分类: 信息化
2015-06-30 15:25:07
这个Session是恶意代码分析,比较实用,大家常关注的黑客或者极客主要是这块了。恶意代码分析过程绝对是个枯燥的过程。
(1)Cross-Architecture Bug Search in Binary Executables
With the general availability of closed-source software for various CPU architectures, there is a need to identify security-critical vulnerabilities at the binary level to perform a vulnerability assessment. Unfortunately, existing bug finding methods fall short in that they i) require source code, ii) only work on a single architecture (typically x86), or iii) rely on dynamic analysis, which is inherently difficult for embedded devices. In this paper, we propose a system to derive bug signatures for known bugs. We then use these signatures to find bugs in binaries that have been deployed on different CPU architectures (e.g., x86 vs. MIPS). The variety of CPU architectures imposes many challenges, such as the incomparability of instruction set architectures between the CPU models. We solve this by first translating the binary code to an intermediate representation, resulting in assignment formulas with input and output variables. We then sample concrete inputs to observe the I/O behavior of basic blocks, which grasps their semantics. Finally, we use the I/O behaviors to find code parts that behave similar to the bug signature, effectively revealing code parts that contain the bug. We have designed and implemented a tool for cross-architecture bug search in executables. Our prototype currently supports three instruction set architectures (x86, ARM, and MIPS) and can find vulnerabilities in buggy binary code for any of these architectures. We show that we can find Heartbleed vulnerabilities, regardless of the underlying software instruction set. Similarly, we apply our method to find backdoors in closed- source firmware images of MIPS- and ARM-based routers.
(2)The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching
Vulnerability exploits remain an important mech- anism for malware delivery, despite efforts to speed up the creation of patches and improvements in software updating mech- anisms. Vulnerabilities in client applications are often exploited in spear phishing attacks and cannot be discovered using network vulnerability scanners. Analyzing their lifecycle is challenging because it requires observing the deployment of patches on hosts around the world. Using 5-year data collected on 8.4 million hosts, available through Symantec’s WINE platform, we present the first systematic study of patch deployment in client-side vulnerabilities. Our analysis of the vulnerability lifecycle of 10 popular client applications identifies several new threats presented by multiple installations of the same program and shared libraries that may be distributed with multiple applications. We find that 80 vulnerabilities in our data set affect common code shared by two applications. In these cases, the time between patch releases in the different applications is up to to 118 days (with a median of 11 days). Furthermore, as the patching rates differ between applications, many hosts patch the vulnerability in one application but not in the other one. We demonstrate two novel attacks that enable exploitation by invoking old versions of applications that are used infrequently, but that remain installed. We also find that the patch rate is affected by user-specific and application-specific factors; for example, hosts belonging to security analysts and applications with an automated updating mechanism have significantly lower median times to patch.
(3)SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers
Run-time packers are typically used by malware-writers to obfuscate their code and hinder static analysis. The packer problem has been widely studied, and several solutions have been proposed in order to generically unpacked these protected binaries. Nevertheless, these solutions commonly rely on certain assumptions that may not necessarily be met by certain types of packers. In this paper, we propose a taxonomy to measure runtime packer complexity, and evaluate it over two datasets composed of both off-the-shelf packers and custom packed binaries. Also, we propose a set of heuristics to improve the feasibility of multi-path exploration approaches for recovering the code of packers that unprotect their code on demand.
(4)A Generic Approach to Automatic Deobfuscation of Executable Code
Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed (``deobfuscated'') in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.
(5)Program-Adaptive Mutational Fuzzing
In this work, we propose a novel way to maximize the number of bugs found for black-box mutational fuzzing given a program and a seed input. The major intuition is to leverage a white-box symbolic analysis on an execution trace for a given program-seed pair to optimize parameters for mutational fuzzing. The result is promising: we found 25% more bugs than the state- of-the-art fuzzers over 8 applications, given a limited resource. We make our code publicly available to foster open science.
内存完整性,这个session的技术都比较难,需要多年的积累。内存完整性分析都与实际攻击相关,如内存泄露攻击、代码重用攻击、ROP攻击等等。用到的解决技术都需要对系统底层了解比较透彻。
(1)Micro-Policies: Formally Verified, Tag-Based Security Monitors
Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies micro-policies to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.
(2)Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications
Code reuse attacks(代码重用攻击) such as return-oriented programming (ROP) are prevalent and powerful and are widely used to exploit memory corruption vulnerabilities in software programs. Recently, many defenses were proposed to mitigate code reuse attacks, but some of them have already been successfully broken. In this paper, we perform a systematic assessment of recently proposed CFI solutions and other defenses against code reuse attacks in the context of object-oriented languages. We focus on C++ since this programming language is used by a large number of today's most attacked software projects (e.g., web browsers, document viewers, and other programming languages' runtime interpreters). We demonstrate that almost all CFI solutions and many other defenses that do not consider object-oriented C++ semantics can be bypassed in practice. Our novel attack technique, denoted as COOP (counterfeit object-oriented programming), induces malicious program behavior by only invoking chains of a program's existing virtual functions through legitimate call sites. COOP is Turing complete under realistic conditions and we demonstrate its viability by developing complex, real-world exploit codes for Internet Explorer 10 on Windows and Firefox 36 on Linux. We also show that even recently proposed defenses (Code-Pointer Separation, T-VIP, vfGuard, and VTint) that specifically target C++ are vulnerable to COOP. Our observation is that no strong defense against COOP exists today that does not require access to source code, and constructing such a defense seems to be challenging. We believe that our investigation and results are helpful contributions to the design and implementation of future defense systems against the severe threat of control-flow hijacking attacks that has sustained in the wild for more than two decades.
(3)Automatic Inference of Search Patterns for Taint-Style Vulnerabilities
Taint-style vulnerabilities are a persistent problem in software development, as the recently discovered "Heartbleed" vulnerability strikingly illustrates. In this class of vulnerabilities, attacker-controlled data is passed unsanitized from an input source to a sensitive sink. While simple instances of this vulnerability class can be detected automatically, more subtle defects involving data flow across several functions or project- specific APIs are mainly discovered by manual auditing. Different techniques have been proposed to accelerate this process by searching for typical patterns of vulnerable code. However, all of these approaches require a security expert to manually model and specify appropriate patterns in practice. In this paper, we propose a method for automatically inferring search patterns for taint-style vulnerabilities in C code. Given a security-sensitive sink, such as a memory function, our method automatically identifies corresponding source-sink systems and constructs patterns that model the data flow and sanitization in these systems. The inferred patterns are expressed as traversals in a code property graph and enable efficiently searching for unsanitized data flows—across several functions as well as with project-specific APIs. We demonstrate the efficacy of this approach in different experiments with 5 open-source projects. The inferred search patterns reduce the amount of code to inspect for finding known vulnerabilities by a factor of 19.5 (94.9%) and also enable us to uncover 8 previously unknown vulnerabilities.
(4)Readactor: Practical Code Randomization Resilient to Memory Disclosure
Code-reuse attacks such as return-oriented programming (ROP) pose a severe threat to modern software. Designing practical and effective defenses against code-reuse attacks is highly challenging. One line of defense builds upon fine-grained code diversification to prevent the adversary from constructing a reliable code-reuse attack. However, all solutions proposed so far are either vulnerable to memory disclosure or are impractical for deployment on commodity systems. In this paper, we address the deficiencies of existing solutions and present the first practical, fine-grained code randomization defense, called Readactor, resilient to both static and dynamic ROP attacks. We distinguish between direct memory disclosure, where the attacker reads code pages, and indirect memory disclosure, where attackers use code pointers on data pages to infer the code layout without reading code pages. Unlike previous work, Readactor resists both types of memory disclosure. Moreover, our technique protects both statically and dynamically generated code. We use a new compiler-based code generation paradigm that uses hardware features provided by modern CPUs to enable execute-only memory and hide code pointers from leakage to the adversary. Finally, our extensive evaluation shows that our approach is practical---we protect the entire Google Chromium browser and its V8 JIT compiler---and efficient with an average SPEC CPU2006 performance overhead of only 6.4%.
(5)Missing the Point: On the Effectiveness of Code Pointer Integrity
Memory corruption attacks (内存泄露攻击)have been known for decades, but they are still a major vector of attack for compromising modern systems. Numerous defenses have been proposed against memory corruption attacks, but they all have their limitations and weaknesses. Stronger defenses such as complete memory safety incur a large overhead, while weaker ones such as practical control flow integrity have been shown to be ineffective. A recent technique called code pointer integrity (CPI) promises to provide the best of both security and performance worlds, preventing control hijacking attacks while maintaining low overhead. In this paper, we show that the assumptions made by CPI are fundamentally flawed and in fact CPI can be bypassed using existing, known types of vulnerabilities. We show that CPI’s safe region can be leaked and then maliciously modified by using data pointer overwrites. Although many other implementation bugs exist in CPI, for this work we assume the weakest assumptions for the attacker and the strongest implementation of CPI and show that just by controlling the stack, an attacker can easily bypass CPI. Our attack was implemented as a proof-of-concept against Nginx and could successfully bypass CPI in 6 seconds with 13 observed crashes. We also present an attack that generates no crashes and is able to bypass CPI in 98 hours.
这是第二个特色安全Session了,通过对之前特色论文的了解,论文应该都具有一定的新颖性和吸引力。
(1)Securing Multiparty Online Services via Certified Symbolic Transactions
现在很多在线服务(如单点登录、第三方支付等)都存在安全缺陷,对程序进行形式化验证变得很需要。不过程序验证在现实世界中存在很多障碍:协议规范通常很模糊,如果描述其安全属性;如何对攻击者和运行时平台建模;如何处理交易中的无限集合(the unbounded set)。这篇文章介绍认证符合交易Certified Symbolic Transaction (CST),可以大大降低程序验证方法使用的障碍。
(2)Caelus: Verifying the Consistency of Cloud Services with Battery-Powered Devices
云存储服务,如Amazon S3、DropBox、Google Drive、Microsoft OneDrive、百度云等已经日益流行。不过,用户不可能完全相信云服务。目前提出的对云存储的解决方案,当用到电池供电的设备中都存在不足,如或者需要设备长期开启以便通信,或者需要依赖一个可信服务来传递消息,或者无法提供及时的攻击检测。这篇论文提出Caelus,可以解决这些不足。The key insight that enables Caelus to do this is having the cloud service declare the timing and order of operations on the cloud service. Our experiments show that Caelus can detect consistency violations on Amazon’s S3 service when the desired consistency requirements set by the user are stricter than what S3 provides. Caelus achieves this with a roughly 12.6% increase in CPU utilization on clients, 1.3% of network bandwidth overhead and negligible impact on the battery life of devices.
(3)High System-Code Security with Low Overhead
由于编写安全系统代码是非常困难的,导致安全漏洞长期困扰着现代各种系统。好的方法通过运行时检测实现期望的安全策略能够自动改造安全,不过诱发的系统变慢导致很多用户难以接受,使得这些工具很少被使用。这样,现实系统的不安全性就一直存在。这篇文章就帮助开发者如何优雅的处理性能问题,在安全性和性能上达到一种平衡。We present an approach in which developers/operators can specify what level of overhead they find acceptable for a given workload (e.g., 5%); our proposed tool ASAP then automatically instruments the program to maximize its security while staying within the specified "overhead budget." Two insights make this approach effective: most overhead in existing tools is due to only a few "hot" checks, whereas the checks most useful to security are typically "cold" and cheap. We evaluate ASAP on programs from the Phoronix and SPEC benchmark suites. It can precisely select the best points in the security-performance spectrum. Moreover, we analyzed existing bugs and security vulnerabilities in RIPE, OpenSSL, and the Python interpreter, and found that the protection level offered by the ASAP approach is sufficient to protect against all of them.
(4)Understanding and Monitoring Embedded Web Scripts
Web浏览器经常使用各种第三方脚本,安全隐患自然而来。这篇文章介绍他们开发的一些工具,可以帮助站点管理员来理解、监控和限制嵌入到他们站点的第三方脚本的行为。关注Web安全的研究者可以学习使用下这篇文章的工具,看看是否能有很好的效果。
移动互联网应该是时下最热门的,移动安全自然也不例外,不过SP上居然最后一个session才讨论这一块,而且局限于安卓安全。一方面可以看到Android系统在移动市场中的地位,另一方面可以发现在移动安全这块的研究才刚刚起步。这里的论文都是关于移动Apps可能访问移动设备上的用户敏感信息的。
(1)Effective Real-time Android Application Auditing
这篇文章也有来自国内研究机构的作者,来自上海交大的Lu Gong(二作)。
移动Apps可以访问移动设备上的各种私人数据,如通讯录、短信等。这容易造成数据泄露,App审计是一个基本的程序分析任务,可以发现数据泄露的代码路径。目前,静态分析技术用的比较多,因为其可以精确找到整个程序中有问题的数据流。不过,静态分析也容易产生错误报警,需要手动确认;而且存在的静态分析方法可能需要数分钟或者甚至几个小时才能检查完一个App,这是很不实际的。为了克服这些限制,本文设计了AppAudit,结合静态分析和动态分析技术。They design AppAudit to use an efficient but over-estimating static API analysis first and then relies on a dynamic analysis to prune its false positives. Overall, AppAudit achieves a low false positive rate as the dynamic analysis only explores possible code paths during real execution. AppAudit also achieves short analysis time by combining an efficient static stage with a highly parallelizable dynamic stage.
(2)What the App is That? Deception and Countermeasures in the Android User Interface
用户只能通过视觉外观来识别一个App是存在安全风险的。这篇文章进行更加本质的分析和识别,帮助用户以免误信其它App。In this paper, we analyze in detail the many ways in which Android users can be confused into misidentifying an app, thus, for instance, being deceived into giving sensitive information to a malicious app. Our analysis of the Android platform APIs, assisted by an automated state-exploration tool, led us to identify and categorize a variety of attack vectors (some previously known, others novel, such as a non-escapable fullscreen overlay) that allow a malicious app to surreptitiously replace or mimic the GUI of other apps and mount phishing and click-jacking attacks.
(3)Leave Me Alone: App-level Protection Against Runtime Information Gathering on Android
Stealing of sensitive information from apps is always considered to be one of the most critical threats to Android security. Recent studies show that this can happen even to the apps without explicit implementation flaws, through exploiting some design weaknesses of the operating system, e.g., shared communication channels such as audio and Bluetooth, and side channels like CPU, memory, network-data usages, etc. In all these attacks, a malicious app needs to run side-by-side with the target app (the victim) to collect its runtime information. Examples include recording phone conversations from the phone app, gathering network-data usages of WebMD to infer the disease condition the user looks at, etc(攻击例子). This runtime-information-gathering (RIG) threat is both realistic and serious, as demonstrated by prior research and our new findings, which reveal that the adversary monitoring daily operations of popular Android-based home security systems can easily figure out when the house is empty and the user is not looking at surveillance cameras, and even turn off the alarm delivered to the user's phone. To defend against this new category of attacks, we propose a novel technique that changes neither the operating system nor the target apps, and provides immediate protection as soon as an ordinary app (with only normal and dangerous permissions) is installed(本文提出的防止攻击的新技术). This new approach, calledApp Guardian(称为App守卫), thwarts a malicious app's runtime monitoring attempt by pausing all suspicious background processes when the target app (called principal) is running in the foreground, and resuming them after the app stops and its runtime environment is cleaned up. Our technique leverages a unique feature of Android, on which third-party apps running in the background are often considered to be disposable and can be stopped anytime with only a minor performance and utility implication. We further limit such an impact by only focusing on a small set of suspicious background apps, which are identified based upon their behaviors inferred from their side channels, such as thread names, CPU scheduling data and kernel time. App Guardian is also carefully designed to choose the right moments to start and end the protection procedure, and effectively protect itself against malicious apps. Our experimental studies show that this new technique defeated all known RIG attacks, ranging from phone taping to keylogging through various side channels. In the meantime, the inconvenience it introduces is found to be minimal, with negligible impacts on the utility of legitimate apps and the performance of the OS.
