    > IE-targeting spyware, but no passwords stored in there, etc...
  Need more context from code – Machine Code
Malware analysis v

● Static disassembly
  Gain:
  > Control flow analysis
  > API arguments
  > Data structure analysis
  But:
  > Computed args may be hard to follow
  > Optimized code/obscure idioms
  > Packed code!
> Execution paths
> Right environment
> Follow areas of interest inside a debugger
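What static disassembly adds over a single sandbox run, as an added example that is not part of the slides: from a small constructed listing (x86-style mnemonics, but not real malware) it recovers basic blocks, control-flow edges and every execution path, so the analyst sees the branch the sandbox never took and the API call that would only fire in the "right environment". The listing and the `build_cfg`, `all_paths` and `calls_on_path` names are assumptions.

```python
# Added example (not from the slides): control flow recovery from a static
# listing, covering the execution paths a single sandbox run cannot show.
# The listing is constructed; mnemonics are x86-style for readability.

BRANCH = {"je", "jne", "jz", "jnz", "ja", "jb", "jl", "jg"}
JUMP = {"jmp"}
END = {"ret"}

# Constructed listing: (address, mnemonic, operand)
LISTING = [
    (0x1000, "cmp", "eax, 0"),             # any keystrokes buffered?
    (0x1003, "je", "0x1010"),              # none: go idle
    (0x1005, "call", "send_keystrokes"),   # only reached when eax != 0
    (0x100a, "jmp", "0x1015"),
    (0x1010, "call", "sleep_and_retry"),
    (0x1015, "ret", ""),
]


def build_cfg(listing):
    """Return (blocks, edges): leader address -> instructions / successor leaders."""
    addrs = [a for a, _, _ in listing]
    index = {a: i for i, a in enumerate(addrs)}
    leaders = {addrs[0]}
    for i, (addr, mnem, op) in enumerate(listing):
        if mnem in BRANCH | JUMP and int(op, 16) in index:
            leaders.add(int(op, 16))          # a jump target starts a block
        if mnem in BRANCH | JUMP | END and i + 1 < len(listing):
            leaders.add(addrs[i + 1])         # so does the fall-through
    leaders = sorted(leaders)
    blocks, edges = {}, {}
    for n, leader in enumerate(leaders):
        start = index[leader]
        stop = index[leaders[n + 1]] if n + 1 < len(leaders) else len(listing)
        blocks[leader] = listing[start:stop]
        _, mnem, op = listing[stop - 1]
        fall = addrs[stop] if stop < len(listing) else None
        if mnem in JUMP:
            succ = [int(op, 16)]
        elif mnem in BRANCH:
            succ = [int(op, 16), fall]       # taken branch, then fall-through
        elif mnem in END:
            succ = []
        else:
            succ = [fall]
        edges[leader] = [s for s in succ if s is not None and s in index]
    return blocks, edges


def all_paths(edges, entry):
    """Enumerate acyclic paths from entry to a block with no successors."""
    paths = []

    def walk(node, path):
        path = path + [node]
        if not edges[node]:
            paths.append(path)
            return
        for succ in edges[node]:
            if succ not in path:             # do not re-enter a loop
                walk(succ, path)

    walk(entry, [])
    return paths


def calls_on_path(blocks, path):
    """Functions/APIs invoked along one path: what each environment would trigger."""
    return [op for leader in path for _, mnem, op in blocks[leader] if mnem == "call"]


if __name__ == "__main__":
    blocks, edges = build_cfg(LISTING)
    for path in all_paths(edges, 0x1000):
        print([hex(a) for a in path], "->", calls_on_path(blocks, path))
```

Run stand-alone, the script prints two paths: the idle path calling `sleep_and_retry` (the one a sandbox without keystroke input would record) and the path calling `send_keystrokes`, which tells the analyst what environment to stage, or which block to break on in a debugger.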